DeskRAT: Golang Backdoor Used in Targeted Campaigns Against Indian Government Targets
Security researchers have observed a spear-phishing campaign targeting Indian government entities that delivers a Golang-based remote access trojan (RAT) named DeskRAT

Security researchers have observed a spear-phishing campaign targeting Indian government entities that delivers a Golang-based remote access trojan (RAT) named DeskRAT. Attributed to the Pakistan-nexus actor Transparent Tribe (aka APT36), the activity was seen in August–September 2025 and builds on prior reporting of similar campaigns. The operation demonstrates a sustained, cross-platform effort to infiltrate Linux and Windows environments used by public sector organizations.
Attack Vector and Delivery
Attackers send tailored phishing emails containing a ZIP archive or links to archives hosted on legitimate cloud services (for example, Google Drive). The ZIP includes a malicious .desktop file that both displays a decoy PDF (e.g., CDS_Directive_Armed_Forces.pdf) in Mozilla Firefox and triggers the main payload. Components are fetched from an external staging domain (reported as modgovindia[.]com), enabling the campaign to switch between cloud hosting and dedicated servers.
Targeting and Platform Scope
The campaign specifically targets BOSS Linux (Bharat Operating System Solutions) environments, and a Windows counterpart has been reported under the family name StealthServer. Observed activity suggests the adversary operates a cross-platform toolset, reusing Golang payloads for Linux and Windows to simplify development and evade platform-specific defenses.
DeskRAT Capabilities and Persistence
DeskRAT establishes robust persistence and flexible C2 communications (WebSockets). Four persistence mechanisms have been observed on Linux:
- systemd service creation
- cron job scheduling
- autostart entry under $HOME/.config/autostart
- .bashrc entry launching a script in $HOME/.config/system-backup/
Supported commands include:
- ping/pong — simple heartbeat messaging with timestamps
- heartbeat — structured heartbeat response
- browse_files — directory listings sent to C2
- start_collection — collect and transmit files matching predefined extensions under 100 MB
- upload_execute — drop and run additional payloads (Python, shell, or desktop files)
DeskRAT’s C2 domains were described as “stealth servers”, meaning name servers that are not publicly visible in DNS records, complicating attribution and takedown.
Related Windows Variants (StealthServer)
QiAnXin XLab described three Windows StealthServer variants (V1–V3) showing evolutionary changes: from scheduled-task and registry persistence to added anti-debugging checks and WebSocket-based C2. Two Linux StealthServer variants were also observed, one matching DeskRAT functionality and another using HTTP for C2 and a smaller command set (browse, upload, execute).
Implications and Mitigations
Transparent Tribe’s high cadence, cross-platform tooling, and use of cloud staging underscore the need for layered defenses. Recommended mitigations:
- Treat unsolicited archives with caution; disable automatic execution of .desktop files.
- Restrict and monitor outbound WebSocket/HTTP connections from endpoints.
- Enforce least privilege and harden systemd/cron/autostart locations.
- Implement multi-factor authentication for remote access and rotate credentials regularly.
- Conduct threat hunting for anomalous persistence entries and encrypted exfiltration endpoints (e.g., modgovindia*).
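The following hunting script is an added example, not code from the article or from the malware; it checks the four Linux persistence locations listed above (systemd units, crontab rows, autostart .desktop entries, .bashrc) for launch commands that point into the reported $HOME/.config/system-backup/ directory or, more generally, run a script out of a hidden directory under a home folder. It works on (path, content) pairs with constructed sample artifacts so it runs offline; a real collector would read the actual files instead.

```python
"""Hunt the four Linux persistence locations the DeskRAT write-up lists.
Added example, not from the article or the malware: entries are (path, content)
pairs so it runs offline; a collector would read the real files instead."""
import re

# Concrete path from the report plus a generic rule: a launch command that runs
# a script out of a hidden directory under /home.
SUSPECT = [re.compile(r"\.config/system-backup/"),
           re.compile(r"/home/[^/\s]+/\.[^/\s]+/\S*\.(?:sh|py|desktop)\b")]
EXEC_KEYS = re.compile(r"^(?:ExecStart|Exec)\s*=\s*(.+)$", re.M)

def _commands(path: str, content: str) -> tuple[str, list[str]]:
    """Pull launch commands out of one artifact, classified by location."""
    lines = [l for l in content.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if path.endswith(".service"):
        return "systemd", EXEC_KEYS.findall(content)
    if path.endswith(".desktop"):
        return "autostart", EXEC_KEYS.findall(content)
    if "/cron" in path:  # crontab rows: five schedule fields, then the command
        return "cron", [l.split(None, 5)[-1] for l in lines]
    if path.endswith(".bashrc"):
        return "bashrc", lines
    return "unknown", []

def hunt_persistence(entries: list[tuple[str, str]]) -> list[dict]:
    """One finding per launch command that matches a suspect pattern."""
    findings = []
    for path, content in entries:
        kind, commands = _commands(path, content)
        findings += [{"kind": kind, "path": path, "command": c.strip()}
                     for c in commands if any(p.search(c) for p in SUSPECT)]
    return findings

# Constructed artifacts: two benign, four modelled on the report's persistence.
SAMPLE_ENTRIES = [
    ("/home/u/.config/systemd/user/backup.service",
     "[Service]\nExecStart=/bin/bash /home/u/.config/system-backup/sync.sh\n"),
    ("/home/u/.config/systemd/user/syncthing.service", "[Service]\nExecStart=/usr/bin/syncthing serve\n"),
    ("/var/spool/cron/crontabs/u", "# m h dom mon dow cmd\n*/10 * * * * /home/u/.config/system-backup/sync.sh\n0 3 * * * /usr/bin/updatedb\n"),
    ("/home/u/.config/autostart/cds-directive.desktop",
     "[Desktop Entry]\nType=Application\nExec=python3 /home/u/.config/system-backup/agent.py\n"),
    ("/home/u/.config/autostart/nm-applet.desktop", "[Desktop Entry]\nExec=nm-applet\n"),
    ("/home/u/.bashrc", "alias ll='ls -l'\nnohup bash /home/u/.config/system-backup/sync.sh >/dev/null 2>&1 &\n"),
]

if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_ENTRIES):
        print(f"[{f['kind']}] {f['path']}: {f['command']}")
```

The generic hidden-directory rule will also flag legitimate user-installed tooling, so findings are a triage list rather than a verdict.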
Proactive monitoring, rapid incident response, and developer/administrator awareness remain key to detecting and containing such state-level espionage operations.

