APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1

Khushal

Apr 4, 2024
This Zscaler ThreatLabz post (published January 26, 2026) describes a targeted campaign (“Gopher Strike”) aimed at Indian government entities, using newly documented Golang tooling (GOGITTER / GITSHELLPAD / GOSHELL) and GitHub private repos as part of delivery and C2.

High-level attack chain (as described by Zscaler)
  • Spearphishing PDFs contain a malicious link and a fake “Adobe Acrobat update” prompt; clicking leads to an ISO download. The payload server reportedly only returns the ISO when the request appears to be from Windows and from India-based IP space, to evade automated analysis.
  • The ISO leads to execution of GOGITTER (Golang downloader).
  • GOGITTER drops/ensures a VBScript file named windows_api.vbs exists (Public folders / %APPDATA%), which then polls attacker infrastructure for VBScript commands and executes them when responses begin with “hi ”.
  • Persistence: a Scheduled Task named similar to MicrosoftEdge_ConfigurationUpdate_#### runs the VBScript periodically.
  • GOGITTER then pulls adobe_update.zip from a threat-actor-controlled private GitHub repo (using an embedded GitHub token), extracts edgehost.exe (GITSHELLPAD backdoor), and signals an infection marker URL (adobe-acrobat[.]in/...php).
  • GITSHELLPAD uses GitHub’s REST API (Contents API) for command retrieval (command.txt) and output exfil (result.txt), supporting typical cmd execution plus upload/download.
  • Post-compromise, the actor deploys GOSHELL (Golang loader) to load a Cobalt Strike Beacon; GOSHELL is described as being artificially inflated to ~1GB via PE overlay junk bytes and gated to only run on hardcoded hostnames.

Defender takeaways / practical detection ideas
  • Email/PDF stage: treat “PDF → click-to-download ISO” patterns as high-risk, and consider blocking or heavily sandboxing ISO downloads originating from browser/PDF-reader processes.
  • Hunt for persistence artifacts: Scheduled Tasks named MicrosoftEdge_ConfigurationUpdate_#### (random 4 digits) launching wscript/cscript and a dropped windows_api.vbs.
  • Endpoint/network telemetry to review:
    • wscript.exe / cscript.exe making outbound HTTP(S) requests (especially if uncommon in your environment)
    • Suspicious VBScript in C:\Users\Public\Downloads, C:\Users\Public\Pictures, or %APPDATA%
    • Non-developer endpoints calling GitHub REST “Contents” API patterns (api.github.com/repos/.../contents/...) at high frequency (the post mentions 15-second polling)
    • Execution of unusually large PE files (around 1GB) and/or ISO mount + execution chains
  • If you suspect exposure, prioritize containment over “cleanup”: isolate the host, preserve volatile data if possible, then perform full offline/EDR scanning and log review before reintroducing the device.

Source
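Two of the hunting ideas above (the MicrosoftEdge_ConfigurationUpdate_#### task launching windows_api.vbs, and non-developer hosts polling the GitHub Contents API every ~15 seconds) as working detection logic. This is an added example, not code from the Zscaler post or the original poster; the proxy log lines, hostnames and repo names are constructed for the demo.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, one request per line: "<ISO timestamp> <src_host> <method> <url>".
# WS-FIN-07 mimics the 15-second command.txt polling and result.txt upload; DEV-ENG-03 is normal dev use.
SAMPLE_PROXY_LOG = """\
2026-01-26T09:00:00Z WS-FIN-07 GET https://api.github.com/repos/ACME-EXAMPLE/updates/contents/command.txt
2026-01-26T09:00:15Z WS-FIN-07 GET https://api.github.com/repos/ACME-EXAMPLE/updates/contents/command.txt
2026-01-26T09:00:30Z WS-FIN-07 GET https://api.github.com/repos/ACME-EXAMPLE/updates/contents/command.txt
2026-01-26T09:00:31Z WS-FIN-07 PUT https://api.github.com/repos/ACME-EXAMPLE/updates/contents/result.txt
2026-01-26T09:00:45Z WS-FIN-07 GET https://api.github.com/repos/ACME-EXAMPLE/updates/contents/command.txt
2026-01-26T09:01:00Z WS-FIN-07 GET https://api.github.com/repos/ACME-EXAMPLE/updates/contents/command.txt
2026-01-26T09:02:10Z DEV-ENG-03 GET https://api.github.com/repos/ACME-EXAMPLE/app/contents/README.md
2026-01-26T10:15:42Z DEV-ENG-03 GET https://api.github.com/repos/ACME-EXAMPLE/app/contents/src/main.go
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
CONTENTS_API = re.compile(r"https://api\.github\.com/repos/([^/]+/[^/]+)/contents/")

def find_contents_api_polling(log_text, max_median_gap=20.0, min_requests=4):
    """Return {(host, repo): median_gap_seconds} for hosts hitting one repo's Contents API
    at short, regular intervals (beacon-like), ignoring hosts with too few requests."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, host, _method, url = m.groups()
        repo = CONTENTS_API.match(url)
        if repo:
            times[(host, repo.group(1))].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)   # median tolerates the odd result.txt upload between polls
        if median_gap <= max_median_gap:
            hits[key] = median_gap
    return hits

TASK_NAME = re.compile(r"^MicrosoftEdge_ConfigurationUpdate_\d{4}$")
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
DROP_PATHS = re.compile(r"(\\Users\\Public\\(Downloads|Pictures)\\|%APPDATA%|\\AppData\\Roaming\\)", re.IGNORECASE)

def is_suspicious_task(task_name, action):
    """Flag a scheduled task whose name matches the reported Edge-lookalike pattern, or whose action
    runs windows_api.vbs via wscript/cscript from the Public or AppData drop locations."""
    runs_dropped_vbs = (bool(SCRIPT_HOST.search(action)) and "windows_api.vbs" in action.lower()
                        and bool(DROP_PATHS.search(action)))
    return bool(TASK_NAME.match(task_name)) or runs_dropped_vbs
```

Feed `find_contents_api_polling` your real proxy or DNS-over-HTTP logs in the same four-field shape, and run `is_suspicious_task` over the name and action of each task from `Get-ScheduledTask` on the endpoint.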
 
This campaign demonstrates a highly modular approach using the Go programming language to increase cross-platform compatibility and complicate static analysis.

GOGITTER (Downloader)
Acts as the initial stage, responsible for establishing a foothold and downloading the secondary payloads from attacker-controlled infrastructure.

GITSHELLPAD (Backdoor)
A custom backdoor designed for persistent access, likely utilizing Git-based protocols or similar communication channels for command and control (C2), allowing for remote shell execution.

GOSHELL (Loader)
A specialized loader that decrypts and executes the final Cobalt Strike Beacon in memory to evade file-based antivirus solutions.

Supply Chain & Delivery
Initial entry is typically achieved through targeted phishing or the distribution of malicious ISO/ZIP files masquerading as official government documentation.

Remediation & Recovery

Enterprise Mitigation (NIST 800-61r2 Alignment)
Identity & Access Management
Perform an immediate global session revocation for all OIDC/SAML tokens to terminate potential unauthorized persistent shell sessions.

Reset MFA seeds for any account identified in the telemetry as having logged in from anomalous IP ranges.

Network Containment
Block known C2 domains and IP addresses associated with Gopher Strike at the perimeter firewall and DNS levels.

Monitor for unusual outbound traffic on non-standard ports, specifically looking for Go-based binary communications.

Persistence Removal
Audit scheduled tasks and registry run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) for suspicious entries pointing to user directories (e.g., %AppData%).

Home User Remediation
System Scans
Run a full system scan with a reputable antivirus. Go-based malware often generates large binaries that may trigger heuristic detections.

Account Security
Change passwords for your primary email and banking accounts from a different, clean device. Enable app-based MFA (e.g., Google Authenticator) instead of SMS.

Clean Reinstall
If suspicious behavior continues (e.g., unexpected CMD windows), the most reliable method for home users is to back up essential documents (not programs) and perform a clean "Reset this PC" with the "Remove everything" option.

Post-Incident Hardening
For Enterprise
Implement CIS Benchmark - Windows 10/11 Section 18.9: "Restrict PowerShell Execution Policy." Setting this to "AllSigned" or "Restricted" via Group Policy can significantly hinder the lateral movement phase of the GOSHELL/Cobalt Strike chain.

For Home Users
Ensure your browser is configured to block automatic downloads and treat any unexpected ZIP or ISO file from an email with extreme suspicion—never open these files unless verified through a secondary channel.

References

Zscaler ThreatLabz Analysis

NIST SP 800-61 Rev. 2
(Computer Security Incident Handling Guide)
 
You can ask rifteyy; he's also a part of the MWT family.
80% of attack scenarios on BleepingComputer, The Hacker News, and Cybersecurity News are the same: an LNK file posing as a PDF or DOCX in an email attachment initiating the attack.

It's the new trend in phishing.
 
While the delivery mechanism (LNK files masquerading as PDFs) is a common entry vector, the "Gopher Strike" campaign is anything but "typical." The technical sophistication lies in its custom Go-based multi-stage toolkit (GOGITTER, GITSHELLPAD, and GOSHELL), specifically designed to bypass modern EDR/XDR solutions through memory-only execution of Cobalt Strike Beacons.