Google flags malicious use of Linux .desktop files

Google Threat Intelligence has exposed a new cyberattack method exploiting .desktop files, typically benign configuration files in Linux environments, to deploy malware through system-level commands and browser redirection, GBHackers News reports. First flagged by Zscaler researchers in 2023, the attack abuses the Exec field in these files to initiate malicious activity masked behind decoy PDFs hosted on Google Drive.

Analysts observed a surge of such files in early 2025, prompting Google to publish advanced threat-hunting strategies. These include queries targeting process chains like xdg-open and exo-helper-2, often used to open URLs in browsers while deploying hidden payloads. The malicious files are typically padded with thousands of comment lines to obscure their true intent.

Detection tactics focus on suspicious file content patterns and behavioral indicators linked to URL-based payloads, aiding defenders in identifying threats across various Linux desktop environments. While some of the identified samples trace back to countries like India and Australia, the use of proxies makes attribution inconclusive.
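As an added, defender-side illustration (not from the article and not Google's published hunting queries), the Python below parses a .desktop file and flags the traits the report describes: heavy comment-line padding, an Exec field that hands a URL to xdg-open or exo-helper-2, and a shell wrapper chaining further commands behind that URL. The thresholds and the two sample files are constructed assumptions for this example.

```python
import re

# Launchers the report names as pivots for opening URLs from .desktop files.
URL_OPENERS = ("xdg-open", "exo-helper-2")
# Thresholds are assumptions for this example, not figures from the report.
MIN_PADDING_LINES = 200
MIN_COMMENT_RATIO = 0.9

def parse_desktop(text):
    """Count comment and non-blank lines and collect [Desktop Entry] keys."""
    comments = total = 0
    entries = {}
    in_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        total += 1
        if line.startswith("#"):
            comments += 1
        elif line.startswith("["):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return comments, total, entries

def analyze_desktop(text):
    """Return heuristic findings for one .desktop file; empty list means clean."""
    comments, total, entries = parse_desktop(text)
    findings = []
    # Thousands of comment lines in front of a tiny entry is the padding trick.
    if comments >= MIN_PADDING_LINES and comments / max(total, 1) >= MIN_COMMENT_RATIO:
        findings.append("comment_padding")
    exec_line = entries.get("Exec", "")
    # Exec passing a URL to xdg-open / exo-helper-2 is the browser-redirect step.
    if any(o in exec_line for o in URL_OPENERS) and re.search(r"https?://", exec_line):
        findings.append("url_opener")
    # A shell wrapper with command separators hides extra commands behind the URL.
    if re.search(r"\b(sh|bash|dash)\s+-c\b", exec_line) and re.search(r"[;&|]", exec_line):
        findings.append("shell_chain")
    return findings

# Constructed samples (not real malware): a normal launcher and a padded decoy.
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"
SUSPICIOUS = "\n".join(["# padding"] * 300) + (
    "\n[Desktop Entry]\nType=Application\nName=Invoice.pdf\n"
    'Exec=sh -c "xdg-open https://drive.google.com/file/d/EXAMPLE_ID/view; '
    '/tmp/placeholder-second-stage"\nIcon=application-pdf\n'
)
```

Running `analyze_desktop` over every `*.desktop` under a user's autostart and applications directories gives a cheap first-pass triage list; confirming a hit still means looking at the process chain the report points to.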