Google Threat Intelligence Launches Actionable Technique To Hunt for Malicious .Desktop Files


May 14, 2025 - 15:06

Google Threat Intelligence has launched a new blog series aimed at empowering security professionals with advanced threat hunting techniques, kicking off with a deep dive into detecting malicious .desktop files on Linux systems.

.desktop files, standard configuration files in Linux desktop environments, define how applications are launched and displayed.

Following the Desktop Entry Specification, these plain text files typically include keys like Name, Exec, Icon, and Type, starting with the [Desktop Entry] header. However, recent uploads to Google Threat Intelligence reveal a new wave of malicious .desktop files that deviate significantly from this norm.

A typical .desktop file includes the following section header and keys:

[Desktop Entry]
Name=Application Name
Comment=Short description
Exec=/path/to/executable %U
Icon=icon-name
Terminal=false
Type=Application
Categories=Utility;Application;

These files, linked to campaigns possibly related to Zscaler’s 2023 findings, incorporate thousands of lines of junk code—often the # character—to obfuscate their true purpose.

Hidden within this noise is a legitimate .desktop structure, with the Exec key executing malicious commands upon user interaction, such as double-clicking the file.

A common tactic involves using Google Drive to host decoy PDF files, which distract victims while additional malware stages are downloaded in the background.

Anatomy of the Attack

According to the Google report shared via the Google community, when executed, these malicious .desktop files often use the xdg-open command to launch a Google Drive-hosted PDF via the system's default browser, typically Firefox in the XFCE environment used by Google's sandbox.

The process chain involves:

  1. xdg-open: Identifies the desktop environment and delegates to environment-specific helpers.
  2. exo-open: In XFCE, forwards the request to open the URL.
  3. exo-helper-2: Uses MIME type configurations to launch Firefox with the Google Drive URL.

This behavior, illustrated in sandbox analyses, provides multiple hunting opportunities. For instance, the use of exo-helper-2 with arguments like --launch WebBrowser and a Google Drive URL is a strong indicator of suspicious activity.

Figure: File structure

Threat Hunting Strategies

Google Threat Intelligence proposes several query-based hunting methods to detect these files, leveraging behavioral and content analysis:

Below is a table summarizing the threat hunting strategies for detecting malicious .desktop files as outlined by Google Threat Intelligence, including the query details and their purposes.

| Hunting Strategy | Query | Purpose |
|---|---|---|
| Targeting exo-helper-2 Processes | behavior_processes:"--launch WebBrowser" behavior_processes:"https://drive.google.com/" | Identifies samples (e.g., .desktop and ELF files) triggering Google Drive URLs, offering a focused detection rule for XFCE environments. |
| Broadening to All URL-Opening Processes | (behavior:"xdg-open" or behavior:"exo-open" or behavior:"exo-helper-2" or behavior:"gio open" or behavior:"kde-open") and behavior_processes:"https://drive.google.com/" | Extends detection to GNOME (gio open) and KDE (kde-open) environments, capturing a wider range of malicious behaviors involving Google Drive URLs. |
| Leveraging xdg-open Artifacts (1) | behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" filename:"*.desktop" | Pinpoints .desktop files by detecting commands executed by xdg-open to identify XFCE environments, as seen in sandbox reports. |
| Leveraging xdg-open Artifacts (2) | behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" behavior_processes:"https://drive.google.com/" | Combines XFCE environment detection with Google Drive URL behavior to identify related malicious samples. |
| Leveraging xdg-open Artifacts (3) | behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" (behavior_processes:"https://drive.google.com/" or (behavior_processes:"http" behavior_processes:".pdf")) | Expands detection by combining XFCE environment detection with behaviors involving Google Drive or other PDF-hosting URLs. |
| Content-Based Detection | content:{45 78 65 63 3d 62 61 73 68 20 2d 63 20 22} content:{4e 61 6d 65 3d} content:{2e 70 64 66} content:{5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d} | Targets common strings in malicious .desktop files (Exec=bash -c ", Name=, .pdf, [Desktop Entry]) using hexadecimal patterns. |
| Generic .Desktop File Hunting | content:{5b4465736b746f7020456e7472795d}@0 p:1+ | Detects .desktop files acting as downloaders or loaders by targeting the [Desktop Entry] header at offset 0, uncovering samples like those initiating cryptocurrency miners. |
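As an added example (not code from the Google Threat Intelligence post or from this article), the Python script below applies the hex content patterns from the table, the URL-opener process names, and the junk-padding trait described earlier to raw .desktop file bytes for local triage. The two sample files are constructed for the demonstration, and the Google Drive URL uses a placeholder id.

```python
import re

# Hex content patterns from the hunting table above (decoded value in the comment).
CONTENT_PATTERNS = {
    "exec_bash_c": "45 78 65 63 3d 62 61 73 68 20 2d 63 20 22",             # Exec=bash -c "
    "name_key": "4e 61 6d 65 3d",                                           # Name=
    "pdf_decoy": "2e 70 64 66",                                             # .pdf
    "desktop_entry_header": "5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d", # [Desktop Entry]
}
URL_OPENERS = ("xdg-open", "exo-open", "exo-helper-2", "gio open", "kde-open")

def content_hits(data: bytes) -> dict:
    """True for each pattern found anywhere in the raw bytes (the content: operators)."""
    return {name: bytes.fromhex(h) in data for name, h in CONTENT_PATTERNS.items()}

def junk_ratio(data: bytes) -> float:
    """Share of lines that are blank or only '#' padding, the junk the samples hide behind."""
    lines = data.splitlines()
    junk = sum(1 for ln in lines if re.fullmatch(rb"\s*#*\s*", ln))
    return junk / len(lines) if lines else 0.0

def exec_command(data: bytes) -> str:
    """Exec= value as text, skipping the junk lines; '' when the key is missing."""
    m = re.search(rb"^Exec=(.*)$", data, re.M)
    return m.group(1).decode("utf-8", "replace") if m else ""

def triage(data: bytes) -> dict:
    """Combine the content rule, the opener-plus-Drive-URL behaviour and the junk heuristic."""
    hits, cmd = content_hits(data), exec_command(data)
    content_rule = all(hits.values())                       # all four byte patterns present
    drive_via_opener = "https://drive.google.com/" in cmd and any(o in cmd for o in URL_OPENERS)
    ratio = junk_ratio(data)
    padded_entry = ratio > 0.9 and hits["desktop_entry_header"]
    return {"content_rule": content_rule, "drive_via_opener": drive_via_opener,
            "header_at_offset0": data.startswith(bytes.fromhex(CONTENT_PATTERNS["desktop_entry_header"])),
            "junk_ratio": round(ratio, 3),
            "suspicious": content_rule or drive_via_opener or padded_entry}

# Constructed samples (not real files): a normal launcher and one shaped like the described samples.
BENIGN = b"[Desktop Entry]\nName=Text Editor\nExec=/usr/bin/gedit %U\nIcon=gedit\nType=Application\n"
MALICIOUS = (b"#\n" * 2000
             + b"[Desktop Entry]\nName=Award Medal Declaration Form.pdf\n"
             + b'Exec=bash -c "xdg-open https://drive.google.com/file/d/EXAMPLE_ID/view"\n'
             + b"Terminal=false\nType=Application\n"
             + b"#\n" * 2000)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, triage(sample))
```

The header_at_offset0 field mirrors the @0 anchor of the generic query: it is true for the plain launcher but false for the padded sample, whose header sits after the junk, which is why the unanchored content rule is also needed.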

Google Threat Intelligence identified several .desktop files uploaded in 2025, potentially linked to the Zscaler-attributed campaign, though attribution remains unconfirmed. Notable samples include:

  • Opportunity for Exercise, Re Exercise of Option for pay Fixation.desktop (SHA1: c2f0f011eabb4fae94e7a5973f1f05208e197db983a09e2f7096bcff69a794d1, April 30, 2025, India)
  • Revised SOP for Webex Meeting – MOD.desktop (SHA1: 8d61ce3651eb070c8cdb76a334a16e53ad865572, April 15, 2025, India)
  • Award Medal Declaration Form.desktop (SHA1: 1814730cb451b930573c6a52f047301bff0b84d1, April 8, 2025, Australia)

These files, often uploaded from India or Australia (potentially via proxies), underscore the global reach of this threat.

Google Threat Intelligence’s blog series equips defenders with practical, query-driven approaches to hunt malicious .desktop files. Combining behavioral analysis, process tracking, and content inspection enables proactive identification of threats across Linux environments.

The provided queries are adaptable, encouraging security teams to refine them for internal threat hunting or translate them to other platforms. As .desktop file abuse continues to evolve, such strategies are critical for staying ahead of sophisticated malware campaigns.


The post Google Threat Intelligence Launches Actionable Technique To Hunt for Malicious .Desktop Files appeared first on Cyber Security News.