{
  "name": "APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1",
  "slug": "apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell-part-1",
  "description": "A Pakistan-linked APT group conducted two campaigns targeting Indian government entities. The Gopher Strike campaign used PDFs with malicious links to deliver an ISO file containing GOGITTER, a Golang downloader that fetches payloads from private GitHub repositories. GITSHELLPAD, a Golang backdoor, was used for C2 communication via GitHub. GOSHELL, a Golang shellcode loader, deployed Cobalt Strike Beacon only on hosts with specific hostnames. The attackers' techniques included scheduled tasks for persistence, as well as obfuscation and environmental keying. Post-compromise activities involved system reconnaissance and data exfiltration. The campaign demonstrated sophisticated TTPs and custom-built tools, which may indicate a new subgroup or a parallel Pakistan-linked threat actor.",
  "published": "2026-01-26T20:19:21+00:00",
  "created_at": "2026-01-26T20:19:21+00:00",
  "modified_at": "2026-01-27T06:35:13+00:00",
  "created_at_opencti": "2026-01-26T20:19:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-26",
    "apt",
    "cobalt strike",
    "cobalt strike beacon",
    "github",
    "gitshellpad",
    "gogitter",
    "golang",
    "goshell",
    "government",
    "india",
    "pakistan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://govt-filesharing.site/taskmgr.rar"
      },
      {
        "id": "",
        "name": "https://adobe-acrobat.in"
      },
      {
        "id": "",
        "name": "https://adobereader-upgrade.in/tmp.rar"
      },
      {
        "id": "",
        "name": "https://govt-filesharing.site/hpc5985.php?key=xvnd54&info=Hello"
      },
      {
        "id": "",
        "name": "https://govt-filesharing.site/svchost.rar"
      },
      {
        "id": "",
        "name": "https://adobereader-upgrade.in/adobe_update.php?file=Adobe_Acrobat_Reader_Installation"
      },
      {
        "id": "",
        "name": "https://govt-filesharing.site/a9.rar"
      },
      {
        "id": "",
        "name": "https://adobe-acrobat.in/a.rar"
      },
      {
        "id": "",
        "name": "https://halsoftsoftsite.com"
      },
      {
        "id": "",
        "name": "http://adobe-acrobat.in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsf"
      },
      {
        "id": "",
        "name": "https://adobreader-upgrade.in"
      },
      {
        "id": "",
        "name": "https://adobe-acrobat.in/wchost.rar"
      },
      {
        "id": "",
        "name": "https://adobe-acrobat.in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsf"
      },
      {
        "id": "",
        "name": "https://adobe-acrobat.in/adobe_reader_setup.php?file=Adobe_Acrobat_Reader_Installation_Setup"
      },
      {
        "id": "",
        "name": "https://adobereader-update.in/taskmgr.rar"
      },
      {
        "id": "",
        "name": "https://bsn.halsoftsoftsite.com"
      },
      {
        "id": "",
        "name": "https://govt-filesharing.site/tmp.rar"
      },
      {
        "id": "",
        "name": "https://listsoft-update.site/"
      },
      {
        "id": "",
        "name": "https://adobecloud.site/adobe_installer.php?file=Adobe_Acrobat_Installer"
      },
      {
        "id": "",
        "name": "https://adobe-acrobat.in/msedge.rar"
      },
      {
        "id": "",
        "name": "https://adobereader-update.in/msedge.rar"
      },
      {
        "id": "",
        "name": "https://adobereader-upgrade.in/tmp1.rar"
      },
      {
        "id": "",
        "name": "8f495603be80b513820a948d51723b616fac33f0f382fa4a141e39e12fff40cf"
      },
      {
        "id": "",
        "name": "95a2fb8b6c7b74a7f598819810ddb0a505f3d5cf392b857ff8e75c5a1401110e"
      },
      {
        "id": "",
        "name": "03edba9908a2f9e1012237d216e894029bd58f9121027e35f80d7b701d30ca95"
      },
      {
        "id": "",
        "name": "5d9b2e61ed45b6407b778a18ff87792265fa068d7c4580ae54fbf88af435679f"
      },
      {
        "id": "",
        "name": "af01c12019a3a3aa64e8a99d7231e0f2af6084298733bba3d7d41db13091cbac"
      },
      {
        "id": "",
        "name": "6c60e5b28e352375d101eb0954fa98d229de3b94f22d5815af8948ebed1f44dd"
      },
      {
        "id": "",
        "name": "99c3e908277df232d7170e1ea0697f79047c7f5610524bd11dc571fe4d84696b"
      },
      {
        "id": "",
        "name": "fff79ce90b1af67e0b6d16a850e85861c948f988eda39ef46457241bbe3df170"
      },
      {
        "id": "",
        "name": "23327fe1158c2e1229dfac028c461eb331686e5c5c04f33af7a042676806a962"
      },
      {
        "id": "",
        "name": "7434a71a8302462d56fee876c74cf3595cba9f2ca6940b3a11ece8aa064fcbaa"
      },
      {
        "id": "",
        "name": "3f2a52ec2dd2d6614115687325f1da9e028937f8a16bccc347de8c71c3aa87e1"
      }
    ],
    "malware": [
      {
        "id": "59613cbe-0c51-4d3c-ad6e-1f6e1c411cca",
        "name": "GOGITTER",
        "slug": "gogitter"
      },
      {
        "id": "legacy:malware:4b1b349e1bbd4cb0",
        "name": "Cobalt Strike Beacon",
        "slug": "cobalt-strike-beacon"
      },
      {
        "id": "legacy:malware:e9bc6b97bc04090d",
        "name": "GITSHELLPAD",
        "slug": "gitshellpad"
      },
      {
        "id": "legacy:malware:57c6bae93b7614be",
        "name": "GOSHELL",
        "slug": "goshell"
      }
    ],
    "intrusion_sets": [
      {
        "id": "db5db15c-525d-4e39-9b12-840d085370b0",
        "name": "Transparent Tribe",
        "slug": "transparent-tribe"
      }
    ],
    "attack_patterns": [
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "govt-filesharing.site"
      },
      {
        "id": "",
        "name": "adobereader-update.in"
      },
      {
        "id": "",
        "name": "adobreader-upgrade.in"
      },
      {
        "id": "",
        "name": "halsoftsoftsite.com"
      },
      {
        "id": "",
        "name": "adobe-acrobat.in"
      },
      {
        "id": "",
        "name": "listsoft-update.site"
      },
      {
        "id": "",
        "name": "adobecloud.site"
      },
      {
        "id": "",
        "name": "bsn.halsoftsoftsite.com"
      },
      {
        "id": "",
        "name": "adobereader-upgrade.in"
      }
    ]
  },
  "external_refs": [
    "https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell",
    "https://otx.alienvault.com/pulse/6977da59fb7a0679c7535c14"
  ]
}