Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Deliver

ID: d22451fc-f48f-5e7c-886b-efcd3c05e74f

STIX ID: report--d22451fc-f48f-5e7c-886b-efcd3c05e74f

Feed Name: CloudSEK Blog

Threat Score: 85/100

Date Published: 2025-08-21

Date Updated: 2026-04-27

APT36 (Transparent Tribe) is leveraging malicious Linux .desktop shortcuts embedded in spearphishing ZIP attachments to download a hex-encoded Go dropper from Google Drive, write it to /tmp with a timestamped filename, make it executable, and run it while opening a decoy PDF in Firefox. The dropper includes anti-analysis routines, persistence mechanisms, and continuous WebSocket-based C2 beaconing to ws://seemysitelive.store:8080/ws; the report provides file hashes, domain/IP, attacker Google Drive links, behavioral indicators, ATT&CK mappings, and remediation recommendations.