Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

Captain Awesome (thread author)
Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft.

The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025.

"While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel," researchers Sudeep Singh and Yin Hong Chang said.
 
The excerpt is essentially highlighting a Zscaler ThreatLabz write-up about two distinct intrusion campaigns (“Gopher Strike” and “Sheet Attack”) aimed at Indian government entities, with attribution leaning “Pakistan-linked” but explicitly not definitive.

What’s being claimed (and what isn’t)
  • Zscaler says they observed the activity in September 2025 and assigned two campaign names for tracking.
  • They note overlaps with APT36 tradecraft, but only assess “medium confidence” that it may be a new subgroup or a separate Pakistan-linked cluster operating in parallel.
  • “Medium confidence” is a key point: it implies attribution is plausible but not proven, and should not be treated as a confirmed actor identity.

Why the “new subgroup / parallel group” wording matters
Threat clusters often share infrastructure, lures, or tooling (or imitate each other). So even if TTPs resemble APT36, it doesn’t automatically mean it is APT36. From a defender’s perspective, the safest approach is to focus on TTPs/IOCs and detection coverage rather than the label.

Practical defensive takeaways for organizations
Even without assuming any specific actor, the campaign framing suggests typical APT-style initial access + stealthy tooling. Useful actions that generally reduce risk here:

  • Pull and action IOCs from the original Zscaler report (hashes, domains, URLs, C2 patterns) and ingest into SIEM/EDR blocklists and threat hunting.
  • Hunt for toolmarks rather than names: unusual child processes from Office apps, suspicious script host activity, new/rare scheduled tasks, persistence in Run keys/services, and anomalous outbound connections from user workstations.
  • Tighten script abuse controls: PowerShell Constrained Language Mode where feasible, script block logging, AMSI enabled, and alerting on suspicious PowerShell/WMI usage.
  • Email + web delivery hardening: attachment sandboxing, block executable content from email, and enforce Mark-of-the-Web protections.
  • Credential and lateral movement controls: MFA everywhere possible, reduce local admin, LAPS/Windows LAPS, restrict remote admin paths, and monitor for abnormal authentication patterns.
  • Network egress monitoring: alert on rare destinations, new TLS fingerprints, DNS anomalies, and repeated beacon-like traffic.

How to handle this on MalwareTips threads (evidence-first)
If someone is trying to determine whether a specific incident is related, the only reliable path is matching concrete evidence (IOCs + observed behavior) against the report—not the “APT36-ish” description. If logs are available, posting sanitized indicators and relevant telemetry (EDR tree, DNS/proxy logs, persistence findings) is typically what enables meaningful community analysis.

Next step
Treat the Zscaler post as the primary reference, extract the published IOCs/TTPs into your detections and hunting playbooks, and avoid over-weighting the attribution label since the authors themselves state only medium confidence.

Sources
 
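The egress-monitoring bullet in the post above (rare destinations, repeated beacon-like traffic) can be turned into a concrete hunt. What follows is an added example, not code from the Zscaler report or from the poster: the proxy log format, IP addresses, hostnames and timestamps are constructed, and the jitter threshold is an assumption to tune per environment. It groups connections by (source, destination), measures the gaps between them, and flags pairs whose gaps are almost constant, which is what a scheduled task polling a web service looks like from the proxy.

```python
"""Flag beacon-like outbound traffic: connections from one host to one
destination that recur on a near-constant interval.

Added example, not from the Zscaler report or the post above. The proxy
log format, IPs, hostnames and timestamps are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.1.2.15 talks to api.example-c2.test roughly every 50 minutes; the
# other destinations are ordinary, irregular browsing.
SAMPLE_PROXY_LOG = """\
2025-09-10T09:00:03 10.1.2.15 files.example-cdn.test 48211
2025-09-10T09:02:40 10.1.2.15 intranet.example.test 1200
2025-09-10T09:03:01 10.1.2.15 api.example-c2.test 312
2025-09-10T09:15:00 10.1.2.15 intranet.example.test 8800
2025-09-10T09:30:00 10.1.2.22 news.example.test 20000
2025-09-10T09:52:58 10.1.2.15 api.example-c2.test 318
2025-09-10T10:43:02 10.1.2.15 api.example-c2.test 309
2025-09-10T11:05:00 10.1.2.22 news.example.test 21000
2025-09-10T11:33:00 10.1.2.15 api.example-c2.test 320
2025-09-10T12:00:00 10.1.2.22 news.example.test 19000
2025-09-10T12:07:00 10.1.2.22 news.example.test 17500
2025-09-10T12:22:59 10.1.2.15 api.example-c2.test 315
2025-09-10T13:40:12 10.1.2.15 intranet.example.test 500
this line is malformed and is skipped
"""


def parse_proxy_log(text):
    """Yield (timestamp, src, dst) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, _bytes = parts
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_hits=4, max_jitter=0.15):
    """Return {(src, dst): mean_gap_seconds} for pairs whose inter-connection
    gaps are regular enough to look scheduled.

    max_jitter is the allowed coefficient of variation (stdev / mean). 0.15
    tolerates a few minutes of drift on a ~50-minute cadence while still
    rejecting interactive browsing, whose gaps vary widely. Both defaults
    are assumptions to tune against real traffic.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_proxy_log(text):
        seen[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue                      # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # duplicate timestamps, not a cadence
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), seconds in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dst}: every ~{seconds / 60:.1f} min")
```

Running it on the sample flags only 10.1.2.15 -> api.example-c2.test (mean gap just under 50 minutes). The same grouping works on DNS query logs or NetFlow if you swap the field parsing; the point is to score regularity, not the destination name.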
Malware Lifecycle & MITRE ATT&CK Mapping

Initial Access (T1566.001)
Spearphishing with PDF attachments featuring blurred images and fake Adobe update pop-ups.

Execution (T1059.005)
GOGITTER downloader creates VBScripts in %APPDATA% and Public folders.

Persistence (T1053.005)
Scheduled tasks execute the VBScript payload every 50 minutes.

Command and Control (T1102.002)
Sheet Attack leverages Google Sheets and Firebase. Gopher Strike uses private GitHub repositories (e.g., github[.]com/jaishankai/sockv6) to poll command.txt and upload result.txt.

Defense Evasion (T1027.001)
The GOSHELL loader's file size is artificially inflated to ~1GB using junk bytes to bypass antivirus scanners. It also features hostname-based execution checks.

Remediation - THE ENTERPRISE TRACK

Blast Radius & Containment

Network Isolation
Block traffic to the known infection signal domain adobe-acrobat[.]in.

Identity Security
Review OIDC/SAML logs for unusual activity involving GitHub or Google Workspace accounts, as actors use legitimate SaaS for exfiltration.

TTP & Forensic Indicators

Host-Based Indicators
Monitor for file creation of edgehost[.]exe or adobe_update.zip in C:\Users\Public\Downloads and C:\Users\Public\Pictures.

Persistence Check
Inspect scheduled tasks for any scripts running at 50-minute intervals.

Detection Engineering

SIEM Logic
Alert on cURL commands downloading RAR archives from non-standard external repositories.

File Size Monitoring
Implement rules to flag or sandbox Portable Executable (PE) files with suspicious overlays (e.g., jump from normal size to ~1GB).

Governance
In accordance with NIST SP 800-61 Rev. 2, document all identified IOCs and report findings to relevant national authorities (e.g., Indian CERT-In) if organizational data is compromised.

Remediation - THE HOME USER TRACK

Safety
If you encounter a PDF that requests an "Adobe Acrobat Reader" update to view content, immediately disconnect from the internet and delete the file.

Run a full offline scan using a reputable antivirus (ensure definitions are updated).

Identity
Change passwords for Google and GitHub accounts if you have interacted with suspicious links or files, as these services are leveraged by the attacker.

Persistence
Check "Task Scheduler" (search in Start menu) for any unfamiliar tasks set to run periodically and disable them.

Hardening & References

CIS Controls
Implement Control 7 (Email and Web Browser Protections) to block malicious URL categories.

NIST Framework
Follow NIST SP 800-83 for Malware Incident Prevention and Handling.

Relevant Sources
Zscaler ThreatLabz Research (Sept 2025/Jan 2026).

SANS FOR508
Advanced Incident Response.
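The Defense Evasion entry (T1027.001, file inflated to ~1GB with junk bytes) and the File Size Monitoring item both come down to one measurable property: the overlay, i.e. the bytes that follow the last section's raw data in a PE file. The checker below is an added example, not code from the Zscaler report or the post. The thresholds are illustrative assumptions, and build_test_pe() fabricates a PE-shaped byte string purely so the check can be run offline; it is not a real program.

```python
"""Measure the overlay (bytes appended after the last section) of a PE
file and flag oversized padding.

Added example, not from the Zscaler report or the post. Thresholds are
illustrative; build_test_pe() is a constructed test input, not a real
executable.
"""
import struct

PE_SIGNATURE = b"PE\x00\x00"
SECTION_HEADER_SIZE = 40


def overlay_size(data: bytes) -> int:
    """Return len(file) minus the end of the last section's raw data.

    Raises ValueError on anything that is not a parseable PE so a caller can
    route malformed samples to a sandbox instead of silently ignoring them.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    end_of_sections = 0
    for i in range(n_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return max(0, len(data) - end_of_sections)


def classify(data: bytes, min_overlay=50 * 1024 * 1024, max_ratio=0.9) -> dict:
    """Flag a file whose overlay is huge in absolute terms, or is at least
    1 MiB and makes up nearly the whole file. Small overlays are normal
    (Authenticode signatures and installer stubs live there), so a ratio test
    alone would be noisy on tiny files. Both thresholds are assumptions."""
    overlay = overlay_size(data)
    ratio = overlay / len(data)
    suspicious = overlay >= min_overlay or (overlay >= 1024 * 1024 and ratio >= max_ratio)
    return {"size": len(data), "overlay": overlay,
            "ratio": round(ratio, 4), "suspicious": suspicious}


def build_test_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed PE32 skeleton with a single .text section (test input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    header_len = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE
    raw_ptr = (header_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + PE_SIGNATURE + coff + opt + section).ljust(raw_ptr, b"\x00")
    return headers + section_bytes + overlay


if __name__ == "__main__":
    padded = build_test_pe(b"\xC3" * 64, b"\x00" * (2 * 1024 * 1024))
    print(classify(padded))
```

In a pipeline you would run classify() over the bytes of new PE files at write time (EDR file-create events, mail gateway, upload scanner) and route hits to a sandbox. A sample inflated to ~1GB as the post describes would trip the absolute threshold by a wide margin; the ratio branch exists so that a few-MiB padded loader on an otherwise small binary is not missed.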
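The Persistence entry (T1053.005, VBScript payload run every 50 minutes), the Execution entry (scripts dropped in %APPDATA% and Public folders) and the Persistence Check above can be checked mechanically against exported task definitions. The audit below is an added example, not code from the Zscaler report or the post. The two task definitions, their names and file paths are constructed; the XML schema is the one Task Scheduler itself exports (schtasks /query /xml, Export-ScheduledTask), so real exports can be fed to audit_tasks() unchanged.

```python
"""Audit exported Task Scheduler definitions for a 50-minute repetition
interval and for script hosts launched from user-writable folders.

Added example, not from the Zscaler report or the post. Task names, paths
and payload file names are constructed; the XML schema is Task Scheduler's.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample exports keyed by task path.
SAMPLE_TASKS = {
    r"\Vendor\Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\ConstructedSuspiciousTask": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT50M</Interval></Repetition>
      <StartBoundary>2025-09-01T08:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\Public\Pictures\constructed_sample.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "cmd", "rundll32", "regsvr32"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "%appdata%", "\\temp\\")
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_minutes(text: str) -> float:
    """Convert a Task Scheduler ISO 8601 duration (PT50M, P1DT2H30M) to minutes."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration {text!r}")
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix


def summarise_task(xml_text: str):
    """Return (repetition intervals in minutes, [(command, arguments), ...])."""
    root = ET.fromstring(xml_text)
    intervals, actions = [], []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Interval" and el.text:
            intervals.append(duration_minutes(el.text))
        elif name == "Exec":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            actions.append((fields.get("Command", ""), fields.get("Arguments", "")))
    return intervals, actions


def is_script_host(command: str) -> bool:
    """True when the executable's base name is a script/LOLBin host."""
    exe = command.strip().strip('"').rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return exe in SCRIPT_HOSTS


def audit_tasks(tasks: dict, interval_minutes: float = 50) -> list:
    """Return [(task_path, [reason, ...])] for tasks matching either trait."""
    findings = []
    for path, xml_text in tasks.items():
        intervals, actions = summarise_task(xml_text)
        reasons = []
        if any(abs(i - interval_minutes) < 1e-9 for i in intervals):
            reasons.append(f"repeats every {interval_minutes:g} minutes")
        for command, arguments in actions:
            low = f"{command} {arguments}".lower()
            if is_script_host(command) and any(p in low for p in USER_WRITABLE):
                reasons.append(f"script host from user-writable path: {command} {arguments}")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit_tasks(SAMPLE_TASKS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The interval check is deliberately exact because the post gives a specific cadence; the script-host-from-writable-path check is the more durable rule, since it catches the same persistence technique regardless of the timer the next campaign picks. Tasks without triggers or actions simply produce no findings rather than an error.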
 