Google Threat Intelligence has launched a new blog series aimed at empowering security professionals with advanced threat hunting techniques, kicking off with a deep dive into detecting malicious .desktop files on Linux systems. <\/p>\n
.desktop files, standard configuration files in Linux desktop environments<\/a>, define how applications are launched and displayed.<\/p>\n Following the Desktop Entry Specification, these plain text files typically include keys like Name, Exec, Icon, and Type, starting with the [Desktop Entry] header. However, recent uploads to Google Threat Intelligence reveal a new wave of malicious .desktop files that deviate significantly from this norm.<\/p>\n .desktop\u00a0file includes the following sections and keys:<\/p>\n These files, linked to campaigns possibly related to Zscaler\u2019s 2023 findings, incorporate thousands of lines of junk code\u2014often the # character\u2014to obfuscate their true purpose. <\/p>\n Hidden within this noise is a legitimate .desktop structure, with the Exec key executing malicious commands upon user interaction, such as double-clicking the file. <\/p>\n A common tactic involves using Google Drive to host decoy PDF files, which distract victims while additional malware stages are downloaded in the background.<\/p>\n According to Google report<\/a> shared via Google community, When executed, these malicious .desktop files often use the xdg-open command to launch a Google Drive-hosted PDF via the system\u2019s default browser, typically Firefox in the XFCE environment used by Google\u2019s sandbox. <\/p>\n The process chain involves:<\/p>\n This behavior, illustrated in sandbox analyses, provides multiple hunting opportunities. For instance, the use of exo-helper-2 with arguments like \u2013launch WebBrowser and a Google Drive URL is a strong indicator of suspicious activity.<\/p>\n Google Threat Intelligence proposes several query-based hunting methods to detect these files, leveraging behavioral and content analysis:<\/p>\n Below is a table summarizing the threat hunting strategies for detecting malicious .desktop files as outlined by Google Threat Intelligence, including the query details and their purposes.<\/p>\n Google Threat Intelligence identified several .desktop files uploaded in 2025, potentially linked to the Zscaler-attributed campaign, though attribution remains unconfirmed. Notable samples include:<\/p>\n These files, often uploaded from India or Australia (potentially via proxies), underscore the global reach of this threat.<\/p>\n Google Threat Intelligence\u2019s blog series equips defenders with practical, query-driven approaches to hunt malicious .desktop files. Combining behavioral analysis, process tracking, and content inspection enables proactive identification of threats across Linux environments.<\/p>\n The provided queries are adaptable, encouraging security teams to refine them for internal threat hunting or translate them to other platforms. As .desktop file abuse continues to evolve, such strategies are critical for staying ahead of sophisticated malware campaigns.<\/p>\n The post Google Threat Intelligence Launches Actionable Technique To Hunt for Malicious .Desktop Files<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n[Desktop Entry]\nName=Application Name\nComment=Short description\nExec=\/path\/to\/executable %U\nIcon=icon-name\nTerminal=false\nType=Application\nCategories=Utility;Application;<\/code><\/pre>\nAnatomy of the Attack<\/strong><\/h2>\n
\n
![\"File](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh6U0G2kLNDFzzt_3stn-hMglbEi5ST2GBr87frpNwKKbAWHHYM1-NAd02Q7H4WBoDwvzcFmx0aCaZGnGRP804G8CEXGpoiddfwQXvpgz7Aof9QaSOfhvHneyTWfyWfTvC0ANcf11oU7uTuWmwXic89cCBobhsDyX71D7jtc6dcKVjgr4KlpJLIgKe69CaS\/s16000\/malicious%2520file.png?ssl=1\")
Threat Hunting Strategies<\/strong><\/h2>\n
\n\n
\n Hunting Strategy<\/th>\n Query<\/th>\n Purpose<\/th>\n<\/tr>\n \n Targeting exo-helper-2 Processes<\/td>\n behavior_processes:\u201d\u2013launch WebBrowser\u201d behavior_processes:\u201dhttps:\/\/drive.google.com\/\u201d<\/td>\n Identifies samples (e.g., .desktop and ELF files) triggering Google Drive URLs, offering a focused detection rule for XFCE environments.<\/td>\n<\/tr>\n \n Broadening to All URL-Opening Processes<\/td>\n (behavior:\u201dxdg-open\u201d or behavior:\u201dexo-open\u201d or behavior:\u201dexo-helper-2\u2033 or behavior:\u201dgio open\u201d or behavior:\u201dkde-open\u201d) and behavior_processes:\u201dhttps:\/\/drive.google.com\/\u201d<\/td>\n Extends detection to GNOME (gio open) and KDE (kde-open) environments, capturing a wider range of malicious behaviors involving Google Drive URLs.<\/td>\n<\/tr>\n \n Leveraging xdg-open Artifacts (1)<\/td>\n behavior:\u201d\/usr\/bin\/grep grep -i ^xfce_desktop_window\u201d filename:\u201d*.desktop\u201d<\/td>\n Pinpoints .desktop files by detecting commands executed by xdg-open to identify XFCE environments, as seen in sandbox reports.<\/td>\n<\/tr>\n \n Leveraging xdg-open Artifacts (2)<\/td>\n behavior:\u201d\/usr\/bin\/grep grep -i ^xfce_desktop_window\u201d behavior_processes:\u201dhttps:\/\/drive.google.com\/\u201d<\/td>\n Combines XFCE environment detection with Google Drive URL behavior to identify related malicious samples.<\/td>\n<\/tr>\n \n Leveraging xdg-open Artifacts (3)<\/td>\n behavior:\u201d\/usr\/bin\/grep grep -i ^xfce_desktop_window\u201d (behavior_processes:\u201dhttps:\/\/drive.google.com\/\u201d or (behavior_processes:\u201dhttp\u201d behavior_processes:\u201d.pdf\u201d))<\/td>\n Expands detection by combining XFCE environment detection with behaviors involving Google Drive or other PDF-hosting URLs.<\/td>\n<\/tr>\n \n Content-Based Detection<\/td>\n content:{45 78 65 63 3d 62 61 73 68 20 2d 63 20 22} content:{4e 61 6d 65 3d} content:{2e 70 64 66} content:{5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d}<\/td>\n Targets common strings in malicious .desktop files (Exec=bash -c \u201c, Name=, .pdf, [Desktop Entry]) using hexadecimal patterns.<\/td>\n<\/tr>\n \n Generic .Desktop File Hunting<\/td>\n content:{5b4465736b746f7020456e7472795d}@0 p:1+<\/td>\n Detects .desktop files acting as downloaders or loaders by targeting the [Desktop Entry] header, uncovering samples like those initiating cryptocurrency miners.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n \n
Arm your business against phishing & suspicious artifacts\u00a0<\/strong> with top threat intelligence,\u00a0test TI Lookup with 50 trial requests<\/a>\u00a0<\/code><\/strong><\/p>\n