{
	"id": "e171ea2c-6a04-463a-897c-ffecd289729f",
	"created_at": "2026-04-06T00:12:51.464925Z",
	"updated_at": "2026-04-10T13:11:59.831818Z",
	"deleted_at": null,
	"sha1_hash": "93fdb804218d8645c2336d4eaa8edcdff01f5ab8",
	"title": "Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 956417,
	"plain_text": "Cyber Espionage in India: Decoding APT-36's New Linux Malware\r\nCampaign\r\nBy Tejaswini Sandapolla\r\nPublished: 2023-04-17 · Archived: 2026-04-05 16:09:10 UTC\r\nThe Uptycs threat research team has discovered a new Linux malware, Poseidon, deployed by the APT-36 group,\r\nalso known as Transparent Tribe. This Pakistan-based advanced persistent threat group is notorious for targeting\r\nIndian government organizations, military personnel, and defense contractors.\r\nTransparent Tribe used the Kavach authentication tool as a cover to deliver the Poseidon payload. Kavach is a\r\ntwo-factor authentication (2FA) solution provided by the Indian government for secure access to their email\r\nservices. Transparent Tribe created a backdoored version of Kavach to target Linux users working for Indian\r\ngovernment agencies. When a user interacts with the malicious version of Kavach, the genuine login page is\r\ndisplayed to distract them. Meanwhile, the payload is downloaded in the background, compromising the user's\r\nsystem.\r\nPoseidon is a second-stage payload malware associated with Transparent Tribe. It is a general-purpose backdoor\r\nthat provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include\r\nlogging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the\r\nsystem in various ways. Primarily, Poseidon is distributed through malicious websites disguised as legitimate\r\nIndian government sites.\r\nUptycs research found that the malware infrastructure, such as malicious domains, is linked to earlier APT-36\r\ncampaigns. This highlights the group's continued focus on the aforementioned Indian targets. 
Repercussions of\r\nthis APT-36 attack could be significant, leading to loss of sensitive information, compromised systems, financial\r\nlosses, and reputational damage.\r\nMoreover, as the Transparent Tribe is thought to be state-sponsored, its activities could escalate tensions between\r\nnations, potentially resulting in retaliatory cyberattacks. This highlights the importance of implementing robust\r\ncybersecurity measures and remaining vigilant against the ever-evolving threat landscape.\r\nFAQs\r\nQ: What is APT-36 and who are its main targets?\r\nAPT-36, aka Transparent Tribe, primarily targets Indian government organizations, military personnel, and\r\ndefense contractors. Its objective is usually to gather sensitive information, conduct cyber espionage, and\r\ncompromise the security of its targets.\r\nQ: What are some previous APT-36 campaign examples?\r\nhttps://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware\r\nPage 1 of 11\n\nAPT-36 is known to have exploited various platforms, including Windows and Android. The bad actors often\r\ncreate fake websites and documents that mimic legitimate government entities or organizations. This can trick\r\ntargeted users into revealing their credentials or downloading malware onto their systems. It has also used custom-developed malware such as the Crimson RAT (remote access trojan) for cyber espionage.\r\nQ: How can organizations know if they are infected with Poseidon?\r\nOrganizations can determine if they are infected with Poseidon by looking for specific indicators of compromise\r\n(IOCs) associated with the malware campaign. 
Uptycs threat research team has provided a list of IOCs related to\r\nPoseidon.\r\nQ: How can users protect themselves from attacks by Transparent Tribe and other threat actors?\r\nUsers can protect themselves by following these best practices:\r\nBe cautious of unsolicited emails; verify the sender's authenticity before clicking on any links or opening\r\nattachments.\r\nRegularly update software and operating systems with the latest patches and security updates.\r\nEmploy strong, unique passwords; enable two-factor authentication where possible.\r\nUse reputable antivirus software and keep it up to date.\r\nBe vigilant when visiting websites; double-check the validity of URLs (e.g., spelling) before downloading\r\nfiles or entering sensitive information.\r\nQ: How does Uptycs XDR detect and protect against Poseidon malware?\r\nUptycs XDR (extended detection and response) protects against the Poseidon malware used in this APT-36\r\ncampaign. Uptycs uses advanced capabilities, including built-in YARA rules and contextual detections, to identify\r\nand analyze malware threats. By leveraging Uptycs XDR, your organization can effectively safeguard your\r\nsystems and data from APT-36 and other advanced threats.\r\nTechnical Analysis\r\nThe Uptycs threat research team has uncovered an ELF malware sample (MD5: c82bf2c50900b89b66e9f62d68c415ab). It’s a compiled Python executable (PyInstaller) of nearly 5 MB in size.\r\nUpon extraction, a possible entry point is at Kavach.pyc (Figure 1). Next we’ll decompile it to produce its source\r\ncode.\r\nFigure 1 – Extraction of .pyc files from PyInstaller executable\r\nAs seen in the Figure 2 Python code, the ELF file distracts the user by opening the legitimate Kavach login page\r\n(Figure 3). This is where 2FA is provided to Indian users wanting to access their government email service. 
