{
	"id": "06070d11-c540-4531-aba2-ae310bb8811f",
	"created_at": "2026-04-06T00:11:26.988485Z",
	"updated_at": "2026-04-10T03:36:50.107201Z",
	"deleted_at": null,
	"sha1_hash": "80f3c75cdb57bc409e4cc9d5370d922f40862d0d",
	"title": "Sindoor Dropper: New Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 614802,
	"plain_text": "Sindoor Dropper: New Phishing Campaign\r\nBy Pierre-Henri Pezier\r\nPublished: 2026-03-30 · Archived: 2026-04-05 21:22:28 UTC\r\nOur analysis uncovered a phishing campaign targeting organizations in India, leveraging spear-phishing techniques reminiscent of Operation Sindoor. What makes this activity stand out is the use of a Linux-focused infection method that relies on weaponized .desktop files. This technique has been linked to APT36 (aka Transparent Tribe, Mythic Leopard, G0134) in the past, suggesting the same group may be behind the campaign while also adapting its methods.\r\nWhen opened, these .desktop files trigger a heavily obfuscated execution chain built to evade both static and dynamic detection. The chain ultimately delivers a MeshAgent payload, which gives the attacker full remote access to the system. This access includes the ability to monitor activity, move laterally, and potentially exfiltrate data.\r\nThe campaign highlights an evolution in regional threat actor tradecraft, particularly in its targeting of Linux environments, which have historically received less attention from phishing operators. By combining localized spear-phishing lures with advanced obfuscation techniques, the adversaries increase their chances of bypassing defenses and gaining footholds in sensitive networks.\r\nThis report provides a technical breakdown of the payload delivery campaign, along with indicators of compromise (IOCs) and recommendations for mitigation.\r\nAt the time this article was written, the initial payload was not flagged by any antivirus vendors on VirusTotal.\r\nSmuggling\r\nThe malicious .desktop file is crafted to appear harmless by masquerading as a legitimate document. On the victim’s desktop, it displays an icon resembling a PDF file (image below), luring the user into executing it.\r\nUpon launch, the file opens a benign-looking decoy PDF (image below) to reinforce the illusion of legitimacy.\r\nWhile the user is focused on the opened document, a background process silently runs the obfuscated routines that initiate the deployment chain, ultimately installing the MeshAgent payload. This approach blends social engineering with stealth, hiding malicious activity behind what appears to be a harmless file.\r\nhttps://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/\r\nPage 1 of 7\r\nBy using a .desktop file, the attacker can place executable files on the victim’s system without needing elevated privileges (chmod).\r\nTechnical Analysis\r\nInfection Chain Overview\r\nTo better illustrate the complexity of this execution chain, the following schema outlines the infection process from the initial .desktop file launch to the final MeshAgent deployment.\r\nProcess Analysis\r\nThe original desktop file downloads the decoy document, a corrupted decryptor, and an encrypted downloader.