Date: 10/27/2025
Severity: High
Summary
In mid-2025, TransparentTribe (APT36), a Pakistan-linked cyber espionage group, launched a phishing campaign targeting Indian government and defense organizations, focusing on Linux-based systems. The campaign delivered malicious Linux desktop entry (.desktop) files inside ZIP archives to deploy a Golang-based remote access trojan (RAT) called DeskRAT. Upon execution, the malware downloaded, decoded, and ran a payload while displaying a decoy PDF to appear legitimate. DeskRAT then established command-and-control communication over WebSocket, enabling remote access and data theft. This activity highlights TransparentTribe’s evolving tactics and growing focus on Linux environments in its espionage operations against Indian military entities.
Indicators of Compromise (IOC) List
| Type | Indicator |
|---|---|
| URL | http://newforsomething.rest:8080/ws |
| URL | http://seeconnectionalive.website:8080/login |
| URL | http://seeconnectionalive.website:8080/ws |
| URL | https://modgovindia.com/CDS |
| URL | https://modgovindia.com/CDS_Directive_Armed_Forces.pdf |
| URL | https://modgovindia.com/download.php?file=Gimpfile.txt |
| URL | ws://seemysitelive.store:8080/ws |
| Domain | modgovindia.com |
| Domain | newforsomething.rest |
| Domain | seeconnectionalive.website |
| Domain | seemysitelive.store:8080 |
| MD5 | 3563518ef8389c7c7ac2a80984a2c4cd |
| MD5 | 4c56fedd177108a8849cec423f020625 |
| SHA-1 | 6dda9056917355b487bc591a828cf85a7e7d577c |
| SHA-1 | 8c1638bfd93071eeb6b1244e4a9552866a688b19 |
| SHA-256 | 43715401531e0060827d3dcfd406add434829192051fe76d5ffdbb22602cc136 |
| SHA-256 | 567dfbe825e155691329d74d015db339e1e6db73b704b3246b3f015ffd9f0b33 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "https://modgovindia.com/CDS" or siteurl like "https://modgovindia.com/CDS" or url like "https://modgovindia.com/CDS"
or domainname like "http://newforsomething.rest:8080/ws" or siteurl like "http://newforsomething.rest:8080/ws" or url like "http://newforsomething.rest:8080/ws"
or domainname like "modgovindia.com" or siteurl like "modgovindia.com" or url like "modgovindia.com"
or domainname like "newforsomething.rest" or siteurl like "newforsomething.rest" or url like "newforsomething.rest"
or domainname like "http://seeconnectionalive.website:8080/ws" or siteurl like "http://seeconnectionalive.website:8080/ws" or url like "http://seeconnectionalive.website:8080/ws"
or domainname like "https://modgovindia.com/CDS_Directive_Armed_Forces.pdf" or siteurl like "https://modgovindia.com/CDS_Directive_Armed_Forces.pdf" or url like "https://modgovindia.com/CDS_Directive_Armed_Forces.pdf"
or domainname like "https://modgovindia.com/download.php?file=Gimpfile.txt" or siteurl like "https://modgovindia.com/download.php?file=Gimpfile.txt" or url like "https://modgovindia.com/download.php?file=Gimpfile.txt"
or domainname like "seemysitelive.store:8080" or siteurl like "seemysitelive.store:8080" or url like "seemysitelive.store:8080"
or domainname like "ws://seemysitelive.store:8080/ws" or siteurl like "ws://seemysitelive.store:8080/ws" or url like "ws://seemysitelive.store:8080/ws"
or domainname like "seeconnectionalive.website" or siteurl like "seeconnectionalive.website" or url like "seeconnectionalive.website"
or domainname like "http://seeconnectionalive.website:8080/login" or siteurl like "http://seeconnectionalive.website:8080/login" or url like "http://seeconnectionalive.website:8080/login"

Detection Query 2:
md5hash IN ("3563518ef8389c7c7ac2a80984a2c4cd","4c56fedd177108a8849cec423f020625")

Detection Query 3:
sha1hash IN ("6dda9056917355b487bc591a828cf85a7e7d577c","8c1638bfd93071eeb6b1244e4a9552866a688b19")

Detection Query 4:
sha256hash IN ("43715401531e0060827d3dcfd406add434829192051fe76d5ffdbb22602cc136","567dfbe825e155691329d74d015db339e1e6db73b704b3246b3f015ffd9f0b33")
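As an added example (not part of this advisory and not Gurucul's TDIR query engine), the following Python matches the indicators above against constructed proxy and file-scan log records. Where the queries match exact strings, it also normalises each request URL to its hostname, so a DeskRAT beacon to a different path on one of the listed hosts still fires; the log lines, source IPs and hostnames are made up.

```python
from urllib.parse import urlsplit
# Indicators copied from the advisory's IOC table.
IOC_URLS = {
    "http://newforsomething.rest:8080/ws",
    "http://seeconnectionalive.website:8080/login",
    "http://seeconnectionalive.website:8080/ws",
    "https://modgovindia.com/CDS",
    "https://modgovindia.com/CDS_Directive_Armed_Forces.pdf",
    "https://modgovindia.com/download.php?file=Gimpfile.txt",
    "ws://seemysitelive.store:8080/ws",
}
IOC_HASHES = {  # MD5, SHA-1 and SHA-256 values from the advisory
    "3563518ef8389c7c7ac2a80984a2c4cd", "4c56fedd177108a8849cec423f020625",
    "6dda9056917355b487bc591a828cf85a7e7d577c", "8c1638bfd93071eeb6b1244e4a9552866a688b19",
    "43715401531e0060827d3dcfd406add434829192051fe76d5ffdbb22602cc136",
    "567dfbe825e155691329d74d015db339e1e6db73b704b3246b3f015ffd9f0b33",
}
def host_of(url):
    """Hostname without scheme or port, lower-cased ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()

IOC_HOSTS = {host_of(u) for u in IOC_URLS}  # equals the four listed domains

# Constructed sample records (key=value pairs); IPs and hostnames are made up.
SAMPLE_LOG = [
    "ts=2025-10-27T09:00:01Z src=10.0.0.5 url=https://modgovindia.com/download.php?file=Gimpfile.txt",
    "ts=2025-10-27T09:00:07Z src=10.0.0.5 url=ws://seemysitelive.store:8080/ws",
    "ts=2025-10-27T09:00:09Z src=10.0.0.5 url=https://modgovindia.com/other/path",
    "ts=2025-10-27T09:01:00Z src=10.0.0.9 url=https://example.org/index.html",
    "ts=2025-10-27T09:02:00Z host=lx01 file=/tmp/x.desktop sha256=43715401531e0060827d3dcfd406add434829192051fe76d5ffdbb22602cc136",
]

def match_url(url):
    """'url' for an exact listed URL, 'host' for any path on a listed host, else None."""
    if url in IOC_URLS:
        return "url"
    return "host" if host_of(url) in IOC_HOSTS else None

def scan(lines):
    """Return [(line_no, reason)] for every record that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        kind = match_url(fields["url"]) if "url" in fields else None
        if kind:
            hits.append((n, kind))
        for key in ("md5", "sha1", "sha256"):  # hash fields are compared case-insensitively
            if fields.get(key, "").lower() in IOC_HASHES:
                hits.append((n, key))
    return hits
```

Running `scan(SAMPLE_LOG)` flags records 1 and 2 as exact URL matches, record 3 as a host match on modgovindia.com, and record 5 on its SHA-256; the benign example.org request is not reported.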
Reference:
https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/
https://otx.alienvault.com/pulse/68faa2fc3b968f29851e7255