Advanced persistent threat actors operating out of Pakistan have carried out coordinated attacks against Indian government organizations, using malware and newly discovered tools designed to evade security controls. The Gopher Strike campaign, which first surfaced in September 2025, marks a notable escalation in targeted cyber operations against critical government infrastructure.
This concerted attack shows how state-sponsored threat actors are becoming more sophisticated as they continue to refine their operational methods and technical capabilities. The attack chain starts with carefully constructed phishing emails that pose as official government correspondence and carry misleading PDF documents.
The PDFs rely on social engineering: they display blurry images of official documents alongside a button labeled "Download and Install" that appears to request a phony Adobe Acrobat update, tricking recipients into downloading an ISO file.

An illustration of a PDF file from the Gopher Strike campaign (Source: Zscaler)

The malicious ISO file contains hidden malware intended to establish long-term access to compromised systems and remains dormant until it is activated. The infection mechanism is based on three custom tools written in Golang that work together to take control of the targeted machines.
Zscaler researchers discovered that GOGITTER, the first-stage downloader component, uses embedded authentication tokens to retrieve additional payloads from GitHub repositories under the threat actor's control.
After deployment, GOGITTER generates a VBScript file named windows_api.vbs that polls command-and-control servers every 30 seconds to check for new commands to run on the compromised system.

The Novel GitHub-Based Persistence Mechanism of GITSHELLPAD

The campaign's most notable component is GITSHELLPAD, a lightweight backdoor that uses private GitHub repositories for all command-and-control communication. By hiding malicious traffic inside GitHub activity that appears legitimate, this method makes it much harder for security monitoring tools to detect.
After infection, GITSHELLPAD registers the victim by creating a new directory in the threat actor's private repository, named in the format SYSTEM-[hostname], and adding an info.txt file containing Base64-encoded system information about the compromised machine.
The backdoor polls GitHub's API every 15 seconds for new instructions stored in a command.txt file, allowing operators to remotely run reconnaissance commands, download extra tools, or stage additional malware deployments. This design is especially effective because it avoids conventional network indicators while preserving reliable two-way communication over a service that millions of organizations already trust and whitelist for legitimate development purposes.

Cobalt Strike is deployed as a result of the Gopher Strike campaign (Source: Zscaler)
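The article notes that GitHub-hosted command and control leaves no conventional network indicator, but timer-driven polling (GITSHELLPAD's 15-second GitHub API checks, and likewise the 30-second polling by windows_api.vbs) still shows up as near-constant request intervals. The detection below is an added example, not code from the article or from Zscaler: it reads proxy log lines, groups requests by client and destination, and flags any client whose inter-request gaps to a watched host have almost no jitter. The log format, host names and repository path are constructed for the example; api.github.com is GitHub's real API host.

```python
"""Beacon-periodicity detection over proxy logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not taken from the article):
# "<ISO timestamp> <client host> <destination host> <request path>".
# WS-FIN-07 models the GITSHELLPAD pattern described in the article (one GitHub API
# request every 15 seconds for command.txt under SYSTEM-<hostname>; the org/repo
# names are placeholders). DEV-BOX-02 models a developer's irregular, legitimate use.
SAMPLE_LOG = """\
2025-09-10T09:00:00 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:00:15 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:00:30 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:00:45 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:01:00 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:01:15 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:01:30 WS-FIN-07 api.github.com /repos/example-org/example-repo/contents/SYSTEM-WS-FIN-07/command.txt
2025-09-10T09:00:03 DEV-BOX-02 api.github.com /repos/example-org/webapp/pulls
2025-09-10T09:00:47 DEV-BOX-02 api.github.com /repos/example-org/webapp/pulls/41
2025-09-10T09:03:12 DEV-BOX-02 api.github.com /user/repos
2025-09-10T09:09:55 DEV-BOX-02 api.github.com /repos/example-org/webapp/issues
2025-09-10T09:10:01 DEV-BOX-02 api.github.com /repos/example-org/webapp/issues/7
2025-09-10T09:25:40 DEV-BOX-02 api.github.com /repos/example-org/webapp/pulls
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, destination) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(text, min_requests=6, max_cv=0.1, watch_hosts=("api.github.com",)):
    """Return (client, destination, mean_gap_seconds, cv) for each client whose requests
    to a watched host arrive at near-constant intervals.

    cv is the coefficient of variation (population stdev / mean) of the gaps between
    consecutive requests: human-driven traffic sits well above 0.1, a fixed-interval
    poller well below it. min_requests keeps one-off bursts from being scored at all.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in parse_log(text):
        if dest in watch_hosts:
            by_pair[(client, dest)].append(ts)

    hits = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((client, dest, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, dest, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: mean interval {avg}s, cv={cv}")
```

On the sample data only WS-FIN-07 is reported (mean gap 15.0 s, cv 0.0); the developer host's gaps range from 6 s to over 15 minutes and are never scored as periodic. To cover the VBScript poller described above, pass its C2 hosts in `watch_hosts`, or drop the host filter entirely and score every client/destination pair, which trades more noise for coverage of unknown infrastructure. In production the same computation should run over sliding windows and be paired with a user-agent and destination-path baseline, since some legitimate automation (CI runners, update checkers) also polls on fixed timers.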
To further restrict the payload to its intended targets, Cobalt Strike Beacon is deployed through GOSHELL, a custom shellcode loader that runs only on machines whose hostnames match particular hardcoded values. Security researchers continue to monitor this developing threat in order to defend government networks from upcoming attacks.