Advanced persistent threat actors operating from Pakistan have launched coordinated attacks against Indian government organizations using newly discovered tools and malware designed to bypass security defenses.
The campaign, identified as Gopher Strike, emerged in September 2025 and represents a significant escalation in targeted cyber operations against sensitive government infrastructure.
This coordinated assault demonstrates the growing sophistication of state-sponsored threat actors who continue refining their technical capabilities and operational procedures.
The attack chain begins with carefully crafted phishing emails containing deceptive PDF documents that impersonate legitimate government communications.
These PDFs display blurred images of official documents and use social engineering tactics to trick recipients into downloading an ISO file by clicking a button labeled “Download and Install,” which appears to request a fake Adobe Acrobat update.
.webp "APT Hackers Attacking Indian Government Using GOGITTER tool and GITSHELLPAD Malware 2")
The malicious ISO file remains dormant until activated, containing hidden malware designed to establish persistent access to compromised systems.
The infection mechanism relies on three custom-built tools written in Golang that work in concert to establish control over targeted machines.
Zscaler analysts and researchers identified GOGITTER as the initial downloader component that fetches additional payloads from threat actor-controlled GitHub repositories using embedded authentication tokens.
Once deployed, GOGITTER creates a VBScript file called windows_api.vbs that continuously polls command-and-control servers every 30 seconds, checking for new instructions to execute on the infected machine.
GITSHELLPAD’s Innovative GitHub-Based Persistence Mechanism
GITSHELLPAD represents the campaign’s most distinctive element, functioning as a lightweight backdoor that leverages private GitHub repositories for all command-and-control communication.
This approach allows the threat actor to hide malicious traffic within legitimate-looking GitHub activity, making detection significantly more difficult for security monitoring tools.
Upon infection, GITSHELLPAD registers the victim by creating a new directory in the threat actor’s private repository using the format SYSTEM-[hostname], then adds an info.txt file containing Base64-encoded system information about the compromised machine.
The backdoor polls GitHub’s API every 15 seconds for new instructions stored in a command.txt file, allowing operators to remotely execute reconnaissance commands, download additional tools, or stage further malware deployments.
This design proves particularly effective because it avoids traditional network indicators while maintaining reliable two-way communication through a service millions of organizations already trust and whitelist for legitimate development purposes.
.webp "APT Hackers Attacking Indian Government Using GOGITTER tool and GITSHELLPAD Malware 4")
The final stage involves deploying Cobalt Strike Beacon through GOSHELL, a custom shellcode loader that executes only on machines with specific hardcoded hostnames, further restricting the payload to intended targets.
Security researchers continue tracking this evolving threat to protect government networks against future attacks.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
