
TransparentTribe targets Indian military organisations with DeskRAT

ID: 05b7f498-f459-50c0-b7ac-d34295c07970

STIX ID: report--05b7f498-f459-50c0-b7ac-d34295c07970

Feed Name: Sekoia.io Blog

Threat Score
88/100

Date Published: 2025-10-23

Date Updated: 2026-04-29

Author: Amaury G., Coline Chavane and Sekoia TDR

...
...

Sekoia.io TDR describes an active TransparentTribe (APT36) phishing campaign (June–Sept 2025) targeting Indian government/defense Linux systems (BOSS). Attackers delivered a multi-stage chain via ZIP archives containing a malicious DESKTOP dropper that downloads and executes a Golang RAT called DeskRAT; the RAT uses insecure WebSocket C2 (stealth servers), supports file collection/exfiltration, remote execution, and multiple Linux persistence techniques. The report includes technical indicators, C2 details, decoy documents, and detection/hunting artifacts.
