Pakistan-Linked Hackers Target Indian Government With GitHub-Based Malware

Two campaigns use legitimate services and geo-targeting to evade detection and deliver Cobalt Strike

Image caption: Attackers abused private GitHub repositories for command and control infrastructure

Indian government entities were hit by two cyber campaigns in September 2025 using GitHub repositories for command and control. The attacks filtered victims by IP address and delivered backdoors only to Windows users in India.

Indian government entities were targeted in two cyber campaigns discovered by Zscaler ThreatLabz in September 2025. The campaigns, codenamed Gopher Strike and Sheet Attack, likely originate from a Pakistan-linked threat actor with possible connections to APT36. A new report from CloudSEK documents APT36's use of Crimson RAT malware in May 2025, exploiting the Pahalgam terror attack to infiltrate Indian defense networks through phishing campaigns. Researchers assessed with medium confidence that the activity identified in the September campaigns might come from a new subgroup or another Pakistan-linked operator working in parallel.

The server hosting the fake Adobe update lure performs checks before delivering the payload. It serves the ISO file only when the request originates from an IP address in India and carries a User-Agent string corresponding to Windows. These server-side filters keep automated URL analysis tools from fetching the malware: security scanners running outside India or on non-Windows systems receive nothing.

The ISO image contains GOGITTER, a Golang-based downloader. Once executed, GOGITTER creates a Visual Basic Script (VBScript) file in each of three locations where one does not already exist: C:\Users\Public\Downloads, C:\Users\Public\Pictures, and %APPDATA%. The VBScript fetches commands every 30 seconds from two pre-configured command and control servers.

GOGITTER establishes persistence through a scheduled task configured to run the VBScript file every 50 minutes. The malware then checks for a file named adobe_update.zip in the same three folders. If the ZIP file is absent, GOGITTER pulls the archive from a private GitHub repository at github[.]com/jaishankai/sockv6. The GitHub account was created on June 7, 2025.

After successful download, the attack chain sends an HTTP GET request to the domain adobe-acrobat[.]in. This request likely signals to the threat actors that the endpoint has been compromised. GOGITTER then extracts and executes edgehost.exe from the ZIP archive. This executable is GITSHELLPAD, a lightweight Golang-based backdoor that uses threat actor-controlled private GitHub repositories for command and control.

GitHub as Command Infrastructure

GITSHELLPAD polls its command and control repository on GitHub every 15 seconds, sending a GET request for the contents of a file named command.txt. The backdoor supports six different commands. The cd .. command changes the working directory to the parent directory. The cd command changes to a specified path. The run command executes commands in the background without capturing output. The upload command sends local files to the GitHub repository. The download command retrieves files to a specified path. Any other input falls through to the default case, which runs it with cmd /c and captures the output.

Command execution results are stored in a file called result.txt and uploaded to the GitHub account via HTTP PUT requests. After successful execution, the command.txt file is deleted from the repository. This method allows attackers to control infected machines through legitimate GitHub infrastructure while avoiding traditional command and control detection methods.
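As an added example (not from the Zscaler report and not the malware's own code), the following Python detector runs over constructed proxy-log lines and flags the loop described above: fixed-period GETs for command.txt against GitHub, followed by a PUT of result.txt and a DELETE of the command file. The log format and the api.github.com contents-API paths are assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy-log sample (not from the report): "<time> <src> <method> <host> <path> <status>".
# The api.github.com contents-API paths are assumed; the report names only command.txt/result.txt.
LOG = """\
2025-09-10T10:00:00Z 10.1.1.7 GET api.github.com /repos/acme/x/contents/command.txt 404
2025-09-10T10:00:15Z 10.1.1.7 GET api.github.com /repos/acme/x/contents/command.txt 404
2025-09-10T10:00:30Z 10.1.1.7 GET api.github.com /repos/acme/x/contents/command.txt 404
2025-09-10T10:00:45Z 10.1.1.7 GET api.github.com /repos/acme/x/contents/command.txt 200
2025-09-10T10:00:46Z 10.1.1.7 PUT api.github.com /repos/acme/x/contents/result.txt 201
2025-09-10T10:00:47Z 10.1.1.7 DELETE api.github.com /repos/acme/x/contents/command.txt 200
2025-09-10T10:01:00Z 10.1.1.7 GET api.github.com /repos/acme/x/contents/command.txt 404
2025-09-10T10:00:03Z 10.1.1.9 GET api.github.com /repos/acme/web/contents/README.md 200
2025-09-10T10:09:12Z 10.1.1.9 GET api.github.com /repos/acme/web/contents/README.md 200
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|PUT|DELETE) (\S+) (\S+) (\d{3})$", re.M)

def parse(text):
    """Return (epoch seconds, src, method, host, path) tuples sorted by time."""
    rows = []
    for m in LINE.finditer(text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((ts.timestamp(), m.group(2), m.group(3), m.group(4), m.group(5)))
    return sorted(rows)

def find_github_beacons(text, period=15.0, jitter=2.0, min_polls=4):
    """Flag sources polling one GitHub path on a fixed period; note PUT result.txt / DELETE too."""
    gets, puts, deletes = defaultdict(list), set(), set()
    for ts, src, method, host, path in parse(text):
        if not host.endswith("github.com"):
            continue
        if method == "GET":
            gets[(src, path)].append(ts)
        elif method == "PUT" and path.endswith("/result.txt"):
            puts.add(src)
        elif method == "DELETE":
            deletes.add((src, path))
    hits = []
    for (src, path), times in gets.items():
        if len(times) < min_polls:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]  # regular spacing is the beacon signature
        if abs(statistics.median(gaps) - period) <= jitter and statistics.pstdev(gaps) <= jitter:
            hits.append({"src": src, "path": path, "polls": len(times),
                         "result_upload": src in puts, "command_deleted": (src, path) in deletes})
    return hits
```

Ordinary developer traffic to GitHub (the README.md fetches in the sample) is not flagged because it is neither frequent nor regularly spaced.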

Zscaler observed the threat actor downloading RAR archives using cURL commands after gaining access to victim machines. The archives include utilities designed to gather system information and deploy GOSHELL, a custom Golang-based loader. GOSHELL delivers Cobalt Strike Beacon after multiple rounds of decoding. The tools are removed from the machine after use.

GOSHELL was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable overlay. This technique evades antivirus software that may skip scanning extremely large files due to performance considerations. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. This targeting prevents the malware from running on researcher systems or sandbox environments.
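As an added example, not from the report, this Python check measures a PE file's overlay (the bytes past the last section's raw data) so that binaries inflated the way GOSHELL was can be surfaced for triage instead of skipped. The sample PE it builds is a constructed, non-loadable skeleton, and the size and ratio thresholds are assumptions to tune.

```python
import struct

def overlay_info(data):
    """Return (overlay_bytes, overlay_ratio) for a PE image, or None if it is not a PE.
    The overlay is everything after the last section's raw data; inflated loaders push it near 1.0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    end = table + 40 * nsect
    for i in range(nsect):
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))
    overlay = len(data) - end
    return overlay, overlay / len(data)

def is_inflated(data, min_overlay=256 * 1024 * 1024, min_ratio=0.9):
    """Assumed thresholds: an overlay of 256 MiB or more that is 90%+ of the file is worth triage."""
    info = overlay_info(data)
    return info is not None and info[0] >= min_overlay and info[1] >= min_ratio

def build_sample_pe(overlay_len):
    """Constructed, non-loadable PE skeleton: one .text section of 0x200 raw bytes, then junk overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew: PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # 1 section, no optional hdr
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + sect + b"\x90" * 0x200 + b"J" * overlay_len

if __name__ == "__main__":
    sample = build_sample_pe(4 * 1024 * 1024)
    print(overlay_info(sample), is_inflated(sample, min_overlay=1024 * 1024))
```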

Sheet Attack Campaign

Sheet Attack takes a different approach to command and control infrastructure. This campaign uses legitimate services including Google Sheets, Firebase, and email for command and control communications. The use of trusted services makes detection more difficult because security tools typically allow traffic to Google services by default.

Both campaigns demonstrate sophisticated evasion techniques. Geo-targeting ensures payloads only reach intended victims. User-agent filtering blocks automated analysis tools. File size inflation bypasses antivirus scanning limits. Hostname whitelisting prevents execution in analysis environments. Abuse of legitimate services like GitHub and Google Sheets blends malicious traffic with normal business activity.

The threat actor's operational security includes wiping tools after use and leveraging private repositories that require authentication to access. Command files are deleted immediately after execution. The June 2025 creation date of the GitHub account suggests recent infrastructure setup specifically for these campaigns.



FAQ

Which campaigns targeted Indian government entities?

Two campaigns called Gopher Strike and Sheet Attack were discovered in September 2025 by Zscaler ThreatLabz. Both campaigns are likely linked to Pakistan-based threat actors.

How did the fake Adobe update filter victims?

The server checked IP addresses and User-Agent strings before delivering malware. The ISO file only downloaded for requests from Indian IP addresses using Windows systems.

What is GOGITTER?

GOGITTER is a Golang-based downloader that creates VBScript files, establishes persistence through scheduled tasks, and pulls additional payloads from private GitHub repositories.

How does GITSHELLPAD use GitHub for command and control?

GITSHELLPAD polls a file called command.txt every 15 seconds on GitHub repositories, executes commands, uploads results to result.txt, and deletes command files after execution.

Why was GOSHELL inflated to 1 gigabyte?

The file size was artificially increased by adding junk bytes to evade antivirus software that skips scanning extremely large files for performance reasons.