Ravie Lakshmanan, Jan 27, 2026 | Threat Intelligence / Cyber Espionage
Indian government entities have been targeted in two campaigns undertaken by a Pakistan-based threat actor using previously undocumented tradecraft.
The campaigns have been codenamed Gopher Strike and Sheet Assault by Zscaler ThreatLabz, which identified them in September 2025.
"While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel," researchers Sudeep Singh and Yin Hong Chang said.
Sheet Assault gets its name from its use of legitimate services such as Google Sheets, Firebase, and email for command-and-control (C2). Gopher Strike, on the other hand, is assessed to have used phishing emails as the starting point to deliver PDF documents containing a blurred image overlaid with a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC.
The main purpose of the image is to give users the impression that installing the update is necessary to access the document's contents. Clicking the "Download and Install" button in the fake update dialog triggers the download of an ISO image file only when the request originates from an IP address located in India and the User-Agent string corresponds to Windows.
"These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets," Zscaler said.
The malicious payload embedded within the ISO image is a Golang-based downloader dubbed GOGITTER, which is responsible for creating a Visual Basic Script (VBScript) file if it does not already exist in the following locations: "C:\Users\Public\Downloads," "C:\Users\Public\Pictures," and "%APPDATA%." The script is designed to fetch VBScript commands every 30 seconds from two pre-configured C2 servers.
GOGITTER also sets up persistence using a scheduled task configured to run the aforementioned VBScript file every 50 minutes. In addition, it checks for the presence of another file named "adobe_update.zip" in the same three folders. If the ZIP file is not present, it pulls the archive from a private GitHub repository ("github[.]com/jaishankai/sockv6"). The GitHub account was created on June 7, 2025.
Once the download succeeds, the attack chain sends an HTTP GET request to the domain "adobe-acrobat[.]in," likely to signal to the threat actors that the endpoint has been infected. GOGITTER then extracts and executes "edgehost.exe" from the ZIP file, a lightweight Golang-based backdoor tracked as GITSHELLPAD that uses threat actor-controlled private GitHub repositories for C2.
Specifically, it polls the C2 server every 15 seconds via a GET request to read the contents of a file named "command.txt." It supports six different commands:
cd .., to change the working directory to the parent directory
cd, to change the working directory to the specified path
run, to run a command in the background without capturing the output
upload, to upload a local file specified by path to the GitHub repository
download, to download a file to the specified path
default case, to run a command using cmd /c and capture the output
The results of the command execution are saved in a file called "result.txt" and uploaded to the GitHub account via an HTTP PUT request. The "command.txt" file is then deleted from the GitHub repository once the command has been successfully executed.
Zscaler said it also observed the threat actor downloading RAR archives using cURL commands after gaining access to the victim's machine. The archives include utilities to gather system information and to drop GOSHELL, a bespoke Golang-based loader used to deliver Cobalt Strike Beacon after several rounds of decoding. The tools are wiped from the machine after use.
"GOSHELL's size was artificially inflated to roughly 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay, likely to evade detection by antivirus software," the cybersecurity company said. "GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list."
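The overlay inflation described above is something a defender can measure directly: bytes that sit past the end of the last PE section belong to no section and are never mapped by the loader. The following is an added example, not code from Zscaler or from the article, that parses the section table to compute the overlay size and flags files where the overlay dominates (the 0.9 ratio threshold and the `build_sample_pe` helper that constructs a minimal, non-loadable PE layout for demonstration are assumptions).

```python
import struct

DOS_HEADER_LEN = 0x40
SECTION_HEADER_LEN = 40


def pe_overlay_bytes(data: bytes) -> int:
    """Return the overlay size: bytes past the end of the last section's raw data.

    Legitimate binaries usually have a small or empty overlay (Authenticode
    signature, installer stub); a loader padded with junk to reach ~1 GB shows
    an overlay that is almost the whole file.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    end_of_sections = section_table + num_sections * SECTION_HEADER_LEN
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_LEN
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def looks_inflated(data: bytes, min_ratio: float = 0.9) -> bool:
    """Flag a file whose overlay makes up at least min_ratio of its total size (assumed threshold)."""
    return pe_overlay_bytes(data) / len(data) >= min_ratio


def build_sample_pe(section: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE layout (one section, not loadable) used only to exercise the parser."""
    opt_hdr = bytes(240)  # zeroed PE32+ optional header; only its length matters here
    section_table = DOS_HEADER_LEN + 24 + len(opt_hdr)
    raw_ptr = (section_table + SECTION_HEADER_LEN + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", DOS_HEADER_LEN)  # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt_hdr), 0x22)
    sect = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr) + bytes(16)
    img = dos + coff + opt_hdr + sect
    img += bytes(raw_ptr - len(img)) + section
    return img + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 1024, b"\x00" * (1 << 20))  # 1 KiB of code, 1 MiB of junk
    print(f"overlay bytes: {pe_overlay_bytes(sample)}, inflated: {looks_inflated(sample)}")
```

A large overlay alone is not proof of malice (signed installers carry payloads there), so treat the ratio as a triage signal to pair with the hostname check and GitHub C2 traffic the article describes.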
