
Gopher Strike and Sheet Attack Campaigns Targeting Indian Government

Red | Attack Report

Summary

A Pakistan-linked threat actor launched two parallel cyber-espionage campaigns, Gopher Strike and Sheet Attack, targeting Indian government entities beginning in September 2025. These campaigns blend social engineering with cloud-native command-and-control infrastructure to remain hidden in plain sight. The operations begin with weaponized PDFs masquerading as official government documents and fake Adobe updates, selectively delivering payloads only to Indian Windows systems to evade automated analysis. Gopher Strike abuses private GitHub repositories to deploy Golang-based loaders and backdoors that culminate in hands-on intrusion and Cobalt Strike activity, while Sheet Attack leverages trusted services such as Google Sheets, Firebase, and Microsoft Graph for command execution, data theft, and exfiltration. The combination of novel tooling, cloud service abuse, and interactive post-compromise behavior, alongside signs of AI-assisted development, signals a notable evolution beyond classic APT36 tradecraft, suggesting a parallel Pakistan-aligned espionage operation operating with greater precision and stealth against Indian government targets.

Attack Details

Parallel Cyber-Espionage Campaigns Against Indian Government

In September 2025, two parallel cyber-espionage campaigns, tracked as Gopher Strike and Sheet Attack, were observed targeting Indian government entities. Both operations are attributed to a Pakistan-linked threat actor and show partial overlaps with APT36, while introducing new tools and tactics. The attacks begin with spear-phishing emails carrying malicious PDF files that mimic official government documents, overlaid with fake Adobe update prompts. Payload delivery is gated by server-side checks that serve the next stage only to requests arriving from Indian IP ranges with a Windows user agent; sandboxes and automated scanners that fetch from elsewhere, or with another user agent, are filtered out. Analysts reproducing the chain should expect this: a detonation that does not satisfy both conditions will not receive the payload.

Gopher Strike GitHub-Based Command and Control

Gopher Strike relies heavily on GitHub for command-and-control operations. Victims are lured into downloading an ISO file that drops GOGITTER, a Golang-based downloader that establishes persistence via a VBScript and a scheduled task disguised as a Microsoft Edge update. GOGITTER pulls the GITSHELLPAD backdoor from private GitHub repositories, using embedded tokens and GitHub’s REST API for two-way C2 communication. In high-value intrusions against Indian government targets, the actor escalates to GOSHELL, an unusually large Golang shellcode loader designed to evade detection, which ultimately deploys a stageless Cobalt Strike Beacon using a jQuery-style Malleable C2 profile.
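Two things a responder wants from a suspected Gopher Strike host are the GitHub credentials and repositories the loader talks to, and the scheduled task that keeps it alive. The following is an added triage example written for this page; it is not Hive Pro's tooling and not code from the malware. The sample bytes, task names, repository and token are all constructed placeholders; the token prefixes and lengths follow GitHub's documented token formats, and the task XML shape is what `schtasks /query /tn <name> /xml` emits (decode its UTF-16 output and drop the XML declaration before parsing).

```python
import re
import xml.etree.ElementTree as ET

# Token prefixes GitHub documents (classic PAT ghp_, OAuth gho_, user-to-server ghu_,
# server-to-server ghs_, refresh ghr_, fine-grained github_pat_); lengths follow those formats.
GITHUB_TOKEN_RE = re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}")
# REST API URLs of the form https://api.github.com/repos/<owner>/<repo>/... used for C2 and staging.
GITHUB_API_RE = re.compile(rb"https://api\.github\.com/repos/[\w.-]+/[\w.-]+(?:/[\w./%-]*)?")


def extract_github_indicators(blob: bytes) -> dict:
    """Return embedded GitHub tokens and API repository URLs found in a sample's raw bytes.

    Go string literals are not NUL-terminated, so neighbouring strings in .rodata can run
    together; matching byte patterns with fixed token lengths is more robust than a strings dump.
    """
    tokens = sorted({m.decode() for m in GITHUB_TOKEN_RE.findall(blob)})
    urls = sorted({m.decode() for m in GITHUB_API_RE.findall(blob)})
    return {"tokens": tokens, "api_urls": urls}


# Scheduled-task XML namespace used by the Task Scheduler export format.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                         "%appdata%", "%localappdata%", "%temp%", "%userprofile%")


def triage_task_xml(xml_text: str) -> list:
    """Flag Edge-update-named tasks whose action is a script host or a user-writable path."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    edge_named = "edge" in uri.lower()
    findings = []
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        cmdline = f"{command} {arguments}".lower()
        if edge_named and exe in SCRIPT_HOSTS:
            findings.append(f"{uri}: Edge-named task launches script host {exe}")
        if any(marker in cmdline for marker in USER_WRITABLE_MARKERS):
            findings.append(f"{uri}: action references a user-writable path: {cmdline.strip()}")
    return findings


# Constructed sample bytes standing in for a fragment of a loader binary (not a real sample).
SAMPLE_BLOB = (
    b"\x00\x00https://api.github.com/repos/example-org/updates/contents/stage2.bin\x00"
    b"Authorization: token ghp_" + b"x" * 36 + b"\x00Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00"
)

# Constructed task exports: one masquerading as an Edge updater, one shaped like the real updater.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskUser</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Roaming\Microsoft\EdgeUpdate\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

LEGIT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(extract_github_indicators(SAMPLE_BLOB))
    print(triage_task_xml(SUSPICIOUS_TASK_XML))
    print(triage_task_xml(LEGIT_TASK_XML))
```

A recovered token should be reported to GitHub for revocation and used, with the repository URL, to pivot across the estate: any other host reaching that repository is a second victim. The task check deliberately keys on the action rather than the name, because the name is exactly what the actor copies.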

Sheet Attack Cloud Platform Abuse

The Sheet Attack campaign takes a different route by abusing trusted cloud platforms against Indian government entities. Early variants deploy SHEETCREEP, a C# backdoor that uses Google Sheets as its C2 channel, encrypting traffic with TripleDES and executing commands through hidden command-line processes. Newer iterations shift to malicious LNK files delivering FIREPOWER, a PowerShell backdoor that communicates via Google Firebase. Select targets also receive MAILCREEP, a Golang backdoor abusing Microsoft Graph API within an attacker-controlled Azure tenant, alongside a document-stealing PowerShell script that exfiltrates sensitive files to private GitHub repositories.

Advanced Operational Security and AI-Assisted Development

Across both campaigns, the operator demonstrates strong operational security alongside active hands-on-keyboard activity; command-line mistakes observed during post-compromise actions point to a live operator rather than fully automated tooling. Malware analysis also points to the likely use of generative AI in development, reflected in verbose Unicode comments and emoji-laden error handling. While victim profiles, infrastructure traits, and some tooling align with APT36, the consistent use of novel backdoors, cloud-native C2 channels, and refined evasion techniques suggests this activity may represent a distinct subgroup, or a parallel Pakistan-linked operation running alongside traditional APT36 campaigns.

Recommendations

Block Malicious Domains and IPs

Implement immediate blocking of all identified C2 domains, including adobe-acrobat.in, adobereader-upgrade.in, adobecloud.site, govt-filesharing.site, hciaccounts.in, hcisupport.in, hcidelhi.in, hcidoc.in, and coadelhi.in, at the network perimeter and on DNS resolvers to prevent communication with attacker infrastructure.

Monitor GitHub API Communications

Implement monitoring and alerting for unusual GitHub API traffic, in particular authenticated requests and repository interactions from endpoints that have no development role, as this is a key indicator of Gopher Strike activity. api.github.com is a legitimate host and cannot be blocked outright, so detection has to key on which internal hosts talk to it, how regularly they poll, and whether they upload content, since the document-stealing script pushes files to private repositories.

Restrict Cloud Service Access

Apply strict egress filtering for the Google Sheets API, Firebase Realtime Database, and Microsoft Graph API from sensitive government network segments, permitting only authorized business applications, to prevent Sheet Attack communications. These are the same hosts that legitimate Google and Microsoft applications use, so filter by source host and application rather than blocking the domains wholesale, and treat Entra ID token requests to a tenant other than your own as suspicious, since MAILCREEP authenticates to an attacker-controlled Azure tenant.
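The GitHub monitoring and cloud egress recommendations above both come down to the same question: which internal hosts are talking to these legitimate services, and in what pattern. The script below is an added example for this page, not Hive Pro's or any vendor's detection content. It runs over a constructed proxy log whose line format (timestamp, source IP, method, host, path, bytes out) is invented for the example; the developer host, sensitive segment, tenant IDs and the 500 KB upload threshold are placeholders you would replace with your own baseline.

```python
import ipaddress
import re
from collections import Counter

# Legitimate services the two campaigns use as C2 channels; they cannot simply be blocked by domain.
CLOUD_SERVICES = {
    "api.github.com": "github",                 # Gopher Strike C2 and staging, document exfiltration
    "sheets.googleapis.com": "google_sheets",   # SHEETCREEP
    "graph.microsoft.com": "ms_graph",          # MAILCREEP
}
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")  # FIREPOWER (Realtime Database)
# Entra ID token requests carry the tenant in the path: /<tenant-id-or-domain>/oauth2/...
TENANT_RE = re.compile(r"^/([^/]+)/oauth2/")


def classify_host(host: str):
    host = host.lower()
    if host in CLOUD_SERVICES:
        return CLOUD_SERVICES[host]
    if host.endswith(FIREBASE_SUFFIXES):
        return "firebase_rtdb"
    return None


def triage_proxy_log(lines, dev_hosts, sensitive_segments, known_tenants,
                     upload_bytes=500_000, poll_threshold=5):
    """Return alerts for cloud-service C2 patterns found in proxy log lines.

    Line format (constructed for this example): <ts> <src_ip> <method> <host> <path> <bytes_out>
    """
    segments = [ipaddress.ip_network(s) for s in sensitive_segments]
    alerts = []
    github_requests = Counter()
    for line in lines:
        ts, src, method, host, path, nbytes = line.split()
        service = classify_host(host)
        in_sensitive = any(ipaddress.ip_address(src) in seg for seg in segments)
        if service == "github" and src not in dev_hosts:
            github_requests[src] += 1
            # A large PUT/POST to the repository contents API from a non-developer is exfiltration-shaped.
            if method in ("PUT", "POST") and int(nbytes) >= upload_bytes:
                alerts.append({"rule": "large_upload_to_github", "src": src,
                               "detail": f"{method} {path} {nbytes}B"})
        elif service in ("google_sheets", "firebase_rtdb", "ms_graph") and in_sensitive:
            alerts.append({"rule": f"{service}_from_sensitive_segment", "src": src,
                           "detail": f"{host}{path}"})
        if host.lower() == "login.microsoftonline.com":
            m = TENANT_RE.match(path)
            if m and m.group(1).lower() not in known_tenants:
                alerts.append({"rule": "token_request_to_unknown_tenant", "src": src,
                               "detail": m.group(1)})
    for src, n in github_requests.items():
        alerts.append({"rule": "github_api_from_non_developer", "src": src, "detail": f"{n} requests"})
        if n >= poll_threshold:  # regular polling of one repository is the C2 heartbeat
            alerts.append({"rule": "github_polling", "src": src, "detail": f"{n} requests in window"})
    return alerts


# Constructed baseline and log; none of these addresses, tenants or repositories are real indicators.
DEV_HOSTS = {"10.1.3.9"}                      # workstations expected to use the GitHub API
SENSITIVE_SEGMENTS = ["10.20.0.0/16"]         # segment holding document-handling systems
KNOWN_TENANTS = {"aaaaaaaa-1111-2222-3333-444444444444", "example.onmicrosoft.com"}

SAMPLE_LOG = """
2025-09-18T09:00:01Z 10.20.5.17 GET api.github.com /repos/example-org/tasks/contents/in.txt 312
2025-09-18T09:01:01Z 10.20.5.17 GET api.github.com /repos/example-org/tasks/contents/in.txt 312
2025-09-18T09:02:01Z 10.20.5.17 GET api.github.com /repos/example-org/tasks/contents/in.txt 312
2025-09-18T09:03:01Z 10.20.5.17 GET api.github.com /repos/example-org/tasks/contents/in.txt 312
2025-09-18T09:04:01Z 10.20.5.17 GET api.github.com /repos/example-org/tasks/contents/in.txt 312
2025-09-18T09:05:30Z 10.20.5.17 PUT api.github.com /repos/example-org/tasks/contents/docs.zip 734112
2025-09-18T09:06:02Z 10.20.7.44 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEf/values/Sheet1 201
2025-09-18T09:06:40Z 10.20.7.44 POST login.microsoftonline.com /bbbbbbbb-5555-6666-7777-888888888888/oauth2/v2.0/token 980
2025-09-18T09:06:41Z 10.20.7.44 GET graph.microsoft.com /v1.0/me/messages 540
2025-09-18T09:08:00Z 10.20.7.44 GET example-c2-default-rtdb.firebaseio.com /cmd.json 88
2025-09-18T09:07:10Z 10.1.3.9 GET api.github.com /repos/example-org/internal-tool/commits 2200
""".strip().splitlines()

if __name__ == "__main__":
    for alert in triage_proxy_log(SAMPLE_LOG, DEV_HOSTS, SENSITIVE_SEGMENTS, KNOWN_TENANTS):
        print(alert)
```

The tenant and upload checks need the URL path, which a proxy only has with TLS inspection; on SNI-only logs you keep the host-based rules (who talks to api.github.com, Sheets, Firebase or Graph, and how often) and lose the tenant check. The developer host in the sample is deliberately excluded so that the rule measures deviation from a baseline rather than use of GitHub as such.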

Implement Application Allowlisting

Deploy application control policies that block execution of unsigned binaries and of PowerShell and VBScript files from user-writable directories, which covers the Golang loaders and script-based components used by both campaigns.

Implement Zero Trust Network Architecture

Segment government networks to limit lateral movement capabilities if initial compromise occurs, particularly isolating systems with access to sensitive documents that are primary targets of these espionage campaigns.

Review Third-Party Cloud Service Policies

Audit organizational policies regarding GitHub, Google, Firebase, and Microsoft cloud service usage to identify legitimate baseline activity and detect anomalous access patterns associated with both Gopher Strike and Sheet Attack campaigns.

MITRE ATT&CK TTPs

Resource Development

  • T1583: Acquire Infrastructure
    • T1583.001: Domains
    • T1583.006: Web Services
  • T1585: Establish Accounts
    • T1585.003: Cloud Accounts
  • T1587: Develop Capabilities
    • T1587.001: Malware
  • T1588: Obtain Capabilities
    • T1588.002: Tool
    • T1588.007: Artificial Intelligence
  • T1608: Stage Capabilities
    • T1608.001: Upload Malware

Initial Access

  • T1566: Phishing
    • T1566.002: Spearphishing Link

Execution

  • T1059: Command and Scripting Interpreter
    • T1059.001: PowerShell
    • T1059.003: Windows Command Shell
    • T1059.005: Visual Basic
  • T1106: Native API
  • T1204: User Execution
    • T1204.001: Malicious Link
  • T1129: Shared Modules

Persistence

  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task

Defense Evasion

  • T1027: Obfuscated Files or Information
    • T1027.001: Binary Padding
    • T1027.009: Embedded Payloads
    • T1027.013: Encrypted/Encoded File
    • T1027.015: Compression
  • T1036: Masquerading
    • T1036.004: Masquerade Task or Service
    • T1036.005: Match Legitimate Resource Name or Location
    • T1036.008: Masquerade File Type
  • T1055: Process Injection
    • T1055.004: Asynchronous Procedure Call
  • T1140: Deobfuscate/Decode Files or Information
  • T1480: Execution Guardrails
    • T1480.001: Environmental Keying
  • T1553: Subvert Trust Controls
    • T1553.005: Mark-of-the-Web Bypass
  • T1070: Indicator Removal
    • T1070.004: File Deletion
  • T1564: Hide Artifacts
    • T1564.003: Hidden Window
  • T1620: Reflective Code Loading

Discovery

  • T1016: System Network Configuration Discovery
    • T1016.001: Internet Connection Discovery
  • T1033: System Owner/User Discovery
  • T1057: Process Discovery
  • T1087: Account Discovery
    • T1087.001: Local Account
    • T1087.002: Domain Account
  • T1018: Remote System Discovery
  • T1082: System Information Discovery

Collection

  • T1560: Archive Collected Data
    • T1560.002: Archive via Library
    • T1560.003: Archive via Custom Method
  • T1530: Data from Cloud Storage

Command and Control

  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
  • T1102: Web Service
    • T1102.001: Dead Drop Resolver
    • T1102.002: Bidirectional Communication
  • T1105: Ingress Tool Transfer
  • T1132: Data Encoding
    • T1132.001: Standard Encoding
  • T1573: Encrypted Channel
    • T1573.001: Symmetric Cryptography
    • T1573.002: Asymmetric Cryptography
  • T1665: Hide Infrastructure
  • T1008: Fallback Channels

Exfiltration

  • T1567: Exfiltration Over Web Service
    • T1567.001: Exfiltration to Code Repository

Indicators of Compromise (IOCs)

Malware Hashes (MD5, SHA1, SHA256): Multiple hashes provided for GOGITTER, GITSHELLPAD, GOSHELL, SHEETCREEP, FIREPOWER, and MAILCREEP malware samples.

Malicious Domains:

  • adobe-acrobat.in
  • adobereader-upgrade.in
  • adobecloud.site
  • govt-filesharing.site
  • hciaccounts.in
  • hcisupport.in
  • hcidelhi.in
  • hcidoc.in
  • coadelhi.in

C2 Infrastructure:

  • Google Sheets API endpoints
  • Firebase Realtime Database URLs
  • GitHub repository URLs
  • Microsoft Graph API endpoints

IP Address:

  • 15.207.85.170
