Sindoor Dropper: New Phishing Campaign
Essential information
- Published
- 02/09/2025 08:34
- Modified
- 02/09/2025 09:33
- Tags
- 2025-09-02 apt36 linux meshagent obfuscation phishing sindoor spear-phishing
- Related entities
- 14 observables, 1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 3 others
Description
A sophisticated phishing campaign targeting Indian organizations has been uncovered, utilizing spear-phishing techniques reminiscent of Operation Sindoor. The campaign employs a Linux-focused infection method using weaponized .desktop files, a tactic previously associated with APT36. When executed, these files initiate a complex, obfuscated chain that ultimately delivers a MeshAgent payload, granting the attacker full remote access to the compromised system. The campaign showcases an evolution in regional threat actor tactics, particularly in targeting Linux environments. By combining localized spear-phishing lures with advanced obfuscation techniques, the adversaries increase their chances of bypassing defenses and gaining footholds in sensitive networks. The attack chain involves multiple stages of encryption and decryption, anti-VM checks, and the use of legitimate remote administration tools to complicate detection and response efforts.