Google Threat Intelligence has launched a new blog series. It aims to help security professionals with threat hunting. The series starts with detecting malicious .desktop files. These files are found on Linux systems. Standard .desktop files define application launch and display. However, recent uploads show new malicious versions. These malicious files use junk code to hide their purpose. Hidden commands execute when users interact with the file. Decoy PDFs on Google Drive often distract victims.
The attack often uses the xdg-open command. This command launches a Google Drive-hosted PDF in a browser. The process involves xdg-open, exo-open, and then exo-helper-2. Exo-helper-2 launches Firefox with the Google Drive URL. This behavior, seen in sandbox analyses, offers hunting clues. For example, exo-helper-2 with specific arguments is suspicious. These arguments include launching a web browser with a Google Drive URL. This is common in XFCE environments.
Google suggests several query-based threat hunting methods.
These methods use behavioral and content analysis. One strategy targets exo-helper-2 processes opening Google Drive URLs. Another extends detection to other Linux desktop environments. This includes GNOME and KDE systems. Leveraging xdg-open artifacts also helps identify malicious files. Content-based detection looks for common strings in these files. Generic .desktop file hunting targets the file header.
This can uncover downloaders or loaders.
Google identified several malicious .desktop files uploaded in 2025. These could be linked to a campaign Zscaler found. Attribution for these samples is currently unconfirmed. Notable samples had deceptive names like “Revised SOP for Webex Meeting”. These files were often uploaded from India or Australia. This indicates the global reach of this threat. Google’s blog series provides practical, query-driven hunting approaches. These strategies are vital as .desktop file abuse evolves.
Reference:
