APT36 Launches Golang-Based DeskRAT Malware Attack on Indian Government

Targeted Cyber Attacks: DeskRAT Malware Campaign Unveiled

Overview of Recent Threat Activities

A new wave of cyber espionage is emerging, spearheaded by a threat actor linked to Pakistan that has been actively targeting Indian governmental bodies. These campaigns, primarily conducted through spear-phishing techniques, employ a Golang-based malware known as DeskRAT. Reports from Sekoia reveal that these operations have been ongoing since August 2025, implicating a state-sponsored group dubbed Transparent Tribe, or APT36, which has been operational since at least 2013.

The Mechanism Behind DeskRAT

The phishing tactic involves crafting emails that either include a ZIP file or a link leading to an archive hosted on recognized cloud services, such as Google Drive. Inside the ZIP file is a .desktop launcher file that executes malicious commands when opened. The launcher poses as a PDF titled “CDS_Directive_Armed_Forces.pdf”: it opens a decoy document in Mozilla Firefox while simultaneously launching the malware payload.

An interesting aspect of DeskRAT’s functionality is its focus on BOSS (Bharat Operating System Solutions) Linux systems. The malware can establish a command-and-control (C2) connection using WebSockets, making it especially tricky to detect.

Persistence Mechanisms and Command Capabilities

DeskRAT offers a multifaceted approach to maintaining persistence on infected systems. It’s capable of setting up a systemd service, creating cron jobs, adding itself to the Linux autostart directory, and modifying the .bashrc file to trigger the trojan through a script. This arsenal enables the malware to endure reboots and system updates, posing an ongoing risk to cybersecurity.
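The lure-style launcher described earlier and the four persistence locations listed above are all things a Linux host audit can check. The following is an added example, not code from the article or from Sekoia: it parses .desktop files and flags launchers that look like documents but run commands, then audits the XDG autostart directory, .bashrc, user systemd units and a crontab listing for entries that execute from temp or non-standard hidden directories. The regexes, the sample home directory and the sample crontab are constructed assumptions, and the sample lure only borrows the PDF name the article reports.

```python
"""Added example, not code from the article or from Sekoia: a defender-side audit
of the Linux persistence locations the article lists for DeskRAT (XDG autostart,
.bashrc, user systemd units, cron) plus a check for .desktop launchers that pose
as PDFs. All paths, regexes and sample files are constructed assumptions."""
import re
import tempfile
from pathlib import Path

# Constructed heuristics; tune to your environment.
SHELL_EXEC = re.compile(r"\b(sh|bash|dash|zsh)\s+-c\b|&&|\|\||;")
TEMP_DIRS = re.compile(r"/tmp/|/dev/shm/|/var/tmp/")
# Hidden directory that is not one of the usual XDG directories.
HIDDEN_DIR = re.compile(r"/\.(?!config/|local/|cache/)[A-Za-z0-9_-]+/")
DOC_SUFFIX = re.compile(r"\.(pdf|docx?|xlsx?)\b", re.IGNORECASE)

# Constructed sample inputs (assumptions, not indicators from the article).
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/updatedb\n@reboot /tmp/.sysupd/agent\n"
LURE_DESKTOP = """[Desktop Entry]
Type=Application
Name=CDS_Directive_Armed_Forces.pdf
Exec=bash -c "firefox /tmp/CDS_Directive_Armed_Forces.pdf; /tmp/.sysupd/agent &"
Icon=application-pdf
"""


def odd_path(s: str) -> bool:
    """True if a command line references a temp dir or a non-standard hidden dir."""
    return bool(TEMP_DIRS.search(s) or HIDDEN_DIR.search(s))


def parse_desktop(text: str) -> dict:
    """Minimal parser for the [Desktop Entry] group of a .desktop file."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def desktop_findings(filename: str, text: str) -> list:
    """Flag a launcher that looks like a document but runs commands."""
    e = parse_desktop(text)
    exec_line = e.get("Exec", "")
    out = []
    if DOC_SUFFIX.search(filename) or DOC_SUFFIX.search(e.get("Name", "")):
        out.append("document-looking name on an executable launcher")
    if SHELL_EXEC.search(exec_line):
        out.append("Exec spawns a shell or chains commands")
    if odd_path(exec_line):
        out.append("Exec references a temp or hidden directory")
    return out


def files_in(directory: Path, pattern: str) -> list:
    """Sorted matching files, or nothing if the directory does not exist."""
    return sorted(directory.glob(pattern)) if directory.is_dir() else []


def audit_home(home: Path, crontab_text: str = "") -> dict:
    """Return {location: [findings]} for the persistence spots the article names.
    crontab_text is the output of `crontab -l`, passed in so the audit runs offline."""
    report = {}
    for f in files_in(home / ".config" / "autostart", "*.desktop"):
        hits = desktop_findings(f.name, f.read_text())
        if hits:
            report[f.relative_to(home).as_posix()] = hits
    bashrc = home / ".bashrc"
    if bashrc.exists():
        hits = [l.strip() for l in bashrc.read_text().splitlines()
                if not l.lstrip().startswith("#") and odd_path(l)]
        if hits:
            report[".bashrc"] = hits
    for f in files_in(home / ".config" / "systemd" / "user", "*.service"):
        hits = [l.strip() for l in f.read_text().splitlines()
                if l.startswith("ExecStart=") and odd_path(l)]
        if hits:
            report[f.relative_to(home).as_posix()] = hits
    hits = [l.strip() for l in crontab_text.splitlines()
            if l.strip() and not l.startswith("#") and odd_path(l)]
    if hits:
        report["crontab"] = hits
    return report


def build_sample_home() -> Path:
    """Constructed throw-away home: one benign autostart launcher, one lure-style
    launcher, a .bashrc hook and a user unit in a hidden directory (all invented)."""
    home = Path(tempfile.mkdtemp())
    auto = home / ".config" / "autostart"
    units = home / ".config" / "systemd" / "user"
    auto.mkdir(parents=True)
    units.mkdir(parents=True)
    (auto / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
    (auto / "CDS_Directive_Armed_Forces.pdf.desktop").write_text(LURE_DESKTOP)
    (home / ".bashrc").write_text(
        "alias ll='ls -l'\n[ -x ~/.sysupd/run.sh ] && ~/.sysupd/run.sh &\n")
    (units / "sysupd.service").write_text(
        "[Service]\nExecStart=%h/.sysupd/agent\n[Install]\nWantedBy=default.target\n")
    (units / "syncthing.service").write_text("[Service]\nExecStart=/usr/bin/syncthing\n")
    return home


if __name__ == "__main__":
    for loc, hits in audit_home(build_sample_home(), SAMPLE_CRONTAB).items():
        print(loc)
        for h in hits:
            print("   ", h)
```

Run against a real account by calling `audit_home(Path.home(), subprocess.check_output(["crontab", "-l"], text=True))`; system-wide units under /etc/systemd/system and /etc/cron.* need the same treatment with root privileges. The heuristics are deliberately broad (any shell wrapper or temp-directory path in a launcher), so expect some benign hits and review them rather than auto-remediating.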

Moreover, DeskRAT can execute five primary commands:

  1. Ping: Sends a JSON message along with a timestamp to the C2 server.
  2. Heartbeat: Transmits a status update containing heartbeat response and timestamp.
  3. Browse Files: Provides directory listings back to the attacker.
  4. Start Collection: Searches for files with certain extensions under 100 MB and sends them to the C2 server.
  5. Upload Execute: Downloads additional payloads and executes them.

Sekoia describes the C2 servers utilized as “stealth servers,” indicating they do not appear in publicly accessible NS records attached to the hosting domain—a strategy designed to evade detection.

Cross-Platform Focus and Other Variants

Recent analyses by QiAnXin XLab uncovered a cross-platform approach in the cyber operations conducted by Transparent Tribe. Specifically, the group has developed variants of the StealthServer for Windows, each showing enhanced anti-detection measures while retaining malicious functionalities. Over the past months, three different versions have been observed:

  • StealthServer Windows-V1: Implements anti-analysis techniques and establishes persistence through various Windows features.
  • StealthServer Windows-V2: Introduces further anti-debug protocols while maintaining the core functionalities.
  • StealthServer Windows-V3: Adopts WebSocket for communication, aligning it closely with the Linux-based DeskRAT.

The Linux variant of StealthServer showcases different command capabilities, including the ability to browse and upload specified files, suggesting a prior version of DeskRAT before its recent enhancements.

The Bigger Picture: Regional Cyber Threat Landscape

This increase in cyber activities corresponds with a broader trend of cyber espionage from South Asian threat actors. Other noteworthy campaigns include:

  • Bitter APT: Targeting military and electric power sectors in China and Pakistan through malicious Excel attachments exploiting CVE-2025-8088.
  • SideWinder: Operations against Southeast Asian maritime sectors, employing deceptive lures and credential-stealing portals.
  • OceanLotus: Attacks introducing the Havoc framework against government departments.
  • Mysterious Elephant: Sophisticated intrusion methods to access sensitive governmental communications across South Asia.

Evolving Tactics of Cyber Criminals

Notably, threat actors have begun exfiltrating sensitive communications, including messages from WhatsApp and related files, using specialized modules like Uplo Exfiltrator. They have also adopted tools such as ChromeStealer Exfiltrator to harvest crucial data from browsers, underscoring their commitment to evolving their malware arsenal.

Conclusion

The emergence of sophisticated malware campaigns such as DeskRAT calls for heightened vigilance and enhanced security measures. As these threats grow and adapt, individuals and organizations alike must remain proactive in safeguarding their digital environments from increasingly elaborate attack strategies.