\r\nFile name | sha256 | URL\r\nNote_Warfare_Ops_Sindoor.pdf.desktop | 9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59 | N/A\r\n/tmp/Note_Warfare.pdf | ba5b485552ab775ce3116d9d5fa17f88452c1ae60118902e7f669fd6390eae97 | https://docs.google[.]com/ export=download\u0026id=1fz\r\nmayuw | 6879a2b730e391964afe4dbbc29667844ba0c29239be5503b7c86e59e7052443 | https://drive.google[.]com export=download\u0026id=1M\r\nshjdfhd | 6b1420193a0ff96e3a19e887683535ab6654b2773a1899c2ab113739730924a1 | https://drive.google[.]com export=download\u0026id=190\r\nThe decryptor is a Go binary packed using UPX. To avoid detection, this binary has its ELF magic bytes stripped off, which appears to be necessary to evade scanning by the Google Docs platform. The magic bytes are restored on the fly by the .desktop file to make it executable again:\r\nprintf '\\x7FELF' | dd of=mayuw bs=1 count=4 conv=notrunc\r\nThis decryptor is responsible for AES decryption and execution of the payload. There is also an option to use DES instead of AES:\r\nThe decryption process is straightforward and can be achieved with the following command line:\r\n./mayuw -f shjdfhd -d 'NIC0fficialDB_Auth' \u0026\u0026 rm -r mayuw \u0026\u0026 ./shjdfhd\r\nOnce decrypted, the second-stage payload is a UPX-packed Go dropper that drops another decryptor along with another AES-encrypted payload (with the password WOrkiNgtoDesksSS8123whyme?youseethis).\r\nThe dropper contains basic anti-VM tricks:\r\n1. The process checks that every value in /sys/class/dmi/id/board_name, /sys/class/dmi/id/bios_vendor, /sys/class/dmi/id/board_vendor, /sys/class/dmi/id/sys_vendor, and /sys/class/dmi/id/product_name does not match any of the following values: VBOX_QEMU, QEMU, KVM_XEN, XEN.\r\n2. The following MAC address prefixes are blacklisted:\r\n   00:05:69\r\n   00:0c:29\r\n   00:1c:14\r\n   00:50:56\r\n   08:00:27\r\n   00:15\r\n3. It attempts to execute the following processes to check if it is inside a VM:\r\n   vboxservice\r\n   vboxtray\r\n   vmtoolsd\r\n   vmwaretray\r\n   xenservice\r\n4. The dropper checks that /etc/os-release does not contain any of the following values: boss, vbox, qemu, KVM_, XEN_.\r\n5. The machine’s uptime must be over 10 minutes to continue execution.\r\nAll strings are obfuscated using a combination of Base64 encoding and DES-CBC encryption:\r\nThe process repeats with another download and decryption stage, this time using the password WOrkiNgtoDesksSS8123:\r\nFile name | sha256 | URL\r\naccess | 231957a5b5b834f88925a1922dba8b4238cf13b0e92c17851a83f40931f264c1 | https://drive.google[.]com/uc?export=download\u0026id=1g1AgwMnUTEV1HHmQkcH-eTww3w8et82m\r\ninter_ddns | a6aa76cf3f25c768cc6ddcf32a86e5fcf4d8dd95298240c232942ce5e08709ec | https://drive.google[.]com/uc?export=download\u0026id=1UFD10tcoPJZIBpF4hcz6orM1C\r\nThe decryption process concludes with the deployment of the final payload, a MeshAgent.\r\nMesh Agent\r\nThe final payload delivered by the Sindoor dropper is a MeshAgent binary, a legitimate remote administration tool that has been repurposed for malicious use. MeshAgent provides the attacker with full remote access to the compromised system, enabling a wide range of post-exploitation activities such as activity monitoring, lateral movement, data exfiltration, and persistent access.\r\nFile name | sha256 | URL\r\nserver2 | b46889ed27b69b94fb741b4d03be7c91986ac08269f9d7c37d1c13ea711f6389 | https://drive.google[.]com/uc?export=download\u0026id=1ygXFO_RLAfvjfBS1go5qWX93o7\r\nserver2 | 05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8 | N/A\r\nOnce executed, the MeshAgent connects to its command and control (C2) server at:\r\nwss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx\r\nAll observed subdomains under indianbosssystems.ddns[.]net resolve to the IP address 54.144.107.42. Analysis indicates that this command-and-control (C2) infrastructure is hosted on an Amazon Web Services (AWS) EC2 instance. According to registration records from validin.com, these subdomains were all registered on 2025-08-15, suggesting a coordinated setup of the infrastructure immediately prior to the campaign’s activity.