A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.
The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025.
The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF (“CDS_Directive_Armed_Forces.pdf”) using Mozilla Firefox while simultaneously executing the main payload.
Both the artifacts are pulled from an external server “modgovindia[.]com” and executed. Like before, the campaign is designed to target BOSS (Bharat Operating System Solutions) Linux systems, with the remote access trojan capable of establishing command-and-control (C2) using WebSockets.
The malware supports four different methods for persistence, including creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory (“$HOME/.config/autostart”), and configuring .bashrc to launch the trojan by means of a shell script written to the “$HOME/.config/system-backup/” directory.
DeskRAT supports five different commands –
- ping, to send a JSON message with the current timestamp, along with “pong” to the C2 server
- heartbeat, to send a JSON message containing heartbeat_response and a timestamp
- browse_files, to send directory listings
- start_collection, to search and send files matching a predefined set of extensions and which are below 100 MB in size
- upload_execute, to drop an additional Python, shell, or desktop payload and execute it
“DeskRAT’s C2 servers are named as stealth servers,” the French cybersecurity company said. “In this context, a stealth server refers to a name server that does not appear in any publicly visible NS records for the associated domain.”
“While the initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now transitioned to using dedicated staging servers.”
The findings follow a report from QiAnXin XLab, which detailed the campaign’s targeting of Windows endpoints with a Golang backdoor it tracks as StealthServer through phishing emails containing booby-trapped Desktop file attachments, suggesting a cross-platform focus.
It’s worth noting that StealthServer for Windows comes in three variants –
- StealthServer Windows-V1 (Observed in July 2025), which employs several anti-analysis and anti-debug techniques to avoid detection; establishes persistence using scheduled tasks, a PowerShell script added to the Windows Startup folder, and Windows Registry changes; and uses TCP to communicate with the C2 server in order to enumerate files and upload/download specific files
- StealthServer Windows-V2 (Observed in late August 2025), which adds new anti‑debug checks for tools like OllyDbg, x64dbg, and IDA, while keeping the functionality intact
- StealthServer Windows-V3 (Observed in late August 2025), which uses WebSocket for communication and has the same functionality as DeskRAT
XLab said it also observed two Linux variants of StealthServer, one of which is DeskRAT with support for an extra command called “welcome.” The second Linux version, on the other hand, uses HTTP for C2 communications instead of WebSocket. It features three commands –
- browse, to enumerate files under a specified directory
- upload, to upload a specified file
- execute, to execute a bash command
It also recursively searches for files matching a set of extensions right from the root directory (“/”) and then transmits them as it encounters them in an encrypted format via a HTTP POST request to “modgovindia[.]space:4000.” This indicates the Linux variant could have been an earlier iteration of DeskRAT, since the latter features a dedicated “start_collection” command to exfiltrate files.
“The group’s operations are frequent and characterized by a wide variety of tools, numerous variants, and a high delivery cadence,” QiAnXin XLab said.
Attacks from Other South and East Asian Threat Clusters
The development comes amid the discovery of various campaigns orchestrated by South Asia-focused threat actors in recent weeks –
- A phishing campaign undertaken by Bitter APT targeting government, electric power, and military sectors in China and Pakistan with malicious Microsoft Excel attachments or RAR archives that exploit CVE-2025-8088 to ultimately drop a C# implant named “cayote.log” that can gather system information and run arbitrary executables received from an attacker-controlled server.
- A new wave of targeted activity undertaken by SideWinder targeting the maritime sector and other verticals in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar with credential-harvesting portals and weaponized lure documents that deliver multi-platform malware as part of a “concentrated” campaign codenamed Operation SouthNet.
- An attack campaign undertaken by a Vietnam-aligned hacking group known as OceanLotus (aka APT-Q-31) that delivers the Havoc post-exploitation framework in attacks targeting enterprises and government departments in China and neighboring Southeast Asian countries.
- An attack campaign undertaken by Mysterious Elephant (aka APT-K-47) in early 2025 that uses a combination of exploit kits, phishing emails, and malicious documents to gain initial access to target government entities and foreign affairs sectors in Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka using a PowerShell script that drops BabShell (a C++ reverse shell), which then launches MemLoader HidenDesk (a loader that executes a Remcos RAT payload in memory) and MemLoader Edge (another malicious loader that embeds VRat, a variant of the open-source RAT vxRat).
Notably, these intrusions have also focused on exfiltrating WhatsApp communications from compromised hosts using a number of modules – viz., Uplo Exfiltrator and Stom Exfiltrator – that are devoted to capturing various files exchanged through the popular messaging platform.
Another tool used by the threat actor is ChromeStealer Exfiltrator, which, as the name implies, is capable of harvesting cookies, tokens, and other sensitive information from Google Chrome, as well as siphon files related to WhatsApp.
The disclosure paints a picture of a hacking group that has evolved beyond relying on tools from other threat actors into a sophisticated threat operation, wielding its own arsenal of custom malware. The adversary is known to share tactical overlaps with Origami Elephant, Confucius, and SideWinder, all of which are assessed to be operating with Indian interests in mind.
“Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region,” Kaspesky said. “The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.”
