Do Son 
Google Threat Intelligence has published a new set of advanced threat-hunting techniques aimed at uncovering malicious .desktop files—an unconventional yet increasingly exploited attack vector. These plain-text configuration files, traditionally used in Linux to define application launch shortcuts, are now being weaponized as conduits for delivering malicious code.
The tactic was first documented by Zscaler’s team in 2023, when researchers discovered that threat actors had begun embedding harmful commands within the Exec variable of .desktop files, disguising the malicious activity as legitimate PDF file launches hosted on Google Drive. Owing to seamless integration with utilities like xdg-open, gio open, exo-open, and kde-open, these weaponized files stealthily launch the user’s browser while concurrently fetching secondary payloads.
A recent surge in suspicious .desktop file uploads to Google’s analysis platform prompted a deeper investigation. The analysis revealed that these files are often padded with thousands of # characters interspersed between legitimate lines, a tactic designed to obfuscate their true purpose. Though they conform to the Desktop Entry specification, hidden within are commands that invoke the Bash shell and execute scripts to retrieve malicious code.
Google Threat Intelligence has presented a comprehensive report detailing behavioral execution chains for such files. In one observed sequence, a command is passed from xdg-open to exo-open, and then to exo-helper-2, which opens a link in Firefox. Simultaneously, a concealed installation of cryptocurrency miners or other malicious ELF binaries may be triggered. This approach heavily exploits default Linux behaviors, relying on the system’s inherent trust in .desktop files.
To mitigate such threats, Google experts have proposed a series of targeted threat-hunting queries. For instance, analysts can search for arguments like --launch WebBrowser paired with Google Drive URLs—an indicator of potential malicious behavior. Other queries focus on behavioral signatures involving utilities such as xdg-open, exo-open, and kde-open, alongside telltale commands like /usr/bin/grep -i ^xfce_desktop_window or /usr/bin/xprop -root.
For broader detection, the report recommends scanning for the key string [Desktop Entry] at the beginning of files or constructs like Exec=bash -c, especially when accompanied by content download operations. These patterns assist in identifying both self-launching applications and loaders for malicious libraries.
The report also highlights newly submitted samples from 2025, which appear to be linked to the original attack documented by Zscaler. Although the file upload origins span multiple countries, this does not necessarily reflect the victims’ locations, as attackers often leverage proxies and VPNs to mask their infrastructure.
This evolving threat landscape underscores the critical importance of vigilance, even when dealing with familiar file formats and routine execution flows—channels through which attackers increasingly chart their path into targeted systems.
Donate