The Pakistani APT36 cyberspies are using Linux .desktop files to load malware in new attacks against government and defense entities in India.

The activity, documented in reports by CYFIRMA and CloudSEK , aims at data exfiltration and persistent espionage access. APT 36 has previously used .desktop files to load malware in targeted espionage operations in South Asia.

The attacks were first spotted on August 1, 2025, and based on the latest evidence, are still ongoing.

Desktop file abuse

Although the attacks described in the two reports use different infrastructure and samples (based on hashes), the techniques, tactics and procedures (TTPs), attack chains, and apparent goals are the same.

Victims receive ZIP archives through phishing emails containing a malicious .desktop file di

See Full Page