Pakistan-linked Gopher Strike and Sheet Attack campaigns against Indian government entities
Campaign
Summary
Gopher Strike and Sheet Attack are two Pakistan-linked campaigns that targeted Indian government entities with phishing, selective malware delivery, and nontraditional C2. The activity matters because the operators used previously undocumented tradecraft and limited payload delivery to India-based Windows systems. One campaign used Google Sheets, Firebase, and email for C2, while the other used a fake Adobe Acrobat Reader DC update to deliver an ISO payload. The tooling chain included GOGITTER, GITSHELLPAD, and GOSHELL, showing a layered approach to access and command execution.
Related Happenings
Transparent Tribe AI-assisted implant campaign targeting India
Campaign
First: 06.03.2026 17:11
Last: 06.03.2026 17:11
Sources 1
About this happening:
**Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...
Lazarus Group graphalgo recruitment-themed package campaign
Campaign
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
Tirith adds command-line homoglyph blocking for pasted URLs and shell commands
Security Tool/Service
First: 08.02.2026 17:26
Last: 08.02.2026 17:26
Sources 1
About this happening:
**Tirith** is a new **open-source, cross-platform** command-line security tool that detects **homoglyph attacks** before pasted commands run, reducing the risk of deceptive URL ex...
ClawHavoc malicious skills campaign targeting OpenClaw users via ClawHub
Campaign
First: 02.02.2026 19:49
Last: 02.02.2026 19:49
Sources 1
About this happening:
The **ClawHavoc** campaign continues to abuse **ClawHub** and the **OpenClaw** ecosystem to distribute **infostealer malware** through malicious skills. New reporting says the ope...
Fancy Bear (APT28) Microsoft Office exploitation campaign targeting Ukrainian and EU organizations
Campaign
First: 02.02.2026 14:45
Last: 02.02.2026 14:45
Sources 1
About this happening:
**Fancy Bear (APT28)** is linked to an **active espionage campaign** that used a **custom Covenant** implant and **BeardShell** against **Ukrainian targets** since **April 2024**....
Latest development: 10.03.2026 12:00
ESET says APT28 has used a custom variant of Covenant together with BeardShell since April 2024 against Ukrainian targets, including Ukrainian military personnel and central executive bodies of Ukraine, with recent attacks exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files. Covenant is the primary implant and BeardShell is the fallback, while Icedrive, Filen, Koofr, and pCloud are used for C2 infrastructure.
Timeline
- 27.01.2026 18:45 · 1 article · 4mo ago
Threat-actor GitHub account is created
Technical Analysis Update: A GitHub account later used for campaign infrastructure was created on June 7, 2025, supporting private repository activity that helped deliver payloads such as adobe_update.zip and enable GitHub-based command-and-control for GITSHELLPAD.
- Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities — thehackernews.com — 27.01.2026 18:45
- 27.01.2026 18:45 · 2 articles · 4mo ago
Zscaler identifies Gopher Strike and Sheet Attack targeting Indian government entities
Initial Disclosure: Zscaler ThreatLabz publishes analysis of Gopher Strike and Sheet Attack, describing Indian government entities as the target set, phishing emails and a fake Adobe Acrobat Reader DC update lure, selective ISO delivery to India-based Windows requests, Google Sheets, Firebase, email, and private GitHub repositories for command-and-control, and a medium-confidence assessment that the activity may originate from APT36 or another Pakistan-linked subgroup.
- Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities — thehackernews.com — 27.01.2026 18:45
- Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities — thehackernews.com — 27.01.2026 18:45