But in\r\nthe background, a malicious “bosshelp” file is downloaded from hxxps://sharing1[.]filesharetalk.com/bosshelp to\r\nthe user’s ~/.local/share directory.\r\nFigure 2 – Decompiled Python code\r\nThis creates a crontab entry that periodically logs the victim machine's “loginname” to /dev/shm/mycron.\r\nFigure 3 – Legitimate Kavach login page to trick users\r\nLet's now examine the “bosshelp” second-stage payload.\r\nPayload 2\r\nThis payload (MD5: aeb3ad3426794d4e90de4d139e92ee4d) is a Golang ELF binary (Go version 1.17.8); it is an\r\nunsigned Poseidon payload from MythicAgents. Upon execution, it initiates the following check-in connection with\r\nC2:\r\n“Checkin” keyword\r\nProcess name\r\nOS\r\nPID\r\nIP Address\r\nHostname\r\nUUID\r\n“Amd64aring” keyword\r\n(The integrity level is 3 if the process is elevated; otherwise it’s level 2.)\r\nFigure 4 – C2 check-in\r\n1. The check-in data is encrypted with the RSA key pair generated by the GenerateRSAKeyPair() function.\r\n2. Then a 3b54bd24-92a5-4b91-ad15-de771a497372 UUID (assigned by Mythic during creation) is\r\nappended.\r\n3. The data is now sent to the Mythic C2 server at 70[.]34[.]214[.]252.\r\nThe C2 was offline during our analysis. But the binary contained a switch case (Figure 5) having a number of\r\ntasks (e.g., keylogging, injecting, screen capture, uploading/downloading files). 
Each task is associated with a\r\nTaskID shown in the following table.\r\nFigure 5 – Switch case to perform various tasks\r\nCOMMAND CODE (DECIMAL) TASK DESCRIPTION\r\n4 Shell Execute shell commands\r\n5 Screencapture_run Take a screenshot of victim’s desktop\r\n6 Keylog_Run Logging keystrokes\r\n7 Download Download file from remote system\r\n8 Upload Upload file to remote machine\r\n9 LibInject Inject a library\r\n10 Ps_run List processes running on machine\r\n11 Sleep_run Sleep time\r\n12 cat_run Read contents inside the file\r\n13 cd_run Change directory\r\n14 ls List contents inside the directory\r\n15 jxa_run Javascript for automation\r\n16 keys_run Retrieve keys from Kerberos keychain\r\n17 triagedirectory Search target directory\r\n18 sshauth Authenticate to host using username and password pair\r\n19 portscan Scan target for open ports\r\n20 main.getJoblisting Get list of current running jobs\r\n21 main.killJob Kill a process with given PID\r\n22 cp_run Copy a file\r\n23 drives_run List currently mounted drives along with their description\r\n24 getuser_run List information about current user\r\n25 mkdir Create directory\r\n26 mv Move a file\r\n27 pwd Print working directory\r\n28 rm Delete a file\r\n29 getenv Retrieve current environment variables\r\n30 setenv Set environment variables\r\n31 unsetenv Delete environment variable\r\n32 kill_run Kill process with given PID\r\n33 curl_run Execute curl command\r\n34 xpc_run Cross-process communication\r\n35 socks Support for SOCKS proxies\r\n36 listtask_run Get list of running tasks\r\n37 list_entitlements_Run List entitlements (permissions associated with a particular PID)\r\n38 Execute_memory Execute shellcode directly from memory\r\n39 jsimport_run Load specified javascript module\r\n43 dyld_inject_Run Inject dynamic library\r\nThis payload serves as an all-purpose backdoor. An attacker can use it to take control of an infected host, record\r\nkeystrokes, insert new stages, launch screen captures, or remotely monitor computers in a variety of ways using the\r\nabove commands.