A new malware campaign, dubbed \u201cSindoor Dropper,\u201d is targeting Linux systems<\/a> using sophisticated spear-phishing techniques and a multi-stage infection chain.<\/p>\n The campaign leverages lures themed around the recent India-Pakistan conflict, known as Operation Sindoor, to entice victims into executing malicious files.<\/p>\n This activity\u2019s standout feature is its reliance on weaponized The attack begins when a user opens a malicious According to Nextron system analysis, upon execution, it opens a benign decoy PDF to maintain the illusion of legitimacy while silently initiating a complex, heavily obfuscated infection process in the background.<\/p>\n This process is designed to evade both static and dynamic analysis, with the initial payload reportedly having zero detections on VirusTotal at the time of its discovery.<\/p>\n The The decryptor, a Go binary packed with UPX, is intentionally corrupted by stripping its ELF magic bytes, likely to bypass security scans on platforms like Google Docs. The This kicks off a multi-stage process where each component decrypts and runs the next. The chain includes basic anti-virtual machine checks, such as verifying board and vendor names, blacklisting specific MAC address prefixes, and checking machine uptime.<\/p>\n All strings within the droppers are obfuscated using a combination of Base64 encoding and DES-CBC encryption to further hinder analysis.<\/p>\n The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command-and-control (C2) server hosted on an Amazon Web Services (AWS) EC2<\/a> instance at This gives the attacker full remote access to the compromised system, enabling them to monitor user activity, move laterally across the network, and exfiltrate sensitive data, Nextron said<\/a>.<\/p>\n The Sindoor Dropper campaign highlights an evolution in threat actor tradecraft, demonstrating a clear focus on Linux environments, which phishing campaigns have less targeted.<\/p>\n By combining timely, region-specific social engineering with advanced evasion techniques, the attackers increase their likelihood of successfully compromising sensitive networks.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n.desktop<\/code> files, a method previously associated with the advanced persistent threat (APT) group APT36, also known as Transparent Tribe or Mythic Leopard.<\/p>\n.desktop<\/code> file, named \u201cNote_Warfare_Ops_Sindoor.pdf.desktop,\u201d which masquerades as a standard PDF document<\/a>.<\/p>\n![\"'Sindoor](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhkttIfXOHY4h8dR05Vlv0Ni3ubqmxr1rGIM60i5vkwlDl15hAP5_yQKA4YtuDpo6PMbhJNwMVx9MmkflNQ0uG-qBhnjhLaabNqBZUAl7H8ge4x9u9G1-Q2yqAgLodkKB7zppSDzzoUDg0ssHjPiupTDG0G3kpkylU8oetWAxtGrNgT1BA0wsU4nPKkSvYB\/w640-h528\/Infection%2520chain.png?ssl=1\")
\u2018Sindoor Dropper\u2019 Malware Targets Linux Systems<\/strong><\/h2>\n
.desktop<\/code> file downloads several components, including an AES decryptor (mayuw<\/code>) and an encrypted downloader (shjdfhd<\/code>).<\/p>\n.desktop<\/code> file restores these bytes on the victim\u2019s machine to make the binary executable again.<\/p>\nwss:\/\/boss-servers.gov.in.indianbosssystems.ddns[.]net:443\/agent.ashx<\/code>. <\/p>\nIOCs for Sindoor Dropper<\/strong><\/h2>\n
\n\n
\n \nIOC Type<\/th>\n Indicator<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n File Hash<\/strong><\/td>\n 9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59<\/code><\/td>\nInitial phishing payload ( Note_Warfare_Ops_Sindoor.pdf.desktop<\/code>) <\/td>\n<\/tr>\n\n File Hash<\/strong><\/td>\n 9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b<\/code><\/td>\nDecrypted AES decryptor ( mayuw<\/code>) <\/td>\n<\/tr>\n\n File Hash<\/strong><\/td>\n 0f4ef1da435d5d64ccc21b4c2a6967b240c2928b297086878b3dcb3e9c87aa23<\/code><\/td>\nStage 2 downloader ( shjdfhd<\/code>) <\/td>\n<\/tr>\n\n File Hash<\/strong><\/td>\n 38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4<\/code><\/td>\nStage 3 downloader ( inter_ddns<\/code>) and the decrypted MeshAgent payload (server2<\/code>) <\/td>\n<\/tr>\n\n File Hash<\/strong><\/td>\n 05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8<\/code><\/td>\nMeshAgent final payload ( server2<\/code>) <\/td>\n<\/tr>\n\n File Hash<\/strong><\/td>\n ba5b485552ab775ce3116d9d5fa17f88452c1ae60118902e7f669fd6390eae97<\/code><\/td>\nDecoy PDF document ( \/tmp\/Note_Warfare.pdf<\/code>) <\/td>\n<\/tr>\n\n Filename<\/strong><\/td>\n Note_Warfare_Ops_Sindoor.pdf.desktop<\/code><\/td>\nThe initial weaponized .desktop<\/code> file used for phishing<\/td>\n<\/tr>\n\n Filename<\/strong><\/td>\n \/tmp\/Note_Warfare.pdf<\/code><\/td>\nThe benign decoy document displayed to the victim<\/td>\n<\/tr>\n \n Filename<\/strong><\/td>\n mayuw<\/code><\/td>\nAES decryptor payload<\/td>\n<\/tr>\n \n Filename<\/strong><\/td>\n shjdfhd<\/code><\/td>\nEncrypted Stage 2 downloader<\/td>\n<\/tr>\n \n Filename<\/strong><\/td>\n access<\/code><\/td>\nAES decryptor for the next stage <\/td>\n<\/tr>\n \n Filename<\/strong><\/td>\n inter_ddns<\/code><\/td>\nStage 3 downloader <\/td>\n<\/tr>\n \n Filename<\/strong><\/td>\n server2<\/code><\/td>\nThe final MeshAgent payload <\/td>\n<\/tr>\n \n Network<\/strong><\/td>\n wss:\/\/boss-servers.gov.in.indianbosssystems.ddns[.]net:443\/agent.ashx<\/code><\/td>\nCommand-and-control (C2) server URL for the MeshAgent payload <\/td>\n<\/tr>\n \n Network<\/strong><\/td>\n indianbosssystems.ddns[.]net<\/code><\/td>\nMalicious C2 domain <\/td>\n<\/tr>\n \n Network<\/strong><\/td>\n 54.144.107[.]42<\/code><\/td>\nIP address of the C2 server, hosted on AWS <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n