Indian government entities targeted in new Pakistan-linked cyber campaigns
Indian government entities have been targeted in two cyber espionage campaigns attributed to a Pakistan-based threat actor employing previously undocumented techniques, according to new findings from Zscaler ThreatLabz.

The campaigns, dubbed ‘Gopher Strike’ and ‘Sheet Attack,’ were discovered in September 2025. While the activity shows overlaps with the known Pakistan-linked advanced persistent threat group APT36, researchers said the operations may point to a new subgroup or another threat actor operating in parallel.

Sheet Attack relies on legitimate platforms such as Google Sheets, Firebase, and email for command-and-control (C&C), allowing the attackers to blend malicious traffic with normal network activity. Gopher Strike, on the other hand, begins with phishing emails delivering PDF files that display a blurred image and a fake prompt urging users to download an Adobe Acrobat Reader DC update.

Clicking the “Download and Install” button triggers the download of a malicious ISO file only if the request originates from an Indian IP address and carries a Windows user agent. According to Zscaler, these server-side checks are designed to evade automated malware analysis tools and restrict delivery to the intended targets.

The ISO file contains a Golang-based downloader called ‘GOGITTER,’ which creates a Visual Basic Script (VBScript) file in multiple public and application data directories. The script periodically retrieves commands from attacker-controlled C&C servers and is configured to run persistently via a scheduled task.
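As an added illustration of how a defender might hunt for the persistence pattern described above (this is not code from Zscaler or from the report), the Python below flags scheduled tasks that launch a .vbs through wscript or cscript from a public or application-data directory. The task names, paths and rows are constructed sample data in the shape of `schtasks /query /fo CSV /v` output, not indicators from the campaign.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# trimmed to the columns this check needs. Names and paths are made up.
SAMPLE_TASKS_CSV = r"""TaskName,Task To Run,Schedule Type
\Microsoft\Windows\Defrag\ScheduledDefrag,%windir%\system32\defrag.exe -c -h -k -g,Weekly
\AdobeUpdater,wscript.exe C:\Users\Public\update.vbs,Every 5 minutes
\OneDrive Standalone Update Task,%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,Daily
\SysHelper,cscript.exe //nologo C:\Users\alice\AppData\Roaming\sys\helper.vbs,Every 10 minutes
"""

# A Windows script host launching the task action.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.IGNORECASE)

# A .vbs path under a user-writable location: the Public profile or AppData,
# written either literally or via the usual environment variables.
VBS_IN_WRITABLE_DIR = re.compile(
    r"(?:C:\\Users\\Public|\\AppData\\(?:Roaming|Local)"
    r"|%APPDATA%|%LOCALAPPDATA%|%PUBLIC%)[^\s,\"]*\.vbs\b",
    re.IGNORECASE,
)


def flag_suspicious_tasks(csv_text):
    """Return the names of tasks whose action runs a .vbs via a script host
    from a public or application-data directory, in file order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        if SCRIPT_HOSTS.search(action) and VBS_IN_WRITABLE_DIR.search(action):
            hits.append(row["TaskName"])
    return hits


if __name__ == "__main__":
    for name in flag_suspicious_tasks(SAMPLE_TASKS_CSV):
        print("suspicious scheduled task:", name)
```

A legitimate script-based task can match too, so treat hits as triage candidates and confirm against the .vbs contents and the task's creation time.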

If a secondary payload archive (adobe_update.zip) is not found locally, GOGITTER downloads it from a private GitHub repository. The archive deploys GITSHELLPAD, a lightweight Golang backdoor that also uses private GitHub repositories for C&C, polling for commands and uploading execution results before removing traces.

Zscaler additionally observed the attackers deploying reconnaissance tools and GOSHELL, a custom Golang loader used to deliver Cobalt Strike Beacon. GOSHELL was artificially inflated to nearly 1 GB to evade antivirus detection and configured to execute only on specific hostnames.