APT36's Updated Arsenal
ID: f651488b-79c4-5d0a-b26a-5a750a53b9df
STIX ID: report--f651488b-79c4-5d0a-b26a-5a750a53b9df
Feed Name: Zscaler Security Research Blog
This report documents a low-volume but active APT36 campaign (May–Aug 2023) that uses malicious Linux .desktop files, distributed inside ZIP archives, to deliver cross-platform Linux payloads (Mythic Poseidon binaries) together with decoy PDFs to Indian government targets. The .desktop files perform background downloads, set execution permissions on the fetched payload, establish persistence via cron, and connect to identified C2 servers. The report includes sample metadata (MD5 hashes, filenames), attacker infrastructure (domains and IPs), decoded command lines, and an analysis of an inflated-file evasion technique used to bypass scanners.
