T1547.013 XDG Autostart Entries in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 30, 2026 2:00:00 PM

What Is T1547.013 XDG Autostart Entries in MITRE ATT&CK?

T1547.013 XDG Autostart Entries is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to the use of XDG Autostart Entries in Linux systems to automatically execute applications when a user logs into their desktop environment.

The XDG Autostart mechanism utilizes .desktop files stored in specific directories, such as /etc/xdg/autostart or ~/.config/autostart. These files define the applications that should start automatically during the user’s session initialization. This functionality is primarily intended to provide convenience by launching user applications automatically, but it can also be exploited by adversaries for malicious purposes.

To read about other sub-techniques of the T1547 Boot Logon or Auto Start Execution technique, you can visit the related hub blog.

Adversary Use of T1547.013 XDG Autostart Entries

Adversaries targeting Linux systems exploit XDG Autostart Entries to achieve persistence by ensuring that malicious applications are executed automatically upon user login. By manipulating the .desktop files in XDG Autostart directories, attackers can cause their malicious programs to run each time the user’s desktop environment starts, giving them consistent access.

Adversaries typically alter existing autostart entries or create new ones to launch their malicious payloads silently during login. This technique allows them to ensure that their malicious code is executed every time the user logs in, without any user intervention. By taking advantage of the system’s built-in functionality for legitimate auto-start applications, adversaries can effectively maintain a stealthy presence and evade detection from users and basic security monitoring tools.

Procedure Examples Used by Adversaries in Red Report 2026

A notable example of this technique was documented in early React2Shell exploitation in December 2025 [1]. In that campaign, the EtherRAT malware used XDG Autostart Entries to persist on infected Linux systems.

EtherRAT created a .desktop file in the ~/.config/autostart/ directory with random filenames to avoid detection:

// Code snippet for XDG autostart persistence, as recovered from the minified sample.
// The single-letter names are the sample's aliases: o, p and n evidently map to Node's
// path, crypto and fs modules, M is the user's home directory and P is the payload path.
const a2 = o.join(M, ".config", "autostart");   // per-user autostart directory
const a3 = p.randomBytes(6).toString("hex");    // 6 random bytes -> 12-character hex filename
const a4 = o.join(a2, a3 + ".desktop");         // e.g. ~/.config/autostart/<hex>.desktop

// Write a minimal Application entry that points at the payload and is flagged as hidden.
n.writeFileSync(a4, `[Desktop Entry]
Type=Application
Name=System Service
Exec=${P}
Hidden=true
NoDisplay=true
X-GNOME-Autostart-enabled=true`);

Here is the technical explanation of each part of that snippet:

Autostart File: The .desktop file was created in the ~/.config/autostart/ directory. Desktop environments such as GNOME scan this directory at session start and launch every .desktop entry it contains, so the malware is triggered at each login without user interaction.

Hidden and NoDisplay Flags: The Hidden=true and NoDisplay=true flags were set in the .desktop file, preventing the entry from appearing in application menus or the UI, making it invisible to the user and avoiding detection by casual inspection.

Exec=${P}: The Exec field defined the exact command to execute, where ${P} referred to the path of the malicious payload. This ensured that the malware payload was executed automatically every time the user logged in, leveraging the autostart mechanism for persistence.

By using this method, EtherRAT ensured it ran undetected, establishing long-term access to the system with minimal chance of removal.

Procedure Examples Used by Adversaries in Red Report 2025

A notable example of this technique was observed in campaigns conducted by the Transparent Tribe, also known as APT36, between late 2023 and April 2024 [2]. This group targeted Indian government, defense, and aerospace sectors, using Python-based ELF downloaders to create .desktop files in the ~/.config/autostart directory. These files were specifically crafted to execute malicious payloads whenever a user logged in, ensuring persistent access to compromised systems. To evade detection, the .desktop files were designed to mimic legitimate system files, reflecting the group's advanced operational methods and ability to blend malicious activity into normal system behavior.

In a similar but more recent case, the DISGOMOJI malware, identified in June 2024, also leveraged XDG Autostart Entries to maintain persistence on Linux systems [3]. As part of its attack strategy, DISGOMOJI dropped .desktop files such as GNOME_Core.desktop or GNOME_GNU.desktop into the ~/.config/autostart directory. These files were designed to ensure the malware's automatic execution at every user login, even after system reboots. To obfuscate its presence further, DISGOMOJI padded the content of the .desktop files with tens of thousands of # characters, which do not affect functionality but serve to confuse investigators or delay forensic analysis.

An example of the .desktop file content added by DISGOMOJI is as follows:

[Desktop Entry]
Name=GNU Core Service
Exec=/home/user/.x86_64-linux-gnu/vmcoreinfo
Type=Application
X-GNOME-Autostart-enabled=true

This configuration ensures that the executable /home/user/.x86_64-linux-gnu/vmcoreinfo is run automatically whenever the desktop environment loads. By leveraging XDG Autostart Entries in this manner, DISGOMOJI achieves a stealthy and reliable persistence mechanism, enabling its malicious activities to continue uninterrupted without requiring further interaction from the attacker.

Together, these examples highlight the versatility and effectiveness of XDG Autostart Entries as a persistence technique on Linux systems, making it a preferred choice for advanced threat actors.
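A defender reviewing a Linux host wants to turn the traits described above into a check: entries in the two autostart directories whose filename is twelve random hex characters (EtherRAT), whose Hidden or NoDisplay keys are set, whose Exec points into a dotted directory under a home directory (DISGOMOJI's /home/user/.x86_64-linux-gnu/...), or whose body is padded with thousands of # characters. The following scanner is an added example written for this page, not code from Picus or from any of the cited reports; the sample entries are constructed to mirror the quoted ones, the Exec path in the EtherRAT-style sample is a placeholder, and the padding and filename thresholds are assumptions.

```python
"""Scan XDG autostart directories for .desktop entries with the traits seen in
EtherRAT and DISGOMOJI persistence (constructed example, not vendor code)."""
import re
import tempfile
from pathlib import Path

# Directories named by the XDG autostart spec: system-wide and per-user.
AUTOSTART_DIRS = ["/etc/xdg/autostart", str(Path.home() / ".config" / "autostart")]
# 6 random bytes rendered as hex gives a 12-character name (EtherRAT pattern).
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{12}\.desktop$")
# Exec pointing into a dotted directory directly under /home/<user> or /root.
HIDDEN_HOME_PATH = re.compile(r"^(?:/home/[^/\s]+|/root)/\.")
PADDING_BYTES = 10_000  # assumed threshold for "padded with # characters"


def parse_desktop_entry(text):
    """Return ({key: value} from the [Desktop Entry] group, bytes of comment lines)."""
    keys, comment_bytes, in_group = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comment_bytes += len(line)
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys, comment_bytes


def assess_entry(filename, text):
    """Return a list of indicator strings for one autostart file (empty if clean)."""
    keys, comment_bytes = parse_desktop_entry(text)
    findings = []
    if keys.get("Type") != "Application":
        return findings  # only Application entries are launched by the session
    if RANDOM_HEX_NAME.match(filename):
        findings.append("random-hex filename")
    # Flag the keys as a combination rather than trusting any one: per the XDG
    # autostart spec Hidden=true means "ignore this entry", so legitimate
    # autostart files rarely carry it at all.
    if any(keys.get(k, "").lower() == "true" for k in ("Hidden", "NoDisplay")):
        findings.append("Hidden/NoDisplay set on an autostart entry")
    if HIDDEN_HOME_PATH.match(keys.get("Exec", "")):
        findings.append("Exec targets a hidden directory under a home directory")
    if comment_bytes > PADDING_BYTES:
        findings.append(f"comment padding ({comment_bytes} bytes)")
    return findings


def scan_autostart(dirs=AUTOSTART_DIRS):
    """Map each suspicious .desktop path under the given directories to its findings."""
    results = {}
    for d in (Path(d) for d in dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.desktop")):
            try:
                findings = assess_entry(f.name, f.read_text(errors="replace"))
            except OSError:
                continue
            if findings:
                results[str(f)] = findings
    return results


# Constructed samples modelled on the entries quoted above (not real captures).
SAMPLE_ETHERRAT = """[Desktop Entry]
Type=Application
Name=System Service
Exec=/home/user/.local/share/.svc/agent
Hidden=true
NoDisplay=true
X-GNOME-Autostart-enabled=true
"""
SAMPLE_DISGOMOJI = """[Desktop Entry]
Name=GNU Core Service
Exec=/home/user/.x86_64-linux-gnu/vmcoreinfo
Type=Application
X-GNOME-Autostart-enabled=true
""" + "\n".join(["#" * 60] * 2000) + "\n"
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Print Queue Applet
Exec=/usr/bin/system-config-printer-applet
X-GNOME-Autostart-enabled=true
"""
SAMPLES = {
    "3f9a1c7b2e4d.desktop": SAMPLE_ETHERRAT,
    "GNOME_Core.desktop": SAMPLE_DISGOMOJI,
    "print-applet.desktop": SAMPLE_BENIGN,
}


def demo():
    """Write the samples into a temporary autostart directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            (Path(tmp) / name).write_text(body)
        return {Path(k).name: v for k, v in scan_autostart([tmp]).items()}


if __name__ == "__main__":
    for path, findings in (demo() or scan_autostart()).items():
        print(path, "->", "; ".join(findings))
```

Run it as-is to see the two constructed malicious samples flagged and the benign one ignored; drop the demo() call to scan the live directories of the current user. The comment-padding check counts bytes of # lines rather than trusting a single key, because the padding is what distinguishes the DISGOMOJI files from ordinary entries with the same four keys.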

References

[1] Sysdig, “EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks,” Sysdig, Dec. 08, 2025. Available: https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks. [Accessed: Dec. 17, 2025]

[2] BlackBerry, “Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages,” BlackBerry, May 22, 2024. Available: https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors. [Accessed: Dec. 16, 2024]

[3] Volexity, “DISGOMOJI Malware Used to Target Indian Government,” Volexity, Jun. 13, 2024. Available: https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/. [Accessed: Dec. 16, 2024]