ZSCALER ThreatLabz researchers have uncovered two distinct operations, Gopher Strike and Sheet Attack, purportedly conducted by a Pakistan-linked threat actor and aimed at Indian government entities. The campaigns, first detected in September 2025, employ custom tools and legitimate infrastructure to evade detection, with Gopher Strike relying on Golang for cross‑platform capabilities and stealth.
The Gopher Strike chain starts with PDFs containing malicious links and fake prompts that prompt victims to download an ISO payload, after which GOGITTER acts as the initial foothold, followed by GOSHELL to deploy a Cobalt Strike Beacon and GITSHELLPAD, a backdoor that communicates via private GitHub repositories to hide C2 traffic.
According to the report, GITSHELLPAD was found targeting Indian government entities using private GitHub repositories for C2, routing traffic through GitHub to blend with legitimate network activity. While Sheet Attack is described as involving generative AI in malware development, researchers say this could indicate a move toward next‑generation tooling by a fresh Pakistan‑linked group, possibly operating in parallel with known actors such as APT36.