Gopher Strike: Unveiling the Sophisticated Cyber Assault on Indian Government by Pakistani APT Groups
In a significant escalation of cyber warfare, advanced persistent threat (APT) actors from Pakistan have orchestrated a series of coordinated attacks against Indian government organizations. This campaign, dubbed Gopher Strike, emerged in September 2025 and showcases the increasing sophistication of state-sponsored cyber operations targeting sensitive governmental infrastructure.
The Attack Vector: Phishing Emails and Deceptive Documents
The assault initiates with meticulously crafted phishing emails that masquerade as official government communications. These emails contain deceptive PDF documents displaying blurred images of legitimate documents, employing social engineering tactics to deceive recipients. Victims are prompted to download an ISO file under the guise of an Adobe Acrobat update by clicking a button labeled Download and Install.
Payload Delivery: The Role of GOGITTER
Once the ISO file is opened, it deploys hidden malware designed to establish persistent access to the compromised systems. Central to this infection mechanism are three custom-built tools written in Golang, working in unison to gain control over targeted machines.
Zscaler analysts have identified GOGITTER as the initial downloader component. This tool fetches additional payloads from threat actor-controlled GitHub repositories using embedded authentication tokens. Upon deployment, GOGITTER creates a VBScript file named windows_api.vbs, which continuously polls command-and-control (C2) servers every 30 seconds, awaiting new instructions to execute on the infected machine.
Innovative Persistence: GITSHELLPAD’s GitHub-Based Communication
A standout feature of the Gopher Strike campaign is GITSHELLPAD, a lightweight backdoor that leverages private GitHub repositories for all C2 communications. This method allows the threat actors to conceal malicious traffic within legitimate-looking GitHub activity, significantly complicating detection efforts by security monitoring tools.
Upon infection, GITSHELLPAD registers the victim by creating a new directory in the threat actor’s private repository, formatted as SYSTEM-[hostname]. It then adds an info.txt file containing Base64-encoded system information about the compromised machine. The backdoor polls GitHub’s API every 15 seconds for new instructions stored in a command.txt file, enabling operators to remotely execute reconnaissance commands, download additional tools, or stage further malware deployments.
This design is particularly effective because it avoids the attacker-owned domains and IP addresses that traditional network indicators rely on, while maintaining reliable two-way communication through a service that many organizations trust and whitelist for legitimate development purposes.
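As an added example (not code from the report or from Zscaler), the following Python script shows one way to hunt in web proxy logs for the polling pattern described above: it groups api.github.com requests by client and URL and flags any client that fetches the same URL at a near-constant cadence, which is what a 15-second command.txt poll looks like from the network side. The log lines, repository name and hostname are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the report), one request per line:
# "timestamp client method url". 10.0.0.12 mimics a GITSHELLPAD-style poll of
# command.txt under a SYSTEM-<hostname> directory every 15 seconds; 10.0.0.33
# is ordinary developer traffic to the GitHub API.
SAMPLE_LOG = """\
2025-09-10T09:00:00Z 10.0.0.12 GET https://api.github.com/repos/example-org/notes/contents/SYSTEM-WS01/command.txt
2025-09-10T09:00:15Z 10.0.0.12 GET https://api.github.com/repos/example-org/notes/contents/SYSTEM-WS01/command.txt
2025-09-10T09:00:30Z 10.0.0.12 GET https://api.github.com/repos/example-org/notes/contents/SYSTEM-WS01/command.txt
2025-09-10T09:00:45Z 10.0.0.12 GET https://api.github.com/repos/example-org/notes/contents/SYSTEM-WS01/command.txt
2025-09-10T09:01:00Z 10.0.0.12 GET https://api.github.com/repos/example-org/notes/contents/SYSTEM-WS01/command.txt
2025-09-10T09:00:07Z 10.0.0.33 GET https://api.github.com/repos/example-org/app/pulls
2025-09-10T09:03:41Z 10.0.0.33 GET https://api.github.com/repos/example-org/app/issues
2025-09-10T09:09:02Z 10.0.0.33 GET https://api.github.com/repos/example-org/app/pulls
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log: str):
    """Yield (timestamp, client, url) for every well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(4)

def find_github_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.2):
    """Return one alert per (client, URL) pair that hits api.github.com at least
    min_hits times with a near-constant gap between requests. max_jitter is the
    allowed coefficient of variation (stdev / mean) of those gaps."""
    series = defaultdict(list)
    for ts, client, url in parse(log):
        if "api.github.com" in url:
            series[(client, url)].append(ts)
    alerts = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            # names_host_dir marks the SYSTEM-<hostname> layout described in the report.
            alerts.append({"client": client, "url": url, "interval_s": round(mean, 1),
                           "hits": len(times), "names_host_dir": "/SYSTEM-" in url})
    return alerts

if __name__ == "__main__":
    for alert in find_github_beacons(SAMPLE_LOG):
        print(alert)
```

Real loaders may add jitter to the poll interval, so tune max_jitter and min_hits against your own baseline of developer traffic rather than relying on the exact 15-second figure.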
Final Stage: Deployment of Cobalt Strike via GOSHELL
The culmination of the attack involves deploying the Cobalt Strike Beacon through GOSHELL, a custom shellcode loader. This loader executes only on machines with specific hardcoded hostnames, ensuring that the payload is restricted to intended targets.
Broader Context: APT36’s Continued Targeting of Indian Government Entities
The Gopher Strike campaign is not an isolated incident. Pakistan-linked APT groups, notably APT36 (also known as Transparent Tribe), have a history of targeting Indian government infrastructure. In early August 2025, APT36 launched a sophisticated phishing campaign leveraging typo-squatted domains designed to mimic official government login portals. Unsuspecting users were redirected to counterfeit pages replicating the National Informatics Centre’s Kavach authentication interface, complete with legitimate logos and layouts. By harvesting one-time passwords (OTPs) in real time, the attackers bypassed multi-factor authentication, gaining unfettered access to sensitive email accounts.
Cyfirma analysts identified the primary malicious domain, registered on July 14, 2025, which resolved to IP addresses flagged for phishing. Supporting infrastructure, including additional domains registered in March and May 2025, followed a uniform naming convention and hosting pattern, indicating a coordinated campaign.
SideWinder APT’s Masquerade as the Income Tax Department
Another notable campaign involves the SideWinder APT group, which targeted Indian entities by impersonating the Income Tax Department of India. The attack began with tax-themed emails urging recipients to review an inspection document. These messages included links leading to fake tax portals that closely mimicked the official Income Tax site. Victims were prompted to download an Inspection.zip file, which, when executed, planted a silent Windows backdoor on their machines. Once active, the malware could steal files, capture data, and provide remote control to the attackers.
APT36’s Use of Customized Malware
APT36 has also been observed employing customized malware to attack Indian government servers. The group utilizes a Windows backdoor known as ElizaRAT, delivered as .NET binaries in password-protected Google Drive archives. ElizaRAT functions as a remote administration tool, enabling unauthorized access to infected machines. The malware establishes persistence by creating Windows shortcuts in the Startup directory, disguising itself as a Text Editing APP for Windows. Additionally, APT36 has developed Python-based ELF binaries targeting Linux systems, indicating a strategic evolution in their operational tactics.
Implications and Recommendations
The Gopher Strike campaign, along with other operations by Pakistani APT groups, underscores the escalating cyber threats faced by Indian government entities. These sophisticated attacks highlight the need for enhanced cybersecurity measures, including:
– Employee Training: Regular training sessions to recognize phishing attempts and social engineering tactics.
– Advanced Threat Detection: Deployment of advanced threat detection systems capable of identifying and mitigating novel malware strains.
– Network Monitoring: Continuous monitoring of network traffic to detect unusual activities, especially those involving trusted platforms like GitHub.
– Incident Response Planning: Establishing robust incident response plans to quickly address and contain breaches.
By implementing these measures, organizations can bolster their defenses against the evolving tactics of state-sponsored threat actors.