CyberNews: 25/08/2025 Edition
Today’s roundup
- Pakistan‑Linked APT36 Uses Linux .desktop Payloads to Target Indian Government
- CISA Seeks Biden‑Era SBOM Minimum Requirements Guideline Change
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is seeking to revise the Biden-era 2021 SBOM minimum-elements guideline, tightening what counts as a government-grade SBOM for critical software supply chains.
Pakistan‑linked APT36, also tracked as Transparent Tribe, has deployed weaponized Linux .desktop launcher files disguised as PDF documents to deliver a custom ELF remote access trojan (RAT) into Indian government and defence systems.
The launcher fetches a hex‑encoded dropper from a domain linked to the threat actor, decodes it into an executable, and the resulting implant establishes a command‑and‑control channel to ModGovIndia.space on port 4000 over DNS/UDP, traffic that is easy to overlook.
The campaign was first observed on 1 August 2025 and remains ongoing; the RAT gives the operators data exfiltration, screenshot capture and webcam recording.
Targeting BOSS Linux (the Indian government’s indigenous distribution) and abusing desktop autostart entries for persistence marks a tactical shift toward India’s home‑grown operating systems, complementing the group’s existing Windows‑based attacks.
Taken together, the two items point to expanding threat activity against Indian government and critical‑infrastructure networks, and to a push for stronger SBOM requirements across the U.S. federal sector.