India in the Crosshairs: New Pakistan-Linked Cyber Espionage Campaigns Exposed

Listen to this Post

Featured ImageA Quiet but Dangerous Shift in South Asian Cyber Warfare

Indian government organizations are facing a new wave of sophisticated cyber-espionage campaigns that signal a worrying evolution in regional threat activity. Security researchers have uncovered two previously undocumented operations that blend social engineering, cloud abuse, and custom malware, pointing to a Pakistan-based threat actor operating with unfamiliar techniques. The findings suggest not just another routine phishing effort, but a calculated attempt to quietly infiltrate high-value government targets in India while evading modern detection systems.

the Original Report

Two Covert Campaigns Identified by Researchers

Cybersecurity firm Zscaler ThreatLabz revealed that Indian government entities were targeted in two distinct campaigns, dubbed Gopher Strike and Sheet Attack, first observed in September 2025. These operations demonstrate a coordinated effort to compromise systems using methods that differ from previously tracked threat actors in the region.

Possible Links to Pakistan-Based Threat Groups

According to Zscaler researchers Sudeep Singh and Yin Hong Chang, the activity shows some overlap with the known Pakistan-linked APT36 group. However, analysts assess with medium confidence that these campaigns may originate from a new subgroup or an entirely separate Pakistan-aligned threat actor operating in parallel.

Sheet Attack and Abuse of Trusted Cloud Services

The Sheet Attack campaign relies heavily on legitimate platforms such as Google Sheets, Firebase, and email services for command-and-control communication. By blending malicious traffic with trusted cloud services, the attackers significantly reduce the chances of raising red flags during routine network monitoring.

Gopher Strike’s Phishing-Based Infection Chain

In contrast, Gopher Strike begins with phishing emails carrying PDF attachments. These documents display a blurred image overlaid with a convincing pop-up that urges recipients to download an Adobe Acrobat Reader DC update, creating a sense of urgency and legitimacy.

Geofencing and Targeted Payload Delivery

The fake update mechanism is highly selective. The malicious ISO file is only delivered if the request originates from an Indian IP address and the system uses a Windows User-Agent. These server-side checks effectively block automated security scanners and sandbox tools from retrieving the payload.

Introduction of the GOGITTER Downloader

Once executed, the ISO deploys GOGITTER, a Golang-based downloader. This malware creates a persistent Visual Basic Script in multiple public and user directories and repeatedly contacts command-and-control servers every 30 seconds for further instructions.

Persistence and GitHub-Based Infrastructure

GOGITTER establishes persistence through scheduled tasks and checks for a secondary payload, adobe_update.zip. If missing, it downloads the archive from a private GitHub repository created in mid-2025, highlighting the attacker’s reliance on trusted developer platforms.

Deployment of GITSHELLPAD Backdoor

After infection confirmation, the malware extracts and runs edgehost.exe, deploying GITSHELLPAD, a lightweight Golang backdoor. This tool communicates with attacker-controlled GitHub repositories, polling for commands every 15 seconds and supporting file transfers, command execution, and directory navigation.

Advanced Post-Exploitation Tools

Zscaler also observed attackers deploying additional tools, including RAR archives with system reconnaissance utilities and GOSHELL, a custom Golang loader used to deploy Cobalt Strike Beacon after multiple decoding stages.

Evasion Through File Size Manipulation

Notably, GOSHELL’s executable size was artificially inflated to nearly 1 GB using junk data, likely to bypass antivirus detection. The loader only activates on specific hostnames and removes its traces after execution, reducing forensic evidence on compromised systems.

What Undercode Say:

A Strategic Evolution Rather Than a One-Off Attack

These campaigns reflect a clear strategic shift rather than isolated incidents. The attackers are not merely chasing opportunistic access but appear focused on long-term intelligence collection within Indian government networks.

Cloud Services as the New Stealth Channel

The abuse of Google Sheets, Firebase, and GitHub highlights how modern espionage groups are increasingly weaponizing trusted cloud ecosystems. Blocking such platforms outright is unrealistic, giving attackers a reliable and low-noise communication channel.

Geographic Filtering Signals Precise Intelligence

The use of India-only IP filtering suggests prior reconnaissance and strong confidence in target selection. This level of precision indicates access to intelligence that goes beyond mass phishing campaigns.

Golang Malware on the Rise

The heavy use of Golang-based malware such as GOGITTER, GITSHELLPAD, and GOSHELL reflects a growing trend. Golang binaries are harder to analyze, portable across systems, and often less scrutinized by legacy security tools.

GitHub as a Double-Edged Sword

Private GitHub repositories provide attackers with version control, redundancy, and plausible legitimacy. At the same time, they complicate takedown efforts, especially when repositories are short-lived or frequently rotated.

Cobalt Strike Still Dominates Post-Exploitation

Despite years of exposure, Cobalt Strike remains a favorite for advanced threat actors. Its modularity and familiarity make it a reliable choice once initial access is secured.

Artificial File Inflation as an Evasion Technique

Inflating malware size to extreme levels is an unusual but clever tactic. Many security products deprioritize or skip scanning excessively large binaries, creating a blind spot attackers are now exploiting.

Implications for Indian Government Cyber Defense

These attacks underline the need for behavior-based detection rather than signature-based defenses. Traditional perimeter security is increasingly ineffective against campaigns that blend seamlessly into legitimate traffic.

Regional Cyber Tensions Are Escalating

The suspected Pakistan linkage, even if indirect, adds another layer to ongoing cyber tensions in South Asia. Such campaigns are likely part of broader intelligence-gathering strategies rather than purely criminal operations.

Detection Requires Context, Not Just Alerts

Isolated alerts may not reveal the full attack chain. Only by correlating phishing activity, unusual cloud API usage, and scheduled task creation can defenders uncover the bigger picture.

A Warning Sign for Other Sectors

While government entities are the primary targets, the techniques used here are easily transferable to defense contractors, critical infrastructure, and policy think tanks.

The Cost of Underestimating “Medium Confidence”

Even assessments made with medium confidence deserve serious attention. Historically, many high-impact cyber campaigns were initially underestimated before their full scope became clear.

🔍 Fact Checker Results

Verification of Key Claims

✅ Zscaler ThreatLabz publicly reported the Gopher Strike and Sheet Attack campaigns.
✅ The described malware families and GitHub-based C2 infrastructure align with observed tactics.
❌ No public attribution conclusively confirms a specific Pakistan state sponsor at this time.

📊 Prediction

What Comes Next in This Campaign

📈 These operations are likely to expand beyond initial targets as tooling matures.
📈 Increased use of cloud-hosted C2 channels will challenge traditional detection models.
📈 Similar Golang-based loaders may soon appear in other regional espionage campaigns.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon