Pakistan-linked campaigns use new tradecraft to target Indian government in September 2025

Two campaigns targeted Indian government entities in September 2025 and delivered Golang-based backdoors and loaders to infected machines, a technical analysis by Zscaler said.

KEY FACTS

  • Incident: Two campaigns, codenamed Gopher Strike and Sheet Attack, targeted Indian government entities
  • Timeline: Activity identified in September 2025
  • Tactics: Phishing with malicious PDFs and a fake Adobe update dialog, plus use of Google Sheets, Firebase and email for command and control
  • Malware: Golang downloader GOGITTER, backdoor GITSHELLPAD, and loader GOSHELL, which delivered Cobalt Strike

Sheet Attack used legitimate services, including Google Sheets and Firebase, as its command-and-control channel. Gopher Strike began with phishing emails carrying PDF documents whose content was a deliberately blurred image, overlaid with a pop-up asking the recipient to download an update for Adobe Acrobat Reader DC; following that prompt fetched the malicious ISO.

Server-side checks restricted the malicious ISO download to requests originating from IP addresses in India and carrying a Windows User-Agent string. Requests from other locations or with other User-Agents received nothing, which kept automated URL analysis tools from fetching the ISO; an analyst reproducing the download therefore needs both an Indian egress IP and a Windows User-Agent, not just the URL.

The ISO delivered a Golang downloader called GOGITTER, which drops a VBScript file into fixed folders if it is not already present and polls for VBScript commands every 30 seconds. GOGITTER also establishes persistence with a scheduled task and pulls an "adobe_update.zip" archive from a private GitHub repository whenever the ZIP is not found on disk.

GOGITTER extracts and runs a lightweight backdoor named GITSHELLPAD, which polls a file in a GitHub repository every 15 seconds for commands. The backdoor supports changing directory, running commands, and uploading and downloading files. Additional RAR archives deployed utilities and a Golang loader called GOSHELL, which after a decoding step delivered a Cobalt Strike Beacon. The tools were removed after use.
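The polling intervals above (GOGITTER every 30 seconds, GITSHELLPAD every 15 seconds) and the use of GitHub, Google Sheets and Firebase as command channels are the most durable network signals a defender has, because the destinations themselves are allowed almost everywhere. The following detector, an added example written for this article and not code from Zscaler's analysis, groups proxy log entries by client and watched host and flags pairs that are polled at a near-constant cadence. The log format, the sample lines, the hostname watchlist and the "Go-http-client/1.1" User-Agent (Go's net/http default, which the malware may or may not have overridden) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Legitimate services used as command channels in these campaigns (GitHub for
# GOGITTER/GITSHELLPAD, Google Sheets and Firebase for Sheet Attack). The exact
# hostnames are an assumption; adjust them to what your proxy actually records.
WATCHED_HOST_SUFFIXES = (
    "raw.githubusercontent.com",
    "api.github.com",
    "docs.google.com",
    "sheets.googleapis.com",
    "firebaseio.com",
)

# Constructed proxy log lines, not real telemetry: "<iso-ts> <client-ip> <host> <user-agent>".
# 10.1.4.23 polls GitHub every 15 s with Go's default User-Agent (assumed, not from the report);
# 10.1.7.80 is a person using Google Docs in a browser; 10.1.9.5 polls an unwatched host.
SAMPLE_LOG = """\
2025-09-12T09:00:00Z 10.1.4.23 raw.githubusercontent.com Go-http-client/1.1
2025-09-12T09:00:15Z 10.1.4.23 raw.githubusercontent.com Go-http-client/1.1
2025-09-12T09:00:30Z 10.1.4.23 raw.githubusercontent.com Go-http-client/1.1
2025-09-12T09:00:45Z 10.1.4.23 raw.githubusercontent.com Go-http-client/1.1
2025-09-12T09:01:00Z 10.1.4.23 raw.githubusercontent.com Go-http-client/1.1
2025-09-12T09:01:15Z 10.1.4.23 raw.githubusercontent.com Go-http-client/1.1
2025-09-12T09:00:03Z 10.1.7.80 docs.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-12T09:04:41Z 10.1.7.80 docs.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-12T09:11:09Z 10.1.7.80 docs.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-12T09:27:52Z 10.1.7.80 docs.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-12T09:40:30Z 10.1.7.80 docs.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-12T09:41:02Z 10.1.7.80 docs.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-12T09:02:00Z 10.1.9.5 example-cdn.internal Go-http-client/1.1
2025-09-12T09:02:30Z 10.1.9.5 example-cdn.internal Go-http-client/1.1
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, client, host, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split(maxsplit=3)  # UA may contain spaces
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, client, host, ua))
    return events


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_HOST_SUFFIXES)


def find_beacons(events, min_requests=5, max_jitter=0.10):
    """Return (client, host, mean_interval_s, request_count) for every client/watched-host
    pair hit at least min_requests times with a near-constant gap between requests.
    Jitter is the coefficient of variation of the gaps: ~0 for a timer-driven poller,
    large for a human clicking around."""
    by_pair = defaultdict(list)
    for when, client, host, _ua in events:
        if is_watched(host):
            by_pair[(client, host)].append(when)
    findings = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings.append((client, host, round(avg, 1), len(times)))
    return findings


def non_browser_hits(events):
    """Second, independent signal: watched hosts reached with a non-browser User-Agent.
    A user editing a sheet or browsing GitHub arrives with a browser UA; a Go binary does not."""
    return {
        (client, host)
        for _when, client, host, ua in events
        if is_watched(host) and not ua.startswith("Mozilla/")
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for client, host, interval, n in find_beacons(evts):
        print(f"beacon: {client} -> {host} every ~{interval}s ({n} requests)")
    for client, host in sorted(non_browser_hits(evts)):
        print(f"non-browser client: {client} -> {host}")
```

Both signals fire only on 10.1.4.23 in the sample: the 15-second cadence to raw.githubusercontent.com has zero jitter, and the Go User-Agent is not a browser. The human user of docs.google.com has six requests but irregular gaps, and the other Go client is polling a host that is not on the watchlist. In production, run the cadence check over a sliding window, and treat the 15-second and 30-second intervals reported here as starting points rather than fixed indicators, since an operator can change a timer far more easily than a delivery chain.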

WHY IT MATTERS

The campaigns targeted national government entities and combined geo- and User-Agent-gated delivery, a multi-stage loader chain, and legitimate cloud services for command and control. Because the C2 traffic goes to GitHub, Google and Firebase endpoints that most organizations already allow, it blends into normal traffic, and the gated download keeps sandboxes and URL scanners from ever seeing the first stage, both of which make automated detection and response harder for affected organizations.