Summary Points
- A Pakistan-linked threat actor, Transparent Tribe (APT36), targeted Indian government entities in 2025 with spear-phishing emails carrying ZIP attachments or links to cloud-hosted archives, delivering a Go-based implant called DeskRAT that gives the operators remote command execution and persistence on Linux hosts.
- DeskRAT sets up several persistence mechanisms in parallel and lets the operator run tasks such as file browsing, data exfiltration and payload execution; its command-and-control hosting moved from public cloud services to dedicated servers in an effort to evade detection.
- The same campaign fielded Windows variants of StealthServer with anti-debugging and anti-analysis checks, and Linux variants exposing file-management and execution commands, showing the toolset being maintained across both platforms.
- These developments are part of broader regional cyber activity, involving sophisticated threat groups like Bitter APT, SideWinder, OceanLotus, and Mysterious Elephant, targeting governments, critical infrastructure, and exfiltrating sensitive communications including WhatsApp data.
The Issue
In 2025, Pakistan-linked actors, specifically the group known as Transparent Tribe (APT36), launched a series of targeted spear-phishing attacks against Indian government agencies, aiming to get a foothold in their networks with a new implant called DeskRAT, written in Go. The operators sent deceptive emails with ZIP attachments or links to cloud-hosted archives that, once opened, displayed a decoy PDF while executing the malicious payload in the background. The payload targets Bharat Operating System Solutions (BOSS) Linux systems and establishes persistent remote access through several routes (systemd services, cron jobs and auto-start directories) so that one removal does not end the intrusion, then exfiltrates data over a covert command-and-control channel. That channel was deliberately obscured: the group shifted from public platforms such as Google Drive to dedicated command servers to evade detection. The reporting, from the cybersecurity firm Sekoia, highlights the group's use of multiple command structures and adaptable techniques across both Linux and Windows environments, against a broader regional pattern of cyber-espionage campaigns aimed at critical sectors in South and Southeast Asia.
The reporting points to a worrying evolution in the threat landscape: a capable collective deploying custom malware and layered persistence mechanisms at a high operational tempo, with initial access obtained through social engineering rather than through any software vulnerability described in the reporting. Parallel campaigns from other regional groups, such as Bitter APT, SideWinder, OceanLotus and Mysterious Elephant, have similarly targeted government agencies, military infrastructure and private enterprises across China, Pakistan, Myanmar and neighbouring nations, often to steal sensitive communications, credentials and reconnaissance data such as WhatsApp messages and Chrome cookies. Taken together, these operations show a trend of state-sponsored, cross-platform espionage and underline the rising sophistication and geopolitical stakes of cyber threats in the region.
Risks Involved
The campaign reported as 'APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign' illustrates an exposure that is not specific to governments: any organisation, including your business, can be targeted by malware delivered through a convincing phishing lure rather than through an exploit. Go-based implants are attractive to such actors because a single codebase cross-compiles into statically linked binaries for Linux and Windows, and signature-based controls tuned to common Windows malware families do not necessarily flag them, so the intruder can quietly establish persistence, exfiltrate confidential information, or disable key systems. If your business becomes a target, the consequences range from intellectual-property theft and financial loss to reputational damage and loss of customer trust, any of which can impair future growth and stability. Understanding how this delivery and persistence chain works, and layering defences against each stage of it, is therefore essential to safeguarding your assets and keeping operations resilient.
Possible Next Steps
In the rapidly evolving cybersecurity landscape, prompt remediation of threats such as the ‘APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign’ is critical to prevent extensive damage, data breaches, and operational disruptions. Swift action not only curtails the threat actor’s window of opportunity but also reinforces an organization’s resilience against future attacks.
Detection & Analysis
- Implement continuous monitoring that covers the persistence points this campaign uses: alert on newly created systemd units, cron entries and auto-start files, and on outbound connections from user workstations to unfamiliar dedicated servers.
- Conduct forensic analysis of the delivery chain (the ZIP archive or cloud download, the decoy PDF and the dropped binary) to establish the infiltration vector and the implant's capabilities.
- Employ threat intelligence to track the actor's tactics, techniques and procedures (TTPs), including changes in command-and-control hosting.
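As an added example, not code from the page or from Sekoia's reporting, the following Python script hunts the three Linux persistence locations named in the description above: systemd units, crontabs and XDG autostart .desktop files. It parses each artifact, extracts the program the entry launches (unwrapping a `sh -c '...'` wrapper), and flags launchers that point into a user-writable directory or a dot-directory. The sample artifacts, file names and the directory heuristic are constructed for this example and are not DeskRAT indicators.

```python
"""Hunt the Linux persistence locations named above: systemd units, cron
entries and XDG autostart .desktop files whose launcher points into a
user-writable or hidden directory. Samples are constructed for this example."""
import re
import shlex
from pathlib import Path

# Example heuristic: a program under one of these prefixes, or inside any
# dot-directory, is worth a manual look. Not an indicator from the report.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed sample artifacts, keyed by the path they would have on a host.
SAMPLE_ARTIFACTS = {
    "/etc/systemd/system/cups-helper.service": (
        "[Unit]\nDescription=Printing helper\n[Service]\n"
        "ExecStart=/bin/sh -c '/home/user/.local/share/cups/updater'\n"
        "Restart=always\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "/var/spool/cron/crontabs/user": (
        "SHELL=/bin/bash\n# m h dom mon dow command\n"
        "@reboot /tmp/.X11-unix/.x11 &\n*/5 * * * * /usr/bin/backup.sh\n"
    ),
    "/etc/cron.d/sysupdate": "0 * * * * root /var/tmp/.cache/sync\n",
    "/home/user/.config/autostart/update.desktop": (
        "[Desktop Entry]\nType=Application\nName=Update\n"
        "Exec=/home/user/.config/.updater/run\nHidden=false\n"
    ),
}


def program_from_exec(exec_line):
    """Program path from an Exec/ExecStart value, unwrapping `sh -c '...'`."""
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: fall back to the raw text
        return exec_line.strip()
    if len(argv) >= 3 and argv[0].endswith("sh") and argv[1] == "-c":
        return program_from_exec(argv[2])
    return argv[0] if argv else ""


def parse_systemd_unit(text):
    """All ExecStart= values in a unit file."""
    return [m.group(1).strip() for m in re.finditer(r"^ExecStart=(.+)$", text, re.M)]


def parse_desktop_entry(text):
    """All Exec= values in an XDG .desktop file."""
    return [m.group(1).strip() for m in re.finditer(r"^Exec=(.+)$", text, re.M)]


def parse_crontab(text, system=False):
    """Commands from a crontab. System crontabs (/etc/crontab, /etc/cron.d)
    carry a user column before the command; @reboot-style specials are handled."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or VAR=value
        if line.startswith("@"):
            parts = line.split(None, 1 + int(system))  # @special [user] command
            need = 2 + int(system)
        else:
            parts = line.split(None, 5 + int(system))  # m h dom mon dow [user] command
            need = 6 + int(system)
        if len(parts) == need:
            commands.append(parts[-1])
    return commands


def is_suspicious(program):
    """True if the program sits under a user-writable prefix or a dot-directory."""
    if not program:
        return False
    in_hidden_dir = any(p.startswith(".") for p in Path(program).parts[:-1])
    return program.startswith(SUSPICIOUS_PREFIXES) or in_hidden_dir


def scan(artifacts):
    """artifacts: {path: content}. Returns [(path, program)] for flagged launchers."""
    hits = []
    for path, content in artifacts.items():
        suffix = Path(path).suffix
        if suffix == ".service":
            commands = parse_systemd_unit(content)
        elif suffix == ".desktop":
            commands = parse_desktop_entry(content)
        else:
            commands = parse_crontab(content, system=path.startswith("/etc/cron"))
        for command in commands:
            program = program_from_exec(command)
            if is_suspicious(program):
                hits.append((path, program))
    return hits


def scan_sample():
    """Run the hunt over the constructed samples; four of the five should hit."""
    return scan(SAMPLE_ARTIFACTS)
```

On a real host, populate the dictionary passed to `scan()` by reading the files under /etc/systemd/system, ~/.config/systemd/user, /etc/cron.d, /var/spool/cron/crontabs (root only), /etc/xdg/autostart and ~/.config/autostart. The heuristic is deliberately noisy: a legitimate user autostart entry that launches a tool installed under the home directory will also be flagged, which is the intended trade-off for a triage script rather than an alerting rule.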
Containment & Eradication
- Isolate affected systems immediately to prevent lateral movement.
- Remove the dropped binaries together with every persistence entry they created (systemd services, cron jobs and auto-start files), and block the delivery and command-and-control infrastructure at the network edge; the reporting describes no exploited vulnerability, so there is no single patch that ends the intrusion.
- Reset compromised credentials and disable accounts the actor created or abused.
Recovery & Restoration
- Reinstall or restore systems from trusted backups taken before the intrusion.
- Patch software and firmware as routine hygiene, while noting that the reported chain relies on a user opening a lure, so patching alone does not close the phishing route.
- Monitor restored systems for signs of re-infection, in particular the reappearance of persistence entries or of connections to the same command servers.
Prevention & Hardening
- Enforce strict access controls and multi-factor authentication.
- Update and patch all software regularly to mitigate known exploits, and restrict where code may execute (for example, mounting user-writable locations with noexec or applying application allow-listing) so a payload dropped by a lure cannot simply be run.
- Conduct employee cybersecurity awareness training that covers this campaign's lures: archive attachments and cloud-hosted download links that open a decoy document.
Policy & Coordination
- Review and strengthen incident response plans aligned with NIST CSF principles.
- Collaborate with national cybersecurity agencies for threat intelligence sharing.
- Conduct regular security audits and penetration testing to identify weak points.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary reference purposes only.
