Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities
Briefly

"The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025. 'While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel,' researchers Sudeep Singh and Yin Hong Chang said."
"Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that's superimposed by a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC."
"The main purpose of the image is to give the users an impression that it's necessary to install the update in order to access the document's contents. Clicking the 'Download and Install' button in the fake update dialog triggers the download of an ISO image file only when the requests originate from IP addresses located in India and the User-Agent string corresponds to Windows."
Two campaigns codenamed Gopher Strike and Sheet Attack targeted Indian government entities using undocumented tradecraft and Pakistan-linked infrastructure. Sheet Attack used legitimate services such as Google Sheets, Firebase, and email as command-and-control channels to blend C2 traffic with common cloud services. Gopher Strike began with phishing emails that delivered PDFs containing a blurred image overlaid with a fake Adobe update pop-up to coerce victims into downloading an ISO. The ISO was served only to requests from IP addresses in India with Windows User-Agents to evade automated analysis. The ISO contained a Golang downloader named GOGITTER that creates VBScript files in public and %APPDATA% locations.
Read at The Hacker News