APT36 targets Indian government with Golang-based DeskRAT malware campaign

October 24, 2025Ravi LakshmananCyber ​​espionage/malware

DeskRAT Malware Campaign

Pakistan-linked attackers were observed targeting Indian government agencies as part of a spear-phishing attack aimed at delivering Golang-based malware known as DeskRAT.

The activity, which Sekoia observed in August and September 2025, is believed to be the work of Transparent Tribe (also known as APT36), a state-sponsored hacking group known to have been active since at least 2013. This activity also builds on a previous campaign unveiled by CYFIRMA in August 2025.

The attack chain involves sending a phishing email with a ZIP file attachment. In some cases, it also includes links pointing to archives hosted on legitimate cloud services such as Google Drive. Inside the ZIP file is a malicious desktop file embedded with a command that uses Mozilla Firefox to display a decoy PDF (‘CDS_Directive_Armed_Forces.pdf’) and at the same time execute the main payload.

Both artifacts are retrieved from the external server ‘modgovindia[.]space’. As in the earlier campaign, this activity targets BOSS (Bharat Operating System Solutions) Linux systems with a remote access Trojan that establishes command and control (C2) over WebSockets.

The malware supports four different methods for persistence, including creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory ($HOME/.config/autostart), and configuring a .bashrc that launches the Trojan using a shell script written to the “$HOME/.config/system-backup/” directory.
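As an added illustration (not code from Sekoia or the article), a small Python audit that checks one Linux home directory for the persistence artifacts described above: the $HOME/.config/system-backup/ script directory, a .bashrc or crontab line that launches it, a user systemd unit that references it, and autostart .desktop entries. The Firefox-chaining heuristic for .desktop files and the sample files it builds are constructed assumptions, not indicators from the report.

```python
import re
import tempfile
from pathlib import Path

# Locations the article names: the script dir launched from .bashrc, and the XDG autostart dir.
STAGING_DIR = ".config/system-backup"
AUTOSTART_DIR = ".config/autostart"
# Heuristic (assumption, not from the report): Exec= line that runs Firefox and chains another command.
CHAINED_FIREFOX = re.compile(r"^Exec=.*firefox.*(&&|;|\||&)", re.I | re.M)

def desktop_chains_decoy(text: str) -> bool:
    """True if a .desktop file's Exec line opens Firefox and runs something else too."""
    return CHAINED_FIREFOX.search(text) is not None

def _files(directory: Path, pattern: str):
    return directory.glob(pattern) if directory.is_dir() else []

def audit_home(home: Path, crontab: str = "") -> list[str]:
    """Check one home directory (plus optional crontab text) for the described persistence spots."""
    findings = []
    if (home / STAGING_DIR).is_dir():
        findings.append(f"staging dir present: {home / STAGING_DIR}")
    bashrc = home / ".bashrc"
    if bashrc.is_file() and STAGING_DIR in bashrc.read_text():
        findings.append(".bashrc references " + STAGING_DIR)
    for unit in _files(home / ".config/systemd/user", "*.service"):
        if STAGING_DIR in unit.read_text():
            findings.append(f"user systemd unit references staging dir: {unit.name}")
    for entry in _files(home / AUTOSTART_DIR, "*.desktop"):
        text = entry.read_text()
        if STAGING_DIR in text or desktop_chains_decoy(text):
            findings.append(f"suspicious autostart entry: {entry.name}")
    for line in crontab.splitlines():
        if STAGING_DIR in line and not line.lstrip().startswith("#"):
            findings.append("crontab line references staging dir: " + line.strip())
    return findings

def build_constructed_sample() -> Path:
    """Build a throwaway home dir containing constructed artifacts shaped like the description."""
    home = Path(tempfile.mkdtemp(prefix="deskrat-sample-"))
    (home / STAGING_DIR).mkdir(parents=True)
    (home / ".bashrc").write_text("alias ll='ls -l'\nsh $HOME/.config/system-backup/run.sh &\n")
    (home / AUTOSTART_DIR).mkdir(parents=True)
    (home / AUTOSTART_DIR / "update.desktop").write_text(
        '[Desktop Entry]\nType=Application\nExec=sh -c "firefox /tmp/decoy.pdf & /tmp/.x/payload"\n')
    (home / AUTOSTART_DIR / "vscode.desktop").write_text("[Desktop Entry]\nType=Application\nExec=code\n")
    return home

SAMPLE_CRONTAB = "@reboot /bin/sh $HOME/.config/system-backup/run.sh\n0 3 * * * backup\n"
```

On a real host, call audit_home(Path.home(), crontab_text) with the output of `crontab -l`; the constructed sample yields four findings and leaves the benign vscode.desktop entry alone.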


DeskRAT supports five different commands:

  • ping, which sends a JSON message containing the current timestamp along with a “pong” to the C2 server.
  • heartbeat, which sends a JSON message with a heartbeat_response and a timestamp.
  • browse_files, which sends a directory listing.
  • start_collection, which searches for and sends files that match a predefined set of extensions and are less than 100 MB in size.
  • upload_execute, which drops an additional Python, shell, or desktop payload and runs it.

“DeskRAT’s C2 server is named as a stealth server,” the French cybersecurity firm said. “In this context, a stealth server refers to a name server that does not appear in the publicly visible NS records of the associated domain.”

“While initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now moved to using dedicated staging servers.”

The findings follow a report from QiAnXin XLab, which details a campaign targeting Windows endpoints with a Golang backdoor tracked as StealthServer through phishing emails with booby-trapped desktop file attachments, suggesting a cross-platform focus.

It’s worth noting that there are three variants of StealthServer for Windows:

  • StealthServer Windows-V1 (observed in July 2025): employs several anti-analysis and anti-debugging techniques to evade detection; establishes persistence using scheduled tasks, PowerShell scripts added to the Windows startup folder, and changes to the Windows registry; and communicates with the C2 server over TCP to enumerate files and upload or download specific files.
  • StealthServer Windows-V2 (observed in late August 2025): adds new anti-debugging checks for tools like OllyDbg, x64dbg, and IDA while preserving the same functionality.
  • StealthServer Windows-V3 (observed in late August 2025): uses WebSockets for communication and offers the same features as DeskRAT.

XLab said it also observed two Linux variants of StealthServer, one of which is DeskRAT, which supports an additional command called “welcome.” The second Linux version uses HTTP instead of WebSockets for C2 communication and features three commands:

  • browse, which enumerates the files in the specified directory
  • upload, which uploads the specified file
  • execute, which executes a bash command

It also recursively searches the root directory (‘/’) for files matching a set of extensions and sends the files it finds, in encrypted form, to ‘modgovindia[.]space:4000’ via an HTTP POST request. This indicates that this Linux variant may be an earlier version of DeskRAT, as the latter has a dedicated “start_collection” command for collecting files.

“This group’s operations are frequent and characterized by a wide variety of tools, numerous variations, and high frequency of delivery,” said QiAnXin XLab.

Attacks from other South and East Asian threat clusters

The development comes amid the discovery of various campaigns orchestrated by South Asia-focused threat actors in recent weeks.

  • A phishing campaign conducted by Bitter APT targeting the government, power, and military sectors in China and Pakistan. It exploits CVE-2025-8088 using a malicious Microsoft Excel attachment or RAR archive, ultimately dropping a C# implant named ‘cayote.log’ that can collect system information and execute arbitrary executables received from an attacker-controlled server.
  • A new wave of targeted activity conducted by SideWinder. Targeting the maritime sector and other industries in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar, it uses credential-harvesting portals and weaponized lure documents to distribute multi-platform malware as part of an “intensive” campaign codenamed Operation Southnet.
  • An attack campaign conducted by the Vietnam-aligned hacking group known as OceanLotus (also known as APT-Q-31), which delivers the Havoc post-exploitation framework in attacks targeting businesses and government departments in China and neighboring Southeast Asian countries.
  • An attack campaign conducted by Mysterious Elephant in early 2025. Through a combination of exploit kits, phishing emails, and malicious documents, the group gains initial access to targeted government and diplomatic departments in Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka, then uses a PowerShell script to drop BabShell (a C++ reverse shell) and launch MemLoader HidenDesk (a loader that executes Remcos RAT payloads in memory) and MemLoader Edge (another malicious loader that incorporates VRat, a variant of the open source RAT vxRat).


Notably, these intrusions also focused on stealing WhatsApp communications from compromised hosts using a number of modules (i.e. Uplo Exfiltrator and Stom Exfiltrator) that specialize in capturing various files exchanged through the popular messaging platform.

Another tool used by threat actors is ChromeStealer Exfiltrator. As the name suggests, it can collect cookies, tokens, and other sensitive information from Google Chrome as well as siphon files related to WhatsApp.

The disclosure shows a hacking group that has evolved into a sophisticated threat operation that not only relies on the tools of other threat actors but also uses its own custom malware. This adversary is known to have tactical overlap with Origami Elephant, Confucius, and SideWinder, all of which are assessed to operate with India’s interests in mind.

“Mysterious Elephant is a highly sophisticated and active advanced persistent threat group that poses a significant threat to government and diplomatic sectors in the Asia-Pacific region,” Kaspersky said. “The use of custom-made open source tools such as BabShell and MemLoader highlights the technical expertise and willingness to invest in the development of advanced malware.”