\r\nThis connection allows the attacker to issue commands, transfer files, and maintain persistence on the infected host. The use of a legitimate tool like MeshAgent complicates detection and response, as its functionality overlaps with legitimate remote administration.\r\nIOCs\r\nIn the following section, we provide Indicators of Compromise (IOCs) and detection rules for the Sindoor dropper campaign. Security teams and incident responders can use them to help spot potential infections in their environments. The list includes file hashes, filenames, and YARA rules designed to detect the obfuscation methods and payload delivery techniques observed in this campaign.\r\nOrganizations are encouraged to monitor for these IOCs in their security solutions, SIEMs, and endpoint detection platforms. Regularly updating detection signatures and correlating these indicators with network and host activity can help to identify and contain infections at an early stage.\r\nSha-256 of the decrypted and unpacked samples\r\nFile name | sha256 | Description\r\naccess | 231957a5b5b834f88925a1922dba8b4238cf13b0e92c17851a83f40931f264c1 | AES decryptor\r\nmayuw | 9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b | AES decryptor\r\nshjdfhd | 0f4ef1da435d5d64ccc21b4c2a6967b240c2928b297086878b3dcb3e9c87aa23 | Stage2 downloader\r\ninter_ddns | 38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4 | Stage3 downloader\r\nserver2 | 05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8 | MeshAgent\r\nFiles\r\nmayuw\r\nshjdfhd\r\ninter_ddns\r\nNote_Warfare_Ops_Sindoor.pdf.desktop\r\n/tmp/Note_Warfare.pdf\r\nYARA\r\nrule SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25 {\r\n    meta:\r\n        description = \"Detects ELF obfuscation technique used by Sindoor dropper related to APT 36\"\r\n        author = \"Pezier Pierre-Henri\"\r\n        date = \"2025-08-29\"\r\n        score = 70\r\n        reference = \"Internal Research\"\r\n        hash = \"6879a2b730e391964afe4dbbc29667844ba0c29239be5503b7c86e59e7052443\"\r\n    strings:\r\n        $s1 = \"UPX!\"\r\n    condition:\r\n        filesize \u003c 10MB\r\n        and uint16(0) == 0\r\n        and uint16(4) \u003e 0\r\n        and $s1 in (0xc0..0x100)\r\n}\r\nrule SUSP_LNX_Sindoor_DesktopFile_Aug25 {\r\n    meta:\r\n        description = \"Detects ELF obfuscation technique used by Sindoor dropper related to APT 36\"\r\n        author = \"Pezier Pierre-Henri\"\r\n        date = \"2025-08-29\"\r\n        score = 70\r\n        reference = \"Internal Research\"\r\n        hash = \"9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59\"\r\n    strings:\r\n        $hdr = \"[Desktop Entry]\"\r\n        $s1 = \"printf '\\\\\\\\x7FELF' | dd of\"\r\n        $s2 = \"Future_Note_Warfare_OpSindoor.pdf\"\r\n    condition:\r\n        filesize \u003c 100KB\r\n        and $hdr\r\n        and any of ($s*)\r\n}\r\nrule MAL_Sindoor_Decryptor_Aug25 {\r\n    meta:\r\n        description = \"Detects AES decryptor used by Sindoor dropper related to APT 36\"\r\n        author = \"Pezier Pierre-Henri\"\r\n        date = \"2025-08-29\"\r\n        score = 80\r\n        reference = \"Internal Research\"\r\n        hash = \"9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b\"\r\n    strings:\r\n        $s1 = \"Go build\"\r\n        $s2 = \"main.rc4EncryptDecrypt\"\r\n        $s3 = \"main.processFile\"\r\n        $s4 = \"main.deriveKeyAES\"\r\n        $s5 = \"use RC4 instead of AES\"\r\n    condition:\r\n        filesize \u003c 100MB\r\n        and (\r\n            uint16(0) == 0x5a4d // Windows\r\n            