Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor

Medium
Published: Fri Aug 01 2025 (08/01/2025, 12:31:23 UTC)
Source: AlienVault OTX General

Description

APT36, a Pakistan-linked threat group, has expanded its operations to target Indian government and civilian infrastructure, including railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing techniques and novel payload strategies, using .desktop files disguised as PDF documents to execute malicious scripts. Two attack variants were identified, utilizing single and redundant command and control server setups. The Poseidon backdoor, built on the Mythic framework, is deployed for persistent access and lateral movement. Over 100 phishing domains impersonating Indian government organizations were discovered, primarily hosted by AlexHost. The campaign, active since early July 2025, poses a significant threat to Indian public sector and critical infrastructure.

AI-Powered Analysis

Last updated: 08/01/2025, 12:47:45 UTC

Technical Analysis

The threat involves APT36, a Pakistan-linked advanced persistent threat group, targeting Indian government and civilian infrastructure sectors such as railways, oil & gas, and the Ministry of External Affairs. The group runs phishing campaigns that deliver .desktop files disguised as PDF documents; when a user opens the file, the launcher executes a malicious script, relying on user trust and social engineering rather than an exploit to get past security controls and start the payload. Two variants of the attack have been identified, differing in their command and control (C2) architecture: one uses a single C2 server, the other redundant C2 servers to improve resilience and persistence. The primary malware deployed is the Poseidon backdoor, built on the Mythic framework, a modular post-exploitation toolset. Poseidon provides persistent access, lateral movement within networks, credential theft, and data exfiltration. The campaign also involves over 100 phishing domains impersonating Indian government organizations, primarily hosted by AlexHost, which lend credibility to the lures and support credential harvesting or malware delivery. The campaign has been active since early July 2025 and represents a significant threat to Indian public sector entities and critical infrastructure. The attack techniques align with multiple MITRE ATT&CK tactics and techniques including phishing (T1566), execution via user execution (T1204), persistence (T1547), lateral movement (T1071), and defense evasion (T1070, T1027). The use of .desktop files as lures is novel and depends on Linux desktop environments, indicating targeting of Linux or Unix-like systems, which are common in infrastructure environments. With no known exploits in the wild, the threat relies on social engineering and custom malware deployment rather than on publicly known vulnerabilities.

Potential Impact

For European organizations, the direct impact of this specific campaign may be limited given the targeting focus on Indian infrastructure and government entities. However, the tactics and malware used by APT36, including the Poseidon backdoor and sophisticated phishing with desktop lures, represent a broader threat model that could be adapted against European critical infrastructure or government targets. The use of novel delivery mechanisms such as .desktop files disguised as PDFs could bypass traditional email security filters and endpoint protections if similar campaigns were launched in Europe. European organizations operating in sectors like energy, transportation, and government should be aware of the potential for similar threat actor tactics to be used against them. Additionally, the hosting provider AlexHost, used for phishing domains, may also host malicious infrastructure targeting European entities, warranting monitoring. The lateral movement and persistence capabilities of the Poseidon backdoor pose risks of prolonged undetected intrusions, data theft, and operational disruption if deployed successfully. The campaign underscores the need for vigilance against social engineering and the importance of securing Linux-based infrastructure components, which are prevalent in European critical sectors.

Mitigation Recommendations

1. Implement advanced email filtering and sandboxing solutions that can detect and block phishing emails containing deceptive .desktop files or other unusual attachments.
2. Educate users, especially those in critical infrastructure sectors, on the risks of opening unexpected attachments, particularly files with uncommon extensions like .desktop, even if they appear to be PDFs.
3. Enforce strict application whitelisting and execution policies on Linux and Unix-like systems to prevent unauthorized script execution from user directories or email downloads.
4. Monitor network traffic for unusual outbound connections, especially to known or suspicious C2 servers, and implement DNS filtering to block access to phishing domains impersonating government organizations.
5. Deploy endpoint detection and response (EDR) solutions capable of identifying behaviors associated with the Mythic framework and Poseidon backdoor, such as lateral movement, credential dumping, and persistence mechanisms.
6. Regularly audit and harden Linux-based infrastructure, ensuring timely patching and removal of unnecessary services to reduce attack surface.
7. Collaborate with hosting providers like AlexHost to identify and take down phishing domains used in such campaigns.
8. Conduct threat hunting exercises focused on detecting indicators of compromise related to APT36 tactics and Poseidon backdoor activity.
9. Implement multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft.
10. Establish incident response plans tailored to address advanced persistent threats targeting infrastructure and government sectors.
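Recommendations 1 and 3 call for spotting .desktop launchers that pose as PDFs. The following is an added example, not code from the report or from hunt.io: a small Python heuristic that parses the freedesktop Desktop Entry format and flags a launcher whose Name or Icon advertises a PDF while its Exec line hands control to a shell or script interpreter. The interpreter list, the PDF heuristics and both sample files are assumptions constructed for this example.

```python
import shlex

# Programs that, as the Exec target, mean the launcher is running a script (assumed list).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}

def parse_desktop_entry(text: str) -> dict:
    """Key/value pairs of the [Desktop Entry] group of a freedesktop launcher."""
    entry, in_main = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main = line == "[Desktop Entry]"   # ignore [Desktop Action ...] groups
            continue
        if in_main and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def claims_pdf(entry: dict) -> bool:
    """Name (any locale) ending in .pdf, or an icon that advertises a PDF."""
    names = [v for k, v in entry.items() if k.split("[")[0] in ("Name", "GenericName")]
    return any(n.lower().endswith(".pdf") for n in names) or "pdf" in entry.get("Icon", "").lower()

def exec_interpreter(entry: dict):
    """Basename of the Exec program if it is a shell/script interpreter, else None."""
    try:
        argv = shlex.split(entry.get("Exec", ""))
    except ValueError:            # unbalanced quotes: fall back to a whitespace split
        argv = entry.get("Exec", "").split()
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    return prog if prog in INTERPRETERS else None

def assess(text: str) -> list:
    """Findings for one .desktop file; an empty list means no PDF-lure traits seen."""
    e, findings = parse_desktop_entry(text), []
    interp = exec_interpreter(e)
    if e.get("Type") == "Application" and claims_pdf(e) and interp:
        findings.append(f"PDF-looking launcher hands execution to '{interp}'")
        if e.get("Terminal", "false").lower() == "false":
            findings.append("Terminal=false keeps the interpreter window off-screen")
    return findings

# Constructed samples; the Exec path is a placeholder, not a real campaign artefact.
LURE = "[Desktop Entry]\nType=Application\nName=Notice.pdf\nIcon=application-pdf\n" \
       "Terminal=false\nExec=bash -c \"/tmp/placeholder_script\"\n"
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nIcon=org.gnome.gedit\n"
```

Running `assess()` over every `*.desktop` file under download and mail-attachment directories gives a cheap hunting signal that complements the EDR and allowlisting controls above.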

Technical Details

Author: AlienVault
TLP: white
References: https://hunt.io/blog/apt36-india-infrastructure-attacks
Adversary: APT36
Pulse Id: 688cb39bdc1c258f2b66a6e8
Threat Score: null

Indicators of Compromise


Threat ID: 688cb3ecad5a09ad00c8cca0

Added to database: 8/1/2025, 12:32:44 PM

Last enriched: 8/1/2025, 12:47:45 PM

Last updated: 8/2/2025, 2:38:26 AM
