Google Threat Intelligence has launched a new blog series aimed at equipping security professionals with advanced threat hunting techniques, kicking off with a deep dive into detecting malicious .desktop files on Linux systems.
.desktop files, standard configuration files in Linux desktop environments, define how applications are launched and displayed.
Following the Desktop Entry Specification, these plain text files typically include keys like Name, Exec, Icon, and Type, beginning with the [Desktop Entry] header. However, recent uploads to Google Threat Intelligence reveal a new wave of malicious .desktop files that deviate significantly from this norm.
A .desktop file consists of the following sections and keys:
[Desktop Entry]
Name=Application Name
Comment=Short description
Exec=/path/to/executable %U
Icon=icon-name
Terminal=false
Type=Application
Categories=Utility;Application;
These files, linked to campaigns possibly related to Zscaler's 2023 findings, incorporate thousands of lines of junk code (often just the # character) to obfuscate their true purpose.
Hidden inside this noise is a legitimate .desktop structure, with the Exec key executing malicious commands upon user interaction, such as double-clicking the file.
A common tactic involves using Google Drive to host decoy PDF files, which distract victims while additional malware stages are downloaded in the background.
Anatomy of the Attack
According to the Google report shared via the Google community, when executed, these malicious .desktop files typically use the xdg-open command to launch a Google Drive-hosted PDF in the system's default browser, usually Firefox in the XFCE environment used by Google's sandbox.
The process chain involves:
xdg-open: Identifies the desktop environment and delegates to environment-specific helpers.
exo-open: In XFCE, forwards the request to open the URL.
exo-helper-2: Uses MIME type configuration to launch Firefox with the Google Drive URL.
This behavior, illustrated in sandbox analyses, provides several hunting opportunities. For instance, the use of exo-helper-2 with arguments like --launch WebBrowser followed by a Google Drive URL is a strong indicator of suspicious activity.
File construction
Threat Hunting Techniques
Google Threat Intelligence proposes several query-based hunting methods to detect these files, leveraging behavioral and content analysis:
Below is a table summarizing the threat hunting techniques for detecting malicious .desktop files as outlined by Google Threat Intelligence, along with the query details and their purposes.
Hunting Strategy: Targeting exo-helper-2 Processes
Query: behavior_processes:"--launch WebBrowser" behavior_processes:"[Google Drive URL pattern; value missing from the source]"
Purpose: Identifies samples (e.g., .desktop and ELF files) triggering Google Drive URLs, offering a focused detection rule for XFCE environments.

Hunting Strategy: Broadening to All URL-Opening Processes
Query: (behavior:"xdg-open" or behavior:"exo-open" or behavior:"exo-helper-2" or behavior:"gio open" or behavior:"kde-open") and behavior_processes:"[Google Drive URL pattern; value missing from the source]"
Purpose: Extends detection to GNOME (gio open) and KDE (kde-open) environments, capturing a wider range of malicious behaviors involving Google Drive URLs.

Hunting Strategy: Leveraging xdg-open Artifacts (1)
Query: behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" filename:"*.desktop"
Purpose: Pinpoints .desktop files by detecting the commands xdg-open runs to identify XFCE environments, as seen in sandbox reports.

Hunting Strategy: Leveraging xdg-open Artifacts (2)
Query: behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" behavior_processes:"[Google Drive URL pattern; value missing from the source]"
Purpose: Combines XFCE environment detection with Google Drive URL behavior to identify related malicious samples.

Hunting Strategy: Leveraging xdg-open Artifacts (3)
Query: behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" (behavior_processes:"[Google Drive URL pattern; value missing from the source]" or (behavior_processes:"http" behavior_processes:".pdf"))
Purpose: Expands detection by combining XFCE environment detection with behaviors involving Google Drive or other PDF-hosting URLs.

Hunting Strategy: Content-Based Detection
Query: content:{45 78 65 63 3d 62 61 73 68 20 2d 63 20 22} content:{4e 61 6d 65 3d} content:{2e 70 64 66} content:{5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d}
Purpose: Targets common strings in malicious .desktop files (Exec=bash -c ", Name=, .pdf, [Desktop Entry]) using hexadecimal patterns.

Hunting Strategy: Generic .desktop File Hunting
Query: content:{5b4465736b746f7020456e7472795d}@0 p:1+
Purpose: Detects .desktop files acting as downloaders or loaders by matching the [Desktop Entry] header at offset 0, uncovering samples such as those launching cryptocurrency miners.
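As an added example (not code from Google Threat Intelligence or the original post), the following Python script applies the file-structure and content-based indicators described above to a .desktop file held locally: it decodes the hex patterns from the content-based query into bytes, skips the # padding to recover the hidden Exec key, and flags a shell-wrapped opener launching a remote URL. The two sample files, the padding threshold, and the indicator names are constructed assumptions.

```python
import re

# Byte patterns from the content-based hunting query, decoded from the hex given there.
SIGNATURES = {
    "exec_bash_c": bytes.fromhex("45786563" "3d" "62617368" "20" "2d63" "20" "22"),  # Exec=bash -c "
    "name_key": bytes.fromhex("4e616d653d"),                                          # Name=
    "pdf": bytes.fromhex("2e706466"),                                                 # .pdf
    "header": bytes.fromhex("5b4465736b746f7020456e7472795d"),                        # [Desktop Entry]
}
OPENERS = ("xdg-open", "exo-open", "exo-helper-2", "gio open", "kde-open")

def parse_desktop_entry(data: bytes) -> dict:
    """Skip '#' junk lines, collect key=value pairs of the [Desktop Entry] group, count padding."""
    lines = data.decode("utf-8", errors="replace").splitlines()
    comment_lines = sum(1 for ln in lines if ln.lstrip().startswith("#"))
    keys, in_entry = {}, False
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("["):                      # group header
            in_entry = s == "[Desktop Entry]"
            continue
        if in_entry and "=" in s:
            k, v = s.split("=", 1)
            keys.setdefault(k.strip(), v.strip())  # first occurrence wins
    return {"keys": keys, "total_lines": len(lines), "comment_lines": comment_lines}

def assess(data: bytes, junk_ratio: float = 0.9, min_lines: int = 200) -> dict:
    """Evaluate one .desktop file against the hunting indicators described on this page."""
    parsed = parse_desktop_entry(data)
    exec_cmd = parsed["keys"].get("Exec", "")
    uses_shell = re.search(r"\b(?:ba)?sh\s+-c\b", exec_cmd) is not None
    opens_url = any(o in exec_cmd for o in OPENERS) and re.search(r"https?://\S+", exec_cmd) is not None
    hits = {
        "content_sigs": all(sig in data for sig in SIGNATURES.values()),  # all four hex patterns
        "header_at_0": data.startswith(SIGNATURES["header"]),            # the '@0' of the generic query
        "junk_padding": parsed["total_lines"] >= max(min_lines, 1)
                        and parsed["comment_lines"] / parsed["total_lines"] >= junk_ratio,
        "shell_opens_url": uses_shell and opens_url,                      # bash -c "... xdg-open <url>"
    }
    return {"exec": exec_cmd, "hits": hits, "score": sum(hits.values())}

# Constructed samples (not real malware): a '#'-padded lure, and the normal entry shown on the page.
LURE = ("[Desktop Entry]\n" + "#\n" * 2000 + "Name=Pay Fixation.pdf\nType=Application\n"
        'Exec=bash -c "xdg-open https://drive.google.com/file/d/CONSTRUCTED-ID/view"\n').encode()
BENIGN = ("[Desktop Entry]\nName=Application Name\nComment=Short description\n"
          "Exec=/path/to/executable %U\nIcon=icon-name\nTerminal=false\nType=Application\n").encode()
```

Running assess() on the two samples scores the padded lure on all four indicators and the ordinary entry only on the header-at-offset-0 check, which on its own is exactly what the generic query accepts as noise.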
Google Threat Intelligence identified several .desktop files uploaded in 2025, possibly linked to the Zscaler-attributed campaign, though attribution remains unconfirmed. Notable samples include:
Alternative for Train, Re Train of Choice for pay Fixation.desktop (SHA1: c2f0f011eabb4fae94e7a5973f1f05208e197db983a09e2f7096bcff69a794d1, April 30, 2025, India)
Revised SOP for Webex Assembly – MOD.desktop (SHA1: 8d61ce3651eb070c8cdb76a334a16e53ad865572, April 15, 2025, India)
Award Medal Declaration Type.desktop (SHA1: 1814730cb451b930573c6a52f047301bff0b84d1, April 8, 2025, Australia)
These files, often uploaded from India or Australia (possibly via proxies), underscore the global reach of this threat.
Google Threat Intelligence's blog series equips defenders with practical, query-driven approaches for hunting malicious .desktop files. Combining behavioral analysis, process monitoring, and content inspection enables proactive identification of threats across Linux environments.
The provided queries are adaptable, and security teams are encouraged to refine them for internal threat hunting or translate them to other platforms. As .desktop file abuse continues to evolve, such techniques are essential for staying ahead of sophisticated malware campaigns.