GOGITTER, GITSHELLPAD, and GOSHELL Analysis

In September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). ThreatLabz assesses with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel, despite sharing similarities with the APT36 threat group. The Gopher Strike campaign uses PDFs containing malicious links and fake prompts to trick victims into downloading an ISO file with a payload, ensuring delivery is restricted to targeted victims (Windows systems in India). This campaign includes the newly discovered GOGITTER tool as an initial downloader, a backdoor called GITSHELLPAD for command-and-control (C2) communication, and GOSHELL, a Golang shellcode loader used to deploy a Cobalt Strike Beacon.

ThreatLabz traced the origins of the Gopher Strike campaign to multiple PDFs presumably sent in spear-phishing emails. These PDFs contain a malicious link and a blurred image designed to trick victims into downloading a fake Adobe Acrobat update. If the victim clicks the button, an ISO file containing the malicious payload is downloaded. ThreatLabz observed that the servers hosting the payload only respond with the ISO file when accessed from IP addresses in India, with a User-Agent header representing a Windows platform.

GOGITTER is a previously undocumented lightweight 64-bit Golang-based downloader. GOGITTER attempts to create a new file named windows_api.vbs in the first accessible location if the file is not already found. The contents of this VBScript are stored in plaintext within the binary. The newly created VBScript contains two pre-configured C2 URLs that are used to fetch VBScript commands every 30 seconds. To achieve persistence, a scheduled task is created with a dynamic name, configured to execute the dropped windows_api.vbs script every 50 minutes. GOGITTER downloads a file named adobe_update.zip from the private threat actor-controlled GitHub repository at hxxps[:]//raw.githubusercontent[.]com/jaishankai/sockv6/main/adobe_update.zip. A GitHub authentication token embedded in the binary is used to authenticate and download the archive.

The extracted edgehost.exe file is GITSHELLPAD, a 64-bit lightweight Golang-based backdoor that leverages threat actor-controlled private GitHub repositories for its C2 communication. The backdoor registers the victim with the C2 server and then polls the C2 for commands to execute. GITSHELLPAD uses GitHub’s REST API to create a new directory in the threat actor-controlled GitHub repository with the format SYSTEM-<PC Name>. GITSHELLPAD then adds the file info.txt into this new directory and commits the changes to the main branch. GITSHELLPAD polls the threat actor-controlled GitHub account for new commands every 15 seconds by sending a GET request to the GitHub REST Contents API endpoint for the file command.txt. All logging messages detailing the command status and output are captured in the result.txt file and uploaded to the threat actor’s GitHub account via a PUT request. During the investigation, ThreatLabz discovered four threat actor-controlled private GitHub repositories and observed more than 200 post-compromise commands issued by the threat actor. Additionally, the threat actors utilized GOSHELL, a custom-built Golang-based loader, to deploy a Cobalt Strike Beacon.
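The GitHub-based C2 pattern described above (a SYSTEM-<PC Name> directory, command.txt fetched every 15 seconds, result.txt written back with a PUT) is distinctive enough to hunt for in web proxy logs, provided TLS inspection exposes the full api.github.com URL. The following detection logic is an added example, not code from the original post or from Zscaler; the log format, host names and repository names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (timestamp host method url); not real telemetry.
SAMPLE_LOG = """\
2025-09-10T10:00:00Z HOST-A GET https://api.github.com/repos/acct/repo1/contents/SYSTEM-HOST-A/command.txt
2025-09-10T10:00:15Z HOST-A GET https://api.github.com/repos/acct/repo1/contents/SYSTEM-HOST-A/command.txt
2025-09-10T10:00:30Z HOST-A GET https://api.github.com/repos/acct/repo1/contents/SYSTEM-HOST-A/command.txt
2025-09-10T10:00:31Z HOST-A PUT https://api.github.com/repos/acct/repo1/contents/SYSTEM-HOST-A/result.txt
2025-09-10T10:05:00Z HOST-B GET https://api.github.com/repos/someorg/tool/contents/README.md
"""

# GitHub Contents API path: /repos/{owner}/{repo}/contents/{path}
CONTENTS_RE = re.compile(
    r"https://api\.github\.com/repos/[^/]+/[^/]+/contents/"
    r"(SYSTEM-[^/]+)/(command|result|info)\.txt$"
)

def parse_line(line):
    ts, host, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, method, url

def find_gitshellpad_like(log_text, poll_seconds=15, tolerance=5, min_polls=3):
    """Return (host, directory) pairs whose GitHub Contents API traffic matches the
    GITSHELLPAD pattern: repeated command.txt GETs at a ~15 s cadence against a
    SYSTEM-<name> directory, plus a result.txt PUT to the same directory."""
    polls = defaultdict(list)   # (host, directory) -> timestamps of command.txt GETs
    puts = set()                # (host, directory) with a result.txt PUT
    for line in log_text.strip().splitlines():
        ts, host, method, url = parse_line(line)
        m = CONTENTS_RE.search(url)
        if not m:
            continue
        directory, fname = m.groups()
        if method == "GET" and fname == "command":
            polls[(host, directory)].append(ts)
        elif method == "PUT" and fname == "result":
            puts.add((host, directory))
    hits = []
    for key, times in polls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - poll_seconds) <= tolerance for g in gaps)
        if len(times) >= min_polls and regular >= min_polls - 1 and key in puts:
            hits.append(key)
    return hits
```

A developer's legitimate use of the Contents API will not name directories SYSTEM-<host> or beacon on a fixed cadence, so the combination of the three conditions keeps false positives low; without TLS inspection, only the api.github.com destination is visible and this check cannot run.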

To read the complete article see: Zscaler Blog.

This post is licensed under CC BY 4.0 by the author.