Campaigns
Cyber Campaign Exploits BOSS Linux in Indian Military Systems

Cyber Campaign Exploits BOSS Linux in Indian Military Systems

APT36TransparentTribeBOSSLinuxIndianDefense
This cyber campaign targets Indian military systems running BOSS Linux through a sophisticated phishing-based malware attack. The attackers aim to infiltrate critical infrastructure by exploiting vulnerabilities in the open-source OS. Once inside, the malware enables unauthorized access, potential data exfiltration, and disruption of military operations. The campaign highlights growing threats to national defense networks and the need for stronger cybersecurity measures in Linux-based government systems.

Indicators of Compromise

modgovindia.space
securestore.cv

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1036 - Masquerading
ID Data Source Data Component Detects
DS0017 Command Command Execution Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [62]
DS0022 File File Metadata Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "‫", "[U+202E]", and "%E2%80%AE". [63] In Linux, the file command may be used to check the file signature. [64]
File Modification Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.
DS0007 Image Image Metadata Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [65]
DS0009 Process OS API Execution Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.
Process Creation Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")

Process Metadata Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.
DS0002 User Account User Account Creation Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.
T0853 - Scripting
ID Data Source Data Component Detects

Observed Countries2

IN (397)
PK (127)