Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities
Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft. The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025. "While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT)
AI Analysis
Technical Summary
The campaigns named Gopher Strike and Sheet Attack are attributed with medium confidence to a Pakistan-linked threat actor that may be related to, or operating in parallel with, APT36. Both are espionage operations against Indian government entities.

Gopher Strike begins with a phishing email carrying a PDF whose content is blurred and overlaid with a fake Adobe Acrobat Reader DC update prompt. Clicking the prompt requests an ISO image, which the server returns only if the request comes from an Indian IP address and carries a Windows user agent; analysts, crawlers and sandboxes that fetch the link from elsewhere receive nothing, which hinders automated analysis. The ISO contains GOGITTER, a Golang downloader that writes VBScript files into several common directories. These scripts fetch commands from two C2 servers every 30 seconds, and a scheduled task that re-runs the VBScript every 50 minutes provides persistence.

GOGITTER also checks for a ZIP archive in a private GitHub repository and downloads it if it is not already present on the host. The archive contains GITSHELLPAD, a lightweight Golang backdoor that polls a command.txt file hosted on GitHub every 15 seconds. Its command set covers changing directory, running commands, uploading and downloading files, and capturing command output, which it writes back to GitHub before deleting the command file so that each tasking is consumed once.

Further tools are delivered only to selected hosts, chosen by hostname: system information gatherers and GOSHELL, a Golang loader that drops a Cobalt Strike Beacon. GOSHELL is padded with junk bytes to inflate its size, a common trick for exceeding the file-size limits of antivirus scanners and sandbox uploaders.

Sheet Attack instead routes its C2 through legitimate cloud services (Google Sheets, Firebase and email), so its traffic is hard to separate from normal use of those platforms.

Across both campaigns the actor shows careful operational security: geo-fencing, user-agent checks, and short-lived tooling that is swapped out to frustrate detection and attribution.
No software vulnerability is exploited at any stage; initial access relies entirely on the user accepting the fake update prompt and opening the ISO. The significance of the campaigns lies in the tradecraft: geo-fenced payload delivery, multi-stage Golang tooling, and public infrastructure (GitHub, Google Sheets, Firebase) used for command and control so the traffic blends into normal activity.
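The polling cadence described above (GITSHELLPAD fetching command.txt every 15 seconds, the VBScript stage checking in every 30 seconds) is what makes GitHub-hosted C2 detectable even though the destination is a trusted domain: a sleep()-driven poller produces request intervals with almost no variance, which human browsing never does. The following is an added example, not code from the original page, from Zscaler or from the malware. It reads constructed proxy log lines and flags source/destination pairs whose request intervals are short and nearly constant. The hostnames, repository paths and timestamps are invented for the demo.

```python
"""Detect fixed-interval polling (beaconing) in web proxy logs.

Added example for this page; not code from Zscaler or the reported malware.
Hostnames, repository paths and timestamps below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_sample_log() -> str:
    """Build constructed proxy log lines: '<iso-timestamp> <src> <dst> <method> <path>'."""
    base = datetime(2026, 1, 27, 9, 0, 0)
    lines = []
    # WS-0412 fetches a command file every 15 s with +/-1 s jitter, the cadence
    # the summary attributes to GITSHELLPAD (hostname and repo are invented).
    t = 0
    for jitter in (0, 1, 0, -1, 0, 1, 0, 0, -1, 0):
        t += 15 + jitter
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()} WS-0412 "
                     "raw.githubusercontent.com GET /example-org/cmds/main/command.txt")
    # DEV-07 is a developer pulling files at irregular, human-paced intervals.
    for secs in (5, 130, 310, 1120, 1135, 2600):
        lines.append(f"{(base + timedelta(seconds=secs)).isoformat()} DEV-07 "
                     "raw.githubusercontent.com GET /example-org/app/main/README.md")
    return "\n".join(lines)


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, path)."""
    ts, src, dst, _method, path = line.split()
    return datetime.fromisoformat(ts), src, dst, path


def find_beacons(log_text: str, min_requests: int = 6, max_cv: float = 0.15,
                 max_interval: float = 120.0) -> list:
    """Return (src, dst) pairs whose inter-request gaps are short and nearly constant.

    max_cv is the coefficient of variation (stdev / mean) of the gaps: human
    browsing has a cv well above 1, a sleep()-driven poller sits near 0.
    max_interval keeps slow, legitimate sync clients out of the result.
    """
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, _ = parse_line(line)
            stamps_by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "requests": len(stamps),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(constructed_sample_log()):
        print(hit)
```

In practice this runs over hourly slices of a proxy or Zeek http.log export; the thresholds are starting points, and known pollers (package mirrors, CI runners, monitoring agents) need an allow-list so the output stays short enough to review.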
Potential Impact
For European organizations the direct impact is currently limited: the campaigns target Indian government entities, and the payload server only delivers the ISO to Indian IP addresses. The tradecraft, however, travels well. Command and control over GitHub, Google Sheets and Firebase can be pointed at any target, and European entities with diplomatic, defence or economic ties to India or South Asia are plausible secondary targets or collateral victims. The geo-fenced delivery and multi-stage payloads complicate detection and response, so an adapted campaign could persist undetected for a long time. The lure imitates an Adobe Acrobat Reader DC update prompt but exploits no Acrobat vulnerability; any organization whose users are used to accepting in-document update prompts on Windows is exposed to the same social engineering. The broader lesson is that trusted cloud and code-hosting services are being used as attacker infrastructure, which affects the confidentiality of sensitive data first and foremost. Espionage of this kind leads to data exfiltration and intellectual property theft, and a Cobalt Strike foothold gives the operator the option of disrupting governmental or critical infrastructure operations later.
Mitigation Recommendations
European organizations should consider the following, in rough order of effect:
- Phishing awareness training that specifically covers fake in-document software update prompts (the Gopher Strike lure imitates an Adobe Acrobat Reader DC update) and attachments or downloads that arrive as ISO images.
- Block or quarantine ISO and IMG files at the mail and web gateways; few business workflows need them, and Windows mounts them with a double-click. Note that the payload server only serves the ISO to Indian IP addresses with a Windows user agent, so a sandbox that detonates the PDF from a European egress address will see nothing malicious, and a clean sandbox verdict on such a link proves little.
- Restrict VBScript: use application control (WDAC or AppLocker) to block wscript.exe and cscript.exe for standard users, and alert on newly created scheduled tasks whose action runs a .vbs file, especially one located in a user-writable directory.
- Monitor outbound connections to GitHub (api.github.com, raw.githubusercontent.com), Google Sheets and Firebase from hosts that have no business reason to reach them, and alert on fixed-interval polling: GITSHELLPAD fetches its command file every 15 seconds and the VBScript stage checks in every 30 seconds, a cadence no human produces.
- Endpoint detection and response rules for Golang binaries launched from mounted media or user temp directories, and for unusually large executables whose size is dominated by padding appended after the last PE section, as with GOSHELL.
- Treat egress to code-hosting and cloud-storage services as a privilege granted per host group rather than default-open. The private repository used by GOGITTER is attacker-controlled, so auditing your own GitHub organization does not help here; what helps is noticing a non-developer workstation talking to GitHub at all.
- Share and consume threat intelligence on this actor, but expect hashes and domains to rotate quickly; the behavioral detections above age better than indicators.
- Include social-engineering scenarios (fake updates, ISO lures) in regular assessments and phishing simulations.
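The recommendation to catch executables inflated with junk bytes, as GOSHELL is, can be automated with a plain PE parse. The following is an added example, not Zscaler's tooling and not a signature for GOSHELL: it computes how much of a file lies beyond the end of the last section listed in the PE section table (the overlay), reports that overlay's entropy, and flags files whose size is mostly overlay. The minimal PE skeleton it builds for the demo is constructed and not executable; thresholds are assumptions to tune.

```python
"""Measure a PE file's overlay (bytes after the last section) and flag size inflation.

Added example for this page; not Zscaler's tooling and not a GOSHELL signature.
The PE skeleton built by build_constructed_pe() is constructed for the demo
and is not an executable program.
"""
import math
import struct


def build_constructed_pe(overlay: bytes = b"") -> bytes:
    """Return a minimal one-section PE32+ image (constructed) followed by `overlay`."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_opt = 0xF0                                   # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x22)
    opt = b"\x0B\x02" + b"\x00" * (size_opt - 2)      # magic 0x20B, remaining fields zeroed
    headers_len = e_lfanew + 4 + 20 + size_opt + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF          # file-align the section at 0x200
    raw_size = 0x400
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\x00\x00" + coff + opt + section).ljust(raw_ptr, b"\x00")
    image += bytes(range(256)) * (raw_size // 256)    # section body: varied bytes, not padding
    return image + overlay


def pe_overlay(data: bytes) -> bytes:
    """Return the bytes past the end of the last section according to the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)     # COFF NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt                                 # first section header
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, up to 8.0 for uniform random data."""
    n = len(buf)
    if n == 0:
        return 0.0
    counts = (buf.count(bytes([v])) for v in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_inflation(data: bytes, min_overlay_ratio: float = 0.9) -> dict:
    """Flag a file whose size is dominated by its overlay.

    Low overlay entropy means literal padding; high entropy could be an appended
    encrypted payload. Either is worth a look, so the ratio drives the verdict and
    the entropy is reported for the analyst. The 0.9 threshold is an assumption.
    """
    overlay = pe_overlay(data)
    ratio = len(overlay) / len(data)
    return {
        "file_bytes": len(data),
        "overlay_bytes": len(overlay),
        "overlay_ratio": round(ratio, 3),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "flagged": ratio >= min_overlay_ratio,
    }


if __name__ == "__main__":
    print(assess_inflation(build_constructed_pe()))
    print(assess_inflation(build_constructed_pe(b"\x00" * (256 * 1024))))
```

Legitimate installers and self-extracting archives also carry large overlays, so the ratio is a triage signal rather than a verdict; it becomes interesting combined with origin, for example a Golang binary that appeared on a mounted ISO or in a user's temp directory.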
Affected Countries
United Kingdom, Germany, France, Italy, Netherlands, Belgium, Poland, Sweden
Technical Details
- Article Source: https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html (fetched 2026-01-27T20:26:47Z, 1255 words)
Threat ID: 69791f8b4623b1157c45d41c
Added to database: 1/27/2026, 8:26:51 PM
Last enriched: 1/27/2026, 8:27:20 PM
Last updated: 1/29/2026, 7:57:45 AM