Zscaler ThreatLabz identified two Pakistan-linked campaigns in September 2025—Gopher Strike and Sheet Attack—targeting Indian government entities and using novel Golang tools and private GitHub repositories for C2 and payload staging. The Gopher Strike chain uses spearphishing PDFs leading to an ISO that delivers a Golang downloader (GOGITTER), a GitHub-based backdoor (GITSHELLPAD), and a Golang shellcode loader (GOSHELL) that ultimately deploys a Cobalt Strike Beacon. #GOGITTER #GITSHELLPAD #GOSHELL #CobaltStrike #APT36 #IndianGovernment
Key points
- Two targeted campaigns (Gopher Strike, Sheet Attack) observed in Sept 2025 likely originate from a Pakistan-linked actor targeting Indian government entities.
- Initial access in Gopher Strike used spearphishing PDFs with a fake “Download and Install” prompt that delivers an ISO only to Windows clients originating from India.
- GOGITTER is a new Golang downloader that drops an embedded VBScript (windows_api.vbs), creates a scheduled task for persistence, and downloads adobe_update.zip from a private GitHub repo using an embedded token.
- GITSHELLPAD (edgehost.exe) is a Golang backdoor that uses private GitHub repositories as a bidirectional C2 channel (info.txt/command.txt/result.txt) and supports remote shell, upload/download, and command execution.
- GOSHELL is a large, padded Golang loader that conditionally runs on hardcoded hostnames, decodes multiple shellcode stages, and ultimately loads a stageless Cobalt Strike Beacon (HTTPS, port 443).
- Threat actor staging and C2 infrastructure include private GitHub repos, multiple Adobe-themed domains, CloudFront-hosted payloads, and GitHub REST API abuse for command/exfiltration.
- Zscaler detections flag the activity as Win64.Backdoor.GITSHELLPAD, Win64.Downloader.GOGITTER, and Win64.Backdoor.GOSHELL; Part 2 will cover Sheet Attack and generative-AI use in malware development.
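Added example, not code from the report or from Zscaler: a small static triage script for the padding behaviour described for GOSHELL (a Golang loader whose PE overlay was inflated with junk bytes to roughly 1 GB). It walks the PE section table with the standard library only, measures how much of the file lies past the last section's raw data, and reports the overlay's size, share of the file and byte entropy. The sample PE it analyses is constructed inline (a minimal PE32+ header, one section, and a zero-filled overlay); the 90% ratio and 1 MiB floor in is_padded are assumptions chosen for this illustration, not values from the report.

```python
import math
import struct


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; near 0 for uniform junk such as zero fill, near 8 for packed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def overlay_info(data: bytes) -> dict:
    """Find where the last section's raw data ends and measure everything after it (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    sect_table = e_lfanew + 24 + size_opt                            # first IMAGE_SECTION_HEADER
    image_end = sect_table + 40 * num_sections                       # never shorter than the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        image_end = max(image_end, ptr_raw + size_raw)
    overlay = data[image_end:]
    return {
        "image_end": image_end,
        "overlay_bytes": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "overlay_entropy": shannon_entropy(overlay[:1 << 20]),  # sample the first MiB only
    }


def is_padded(info: dict, min_ratio: float = 0.9, min_overlay: int = 1 << 20) -> bool:
    """Assumed triage rule: the overlay is at least min_overlay bytes and dominates the file."""
    return info["overlay_bytes"] >= min_overlay and info["overlay_ratio"] >= min_ratio


def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32+ with one .text section, used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xF0  # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x22)
    opt = b"\0" * size_opt
    headers_len = e_lfanew + 4 + 20 + size_opt + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                       len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + sect
    header += b"\0" * (raw_ptr - len(header))
    return header + section_bytes + overlay


if __name__ == "__main__":
    padded = build_sample_pe(b"\xcc" * 1024, b"\0" * (4 << 20))
    info = overlay_info(padded)
    print(info, "padded:", is_padded(info))
```

On a real sample, feed the file contents to overlay_info and keep the entropy figure alongside the verdict: low-entropy, very large overlays are typical of size-inflation, whereas a high-entropy overlay more often means an appended encrypted payload or installer data.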
MITRE Techniques
- [T1583.001] Resource Development, Acquire Infrastructure – Domains acquired for C2 and hosting (‘govt-filesharing[.]site and ingov.myartsonline[.]com were acquired for C2 communication.’)
- [T1583.006] Resource Development, Acquire Infrastructure: Web Services – Used private GitHub repositories as a C2 channel and payload host (‘private GitHub repositories as a C2 channel and to host the second-stage payload adobe_update.zip.’)
- [T1585.003] Resource Development, Establish Accounts: Cloud Accounts – Created GitHub accounts and private repos for C2 and payload staging (‘created GitHub accounts to host private repositories for C2 communication and payload staging.’)
- [T1587.001] Resource Development, Develop Capabilities: Malware – Developed custom Golang tools (GOGITTER, GITSHELLPAD, GOSHELL) (‘developed custom malware such as the GOGITTER downloader and GITSHELLPAD.’)
- [T1588.002] Resource Development, Obtain Capabilities: Tool – Obtained and used a leaked Cobalt Strike (‘obtained and used a leaked version of Cobalt Strike.’)
- [T1608.001] Resource Development, Stage Capabilities: Upload Malware – Staged adobe_update.zip in a private GitHub repository (‘staged malware by uploading the adobe_update.zip archive to a private GitHub repository.’)
- [T1566.002] Initial Access, Phishing: Spearphishing Link – Phishing PDFs with a lure linking to a malicious ISO (‘used phishing PDFs which contained a lure with a “Download and Install” button, linking to a malicious ISO file.’)
- [T1059.003] Execution, Command and Scripting Interpreter: Windows Command Shell – GITSHELLPAD executed system commands via cmd (‘executed commands such as net user, systeminfo, and taskkill using a command shell.’)
- [T1059.005] Execution, Command and Scripting Interpreter: Visual Basic – GOGITTER dropped and executed windows_api.vbs, which fetched and ran VBScript commands (‘dropped a VBScript file, windows_api.vbs, and created a scheduled task to execute it. This script then fetched and ran additional VBScript commands from a C2 server using the Execute function.’)
- [T1106] Execution, Native API – GOSHELL used QueueUserAPC to execute second-stage shellcode in-process (‘used the QueueUserAPC native API call to execute the second-stage shellcode within its own process.’)
- [T1053.005] Persistence, Scheduled Task/Job: Scheduled Task – Created a scheduled task to run windows_api.vbs every 50 minutes (‘created a scheduled task … to execute the dropped windows_api.vbs script every 50 minutes.’)
- [T1140] Defense Evasion, Deobfuscate/Decode Files or Information – Loader decodes shellcode and Beacon using HEX decoding and XOR (‘the Cobalt Strike Beacon loader decodes the second-stage shellcode and the Beacon payload using HEX-decoding and XOR operations.’)
- [T1036.004] Defense Evasion, Masquerading: Masquerade Task or Service – Scheduled task named to resemble an Edge update (‘creates a scheduled task, MicrosoftEdge_ConfigurationUpdate_, to mimic a legitimate Microsoft Edge update task for persistence.’)
- [T1036.005] Defense Evasion, Masquerading: Match Legitimate Resource Name or Location – Dropped files use legitimate-looking names (‘drops files with names intended to appear legitimate, such as windows_api.vbs, adobe_update.zip, and edgehost.exe.’)
- [T1055.004] Defense Evasion, Process Injection: Asynchronous Procedure Call – Used APC to execute shellcode in-process (‘executed a second-stage shellcode within its own process using the QueueUserAPC API call.’)
- [T1070.004] Defense Evasion, Indicator Removal: File Deletion – Deleted downloaded archives after use (‘executed the command del /f /q svchost.rar to delete downloaded archive files.’)
- [T1480.001] Execution Guardrails: Environmental Keying – GOSHELL only runs on hardcoded hostnames (‘GOSHELL only executes on specific hostnames by comparing the victim’s hostname against a hardcoded list.’)
- [T1027.001] Defense Evasion, Obfuscated Files or Information: Binary Padding – GOSHELL inflated to ~1 GB with junk bytes to evade detection (‘size was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay.’)
- [T1027.009] Defense Evasion, Obfuscated Files or Information: Embedded Payloads – Binaries contained embedded scripts and shellcode (‘GOGITTER downloader binary contained embedded payloads such as the windows_api.vbs. The GOSHELL shellcode loader contained an embedded second-stage shellcode as well as Cobalt Strike Beacon.’)
- [T1027.013] Defense Evasion, Obfuscated Files or Information: Encrypted/Encoded File – Cobalt Strike payload obfuscated with a 4-byte XOR key (‘Cobalt Strike payload was obfuscated using a 4-byte XOR key (0x51211104).’)
- [T1027.015] Defense Evasion, Obfuscated Files or Information: Compression – Payloads delivered in ZIP/RAR archives (‘the second-stage payload was delivered as a ZIP archive … Post-compromise tools were also downloaded in RAR archives.’)
- [T1553.005] Defense Evasion, Subvert Trust Controls: Mark-of-the-Web Bypass – Payload distributed as an ISO to bypass MOTW controls (‘the malicious payload was distributed as an ISO file, a known method of bypassing Mark-of-the-Web (MOTW) controls.’)
- [T1033] Discovery, System Owner/User Discovery – Executed whoami for user enumeration (‘executed the whoami command as part of post-compromise user reconnaissance activities.’)
- [T1082] Discovery, System Information Discovery – Executed systeminfo and wmic to gather system details (‘executed post-compromise commands such as systeminfo and wmic logicaldisk get name to gather detailed information about the system.’)
- [T1016] Discovery, System Network Configuration Discovery – Used arp -a and curl ifconfig.me/ip to discover network information (‘executed the commands arp -a, curl ifconfig.me/ip and wmic logicaldisk get name to discover the victim’s network configurations.’)
- [T1016.001] Discovery, System Network Configuration Discovery: Internet Connection Discovery – Used curl to test connectivity to C2 (‘executed the command curl -I https://adobe-acrobat[.]in to check for an internet connection to their C2 server.’)
- [T1087.001] Discovery, Account Discovery: Local Account – Enumerated local accounts with net user (‘executed the net user command to enumerate local accounts.’)
- [T1057] Discovery, Process Discovery – Used tasklist to enumerate running processes (‘executed the tasklist command to gather information on active processes.’)
- [T1018] Discovery, Remote System Discovery – Used arp -a to identify other local systems (‘executed the arp -a command to discover other systems on the local network.’)
- [T1560.003] Collection, Archive Collected Data: Archive via Custom Method – Beacon configured to XOR-encrypt C2 output (‘the Cobalt Strike Beacon used was configured to encrypt its C2 output using a XOR mask.’)
- [T1071.001] Command and Control, Application Layer Protocol: Web Protocols – VBScript used HTTP and Beacon used HTTPS for C2 (‘the malicious VBScript fetched commands via HTTP, and the Cobalt Strike Beacon used HTTPS for C2.’)
- [T1102.002] Command and Control, Web Service: Bidirectional Communication – GITSHELLPAD used the GitHub REST API as a bidirectional C2 channel (‘GITSHELLPAD uses a private GitHub repository as a bidirectional C2 channel.’)
- [T1573.001] Command and Control, Encrypted Channel: Symmetric Cryptography – Beacon used XOR masking for C2 encryption (‘Cobalt Strike Beacon was configured to use XOR to encrypt its C2 communications.’)
- [T1573.002] Command and Control, Encrypted Channel: Asymmetric Cryptography – Beacon used HTTPS for secure C2 transport (‘Cobalt Strike Beacon used HTTPS for its C2 channel.’)
- [T1132.001] Command and Control, Data Encoding: Standard Encoding – GITSHELLPAD Base64-encoded system info in info.txt (‘GITSHELLPAD Base64-encoded the victim’s system information before writing it to the info.txt file in the private GitHub C2 repository.’)
- [T1105] Command and Control, Ingress Tool Transfer – Used curl to download post-compromise tools (‘after the initial compromise, the threat actor used curl to download post-compromise tools onto the victim’s machine.’)
- [T1665] Command and Control, Hide Infrastructure – Payload servers respond only to Indian IPs with a Windows User-Agent (‘the server hosting the malicious payloads only responds to requests originating from IP addresses in India that have a User-Agent header indicating a Windows platform.’)
- [T1008] Command and Control, Fallback Channels – windows_api.vbs contained primary and fallback C2 URLs (‘the windows_api.vbs script was configured with both a primary and a backup C2 URL.’)
- [T1567.001] Exfiltration, Exfiltration Over Web Service: Exfiltration to Code Repository – Exfiltrated files to private GitHub repos (‘GITSHELLPAD exfiltrated files to a private, threat actor-controlled GitHub repository.’)
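Added example, not code from the report or from Zscaler: an analyst-side decoder for the T1140 / T1027.013 layout described above, where the loader HEX-decodes a blob and then XORs it with the 4-byte key 0x51211104. The report does not state the key's byte order, so decode_stage tries both and keeps whichever yields a PE ('MZ') image; recover_key shows the known-plaintext shortcut for a repeating 4-byte key (ciphertext XOR expected header bytes). The payload is a constructed stand-in (a DOS-header-like prefix, not a real Beacon), and encode_stage exists only to build that sample.

```python
XOR_KEY = 0x51211104  # 4-byte XOR key the report cites for the Cobalt Strike payload


def xor_rolling(data: bytes, key_bytes: bytes) -> bytes:
    """XOR data against a repeating multi-byte key (symmetric: the same call encodes and decodes)."""
    k = len(key_bytes)
    return bytes(b ^ key_bytes[i % k] for i, b in enumerate(data))


def decode_stage(hex_blob: str, key: int = XOR_KEY) -> tuple:
    """HEX-decode, then XOR with the 4-byte key. Byte order is an assumption, so both are tried
    and the first that produces an 'MZ' header is returned as (plaintext, byte_order)."""
    raw = bytes.fromhex("".join(hex_blob.split()))
    for order in ("little", "big"):
        plain = xor_rolling(raw, key.to_bytes(4, order))
        if plain[:2] == b"MZ":
            return plain, order
    raise ValueError("neither byte order produced an MZ header; key or layout assumption is wrong")


def recover_key(hex_blob: str, known_prefix: bytes = b"MZ\x90\x00") -> bytes:
    """Known-plaintext recovery for a repeating 4-byte key: key = ciphertext[:4] XOR plaintext[:4].
    The default prefix is the usual start of a PE image; adjust if the payload starts differently."""
    raw = bytes.fromhex("".join(hex_blob.split()))
    return bytes(c ^ p for c, p in zip(raw[:4], known_prefix[:4]))


# Constructed stand-in for a payload: a DOS-header-like prefix followed by filler, not a real Beacon.
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(range(0x40))


def encode_stage(payload: bytes, key: int = XOR_KEY, order: str = "little") -> str:
    """Mirror of the assumed loader layout, used only to build the sample: XOR, then HEX-encode."""
    return xor_rolling(payload, key.to_bytes(4, order)).hex()


SAMPLE_HEX = encode_stage(FAKE_PAYLOAD)

if __name__ == "__main__":
    plain, order = decode_stage(SAMPLE_HEX)
    print("byte order:", order, "first bytes:", plain[:16].hex())
    kb = recover_key(SAMPLE_HEX)
    print("recovered key bytes:", kb.hex(), "=", hex(int.from_bytes(kb, "little")))
```

The same xor_rolling routine is what an analyst would reach for when unmasking Beacon C2 output that the report says is XOR-masked, once the mask is known; the recover_key trick only works where the first key-length bytes of plaintext are predictable, which is why a PE header is such a convenient crib.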
Indicators of Compromise
- [File Hashes] Phishing PDFs and dropped binaries – b531b8d72561cb5c88d97986e450bbaeccd0228e9c1bdb4c355d67c98a3233bb (phishing PDF), 0d86b8039cffc384856e17912f3086166a11c0e5f1d1e22e89b4921c7a371dbf (phishing PDF)
- [Filenames] Dropped scripts/binaries used in the attack – windows_api.vbs (VBScript C2 agent), edgehost.exe (GITSHELLPAD backdoor) and adobe_update.zip (staged payload archive)
- [Domains] C2 and payload hosting domains – govt-filesharing[.]site, ingov.myartsonline[.]com, and other domains used for hosting/staging and C2 (e.g., adobe-acrobat[.]in, adobereader-upgrade[.]in, adobecloud[.]site, listsoft-update[.]site, d2i8rh3pkr4ltc.cloudfront[.]net)
- [URLs] Specific C2 and download URLs observed – hxxps://adobe-acrobat[.]in/ninevmc987.php?file=…, hxxp://workspace1.myartsonline[.]com/hpc5985.php?key=… (used for VBScript/GOGITTER C2 and payload delivery)
- [GitHub Repository] Private repository raw hosting for staged payloads – hxxps://raw.githubusercontent[.]com/jaishankai/sockv6/main/adobe_update.zip (GOGITTER downloads adobe_update.zip using an embedded token)
- [Persistence Artifact] Scheduled task pattern used for persistence – MicrosoftEdge_ConfigurationUpdate_ (task created to run windows_api.vbs every 50 minutes)
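Added example, not code from the report or from Zscaler: a proxy-log detection pass that applies the indicators above (domains, the GitHub raw URL, and the info.txt/command.txt/result.txt file names GITSHELLPAD exchanges through the GitHub REST API). The log format is constructed (tab-separated timestamp, client IP, process name, method, URL); the assumption that the backdoor touches repository files through the /repos/{owner}/{repo}/contents/{path} endpoint, the process names, and the three-request polling threshold are illustrative choices, not facts from the report.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Domains from the report's IoC list, with the defanging brackets removed so they match real hostnames.
IOC_DOMAINS = {
    "govt-filesharing.site", "ingov.myartsonline.com", "workspace1.myartsonline.com",
    "adobe-acrobat.in", "adobereader-upgrade.in", "adobecloud.site",
    "listsoft-update.site", "d2i8rh3pkr4ltc.cloudfront.net",
}
C2_FILES = {"info.txt", "command.txt", "result.txt"}   # GITSHELLPAD's repository C2 files (report)
STAGING_EXT = (".zip", ".rar")                          # archive types the report says carried payloads/tools
# Assumption: repository files are read/written via the GitHub REST contents endpoint.
CONTENTS_API = re.compile(r"^/repos/[^/]+/[^/]+/contents/(?P<name>[^/?]+)")
POLL_THRESHOLD = 3  # heuristic: same client fetching the same C2 file this many times


def parse_line(line: str) -> dict:
    """Constructed format: timestamp<TAB>client_ip<TAB>process<TAB>method<TAB>url."""
    ts, client, process, method, url = line.rstrip("\n").split("\t")
    u = urlparse(url)
    return {"ts": ts, "client": client, "process": process, "method": method,
            "host": u.hostname or "", "path": u.path, "url": url}


def classify(rec: dict) -> list:
    """Return the rule names a single request matches."""
    rules = []
    host, path = rec["host"], rec["path"]
    name = path.rsplit("/", 1)[-1]
    if host in IOC_DOMAINS:
        rules.append("ioc_domain")
    if host == "api.github.com":
        m = CONTENTS_API.match(path)
        if m and m.group("name") in C2_FILES:
            rules.append("github_c2_file")
    if host == "raw.githubusercontent.com":
        if name in C2_FILES:
            rules.append("github_c2_file")
        elif name.lower().endswith(STAGING_EXT):
            rules.append("github_raw_payload")
    return rules


def detect(lines) -> list:
    """Per-request rules plus a polling heuristic over the whole batch."""
    alerts, polls = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in classify(rec):
            alerts.append({"rule": rule, "client": rec["client"],
                           "process": rec["process"], "url": rec["url"]})
            if rule == "github_c2_file" and rec["method"] == "GET":
                polls[(rec["client"], rec["host"], rec["path"])] += 1
    for (client, host, path), n in polls.items():
        if n >= POLL_THRESHOLD:
            alerts.append({"rule": "github_polling", "client": client, "process": "",
                           "url": "https://%s%s" % (host, path), "count": n})
    return alerts


def rule_counts(lines) -> dict:
    return dict(Counter(a["rule"] for a in detect(lines)))


# Constructed sample: one infected host (10.20.30.40) and two benign GitHub users.
SAMPLE_LOG = ["\t".join(f) for f in [
    ("2025-09-12T08:58:00Z", "10.20.30.40", "downloader.exe", "GET",
     "https://raw.githubusercontent.com/jaishankai/sockv6/main/adobe_update.zip"),
    ("2025-09-12T09:00:01Z", "10.20.30.40", "edgehost.exe", "GET",
     "https://api.github.com/repos/jaishankai/sockv6/contents/command.txt"),
    ("2025-09-12T09:00:31Z", "10.20.30.40", "edgehost.exe", "GET",
     "https://api.github.com/repos/jaishankai/sockv6/contents/command.txt"),
    ("2025-09-12T09:01:01Z", "10.20.30.40", "edgehost.exe", "GET",
     "https://api.github.com/repos/jaishankai/sockv6/contents/command.txt"),
    ("2025-09-12T09:01:05Z", "10.20.30.40", "edgehost.exe", "PUT",
     "https://api.github.com/repos/jaishankai/sockv6/contents/result.txt"),
    ("2025-09-12T09:05:00Z", "10.20.30.40", "curl.exe", "HEAD", "https://adobe-acrobat.in/"),
    ("2025-09-12T09:00:00Z", "10.20.30.41", "chrome.exe", "GET",
     "https://api.github.com/repos/example-org/example-repo/contents/README.md"),
    ("2025-09-12T09:00:00Z", "10.20.30.42", "chrome.exe", "GET",
     "https://github.com/example-org/example-repo"),
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because GitHub is legitimate traffic almost everywhere, the file-name and endpoint rules matter more than the host itself; the process field is the other useful pivot, since a GitHub contents request from an unexpected binary such as edgehost.exe is far more telling than the same request from a browser or git client.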