Find notable cyber news and cases, enriched with sources, timelines, and signals.

Pakistan-linked Gopher Strike and Sheet Attack campaigns against Indian government entities

Campaign
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

Gopher Strike and Sheet Attack are two Pakistan-linked campaigns that targeted Indian government entities with phishing, selective malware delivery, and nontraditional C2. The activity matters because the operators used previously undocumented tradecraft and limited payload delivery to India-based Windows systems. One campaign used Google Sheets, Firebase, and email for C2, while the other used a fake Adobe Acrobat Reader DC update to deliver an ISO payload. The tooling chain included GOGITTER, GITSHELLPAD, and GOSHELL, showing a layered approach to access and command execution.

Related Happenings

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Transparent Tribe AI-assisted implant campaign targeting India

Campaign
H score32 First: 06.03.2026 17:11 Last: 06.03.2026 17:11 Sources 1

About this happening: **Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...

Lazarus Group graphalgo recruitment-themed package campaign

Campaign
H score38 First: 12.02.2026 18:55 Last: 12.02.2026 18:55 Sources 1

About this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...

Tirith adds command-line homoglyph blocking for pasted URLs and shell commands

Security Tool/Service
H score15 First: 08.02.2026 17:26 Last: 08.02.2026 17:26 Sources 1

About this happening: **Tirith** is a new **open-source, cross-platform** command-line security tool that detects **homoglyph attacks** before pasted commands run, reducing the risk of deceptive URL ex...

ClawHavoc malicious skills campaign targeting OpenClaw users via ClawHub

Campaign
H score37 First: 02.02.2026 19:49 Last: 02.02.2026 19:49 Sources 1

About this happening: The **ClawHavoc** campaign continues to abuse **ClawHub** and the **OpenClaw** ecosystem to distribute **infostealer malware** through malicious skills. New reporting says the ope...

Timeline

  1. 27.01.2026 18:45 1 articles · 5mo ago

    Threat-actor GitHub account is created

    Technical Analysis Update

    A GitHub account later used for campaign infrastructure was created on June 7, 2025, supporting private repository activity that helped deliver payloads such as adobe_update.zip and enable GitHub-based command-and-control for GITSHELLPAD.

    Show sources
  2. 27.01.2026 18:45 2 articles · 5mo ago

    Zscaler identifies Gopher Strike and Sheet Attack targeting Indian government entities

    Initial Disclosure

    Zscaler ThreatLabz publishes analysis of Gopher Strike and Sheet Attack, describing Indian government entities as the target set, phishing emails and a fake Adobe Acrobat Reader DC update lure, selective ISO delivery to India-based Windows requests, Google Sheets, Firebase, email, and private GitHub repositories for command-and-control, and a medium-confidence assessment that the activity may originate from APT36 or another Pakistan-linked subgroup.

    Show sources