Key Takeaways
- Indian government entities have been targeted in two campaigns, Gopher Strike and Sheet Attack, by a threat actor operating in Pakistan.
- The campaigns use previously undocumented tradecraft and may originate from a new subgroup or another Pakistan-linked group.
- The attacks leverage phishing emails, legitimate services like Google Sheets and Firebase, and command-and-control (C2) servers to deliver malicious payloads.
- The malicious payloads include Golang-based downloaders and backdoors, such as GOGITTER and GITSHELLPAD, which allow the threat actors to execute commands and exfiltrate data.
- The threat actors use various techniques to evade detection, including server-side checks, scheduled tasks, and artificially inflating the size of executables.
Introduction to the Threat Actor
The Indian government has been the target of two sophisticated cyber campaigns, codenamed Gopher Strike and Sheet Attack, which were identified by Zscaler ThreatLabz in September 2025. The campaigns are attributed to a threat actor operating in Pakistan, which has used previously undocumented tradecraft to carry out the attacks. Researchers Sudeep Singh and Yin Hong Chang believe that the activity may originate from a new subgroup or another Pakistan-linked group operating in parallel with the known Advanced Persistent Threat (APT) group, APT36.
Gopher Strike Campaign
The Gopher Strike campaign is characterized by the use of phishing emails that deliver PDF documents containing a blurred image with a pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC. The image is designed to give the user the impression that the update is necessary to access the document’s contents. However, clicking the "Download and Install" button triggers the download of an ISO image file, which contains a malicious payload. The ISO file is only delivered to intended targets, as the server-side checks ensure that the file is only downloaded from IP addresses located in India and with a User-Agent string corresponding to Windows.
Sheet Attack Campaign
The Sheet Attack campaign, on the other hand, gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2) purposes. The campaign is assessed to have leveraged phishing emails as a starting point to deliver malicious payloads, which include Golang-based downloaders and backdoors. The malicious payloads are designed to create a Visual Basic Script (VBScript) file, which fetches commands from pre-configured C2 servers every 30 seconds. The script also sets up persistence using a scheduled task, which runs the VBScript file every 50 minutes.
Malicious Payloads and Techniques
The malicious payloads used in the Gopher Strike and Sheet Attack campaigns include GOGITTER, a Golang-based downloader, and GITSHELLPAD, a lightweight Golang-based backdoor. GOGITTER is responsible for creating a VBScript file and setting up persistence, while GITSHELLPAD leverages threat actor-controlled private GitHub repositories for C2. The backdoor polls the C2 server every 15 seconds to access the contents of a file named "command.txt," which contains commands to be executed on the compromised machine. The results of the command execution are stored in a file called "result.txt" and uploaded to the GitHub account via an HTTP PUT request.
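Both backdoors described above poll a legitimate service at a fixed cadence (the VBScript every 30 seconds, GITSHELLPAD every 15 seconds) and push results back with an HTTP PUT. The following added example, which is not code from the Zscaler report or from the malware, shows how a defender can surface that pattern in web-proxy logs: group requests by (source, destination), flag pairs whose inter-request gaps are nearly constant, and list PUT requests from those sources to the same destination. The log lines, IP addresses, repository names and the 20% jitter threshold are all constructed for illustration.

```python
"""Added example (not from the Zscaler report): flag hosts whose requests to one
destination recur at a near-constant interval, as GITSHELLPAD's polling of a
GitHub repository every 15 seconds would, and list HTTP PUT uploads from such
hosts. Log lines, addresses, repository names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp src_ip method host path".
# 10.0.0.5 polls command.txt every 15 s and uploads result.txt with PUT;
# 10.0.0.7 is ordinary, irregular developer traffic to the same API host.
SAMPLE_LOG = """\
2025-09-10T09:00:00 10.0.0.5 GET api.github.com /repos/acme/notes/contents/command.txt
2025-09-10T09:00:15 10.0.0.5 GET api.github.com /repos/acme/notes/contents/command.txt
2025-09-10T09:00:30 10.0.0.5 GET api.github.com /repos/acme/notes/contents/command.txt
2025-09-10T09:00:45 10.0.0.5 GET api.github.com /repos/acme/notes/contents/command.txt
2025-09-10T09:01:00 10.0.0.5 PUT api.github.com /repos/acme/notes/contents/result.txt
2025-09-10T09:01:15 10.0.0.5 GET api.github.com /repos/acme/notes/contents/command.txt
2025-09-10T09:00:03 10.0.0.7 GET api.github.com /repos/acme/tools/contents/README.md
2025-09-10T09:07:41 10.0.0.7 GET api.github.com /repos/acme/tools/releases
2025-09-10T09:31:02 10.0.0.7 GET api.github.com /repos/acme/tools/contents/README.md
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, method, host, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, method, host, path = line.split()
        events.append((datetime.fromisoformat(ts), src, method, host, path))
    return events


def find_beacons(events, min_requests=4, max_jitter_ratio=0.2):
    """Return {(src, host): mean_gap_seconds} for pairs polling at a steady cadence.

    A pair is reported when it has at least min_requests requests and the
    standard deviation of the gaps is within max_jitter_ratio of the mean gap
    (both thresholds are assumptions to tune per environment).
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, _method, host, _path in events:
        stamps_by_pair[(src, host)].append(ts)

    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[pair] = avg
    return beacons


def find_puts(events, beacons):
    """PUT requests from a beaconing source to its beacon destination (possible result upload)."""
    return [(src, path) for _ts, src, method, host, path in events
            if method == "PUT" and (src, host) in beacons]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_beacons(evs)
    for (src, host), gap in found.items():
        print(f"{src} -> {host}: steady polling every {gap:.0f}s")
    for src, path in find_puts(evs, found):
        print(f"{src} uploaded via PUT to {path}")
```

The cadence test is deliberately simple; production beaconing detectors usually add a minimum observation window and tolerate the jitter that real implants introduce, but even this version separates a 15-second poller from a developer who touches the same API host a few times an hour.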
Evasion Techniques
The threat actors behind the Gopher Strike and Sheet Attack campaigns have used various techniques to evade detection. These include server-side checks, scheduled tasks, and artificially inflating the size of executables. For example, the GOSHELL loader, which is used to deliver Cobalt Strike Beacon, has its size artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay. This is likely done to evade detection by antivirus software. Additionally, GOSHELL only executes on specific hostnames by comparing the victim’s hostname against a hard-coded list.
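The inflated-overlay trick described above leaves a measurable trace: the bytes appended after the last section are not covered by any section header. The following added example, which is not the report's code and is not GOSHELL, computes that overlay size from the PE headers alone and flags files whose overlay exceeds a threshold. It builds a tiny constructed PE in memory so it runs offline; the 50 MiB threshold, the `.text` section layout and the file alignment are assumptions chosen for illustration, and on a real sample you would pass the file's bytes to `overlay_size` directly.

```python
"""Added example (not from the Zscaler report): measure the PE overlay, i.e. the
bytes past the end of the last section, to spot executables padded with junk
the way GOSHELL reportedly is. The sample PE built here is constructed."""
import struct

# Assumption for this example: an overlay this large is worth a second look.
# Installers and signed binaries carry small overlays; ~1 GB of junk does not.
INFLATION_THRESHOLD = 50 * 1024 * 1024


def overlay_size(data: bytes) -> int:
    """Return len(file) minus the end of the furthest section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    num_sections, size_of_optional = struct.unpack_from("<2xH12xH2x", data, coff)

    section_table = coff + 20 + size_of_optional
    end_of_sections = 0
    for i in range(num_sections):
        # Section header: Name(8), VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, ... (40 bytes); only the raw size/offset matter here.
        size_raw, ptr_raw = struct.unpack_from("<16xII", data, section_table + i * 40)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return len(data) - end_of_sections


def is_inflated(data: bytes, threshold: int = INFLATION_THRESHOLD) -> bool:
    """True when the overlay is at least `threshold` bytes."""
    return overlay_size(data) >= threshold


def build_sample_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Construct a minimal single-section PE image (headers only, not loadable)."""
    e_lfanew = 0x40
    optional_size = 240                      # size of a PE32+ optional header
    header_bytes = e_lfanew + 4 + 20 + optional_size + 40
    raw_ptr = (header_bytes + 511) // 512 * 512   # assumed file alignment of 512

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, optional_size, 0x22)
    optional = b"\0" * optional_size
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + section_payload + overlay


if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 100, b"")
    padded = build_sample_pe(b"\x90" * 100, b"A" * 1000)
    print("clean overlay:", overlay_size(clean), "bytes")
    print("padded overlay:", overlay_size(padded), "bytes, inflated above 500 B:",
          is_inflated(padded, threshold=500))
```

Because the check reads only the headers and the file length, it is cheap enough to run across a whole mail quarantine or download directory, and it also catches the converse case: a trimmed overlay is a hint that an analyst or sandbox has already truncated the sample.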
Conclusion
The Gopher Strike and Sheet Attack campaigns demonstrate the sophistication and creativity of threat actors operating in Pakistan. The use of previously undocumented tradecraft, legitimate services, and evasion techniques highlights the need for organizations to stay vigilant and adapt their defenses to counter emerging threats. The campaigns also underscore the importance of monitoring and analyzing network traffic, as well as implementing robust security measures to prevent and detect malicious activity. By understanding the tactics, techniques, and procedures (TTPs) used by threat actors, organizations can improve their defenses and reduce the risk of falling victim to similar attacks.