Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

AndyC 28 January 2026

Ravie LakshmananJan 27, 2026Threat Intelligence / Cyber Espionage

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft.

Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

Ravie LakshmananJan 27, 2026Threat Intelligence / Cyber Espionage

Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft.

The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025.

“While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel,” researchers Sudeep Singh and Yin Hong Chang said.

Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that’s superimposed by a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC.

Cybersecurity

The main purpose of the image is to give the users an impression that it’s necessary to install the update in order to access the document’s contents. Clicking the “Download and Install” button in the fake update dialog triggers the download of an ISO image file only when the requests originate from IP addresses located in India and the User-Agent string corresponds to Windows.

“These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets,” Zscaler said.

The malicious payload embedded within the ISO image is a Golang-based downloader dubbed GOGITTER that’s responsible for creating a Visual Basic Script (VBScript) file if it does not already exist in the following locations: “C:UsersPublicDownloads,” “C:UsersPublicPictures,” and “%APPDATA%.” The script is designed to fetch VBScript commands every 30 seconds from two pre-configured C2 servers.

GOGITTER also sets up persistence using a scheduled task that’s configured to run the aforementioned VBScript file every 50 minutes. In addition, it ascertains the presence of another file named “adobe_update.zip” in the same three folders. If the ZIP file is not present, it pulls the archive from a private GitHub repository (“github[.]com/jaishankai/sockv6”). The GitHub account was created on June 7, 2025.

Once the download is successful, the attack chain sends an HTTP GET request to the domain “adobe-acrobat[.]in” likely to signal the threat actors that the endpoint has been infected. GOGITTER then extracts and executes “edgehost.exe” from the ZIP file. A lightweight Golang-based backdoor, GITSHELLPAD, leverages threat actor-controlled private GitHub repositories for C2.

Specifically, it polls the C2 server every 15 seconds by means of a GET request to access the contents of a file named “command.txt.” It supports six different commands –

  • cd .., to change working directory to the parent directory
  • cd, to change directory to the specified path
  • run, to run a command in the background without capturing the output
  • upload, to upload a local file specified by the path to the GitHub repository
  • download, to download a file to the specified path
  • default case, to run a command using cmd /c and capture the output
Cybersecurity

The results of the command execution are stored in a file called “result.txt” and uploaded to the GitHub account via an HTTP PUT request. The “command.txt” is then deleted from the GitHub repository once the command is successfully executed.

Zscaler said it observed the threat actor also downloading RAR archives using cURL commands after gaining access to the victim’s machine. The archives include utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader used to deliver Cobalt Strike Beacon after multiple rounds of decoding. The tools are wiped from the machine after use.

“GOSHELL’s size was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay, likely to evade detection by antivirus software,” the cybersecurity company said. “GOSHELL only executes on specific hostnames by comparing the victim’s hostname against a hard-coded list.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware

WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware

AndyC 28 January 2026
ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services

ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services

AndyC 28 January 2026
CTEM in Practice: Prioritization, Validation, and Outcomes That Matter

CTEM in Practice: Prioritization, Validation, and Outcomes That Matter

AndyC 28 January 2026
Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

Microsoft Office Zero-Day (CVE-2026-21509) – Emergency Patch Issued for Active Exploitation

AndyC 28 January 2026
Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

AndyC 28 January 2026
China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023

China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023

AndyC 28 January 2026

You may have missed

When Hospitals Go Dark and Browsers Turn Rogue

When Hospitals Go Dark and Browsers Turn Rogue

AndyC 28 January 2026
Fixes released for a serious Microsoft Office zero-day flaw

NDSS 2025 – On the Robustness Of LDP Protocols For Numerical Attributes Under Data Poisoning Attacks

AndyC 28 January 2026
French authorities to ban Teams, Zoom, other video apps for gov’t use

Power shortages, carbon capture, and AI automation: What’s ahead for data centers in 2026

AndyC 28 January 2026
Celebrating Data Privacy Week with NIST’s Privacy Engineering Program

Celebrating Data Privacy Week with NIST’s Privacy Engineering Program

AndyC 28 January 2026
Shadowserver finds 6,000+ likely vulnerable SmarterMail servers exposed online

Shadowserver finds 6,000+ likely vulnerable SmarterMail servers exposed online

AndyC 28 January 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.