APT36 hackers abuse Linux .desktop files to install malware in new attacks

10 points by Santosh83 268 days ago | 2 comments

> Victims receive ZIP archives through phishing emails containing a malicious .desktop file disguised as a PDF document, and named accordingly.

How does the disguise work?

hdgvhicv 268 days ago | |

Some desktop environments hide file extensions. This bad behaviour dates back 30 years.

File is foo.pdf.desktop in a zip file. zip unzipped, DE hides .desktop and shows “foo.pdf”

User double clicks thinking it’s a safe pdf but it’s actually a script or other payload which does bad things.