APT36 Hacks BOSS Linux to Spy on Indian Defense Data
Pakistan-linked threat actor APT36, also known as Transparent Tribe, has expanded its cyber-espionage operations to India's BOSS (Bharat Operating System Solutions) Linux systems. In a marked evolution of tactics, the group now runs phishing campaigns that deliver weaponized ZIP archives built for Linux desktops rather than relying solely on Windows-based attacks. The campaign targets government systems used by Indian defense personnel.
The attack begins with a phishing email carrying a ZIP archive named "Cyber-Security-Advisory.zip." Once the archive is extracted, a disguised .desktop launcher silently executes a malicious ELF binary named BOSS.elf. The malware, written in Go, performs system reconnaissance, captures screenshots, and maintains persistent communication with a command-and-control server at 101.99.92[.]182 on port 12520. Functions such as main.sendResponse handle exfiltration of the collected data, while routines such as junkcalc2 appear to be junk code added to hinder analysis and evade detection.
The behaviour maps to MITRE ATT&CK techniques such as Phishing (T1566), User Execution: Malicious File (T1204.002), System Information Discovery (T1082), Screen Capture (T1113), Non-Standard Port (T1571) and Exfiltration Over C2 Channel (T1041). Security teams should harden email gateways against archive attachments, block or alert on outbound connections to 101.99.92[.]182:12520, and deploy Linux-aware endpoint detection: in particular, alert on .desktop files arriving inside archives and on ELF executables launched from user-writable locations such as the Downloads directory.
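The delivery chain described above (a ZIP archive carrying a .desktop launcher whose Exec= line runs an ELF payload shipped in the same archive) is straightforward to detect at the mail gateway or on the endpoint before the user double-clicks anything. The following scanner is an added example written for this article, not code from the original report or from any named vendor. The archive it builds is constructed for testing: the member names come from the article, but the .desktop contents (the Icon, Terminal=false and the bash/chmod wrapper in Exec) and the fake ELF bytes are assumptions, not the real APT36 sample.

```python
"""Scan a ZIP archive for .desktop launchers that execute a bundled ELF binary.

Added example (not code from the original article). The sample archive and
the .desktop contents below are constructed for testing; they are not the
real APT36 artefacts, only a lookalike of the delivery chain described.
"""
import configparser
import io
import json
import posixpath
import zipfile

ELF_MAGIC = b"\x7fELF"
SHELL_INTERPRETERS = {"sh", "bash", "dash", "zsh"}


def build_sample_zip(include_launcher: bool = True) -> bytes:
    """Constructed lookalike of the lure archive (names from the article, contents assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Please read the attached advisory.\n")
        if include_launcher:
            # Assumed .desktop entry: runs a bundled ELF through a shell wrapper, no terminal.
            desktop = (
                "[Desktop Entry]\n"
                "Type=Application\n"
                "Name=Cyber-Security-Advisory\n"
                "Icon=application-pdf\n"
                "Terminal=false\n"
                "Exec=bash -c 'chmod +x ./BOSS.elf && ./BOSS.elf'\n"
            )
            zf.writestr("Cyber-Security-Advisory.desktop", desktop)
            # Minimal fake ELF payload: only the magic bytes matter to the scanner.
            zf.writestr("BOSS.elf", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)
    return buf.getvalue()


def parse_desktop_entry(text: str) -> dict:
    """Return the [Desktop Entry] group of a .desktop file as a dict (keys case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'Exec', 'Terminal' etc. exactly as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # not a valid desktop entry file
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def scan_archive(zip_bytes: bytes) -> list:
    """Flag .desktop members whose Exec= line launches an ELF bundled in the same archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        # Any member starting with the ELF magic is a candidate payload, whatever its name.
        elf_members = [n for n in members if zf.read(n)[:4] == ELF_MAGIC]
        for name in members:
            if not name.lower().endswith(".desktop"):
                continue
            entry = parse_desktop_entry(zf.read(name).decode("utf-8", "replace"))
            exec_line = entry.get("Exec", "")
            # Payloads referenced by file name anywhere in the Exec command line.
            launches = sorted(m for m in elf_members if posixpath.basename(m) in exec_line)
            reasons = ["desktop-launcher-in-archive"]
            if launches:
                reasons.append("exec-runs-bundled-elf")
            if entry.get("Terminal", "false").lower() == "false":
                reasons.append("silent-launcher")  # no terminal window, nothing for the user to see
            tokens = exec_line.split()
            if tokens and posixpath.basename(tokens[0]) in SHELL_INTERPRETERS:
                reasons.append("shell-wrapper")  # bash -c '...' hides the real command
            findings.append({"member": name, "exec": exec_line,
                             "launches": launches, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_archive(build_sample_zip()), indent=2))
```

A .desktop file inside an email attachment has almost no legitimate use, so the first reason alone is worth an alert; the combination of a bundled ELF, Terminal=false and a shell wrapper is the pattern to block outright. The scanner deliberately identifies payloads by ELF magic rather than by extension, because nothing forces an attacker to keep a .elf suffix.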