\r\nThreat Intelligence\r\nhxxps://sharing1[.]filesharetalk.com is the site from which the bosshelp Poseidon payload is downloaded (not to\r\nbe confused with the legitimate filesharingtalk[.]com domain). Its passive DNS resolution, 153.92.220.48, is\r\nlinked to APT-36.\r\nFigure 6 – DNS replication of sharing1[.]filesharetalk.com\r\nThe next table shows suspicious domains masquerading as various government sites hosted on the same IP\r\n(153.92.220.48). All were used in earlier APT-36 campaigns.\r\nSUSPICIOUS DOMAINS LEGIT DOMAINS OTHER AV DETECTIONS FOR SUSPICIOUS DOMAINS\r\ngovscholarships[.]in scholarships.gov.in 3\r\nkavach-app[.]in kavach.mail.gov.in 11\r\nsupremo-portal[.]in supremo.nic.in 6\r\nSimilar Campaigns\r\nMD5: 382285738bae358060011ad847e845d2 (Name: confirmationId_ksb) masquerades as the Kendriya Sainik\r\nBoard site, as seen in Figure 7.\r\nSuspicious site present in the malicious PyInstaller file: www[.]ksboard[.]in\r\nLegitimate site: ksb[.]gov[.]in.\r\nMD5: 02796a813b79928c95b2475798a14688 (Name: confirmationId_rodra) masquerades as RODRA (Retired\r\nOfficers Digital Records Archive), as seen in Figure 8.\r\nSuspicious site present in the malicious PyInstaller file: www[.]rodra[.]in.\r\nThe legitimate site is rodra[.]gov[.]in.\r\nFigure 7 – Decompiled Python code from malicious PyInstaller confirmationId_ksb\r\nFigure 8 – Decompiled 
Python code from malicious PyInstaller confirmationId_rodra\r\nConclusion\r\nTransparent Tribe is an APT group that targets users working within the Indian government. It has previously\r\nexecuted many payloads on Windows and Android. Now APT-36 has started targeting Linux users, too. Spoofed versions of sites such\r\nas Kavach, RODRA, and KSB were used in social engineering attacks to trick targeted users. Users should be\r\nextremely careful and double-check URLs before opening or downloading files.\r\nWe could see new features/advancements from this APT group in the future. The Uptycs threat research team\r\ncontinuously monitors related malware campaigns to safeguard our clients and inform the broader security\r\ncommunity.\r\nUptycs XDR Detection\r\nIn addition to having YARA built-in and being armed with other advanced detection capabilities, Uptycs XDR\r\nusers can easily scan for Poseidon. XDR contextual detection provides important details about identified malware.\r\nUsers can navigate to the toolkit data section in the detection alert, then click a detected item to reveal its profile\r\n(Figure 9).\r\nFigure 9 – Uptycs EDR detection\r\nIOC\r\nHashes\r\nFile Name MD5\r\nKavach c82bf2c50900b89b66e9f62d68c415ab\r\nconfirmationId_ksb 382285738bae358060011ad847e845d2\r\nconfirmationId_rodra 02796a813b79928c95b2475798a14688\r\nBosshelp aeb3ad3426794d4e90de4d139e92ee4d\r\nBossstart 21316422f8c7f0f3ab2b9a282cdacd03\r\nBosstype 7b163e400e481519d74e06c1116a5200\r\nKavachelf 9b64528352dd683e55eb308919a596fa\r\nURLS \u0026 IP\r\nsharing1[.]filesharetalk.com/bosshelp\r\nksboard[.]in\r\nrodra[.]in\r\ntt1[.]apktrial[.]com\r\n70[.]34[.]214[.]252\r\nSource: 
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware"
	],
	"report_names": [
		"cyber_espionage_in_india_decoding_apt_36_new_linux_malware"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93fdb804218d8645c2336d4eaa8edcdff01f5ab8.pdf",
		"text": "https://archive.orkl.eu/93fdb804218d8645c2336d4eaa8edcdff01f5ab8.txt",
		"img": "https://archive.orkl.eu/93fdb804218d8645c2336d4eaa8edcdff01f5ab8.jpg"
	}
}