Pakistan-Affiliated Hackers Deploy New Linux Malware in Indian Government Cyber Espionage Campaign

Sophisticated Cyber Espionage Campaign Targets Indian Government

Security researchers have uncovered a sophisticated cyber-espionage campaign targeting Indian government entities running Linux systems, according to a new report from threat intelligence firm Sekoia.io. The operation, which began in June 2025, primarily targets systems running the Bharat Operating System Solutions (BOSS) Linux distribution endorsed by the Indian government.

Sophisticated Cyber Espionage Campaign Targets Indian Government
Pakistan-Linked Hacking Group Behind Attacks
New DeskRAT Malware Deployed
Sophisticated Phishing Tactics
Advanced Command Infrastructure
Defensive Recommendations

Pakistan-Linked Hacking Group Behind Attacks

The campaign has been attributed to the Pakistan-based hacking group TransparentTribe, also known as APT36, sources indicate. This group has been active since at least 2013 and is known to conduct espionage aligned with Pakistan’s military and strategic objectives, according to security analysts. The current operation represents an evolution in the group’s tactics and malware capabilities.

New DeskRAT Malware Deployed

Researchers identified a new remote access tool called “DeskRAT” being used in the campaign. Unlike earlier TransparentTribe operations that relied on legitimate cloud storage services, this campaign uses dedicated staging servers to distribute malware. The final payload is a Golang-based remote access Trojan capable of multiple surveillance functions, the report states.

Security analysts noted that the malware’s code included functions suggesting possible use of large language models (LLMs) in its development. “The widespread use of LLMs by attackers compresses malware development cycles, such as RATs and C2, creating a time imbalance where attackers can deploy faster than researchers can manually reverse and detect,” the Sekoia team warned in their report.

Sophisticated Phishing Tactics

The campaign employs carefully crafted phishing emails containing malicious ZIP archives with deceptive documents referencing Indian defense matters and regional unrest. Researchers believe the operation coincided with protests in Ladakh and New Delhi in August and September 2025, which were used as lures to increase the likelihood of successful phishing attempts., according to industry reports

Once opened, the infected file executes a Bash command sequence that downloads, decodes and runs the binary payload before displaying a decoy PDF to the user. These decoy PDFs referenced real defense-related communications and government directives, analysts suggest.

Advanced Command Infrastructure

Researchers observed a new, sophisticated command interface used by operators to manage compromised systems. Its dashboard allows real-time monitoring, file collection and remote access across infected hosts, indicating significant advancement in the group’s operational capabilities., according to recent developments

The findings suggest a continued focus on Linux environments and a trend toward purpose-built malware and infrastructure among state-aligned threat groups. Security analysts assess with high confidence that this campaign seeks to collect intelligence from Indian military and government networks during periods of political tension between the neighboring countries.

Defensive Recommendations

Security researchers emphasize the need for defenders to adapt to the changing threat landscape. “It’s a clear indication that the defender needs to adapt and leverage LLM for those tasks,” the Sekoia team noted in their assessment. The campaign highlights the ongoing cyber tensions between India and Pakistan and the increasing sophistication of state-aligned hacking groups targeting government infrastructure.