Listen to this Post
A Quiet but Dangerous Shift in South Asian Cyber Warfare
Indian government organizations are facing a new wave of sophisticated cyber-espionage campaigns that signal a worrying evolution in regional threat activity. Security researchers have uncovered two previously undocumented operations that blend social engineering, cloud abuse, and custom malware, pointing to a Pakistan-based threat actor operating with unfamiliar techniques. The findings suggest not just another routine phishing effort, but a calculated attempt to quietly infiltrate high-value government targets in India while evading modern detection systems.
the Original Report
Two Covert Campaigns Identified by Researchers
Cybersecurity firm Zscaler ThreatLabz revealed that Indian government entities were targeted in two distinct campaigns, dubbed Gopher Strike and Sheet Attack, first observed in September 2025. These operations demonstrate a coordinated effort to compromise systems using methods that differ from previously tracked threat actors in the region.
Possible Links to Pakistan-Based Threat Groups
According to Zscaler researchers Sudeep Singh and Yin Hong Chang, the activity shows some overlap with the known Pakistan-linked APT36 group. However, analysts assess with medium confidence that these campaigns may originate from a new subgroup or an entirely separate Pakistan-aligned threat actor operating in parallel.
Sheet Attack and Abuse of Trusted Cloud Services
The Sheet Attack campaign relies heavily on legitimate platforms such as Google Sheets, Firebase, and email services for command-and-control communication. By blending malicious traffic with trusted cloud services, the attackers significantly reduce the chances of raising red flags during routine network monitoring.
Gopher Strike’s Phishing-Based Infection Chain
In contrast, Gopher Strike begins with phishing emails carrying PDF attachments. These documents display a blurred image overlaid with a convincing pop-up that urges recipients to download an Adobe Acrobat Reader DC update, creating a sense of urgency and legitimacy.
Geofencing and Targeted Payload Delivery
The fake update mechanism is highly selective. The malicious ISO file is only delivered if the request originates from an Indian IP address and the system uses a Windows User-Agent. These server-side checks effectively block automated security scanners and sandbox tools from retrieving the payload.
Introduction of the GOGITTER Downloader
Once executed, the ISO deploys GOGITTER, a Golang-based downloader. This malware creates a persistent Visual Basic Script in multiple public and user directories and repeatedly contacts command-and-control servers every 30 seconds for further instructions.
Persistence and GitHub-Based Infrastructure
GOGITTER establishes persistence through scheduled tasks and checks for a secondary payload, adobe_update.zip. If missing, it downloads the archive from a private GitHub repository created in mid-2025, highlighting the attacker’s reliance on trusted developer platforms.
Deployment of GITSHELLPAD Backdoor
After infection confirmation, the malware extracts and runs edgehost.exe, deploying GITSHELLPAD, a lightweight Golang backdoor. This tool communicates with attacker-controlled GitHub repositories, polling for commands every 15 seconds and supporting file transfers, command execution, and directory navigation.
Advanced Post-Exploitation Tools
Zscaler also observed attackers deploying additional tools, including RAR archives with system reconnaissance utilities and GOSHELL, a custom Golang loader used to deploy Cobalt Strike Beacon after multiple decoding stages.
Evasion Through File Size Manipulation
Notably, GOSHELL’s executable size was artificially inflated to nearly 1 GB using junk data, likely to bypass antivirus detection. The loader only activates on specific hostnames and removes its traces after execution, reducing forensic evidence on compromised systems.
What Undercode Say:
A Strategic Evolution Rather Than a One-Off Attack
These campaigns reflect a clear strategic shift rather than isolated incidents. The attackers are not merely chasing opportunistic access but appear focused on long-term intelligence collection within Indian government networks.
Cloud Services as the New Stealth Channel
The abuse of Google Sheets, Firebase, and GitHub highlights how modern espionage groups are increasingly weaponizing trusted cloud ecosystems. Blocking such platforms outright is unrealistic, giving attackers a reliable and low-noise communication channel.
Geographic Filtering Signals Precise Intelligence
The use of India-only IP filtering suggests prior reconnaissance and strong confidence in target selection. This level of precision indicates access to intelligence that goes beyond mass phishing campaigns.
Golang Malware on the Rise
The heavy use of Golang-based malware such as GOGITTER, GITSHELLPAD, and GOSHELL reflects a growing trend. Golang binaries are harder to analyze, portable across systems, and often less scrutinized by legacy security tools.
GitHub as a Double-Edged Sword
Private GitHub repositories provide attackers with version control, redundancy, and plausible legitimacy. At the same time, they complicate takedown efforts, especially when repositories are short-lived or frequently rotated.
Cobalt Strike Still Dominates Post-Exploitation
Despite years of exposure, Cobalt Strike remains a favorite for advanced threat actors. Its modularity and familiarity make it a reliable choice once initial access is secured.
Artificial File Inflation as an Evasion Technique
Inflating malware size to extreme levels is an unusual but clever tactic. Many security products deprioritize or skip scanning excessively large binaries, creating a blind spot attackers are now exploiting.
Implications for Indian Government Cyber Defense
These attacks underline the need for behavior-based detection rather than signature-based defenses. Traditional perimeter security is increasingly ineffective against campaigns that blend seamlessly into legitimate traffic.
Regional Cyber Tensions Are Escalating
The suspected Pakistan linkage, even if indirect, adds another layer to ongoing cyber tensions in South Asia. Such campaigns are likely part of broader intelligence-gathering strategies rather than purely criminal operations.
Detection Requires Context, Not Just Alerts
Isolated alerts may not reveal the full attack chain. Only by correlating phishing activity, unusual cloud API usage, and scheduled task creation can defenders uncover the bigger picture.
A Warning Sign for Other Sectors
While government entities are the primary targets, the techniques used here are easily transferable to defense contractors, critical infrastructure, and policy think tanks.
The Cost of Underestimating “Medium Confidence”
Even assessments made with medium confidence deserve serious attention. Historically, many high-impact cyber campaigns were initially underestimated before their full scope became clear.
🔍 Fact Checker Results
Verification of Key Claims
✅ Zscaler ThreatLabz publicly reported the Gopher Strike and Sheet Attack campaigns.
✅ The described malware families and GitHub-based C2 infrastructure align with observed tactics.
❌ No public attribution conclusively confirms a specific Pakistan state sponsor at this time.
📊 Prediction
What Comes Next in This Campaign
📈 These operations are likely to expand beyond initial targets as tooling matures.
📈 Increased use of cloud-hosted C2 channels will challenge traditional detection models.
📈 Similar Golang-based loaders may soon appear in other regional espionage campaigns.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




