Google Threat Intelligence has launched a new blog series aimed at empowering security professionals with advanced threat hunting techniques, kicking off with a deep dive into detecting malicious .desktop files on Linux systems.

Google Threat Intelligence identified several .desktop files uploaded in 2025, potentially linked to the Zscaler-attributed campaign, though attribution remains unconfirmed. According to the Google report shared via the Google community, when executed, these malicious .desktop files often use the xdg-open command to launch a Google Drive-hosted PDF via the system's default browser, typically Firefox in the XFCE environment used by Google's sandbox. However, recent uploads to Google Threat Intelligence reveal a new wave of malicious .desktop files that deviate significantly from this norm.

Below is a table summarizing the threat hunting strategies for detecting malicious .desktop files as outlined by Google Threat Intelligence, including the query details and their purposes.

Strategy: (name not preserved in the source)
Query: xfce_desktop_window" (behavior_processes:" ; or (behavior_processes:"http" behavior_processes:".pdf")) (the start of the query and one value are not preserved in the source)
Purpose: Expands detection by combining XFCE environment detection with behaviors involving Google Drive or other PDF-hosting URLs.

Strategy: Content-Based Detection
Query: content:{45 78 65 63 3d 62 61 73 68 20 2d 63 20 22} content:{4e 61 6d 65 3d} content:{2e 70 64 66} content:{5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d}
Purpose: Targets common strings in malicious .desktop files (Exec=bash -c ", Name=, .pdf, [Desktop Entry]) using hexadecimal patterns.

Strategy: Generic .desktop File Hunting
Query: content:{5b4465736b746f7020456e7472795d}@0 p:1+
Purpose: Detects .desktop files acting as downloaders or loaders by targeting the [Desktop Entry] header, uncovering samples like those initiating cryptocurrency miners.

Google Threat Intelligence's blog series equips defenders with practical, query-driven approaches to hunt malicious .desktop files.
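As an added illustration (not code from the article or from Google Threat Intelligence), the following Python reproduces the table's indicators locally: it decodes the content:{...} hex patterns, checks for the [Desktop Entry] header at offset 0, and looks for an http PDF URL and xdg-open in the Exec= line. The two .desktop samples and the example.invalid URL are constructed for the demo.

```python
# The content:{...} hex patterns quoted in the table above, as the hunting platform writes them.
CONTENT_PATTERNS = {
    "exec_bash_c": "45 78 65 63 3d 62 61 73 68 20 2d 63 20 22",
    "name_key": "4e 61 6d 65 3d",
    "pdf_string": "2e 70 64 66",
    "desktop_header": "5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d",
}

# Constructed samples for this demo, not files from the article; the URL is a placeholder.
SUSPICIOUS = b'[Desktop Entry]\nType=Application\nName=Invoice.pdf\nExec=bash -c "xdg-open https://example.invalid/report.pdf"\nTerminal=false\n'
BENIGN = b"[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nTerminal=false\n"

def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Turn a content:{..} hex pattern (spaced or unspaced) into the raw bytes it matches."""
    return bytes.fromhex(pattern.replace(" ", ""))

def parse_desktop_entry(text: str) -> dict[str, str]:
    """Minimal key=value reader for the [Desktop Entry] group; comments and other groups are ignored."""
    keys: dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys

def triage_desktop_file(data: bytes) -> list[str]:
    """Return the names of the table's indicators that fire on one .desktop file."""
    findings: list[str] = []
    if data.startswith(hex_pattern_to_bytes(CONTENT_PATTERNS["desktop_header"])):
        findings.append("desktop_entry_at_offset_0")  # the @0 modifier of the generic hunt
    if all(hex_pattern_to_bytes(p) in data for p in CONTENT_PATTERNS.values()):
        findings.append("all_content_patterns")  # the combined content-based query
    entry = parse_desktop_entry(data.decode("utf-8", errors="replace"))
    exec_line = entry.get("Exec", "")
    # Static analogue of behavior_processes:"http" together with behavior_processes:".pdf".
    if "http" in exec_line and ".pdf" in exec_line:
        findings.append("http_pdf_url_in_exec")
    if "xdg-open" in exec_line:
        findings.append("xdg_open_in_exec")
    # Lure check: the displayed Name masquerades as a PDF document.
    if entry.get("Name", "").lower().endswith(".pdf"):
        findings.append("pdf_lure_name")
    return findings
```

Run triage_desktop_file over a directory of ~/.local/share/applications or autostart entries to get a quick first pass before submitting candidates to the hunting platform.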
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 14 May 2025 09:15:12 +0000