Free, Unbiased, and Open threat intelligence

APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign

Threat Profile

Description

APT36 (Transparent Tribe), a Pakistan-nexus threat actor, has been observed targeting Indian government entities with spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT. The campaign, observed in August and September 2025, uses phishing emails carrying ZIP attachments or links to archives hosted on legitimate cloud services such as Google Drive. The attacks specifically target BOSS (Bharat Operating System Solutions) Linux systems with a remote access trojan that establishes command-and-control over WebSockets. The malware supports multiple persistence mechanisms and can exfiltrate files. The threat actor has transitioned from legitimate cloud storage platforms to dedicated staging servers for payload distribution.

MITRE ATT&CK Techniques

T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1053.003 Scheduled Task/Job: Cron
T1071.001 Application Layer Protocol: Web Protocols
T1083 File and Directory Discovery
T1005 Data from Local System
T1041 Exfiltration Over C2 Channel
T1027 Obfuscated Files or Information

Indicators of Compromise (2)

modgovindia.com: command-and-control server used to host malicious payloads, including the decoy PDF and the DeskRAT malware
modgovindia.space: command-and-control server used for HTTP-based C2 communications on port 4000 by the Linux variant for file exfiltration

Metadata

Published

7 months ago
