Indian government entities have been targeted in two campaigns, first noted in September 2025, that Zscaler ThreatLabz identifies as Gopher Strike and Sheet Attack and that are attributed to a Pakistan-based threat actor. According to Zscaler ThreatLabz, Sheet Attack uses legitimate services such as Google Sheets, Firebase and email for its command-and-control, while Gopher Strike is believed to start with phishing emails delivering PDFs that present a harmless-looking update pop-up.
The operation employs a Golang downloader named GOGITTER to create a VBScript file in multiple user folders and to fetch commands from two private C2 servers, with persistence via a scheduled task that runs the VBScript every 50 minutes. A lightweight backdoor, GITSHELLPAD, polls its C2 every 15 seconds, supports six commands including cd, run, upload and download, and uploads results to a private GitHub repository; the command file is deleted after execution.
The attackers also download RAR archives containing system information utilities and a bespoke loader named GOSHELL, which is used to deliver Cobalt Strike Beacon, with the malware’s PE overlay inflated to about 1 gigabyte to evade detection.
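For triage of the overlay inflation described above, the following added example (not code from the Zscaler report or from this page) measures how much of a PE file lies beyond its last section, using only the file's header bytes and its size on disk. The 0.9 ratio threshold and the sample header are assumptions constructed for illustration.

```python
import struct

SECTION_HEADER_SIZE = 40
OVERLAY_RATIO_THRESHOLD = 0.9  # assumed triage threshold, not from the report

def end_of_sections(header: bytes) -> int:
    """Return the file offset where the last section's raw data ends."""
    if header[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    if header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # COFF file header follows the signature
    (num_sections,) = struct.unpack_from("<H", header, coff + 2)
    (opt_size,) = struct.unpack_from("<H", header, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from(
            "<II", header, table + i * SECTION_HEADER_SIZE + 16)
        if raw_size:                          # skip sections with no data on disk
            end = max(end, raw_ptr + raw_size)
    return end

def overlay_report(header: bytes, file_size: int) -> dict:
    """Overlay = bytes after the last section (this also counts any signature blob)."""
    end = end_of_sections(header)
    overlay = max(0, file_size - end)
    ratio = overlay / file_size if file_size else 0.0
    return {"sections_end": end, "overlay_bytes": overlay,
            "suspicious": ratio >= OVERLAY_RATIO_THRESHOLD}

def build_sample_header() -> bytes:
    """Constructed minimal PE header: one section with raw data at 0x200..0x600."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section

if __name__ == "__main__":
    hdr = build_sample_header()
    # Simulate a file whose sections end at 0x600 followed by 1 GiB of padding.
    print(overlay_report(hdr, 0x600 + 2**30))
```

On a real file, pass the first few kilobytes as `header` and the size from the filesystem as `file_size`, so a gigabyte-sized sample never has to be read into memory.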