APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery

Aug. 21, 2025, 9:35 p.m.

Description

Pakistan-linked APT36 (Transparent Tribe) launched a new cyber-espionage campaign targeting Indian government and defense entities. Active in August 2025, the group used phishing ZIP files containing malicious Linux “.desktop” shortcuts that downloaded payloads from Google Drive.

Date

  • Created: Aug. 21, 2025, 9:05 p.m.
  • Published: Aug. 21, 2025, 9:05 p.m.
  • Modified: Aug. 21, 2025, 9:35 p.m.

Indicators

  • 7a946339439eb678316a124b8d700b21de919c81ee5bef33e8cb848b7183927b
  • 6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113
  • 34ad45374d5f5059cad65e7057ec0f3e468f00234be7c34de033093efc4dd83d
  • 164.215.103.55
  • http://seemysitelive.store:8080/ws
  • seemysitelive.store

Additional Information

  • Critical Sectors
  • Defense
  • Government