or uint32be(0) == 0x7f454c46 // Linux\r\n            or (uint32be(0) == 0xcafebabe and uint32be(4) \u003c 0x20) // Universal mach-O App with dont-match-java-c\r\n            or uint32(0) == 0xfeedface // 32-bit mach-O\r\n            or uint32(0) == 0xfeedfacf // 64-bit mach-O\r\n        )\r\n        and all of them\r\n}\r\nrule MAL_Sindoor_Downloader_Aug25 {\r\n    meta:\r\n        description = \"Detects Sindoor downloader related to APT 36\"\r\n        author = \"Pezier Pierre-Henri\"\r\n        date = \"2025-08-29\"\r\n        score = 80\r\n        reference = \"Internal Research\"\r\n        hash = \"38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4\"\r\n    strings:\r\n        $s1 = \"Go build\"\r\n        $s2 = \"main.downloadFile.deferwrap\"\r\n        $s3 = \"main.decrypt\"\r\n        $s4 = \"main.HiddenHome\"\r\n        $s5 = \"main.RealCheck\"\r\n    condition:\r\n        filesize \u003c 100MB\r\n        and (\r\n            uint16(0) == 0x5a4d // Windows\r\n            or uint32be(0) == 0x7f454c46 // Linux\r\n            or (uint32be(0) == 0xcafebabe and uint32be(4) \u003c 0x20) // Universal mach-O App with dont-match-java-c\r\n            or uint32(0) == 0xfeedface // 32-bit mach-O\r\n            or uint32(0) == 0xfeedfacf // 64-bit mach-O\r\n        )\r\n        and all of them\r\n}\r\nAppendices\r\nModule decryption:\r\nimport base64\r\nimport pathlib\r\nimport re\r\nimport sys\r\nimport tempfile\r\nimport zlib\r\n\r\nimport magic\r\n\r\ntry:\r\n    data = pathlib.Path(sys.argv[1]).read_bytes()\r\nexcept IndexError:\r\n    print(\"Usage: python decrypt_mesh_modules.py \u003cpath_to_encrypted_file\u003e\")\r\n    sys.exit(1)\r\n\r\ndef decode_module_data(encoded_str: str) -\u003e str:\r\n    # Each embedded module is Base64-encoded and may be zlib-compressed more than once\r\n    data = base64.b64decode(encoded_str)\r\n    while magic.from_buffer(data) == \"zlib compressed data\":\r\n        data = zlib.decompress(data)\r\n    return data.decode()\r\n\r\nwith tempfile.TemporaryDirectory() as _tempdir:\r\n    #for module in re.findall(rb\"addCompressedModule.*?'(.*?').*Buffer.from\\('(.*?)'\\)\", data):\r\n    # Group 1 is the module name, group 2 the Base64 blob; the quotes stay outside both groups\r\n    for module_name, module_data in re.findall(rb\"addCompressedModule.*?'(.*?)'.*?'(.*?)'\", data):\r\n        module_name = module_name.decode()\r\n        print(\"Decoding module:\", module_name)\r\n        module_data = decode_module_data(module_data.decode())\r\n        pathlib.Path(_tempdir, module_name + '.js').write_text(module_data)\r\n    input(f\"Data saved to {_tempdir}. Press a key to delete...\")\r\nAbout the author:\r\nPierre-Henri Pezier\r\nPierre‑Henri Pezier is an IT Security Engineer and Threat Researcher with over a decade of experience in offensive security, reverse engineering, malware analysis and secure software development. He began reverse-engineering software in the early 2010s, a passion that expanded into analyzing advanced threats, developing decryptors, and writing detection rules. With a background in both offensive and defensive security, Pierre‑Henri has worked on malware classification engines, sandbox environments, and EDR evasion techniques.\r\nSource: https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/"
	],
	"report_names": [
		"sindoor-dropper-new-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80f3c75cdb57bc409e4cc9d5370d922f40862d0d.pdf",
		"text": "https://archive.orkl.eu/80f3c75cdb57bc409e4cc9d5370d922f40862d0d.txt",
		"img": "https://archive.orkl.eu/80f3c75cdb57bc409e4cc9d5370d922f40862d0d.jpg"
	}
}