Pakistan-linked APT36 Targets Indian Government with New Linux Malware

APT36 (Transparent Tribe) Deploys New Python-Based ELF Malware in Espionage Campaign Against Indian Government

HIGH
November 29, 2025
5m read
Threat Actor · Cyberattack · Malware

Related Entities

Organizations: CYFIRMA, Indian Government

Other: Pakistan, India

Full Report

Executive Summary

On November 29, 2025, threat intelligence firm CYFIRMA published a report detailing a new cyber-espionage campaign by APT36, a threat actor widely attributed to the Pakistani state. The group, also known as Transparent Tribe, is actively targeting Indian government and strategic-sector organizations with a previously unseen Python-based malware packaged as an Executable and Linkable Format (ELF) binary, the native executable format of Linux. This marks a tactical evolution for APT36: its tooling has historically been Windows-centric, and a Linux implant lets it gather intelligence across a wider range of target environments.

Threat Overview

APT36 has a long history of targeting Indian military and governmental entities, aligning with the geopolitical interests of Pakistan. This latest campaign continues that focus but with an updated toolkit. The use of a Python-based ELF malware suggests the threat actor is adapting to the increasing prevalence of Linux servers and desktops within its target organizations. By developing cross-platform or platform-specific tools, APT36 can bypass defenses focused solely on Windows threats and establish persistence in diverse network environments. The campaign's objective remains consistent with past operations: long-term espionage and the exfiltration of sensitive government data.

Technical Analysis

The core of this campaign is the new Python ELF malware. Key technical aspects include:

  1. Execution: The malware is delivered through APT36's customary vectors, chiefly spear-phishing, and must then be launched on the target host. Writing the implant in Python (T1059.006 - Python) gives the operators fast development and a large library ecosystem for network communication, encryption, and data handling, while packaging it as an ELF removes any dependency on a Python interpreter being installed on the victim.
  2. Defense Evasion: Packaging the Python script into an ELF binary hides the source code from casual inspection (T1027 - Obfuscated Files or Information) and may evade security tools that are tuned for Windows PE files rather than ELF. Such packaging usually bundles the interpreter with compiled bytecode rather than producing native machine code, so a process that looks like an ordinary binary is in fact running Python, and an analyst can often recover the embedded modules and strings from the file.
  3. Command and Control: The malware establishes a C2 channel to receive tasking and exfiltrate data. This is typically done over standard web protocols such as HTTP/S (T1071.001 - Web Protocols) so that beacons blend in with ordinary browsing traffic; the usable signals are therefore the beacon cadence, the unfamiliar destination, and the originating process rather than the protocol itself.
  4. Collection: Once active, the malware likely performs host reconnaissance and collects sensitive files in response to C2 tasking, staging them for exfiltration (T1560 - Archive Collected Data).
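As an added example that is not code from the CYFIRMA report or from this article's author, the shell helper below triages a suspected Python-in-ELF sample offline: it checks the ELF magic bytes and then looks for strings that PyInstaller-style bundlers leave in the binary. The marker list is an assumption, since the page does not name the packaging tool APT36 used, and the three sample files it classifies are constructed inline (no real malware is involved).

```shell
#!/bin/sh
# Added example, not from the CYFIRMA report: triage a suspected
# Python-in-ELF sample offline. Marker strings are an assumption
# (typical of PyInstaller-style bundles); the page does not name the packer.

# Classify a file by ELF magic and embedded Python-bundler markers.
# Prints one of: not-elf | elf | elf-python-bundle
classify_binary() {
    f="$1"
    # od -c renders byte 0x7f as "177", so the ELF magic reads "177ELF".
    magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
    [ "$magic" = "177ELF" ] || { echo "not-elf"; return 0; }
    # grep -a scans the binary as text; any one marker is enough to flag it.
    if grep -aq -e '_MEIPASS' -e 'pyi-runtime-tmpdir' -e 'PYZ-00.pyz' -e 'PyInstaller' "$f"; then
        echo "elf-python-bundle"
    else
        echo "elf"
    fi
}

# Write three constructed samples into directory $1: a fake Python bundle,
# a fake plain ELF, and a plain-text script. None of these are real malware.
make_samples() {
    d="$1"
    printf '\177ELF\002\001\001' > "$d/bundle.bin"
    printf 'bootloader pyi-runtime-tmpdir _MEIPASS2 PYZ-00.pyz\n' >> "$d/bundle.bin"
    printf '\177ELF\002\001\001' > "$d/plain.bin"
    printf 'libc.so.6 GLIBC_2.34 main\n' >> "$d/plain.bin"
    printf '#!/usr/bin/env python3\nprint("hi")\n' > "$d/script.py"
}

# Run the classifier over every regular file in a directory (tab-separated).
triage_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && printf '%s\t%s\n' "$(classify_binary "$f")" "$f"
    done
}

# Demo: ./triage.sh --demo builds the samples in a temp dir and classifies them.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    triage_dir "$tmp"
    rm -rf "$tmp"
fi
```

A hit on the bundler markers does not by itself mean the file is malicious; it tells the analyst to pull the embedded archive apart rather than spend time on the bootloader, and it explains why a Python implant will not show up as a `python3` process on the host.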

Impact Assessment

  • National Security Risk: The infiltration of Indian government networks poses a direct threat to national security, potentially exposing state secrets, military plans, and diplomatic communications.
  • Strategic Intelligence Loss: Successful espionage gives the Pakistani state a strategic advantage by providing insight into India's internal government and military affairs.
  • Persistent Threat: The development of new tools indicates a committed and evolving adversary, ensuring that APT36 will remain a persistent threat to Indian entities for the foreseeable future.

Detection & Response

  • Linux Endpoint Monitoring: Enhance monitoring on Linux servers and endpoints. Use auditd and EDR agents with Linux support to perform Process Analysis; alert on execution of untrusted ELF binaries, on binaries launched from scratch or home directories, and on Python interpreters started from unusual paths or by unusual parent processes.
  • Network Analysis: Implement Network Traffic Analysis with TLS inspection where policy permits, so that C2 traffic can be examined even when encrypted. Look for periodic beaconing to unknown or newly registered domains and tie each flow back to the process that opened it.
  • Threat Intelligence Integration: Ingest the Indicators of Compromise (IoCs) from the CYFIRMA report into SIEM, firewall, and proxy blocklists to detect and prevent connections to APT36 infrastructure.

Mitigation

  • Application Control: On critical Linux systems, enforce Executable Allowlisting (D3-EAL) so that only approved binaries can run. SELinux and AppArmor are mandatory access control frameworks rather than allowlisting tools in themselves: they confine what an approved process may touch, and an AppArmor profile or SELinux policy can deny execution from scratch locations, but a dedicated allowlisting daemon such as fapolicyd (on RHEL-family systems) or mounting /tmp, /var/tmp and /dev/shm with noexec is the more direct control against an unauthorized ELF dropped by phishing.
  • Least Privilege: Ensure that user accounts and services on Linux systems run with the minimum necessary privileges to reduce the impact of a compromise.
  • User Training: As phishing is a likely delivery vector, ongoing User Training is essential to prevent the initial infection.
  • Egress Filtering: Strictly control outbound network traffic from sensitive government networks, blocking all traffic except that which is explicitly required for business purposes.

Timeline of Events

  1. November 29, 2025: CYFIRMA publishes its report on the new APT36 campaign using Python-based ELF malware.
  2. November 29, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Implement application allowlisting on Linux systems to prevent the execution of unauthorized ELF binaries and Python scripts.
  • Audit (M1047, enterprise): Use comprehensive logging on Linux hosts (e.g., auditd) to monitor process execution, file access, and network connections for suspicious activity.
  • Apply strict egress filtering rules on sensitive networks to block C2 communications to unauthorized external servers.

D3FEND Defensive Countermeasures

Given APT36's use of a novel ELF malware on Linux systems, robust process analysis is crucial for detection. Security teams in the targeted Indian government sector should deploy EDR agents or configure native tools like auditd on all Linux servers to log all process executions and their arguments. Create detection rules that specifically alert on the execution of Python scripts or ELF binaries from non-standard directories like /tmp, /var/tmp, or user home directories. Correlating process execution with network connection events is also key; a newly executed, unknown ELF binary that immediately initiates an outbound network connection is highly suspicious and should be investigated as a potential implant.
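As an added example, not taken from the CYFIRMA report or written by this article's author, the shell snippet below covers both the Linux Endpoint Monitoring bullet above and the process-analysis advice in this paragraph. It emits auditd rules that key executions from /tmp, /var/tmp, /dev/shm and /home and successful connect() calls, and it correlates the resulting SYSCALL records so that a process started from one of those directories that connects out within a short window is flagged. The audit log lines are constructed to mimic the real record layout; the key names and the 60-second window are assumptions to adapt to the site.

```shell
#!/bin/sh
# Added example, not from the CYFIRMA report: auditd rules plus an offline
# correlator for "binary run from a scratch or home dir that then calls out".

# Emit auditd rules (drop into /etc/audit/rules.d/ and run augenrules --load).
# Key names are assumptions. The connect() rule is noisy (DNS, package
# updates) and is usually narrowed in production by excluding known exe paths.
audit_rules() {
    for d in /tmp /var/tmp /dev/shm /home; do
        echo "-a always,exit -F arch=b64 -S execve,execveat -F dir=$d -k untrusted_exec"
    done
    echo "-a always,exit -F arch=b64 -S connect -F success=1 -k net_connect"
}

# Constructed SYSCALL records in audit.log layout (fields trimmed for width).
# pid 4321: exec from /tmp, connect 2.4s later      -> should be flagged
# pid 2210: /usr/bin/curl connecting                -> no untrusted exec, ignored
# pid 5102: exec from /var/tmp, connect 190s later  -> outside a 60s window
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1764374400.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=4321 auid=1000 uid=1000 comm="update" exe="/tmp/.cache/update" key="untrusted_exec"
type=PATH msg=audit(1764374400.101:501): item=0 name="/tmp/.cache/update" mode=0100755
type=SYSCALL msg=audit(1764374402.517:502): arch=c000003e syscall=42 success=yes exit=0 ppid=1200 pid=4321 auid=1000 uid=1000 comm="update" exe="/tmp/.cache/update" key="net_connect"
type=SYSCALL msg=audit(1764374403.004:503): arch=c000003e syscall=42 success=yes exit=0 ppid=1300 pid=2210 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net_connect"
type=SYSCALL msg=audit(1764374410.000:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1400 pid=5102 auid=1001 uid=1001 comm="report" exe="/var/tmp/report" key="untrusted_exec"
type=SYSCALL msg=audit(1764374600.000:505): arch=c000003e syscall=42 success=yes exit=0 ppid=1400 pid=5102 auid=1001 uid=1001 comm="report" exe="/var/tmp/report" key="net_connect"
EOF
}

# Read audit records on stdin; print "pid exe" once for each process that was
# executed under a watched directory and called connect() within $1 seconds.
correlate_exec_connect() {
    awk -v window="$1" '
        $1 != "type=SYSCALL" { next }
        {
            pid = ""; key = ""; exe = ""; ts = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^msg=audit\(/) {
                    # msg=audit(EPOCH.MS:SERIAL): -> EPOCH.MS
                    s = $i; sub(/^msg=audit\(/, "", s); sub(/:.*$/, "", s); ts = s + 0
                } else if ($i ~ /^pid=/) {
                    pid = substr($i, 5)
                } else if ($i ~ /^exe=/) {
                    exe = substr($i, 5); gsub(/"/, "", exe)
                } else if ($i ~ /^key=/) {
                    key = substr($i, 5); gsub(/"/, "", key)
                }
            }
            if (key == "untrusted_exec") {
                exec_ts[pid] = ts; exec_exe[pid] = exe
            } else if (key == "net_connect" && (pid in exec_ts) && ts - exec_ts[pid] <= window && !(pid in flagged)) {
                flagged[pid] = 1
                print pid, exec_exe[pid]
            }
        }'
}

# Demo on the constructed log. On a live host, feed real records instead:
#   ausearch -ts today --raw | correlate_exec_connect 60
sample_audit_log | correlate_exec_connect 60
```

The window is the tuning knob: a Python implant packaged as an ELF will usually beacon within seconds of starting, so a short window keeps the rule quiet on hosts where users legitimately build and run tools under their home directories. Exec records without a matching connect are still worth a lower-severity alert on their own.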

To disrupt APT36's C2 and data exfiltration channels, targeted organizations must implement strict outbound traffic filtering at the network perimeter. For sensitive government networks, the default policy should be to deny all outbound connections. Specific, rule-based exceptions should only be created for known, legitimate business needs (e.g., allowing a specific server to connect to a trusted partner's API endpoint). This approach prevents malware like APT36's Python implant from calling home to its C2 server, effectively neutralizing the threat even if an initial compromise occurs. All allowed traffic should be decrypted and inspected where possible.
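As an added example, not from the CYFIRMA report or this article's author, the shell snippet below turns the default-deny egress policy described in this paragraph and in the Egress Filtering bullet above into a concrete nftables ruleset. It renders the policy from a small allowlist of destination and port pairs and lets an operator check candidate destinations against that allowlist before deploying. The addresses are documentation-range placeholders, and the internal resolver and the listed purposes are assumptions.

```shell
#!/bin/sh
# Added example, not from the CYFIRMA report: render a default-deny nftables
# egress policy from an allowlist and check destinations against it.
# Addresses are documentation-range placeholders; resolver is an assumption.

# Constructed allowlist: "dst_ip dst_port purpose" per line, # for comments.
sample_allowlist() {
    cat <<'EOF'
# destination    port  purpose (constructed entries)
203.0.113.10     443   partner-api.example
198.51.100.20    443   os-update-mirror.example
EOF
}

# Strip comments and blank lines from an allowlist on stdin: prints "ip port".
allowlist_entries() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 2 { print $1, $2 }'
}

# Return 0 if "$1:$2" is permitted by the allowlist on stdin, else 1.
# Useful for answering "would this destination have been blocked?" offline.
egress_check() {
    allowlist_entries | awk -v ip="$1" -v port="$2" \
        '$1 == ip && $2 == port { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Render an nftables script from the allowlist on stdin.
# $1 = internal resolver allowed on udp/53. Hosts get no path to arbitrary
# external DNS, which otherwise doubles as a C2 and exfiltration channel.
egress_ruleset() {
    resolver="$1"
    elements=$(allowlist_entries | awk '{ printf "%s%s . %s", sep, $1, $2; sep = ", " }')
    # An empty "elements = { }" is a syntax error, so omit the line when empty.
    elements_line=""
    [ -n "$elements" ] && elements_line="        elements = { $elements }"
    cat <<EOF
table inet egress {
    set allowed_v4 {
        type ipv4_addr . inet_service
$elements_line
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip daddr $resolver udp dport 53 accept
        ip daddr . tcp dport @allowed_v4 ct state new accept
        log prefix "egress-drop " counter drop
    }
}
EOF
}

# Demo: print the ruleset; after review, apply with `nft -f egress.nft`.
sample_allowlist | egress_ruleset 192.0.2.53
```

The final logging drop rule is what makes this policy useful for detection as well as prevention: an implant that cannot reach its C2 server will keep retrying, and those `egress-drop` log lines, tied back to the originating host, are the earliest signal that something on the box wants to talk out.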


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

apt36, transparent tribe, cyberespionage, india, pakistan, linux, malware
