Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
PamStealer Mimics Maccy, Silently Harvests Data
July 4, 2026
Critical FatFs Vulnerabilities Expose Millions of Embedded Devices
July 4, 2026
Critical Linux Kernel Vulnerability CVE-2023-0179 Grants Root Access
July 4, 2026
Home/Threats/APT Hackers Attacking Indian Government Using GOGITTER Tool and GITSHELLPAD Malware
Threats

APT Hackers Attacking Indian Government Using GOGITTER Tool and GITSHELLPAD Malware

Advanced Persistent Threat (APT) actors operating from Pakistan have launched coordinated attacks against Indian government organizations, deploying newly discovered tools and malware specifically...

Emy Elsamnoudy
Emy Elsamnoudy
January 27, 2026 3 Min Read
33 0

Advanced Persistent Threat (APT) actors operating from Pakistan have launched coordinated attacks against Indian government organizations, deploying newly discovered tools and malware specifically designed to bypass security defenses.

The campaign, identified as Gopher Strike, emerged in September 2025 and represents a significant escalation in targeted cyber operations against sensitive government infrastructure.

This coordinated assault demonstrates the growing sophistication of state-sponsored threat actors who continue refining their technical capabilities and operational procedures.

The attack chain begins with carefully crafted phishing emails containing deceptive PDF documents that impersonate legitimate government communications.

These PDFs display blurred images of official documents and use social engineering tactics to trick recipients into downloading an ISO file by clicking a button labeled “Download and Install,” which appears to request a fake Adobe Acrobat update.

Example of a PDF file used in the Gopher Strike campaign (Source - Zscaler)
Example of a PDF file used in the Gopher Strike campaign (Source – Zscaler)

The malicious ISO file remains dormant until activated, containing hidden malware designed to establish persistent access to compromised systems.

The infection mechanism relies on three custom-built tools written in Golang that work in concert to establish control over targeted machines.

Zscaler analysts and researchers identified GOGITTER as the initial downloader component that fetches additional payloads from threat actor-controlled GitHub repositories using embedded authentication tokens.

Once deployed, GOGITTER creates a VBScript file called windows_api.vbs that continuously polls command-and-control servers every 30 seconds, checking for new instructions to execute on the infected machine.

GITSHELLPAD’s Innovative GitHub-Based Persistence Mechanism

GITSHELLPAD represents the campaign’s most distinctive element, functioning as a lightweight backdoor that leverages private GitHub repositories for all command-and-control communication.

This approach allows the threat actor to hide malicious traffic within legitimate-looking GitHub activity, making detection significantly more difficult for security monitoring tools.

Upon infection, GITSHELLPAD registers the victim by creating a new directory in the threat actor’s private repository using the format SYSTEM-[hostname], then adds an info.txt file containing Base64-encoded system information about the compromised machine.

The backdoor polls GitHub’s API every 15 seconds for new instructions stored in a command.txt file, allowing operators to remotely execute reconnaissance commands, download additional tools, or stage further malware deployments.

This design proves particularly effective because it avoids traditional network indicators while maintaining reliable two-way communication through a service millions of organizations already trust and whitelist for legitimate development purposes.

Gopher Strike campaign leads to the deployment of Cobalt Strike (Source - Zscaler)
Gopher Strike campaign leads to the deployment of Cobalt Strike (Source – Zscaler)

The final stage involves deploying Cobalt Strike Beacon through GOSHELL, a custom shellcode loader that executes only on machines with specific hardcoded hostnames, further restricting the payload to intended targets.

Security researchers continue tracking this evolving threat to protect government networks against future attacks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwarephishingSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates

Next Post

Critical Vulnerability in Python PLY Library Enables Remote Code Execution – PoC Published

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Apache ActiveMQ Critical Vulnerabilities Allow DoS Attacks, System Crashes
July 3, 2026
Scammers Impersonate Brands in Gambling Ads to Drive Casino Traffic
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us