Experts Detect Pakistan-Linked Cyber Campaigns Targeting Indian Government
- Jan 27
Background
Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft. The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025.
Key Findings
- The activity is assessed to potentially originate from a new subgroup or another Pakistan-linked group operating in parallel with the known APT36 group.
- The Gopher Strike campaign uses PDFs containing malicious links and fake prompts to trick victims into downloading an ISO file with a payload.
- The Sheet Attack campaign leverages legitimate services like Google Sheets, Firebase, and email for command-and-control (C2).
- The Gopher Strike payload includes a Golang-based downloader (GOGITTER), a shellcode loader (GOSHELL), and a backdoor (GITSHELLPAD) that abuses GitHub repositories for C2.
- GITSHELLPAD was found targeting Indian government entities using private GitHub repositories for C2.
- The Sheet Attack campaign is assessed to involve the use of generative AI in malware development.
Background
While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, researchers assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel.
Gopher Strike Campaign Details
The Gopher Strike campaign uses PDFs containing malicious links and fake prompts to trick victims into downloading an ISO file with a payload. The malicious payload embedded within the ISO image is a Golang-based downloader dubbed GOGITTER that's responsible for creating a Visual Basic Script (VBScript) file and setting up persistence using a scheduled task.
GOGITTER also downloads a RAR archive from a private GitHub repository, which includes utilities to gather system information and a Golang-based loader called GOSHELL used to deliver Cobalt Strike Beacon.
GITSHELLPAD Backdoor
Perhaps the stealthiest tool in the attackers' kit is GITSHELLPAD, a lightweight Golang-based backdoor that uses threat-actor-controlled private GitHub repositories for C2. It polls the C2 server every 15 seconds to read the contents of a file named "command.txt" and supports various commands to change directories, run commands, upload and download files, and more.
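The fixed 15-second polling of a single file is the kind of cadence a proxy log can reveal. The following is an added detection example written for this summary, not code from Zscaler or from the report; it runs over constructed proxy log lines (the repository name "acme-placeholder" and the hostnames "ws-17"/"ws-22" are invented), and the interval tolerance and minimum-hit threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (timestamp, client, URL), not real data.
# ws-17 fetches the same GitHub file every 15 s; ws-22 makes two unrelated requests.
SAMPLE_LOG = """\
2026-01-27T10:00:00Z ws-17 https://api.github.com/repos/acme-placeholder/ops/contents/command.txt
2026-01-27T10:00:15Z ws-17 https://api.github.com/repos/acme-placeholder/ops/contents/command.txt
2026-01-27T10:00:30Z ws-17 https://api.github.com/repos/acme-placeholder/ops/contents/command.txt
2026-01-27T10:00:45Z ws-17 https://api.github.com/repos/acme-placeholder/ops/contents/command.txt
2026-01-27T10:01:00Z ws-17 https://api.github.com/repos/acme-placeholder/ops/contents/command.txt
2026-01-27T10:00:03Z ws-22 https://github.com/git/git/archive/refs/tags/v2.43.0.zip
2026-01-27T10:01:10Z ws-22 https://raw.githubusercontent.com/git/git/master/README.md
"""

GITHUB_HOSTS = ("api.github.com", "raw.githubusercontent.com", "github.com")
LINE_RE = re.compile(r"^(\S+) (\S+) https?://([^/]+)(/\S*)$")

def parse(log_text):
    """Yield (timestamp, client, host, path) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3), m.group(4)

def find_github_beacons(log_text, period=15.0, tolerance=2.0, min_hits=4):
    """Return {(client, url): mean_interval_seconds} for clients that repeatedly
    fetch the same GitHub URL at a near-constant interval (default: about 15 s)."""
    series = defaultdict(list)
    for ts, client, host, path in parse(log_text):
        if host in GITHUB_HOSTS:
            series[(client, host + path)].append(ts)
    hits = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Regular cadence: mean close to the expected period and little jitter.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = avg
    return hits

if __name__ == "__main__":
    for (client, url), avg in find_github_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every {avg:.1f}s")
```

Legitimate developer traffic to GitHub is bursty and varied, so the combination of one repeated URL plus low-jitter timing, rather than GitHub access alone, is what should raise the alert.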
Sheet Attack Campaign
The Sheet Attack campaign is said to involve the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). While details about this campaign are forthcoming in a subsequent report, Zscaler ThreatLabz has indicated that it involves the use of generative AI in malware development.
Conclusion
The discovery of these new Pakistan-linked cyber campaigns targeting Indian government entities underscores the persistent and evolving threat landscape in the region. Defenders are advised to closely monitor network traffic for connections to private GitHub repositories and scrutinize incoming PDF attachments for ISO payloads.
Sources
https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html
https://securityonline.info/gopher-strike-new-pakistan-linked-cyber-campaigns-target-indian-government/
https://x.com/TheCyberSecHub/status/2016207150897606798
https://www.socdefenders.ai/item/8e39b94f-411e-4626-ab17-9e3609321f8c
https://www.reddit.com/r/SecOpsDaily/comments/1qoldq2/experts_detect_pakistanlinked_cyber_campaigns/