Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

Indian government entities were targeted in two campaigns—Gopher Strike and Sheet Attack—using previously undocumented tradecraft attributed to a Pakistan-linked group operating in parallel to APT36. The intrusions use phishing and legitimate services for C2, deploy Golang tools that establish persistence and GitHub-based command-and-control, and ultimately deliver loaders to deploy Cobalt Strike.

Keypoints

  • Two campaigns, Gopher Strike and Sheet Attack, targeted Indian government entities using novel tradecraft.
  • Sheet Attack abused legitimate services like Google Sheets, Firebase, and email for command-and-control operations.
  • Gopher Strike used phishing PDF documents with a fake Adobe update to deliver an ISO only to Windows hosts in India via server-side checks.
  • The Golang downloader GOGITTER creates and schedules a VBScript for persistence, fetches payloads from a private GitHub repo, and signals infection to an “adobe-acrobat[.]in” domain.
  • GITSHELLPAD polls GitHub-hosted command.txt for instructions and uploads results, while GOSHELL acts as a loader for Cobalt Strike and uses size inflation and hostname checks to evade detection.
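
The two network behaviours in the key points above (the infection signal to "adobe-acrobat[.]in" and the repeated fetches of a GitHub-hosted command.txt) can be hunted for in web-proxy logs. The following is an added example, not code from the original report; the log layout, client names, repository path, GitHub host suffixes and polling threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domain as reported on the page, refanged only for matching.
BEACON_DOMAIN = "adobe-acrobat[.]in".replace("[.]", ".")
# Assumption: "GitHub-hosted" means a host under one of these suffixes.
GITHUB_SUFFIXES = ("github.com", "githubusercontent.com")
POLL_THRESHOLD = 3  # assumption: command.txt fetches per client before flagging

def host_matches(host, suffix):
    """True for the suffix itself or a subdomain of it, not a look-alike."""
    return host == suffix or host.endswith("." + suffix)

def hunt(log_lines):
    """Return (beacon_clients, polling_clients) from 'ts client method url' lines."""
    beacons, polls = set(), defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the hunt
        _ts, client, _method, url = parts
        parsed = urlsplit(url)
        host = (parsed.hostname or "").lower()
        if host_matches(host, BEACON_DOMAIN):
            beacons.add(client)
        elif (any(host_matches(host, s) for s in GITHUB_SUFFIXES)
              and parsed.path.lower().endswith("/command.txt")):
            polls[client] += 1
    pollers = {c for c, n in polls.items() if n >= POLL_THRESHOLD}
    return beacons, pollers

# Constructed sample proxy log: hosts, paths and timestamps are made up.
RAW = "https://raw.githubusercontent.com/example-user/example-repo/main/command.txt"
SAMPLE = [
    f"2026-01-20T09:00:01 WS-114 GET https://{BEACON_DOMAIN}/",
    f"2026-01-20T09:00:30 WS-114 GET {RAW}",
    f"2026-01-20T09:01:30 WS-114 GET {RAW}",
    f"2026-01-20T09:02:30 WS-114 GET {RAW}",
    "2026-01-20T09:02:00 WS-220 GET https://github.com/example-org/docs/blob/main/README.md",
    f"2026-01-20T09:03:00 WS-220 GET {RAW}",  # single fetch, below threshold
    "2026-01-20T09:04:00 WS-301 GET https://adobe-acrobat.in.example.com/",  # look-alike host
    "truncated line",
]

if __name__ == "__main__":
    beacon_clients, polling_clients = hunt(SAMPLE)
    print("beacon:", sorted(beacon_clients), "polling:", sorted(polling_clients))
```

A client that appears in both sets is the strongest lead; a single command.txt fetch on its own is common in benign developer traffic, which is why the threshold exists.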

Read More: https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html