A sophisticated new wave of cyberespionage campaigns targeting the Indian government has been exposed, utilizing custom-built tools and legitimate infrastructure to evade detection. Security researchers at Zscaler ThreatLabz have uncovered two distinct operations, dubbed “Gopher Strike” and “Sheet Attack,” which appear to be the work of a threat actor operating out of Pakistan.
The campaigns, first detected in September 2025, introduce a suite of previously undocumented malware tools, signaling a potential evolution or expansion of the region’s cyber capabilities.
While the tactics bear resemblance to APT36 (also known as Transparent Tribe)—a well-known Pakistan-linked Advanced Persistent Threat group—researchers suggest this might be a fresh entity.

“We assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel,” the report states.
The first campaign, Gopher Strike, is notable for its reliance on Golang, a language increasingly favored by malware authors because its statically linked binaries run across platforms and are comparatively tedious to reverse engineer.
The attack chain begins with a lure. “The Gopher Strike campaign uses PDFs containing malicious links and fake prompts to trick victims into downloading an ISO file with a payload.”
Once the payload runs, the attackers deploy three custom tools:
- GOGITTER: A Golang-based downloader that serves as the initial foothold.
- GOSHELL: A shellcode loader that deploys a Cobalt Strike Beacon.
- GITSHELLPAD: The stealthiest tool in the kit, a backdoor that abuses a trusted developer platform to hide its command-and-control traffic.
According to the report, GITSHELLPAD was found “targeting Indian government entities using private GitHub repositories for C2.” By routing traffic through GitHub over HTTPS, the attackers blend their command-and-control exchanges with the ordinary developer traffic that many networks already allow, which makes the beaconing much harder for defenders to spot.
While Gopher Strike stands out for its stealthy infrastructure, the second campaign, Sheet Attack, points in a different direction. Details are promised in a subsequent report, but Zscaler ThreatLabz has said that this campaign involves “the use of generative AI in malware development.”
This suggests that threat actors in the region are not just relying on established techniques but are actively experimenting with next-generation tools to enhance their offensive capabilities.
The discovery underscores the persistent and evolving threat landscape in South Asia. Zscaler ThreatLabz states that these campaigns were identified in September 2025, so the operations are recent and likely ongoing.
Government entities in the region are advised to review proxy and DNS logs for GitHub API traffic from hosts that have no development role, to treat repeated fetches of a single repository path as possible beaconing, and to inspect incoming PDF attachments for links that lead to ISO downloads, blocking or sandboxing disk images that arrive that way.
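As an added example (not part of the Zscaler report or this article), the following Python sketch implements the two checks above against constructed sample data: a proxy-log triage that flags GitHub API traffic from hosts outside a developer allowlist and applies a simple polling heuristic, and a raw scan of PDF bytes for link annotations whose target is a disk image. The log format, host names, allowlist and the PDF fragment are all assumptions made up for this example.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry). Assumed format:
# <timestamp> <client host> <method> <URL> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2025-09-03T08:00:01Z build-01 GET https://api.github.com/repos/acme/ci/contents/build.yaml "git/2.43.0"
2025-09-03T08:00:05Z hr-pc-12 GET https://api.github.com/repos/x9f2k/notes/contents/tasks.txt "Go-http-client/1.1"
2025-09-03T08:01:05Z hr-pc-12 GET https://api.github.com/repos/x9f2k/notes/contents/tasks.txt "Go-http-client/1.1"
2025-09-03T08:02:05Z hr-pc-12 GET https://api.github.com/repos/x9f2k/notes/contents/tasks.txt "Go-http-client/1.1"
2025-09-03T08:02:30Z hr-pc-12 GET https://www.example.com/ "Mozilla/5.0"
2025-09-03T08:03:00Z fin-pc-04 GET https://github.com/acme/handbook/blob/main/README.md "Mozilla/5.0"
"""

# Hosts with a legitimate reason to use the GitHub API (assumed; in practice from an asset inventory).
DEVELOPER_HOSTS = {"build-01", "dev-laptop-07"}

# Only the API/raw endpoints are checked: a browser visit to github.com from a
# non-developer is normal, a programmatic contents fetch from one is not.
GITHUB_API_HOSTS = {"api.github.com", "raw.githubusercontent.com"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
LogEntry = namedtuple("LogEntry", "ts host method url ua")


def parse_proxy_log(text):
    """Parse the assumed log format; malformed lines are skipped rather than raising."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(LogEntry(*m.groups()))
    return entries


def github_api_from_unexpected_hosts(entries, developer_hosts=DEVELOPER_HOSTS):
    """Entries where a host outside the developer allowlist talks to the GitHub API."""
    hits = []
    for e in entries:
        dest = urlparse(e.url).hostname or ""
        if dest in GITHUB_API_HOSTS and e.host not in developer_hosts:
            hits.append(e)
    return hits


def polling_paths(entries, min_hits=3):
    """(host, url) pairs fetched repeatedly; the same repo file re-read every
    minute is the shape a repository-backed C2 channel leaves in proxy logs."""
    counts = Counter((e.host, e.url) for e in entries)
    return {k: n for k, n in counts.items() if n >= min_hits}


# Constructed minimal PDF fragment (not a real lure) with two link annotations.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20] "
    b"/A << /S /URI /URI (https://files.example.invalid/report.iso) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://intranet.example.invalid/policy.pdf) >> >> endobj\n"
)

# Matches literal-string URI actions only; hex strings and compressed object
# streams need a real PDF parser (see the note below).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
DISK_IMAGE_EXT = (".iso", ".img", ".vhd", ".vhdx")


def pdf_links(pdf_bytes):
    """All literal /URI targets found in the raw PDF bytes."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf_bytes)]


def suspicious_pdf_links(pdf_bytes, exts=DISK_IMAGE_EXT):
    """Links whose URL path ends in a disk-image extension."""
    return [u for u in pdf_links(pdf_bytes)
            if urlparse(u).path.lower().endswith(exts)]


if __name__ == "__main__":
    entries = parse_proxy_log(SAMPLE_PROXY_LOG)
    for e in github_api_from_unexpected_hosts(entries):
        print("GitHub API from non-developer host:", e.host, e.url, e.ua)
    for (host, url), n in polling_paths(entries).items():
        print(f"polling: {host} fetched {url} {n} times")
    for u in suspicious_pdf_links(SAMPLE_PDF):
        print("PDF links to disk image:", u)
```

The regex scan is a triage shortcut: it will miss URIs stored as hex strings or inside compressed object streams, so anything that scores clean here should still go through a proper PDF parser (pikepdf, for instance) before being trusted. The allowlist approach for GitHub traffic is deliberately coarse; its value comes from pairing it with the polling heuristic, since a single API call from an odd host is noise but the same private-repo path pulled on a timer is not.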