Advanced persistent threat (APT) actors, believed to be operating from Pakistan, have launched a sophisticated cyber campaign targeting Indian government organizations using newly identified tools, including GOGITTER and GITSHELLPAD malware. This coordinated assault, dubbed Gopher Strike by researchers, emerged in September 2025 and signifies a growing threat to sensitive Indian government infrastructure, highlighting the increasing technical prowess of state-sponsored hacking groups.
The Gopher Strike campaign employs a multi-stage attack chain designed to bypass traditional security measures. Initial access is gained through meticulously crafted phishing emails that contain deceptive PDF documents. These documents are designed to look like legitimate government communications, often displaying blurred official document images and using social engineering tactics to entice recipients into downloading malicious ISO files under the guise of a fake Adobe Acrobat update.
GOPHER STRIKE CAMPAIGN UTILIZES GOGITTER AND GITSHELLPAD MALWARE
The malicious ISO file lies dormant until actively triggered, concealing malware intended to establish persistent access to compromised government systems. The infection mechanism relies on a trio of custom-built tools developed in the Golang programming language, which work in tandem to infiltrate and control targeted machines.
According to Zscaler, the initial downloader component, identified as GOGITTER, is responsible for fetching additional payloads from GitHub repositories controlled by the threat actors, utilizing embedded authentication tokens. Once deployed, GOGITTER creates a VBScript file named windows_api.vbs. This script continuously polls command-and-control servers every 30 seconds, actively searching for and executing new instructions on the infected devices.
GITSHELLPAD’s Innovative GitHub-Based Persistence Mechanism
A particularly distinctive element of the Gopher Strike campaign is GITSHELLPAD, a lightweight backdoor that leverages private GitHub repositories for all its command-and-control (C2) communication. This innovative approach allows threat actors to camouflage malicious traffic within seemingly legitimate GitHub activity, significantly complicating detection efforts by security monitoring tools. The use of GitHub for C2 is a notable trend in modern cyber espionage due to its widespread trust and whitelisting by many organizations.
Upon successful infection, GITSHELLPAD registers the compromised victim by creating a new directory within the threat actor’s private repository. This directory is named using the format SYSTEM-[hostname], and it subsequently includes an info.txt file. This file contains Base64-encoded system information derived from the compromised machine, providing the attackers with valuable intelligence about the target environment.
The GITSHELLPAD backdoor then polls GitHub’s API at regular intervals, specifically every 15 seconds, to check for new instructions embedded within a command.txt file. This enables attackers to execute reconnaissance commands remotely, download further tools, or stage additional malware deployments. This method is highly effective as it avoids traditional network indicators of compromise while maintaining reliable two-way communication through a platform widely used and trusted for legitimate development purposes.
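The two behaviours the article describes, a per-victim SYSTEM-[hostname] directory holding info.txt and command.txt, and a fixed polling cadence against GitHub's API, are both things a defender can look for in web proxy logs. The following script is an added example, not code from Zscaler or from the campaign itself: it parses a small set of constructed proxy log lines (hostnames, repository names and timestamps are made up for the illustration) and flags hosts whose requests match the repository path layout or whose request intervals to api.github.com are too regular to be a human using the site. The log line format and the threshold values are assumptions chosen for the example.

```python
"""Hunt for GitHub-as-C2 activity in web proxy logs (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source host> <method> <url>".
# ws-17 mimics a backdoor polling command.txt every 15 seconds; dev-02 mimics a
# developer browsing a repository with irregular gaps. None of this is real telemetry.
SAMPLE_LOG = """\
2025-09-10T09:00:00Z ws-17 GET https://api.github.com/repos/example-org/example-repo/contents/SYSTEM-ws-17/command.txt
2025-09-10T09:00:15Z ws-17 GET https://api.github.com/repos/example-org/example-repo/contents/SYSTEM-ws-17/command.txt
2025-09-10T09:00:30Z ws-17 GET https://api.github.com/repos/example-org/example-repo/contents/SYSTEM-ws-17/command.txt
2025-09-10T09:00:45Z ws-17 GET https://api.github.com/repos/example-org/example-repo/contents/SYSTEM-ws-17/command.txt
2025-09-10T09:01:00Z ws-17 GET https://api.github.com/repos/example-org/example-repo/contents/SYSTEM-ws-17/command.txt
2025-09-10T09:00:03Z dev-02 GET https://api.github.com/repos/example-org/webapp/pulls
2025-09-10T09:04:41Z dev-02 GET https://api.github.com/repos/example-org/webapp/contents/README.md
2025-09-10T09:11:09Z dev-02 GET https://api.github.com/repos/example-org/webapp/issues
2025-09-10T09:25:57Z dev-02 GET https://api.github.com/repos/example-org/webapp/commits
2025-09-10T09:40:02Z dev-02 GET https://api.github.com/repos/example-org/webapp/contents/src/main.go
"""

# Repository layout the article attributes to GITSHELLPAD: a directory named
# SYSTEM-<hostname> containing info.txt (registration) or command.txt (tasking).
C2_PATH_RE = re.compile(r"/contents/SYSTEM-[^/]+/(?:info|command)\.txt$")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the constructed 'timestamp host method url' format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, host, method, url = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "method": method,
            "url": url,
        })
    return events


def find_c2_paths(events):
    """Return (host, url) pairs whose path matches the SYSTEM-<hostname>/*.txt layout."""
    return [(e["host"], e["url"]) for e in events if C2_PATH_RE.search(e["url"])]


def find_periodic_beacons(events, min_requests=4, max_stdev=2.0):
    """Flag hosts whose api.github.com requests arrive at near-constant intervals.

    Returns {host: median_gap_seconds}. A backdoor sleeping a fixed 15 or 30 seconds
    produces gaps with almost no spread; interactive use does not. Thresholds are
    example values, not tuned against real traffic.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["url"].startswith("https://api.github.com/"):
            by_host[e["host"]].append(e["ts"])

    beacons = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_stdev:
            beacons[host] = statistics.median(gaps)
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, url in find_c2_paths(evs):
        print(f"[path match] {host} -> {url}")
    for host, gap in find_periodic_beacons(evs).items():
        print(f"[beacon] {host} polls api.github.com every ~{gap:.0f}s")
```

The path check is the cheap, high-confidence signal while the naming convention holds; the cadence check is the durable one, because it keys on the fixed sleep interval rather than on any string the operators can rename, and it applies equally to the 30-second VBScript poller and the 15-second GITSHELLPAD loop the article describes.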
The final stage of the Gopher Strike campaign involves the deployment of Cobalt Strike Beacon, a powerful post-exploitation tool. This is achieved through GOSHELL, a custom shellcode loader designed to execute exclusively on machines possessing specific hardcoded hostnames. This intricate targeting mechanism ensures that the malicious payload is delivered only to the intended government systems, further restricting its reach and impact.
Security researchers are continuing to monitor this evolving threat landscape to develop and implement effective countermeasures. The ongoing analysis of the Gopher Strike campaign aims to protect critical government networks against future, similarly sophisticated cyberattacks and to understand the broader implications of these advanced persistent threats on national cybersecurity.