APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
Zscaler ThreatLabz
www.zscaler.com/blogs/sec…

In September 2025, Zscaler ThreatLabz identified two distinct threat campaigns, tracked as Gopher Strike and Sheet Attack. The activity was attributed to a Pakistan-based threat actor primarily targeting Indian government entities. Across both campaigns, ThreatLabz identified previously undocumented tools, techniques and procedures (TTPs). While the observed activity shares certain characteristics with the Pakistan-linked advanced persistent threat (APT) group APT36, ThreatLabz assesses with medium confidence that this activity may originate from a new subgroup or a separate Pakistan-linked actor operating in parallel.

This blog post is the first in a two-part series focusing on the Gopher Strike campaign. It details:

- GOGITTER, an initial-stage downloader
- GITSHELLPAD, a backdoor used for command-and-control (C2) communications
- GOSHELL, a Golang-based shellcode loader used to deploy a Cobalt Strike Beacon

The second part of the series will examine the Sheet Attack campaign in detail, including the full attack chain, associated backdoors, and the use of generative AI in malware development.
Edward Kiledjian
@ekiledjian