Advanced persistent threat actors operating from Pakistan have launched coordinated attacks against Indian government organizations using newly discovered tools and malware designed to bypass security defenses. <\/p>\n
The campaign, identified as Gopher Strike, emerged in September 2025 and represents a significant escalation in targeted cyber operations against sensitive government infrastructure. <\/p>\n
This coordinated assault demonstrates the growing sophistication of state-sponsored threat actors who continue refining their technical capabilities and operational procedures.<\/p>\n
The attack chain begins with carefully crafted phishing emails<\/a> containing deceptive PDF documents that impersonate legitimate government communications. <\/p>\n These PDFs display blurred images of official documents and use social engineering tactics to trick recipients into downloading an ISO file by clicking a button labeled \u201cDownload and Install,\u201d which appears to request a fake Adobe Acrobat update.<\/p>\n The malicious ISO file remains dormant until activated, containing hidden malware<\/a> designed to establish persistent access to compromised systems.<\/p>\n The infection mechanism relies on three custom-built tools written in Golang that work in concert to establish control over targeted machines. <\/p>\n Zscaler analysts and researchers identified<\/a> GOGITTER as the initial downloader component that fetches additional payloads from threat actor-controlled GitHub repositories using embedded authentication tokens. <\/p>\n Once deployed, GOGITTER creates a VBScript file called windows_api.vbs that continuously polls command-and-control servers every 30 seconds, checking for new instructions to execute on the infected machine.<\/p>\n GITSHELLPAD represents the campaign\u2019s most distinctive element, functioning as a lightweight backdoor that leverages private GitHub repositories for all command-and-control communication. <\/p>\n This approach allows the threat actor to hide malicious traffic within legitimate-looking GitHub activity, making detection significantly more difficult for security monitoring tools. <\/p>\n Upon infection, GITSHELLPAD registers the victim by creating a new directory in the threat actor\u2019s private repository using the format SYSTEM-[hostname], then adds an info.txt file containing Base64-encoded system information about the compromised machine.<\/p>\n The backdoor polls GitHub\u2019s API every 15 seconds for new instructions stored in a command.txt file, allowing operators to remotely execute reconnaissance<\/a> commands, download additional tools, or stage further malware deployments. <\/p>\n This design proves particularly effective because it avoids traditional network indicators while maintaining reliable two-way communication through a service millions of organizations already trust and whitelist for legitimate development purposes.<\/p>\n The final stage involves deploying Cobalt Strike<\/a> Beacon through GOSHELL, a custom shellcode loader that executes only on machines with specific hardcoded hostnames, further restricting the payload to intended targets. <\/p>\n Security researchers continue tracking this evolving threat to protect government networks against future attacks.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post APT Hackers Attacking Indian Government Using GOGITTER Tool and GITSHELLPAD Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Example](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgZjYv-iuYovCVpb5rJYS5C03ftZSz4sTECvLxJvYP7gSFZDg98jhMb1lc5JbhqovD70htKzzRTmKR7DBqJfyoGKZlG5h3sVXzvjf_9QLww4LK1jPTgwpbD358jsBlNOsowVVTjMDrP5ogbHRnYQmcRAdoJmJ88CChYnoY1nhBdT4p2vQ5tRuw_b5Fkk0g\/s16000\/Gopher%2520Strike%2520campaign%2520leads%2520to%2520the%2520deployment%2520of%2520Cobalt%2520Strike%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
GITSHELLPAD\u2019s Innovative GitHub-Based Persistence Mechanism<\/strong><\/h2>\n
![\"Gopher](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisKWY24Ws74cVYKJjclNfKzZV3t-lWHOkc9nFYvfNyS4lyH9cRLhqjGGduJejwz1Xj0b4jjIpcmIYz6qgFBuwTGlPfnLKj0w6dAiSsbBgXxKdC8meCkuBO0yXH_jvdn3nle4DJo8ZwQA8mIaTAs2p-xpDA8NC4k7u55jLlqNIS_1UokFRp4xkxTcLWTEg\/s16000\/Example%2520of%2520a%2520PDF%2520file%2520used%2520in%2520the%2520Gopher%2520Strike%2520campaign%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")