Executive Summary
In September 2025, cybersecurity researchers uncovered coordinated cyber campaigns—dubbed Gopher Strike and Sheet Attack—targeting Indian government entities. Attributed to a Pakistan-linked Advanced Persistent Threat (APT) group, the operations leveraged novel, undocumented tactics involving phishing and multi-stage malware to compromise government networks. Attackers exploited existing security gaps, conducted lateral movement, and exfiltrated sensitive data, threatening the confidentiality and integrity of official communications. The campaigns remained undetected for an extended period, highlighting the advanced tradecraft and persistent nature of the threat actor.
These incidents underscore the growing risk posed by state-aligned actors employing increasingly sophisticated tactics to target critical government infrastructure. The discovery of new tools and techniques in these attacks signals an escalation in South Asian regional cyber conflict and emphasizes the need for updated security controls and rapid detection capabilities.
Why This Matters Now
Pakistan-linked APTs are adopting advanced, stealthy tradecraft and targeting governments with persistent campaigns. The evolving nature of these tactics highlights a growing regional cyber arms race, making rapid detection and active security controls an urgent priority for organizations facing similar threats.
Attack Path Analysis
Attackers gained an initial foothold in Indian government cloud resources, likely exploiting credential compromise or misconfigured cloud services. They escalated privileges using cloud IAM manipulation to expand access. The adversaries moved laterally using east-west traffic between workloads, potentially leveraging limited segmentation. They established command and control channels, possibly using cloud-native outbound connections masked as normal traffic. Sensitive data was then exfiltrated through authorized egress channels or encrypted tunnels. Impact could include unauthorized disclosure, potential disruption, or destruction of data and services.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access through exposed cloud services or spear-phishing targeting cloud credentials.
Related CVEs
CVE-2023-23397 (CVSS 9.8): Microsoft Outlook Elevation of Privilege Vulnerability
Affected Products: Microsoft Outlook – 2013 SP1, 2016, 2019, 2021, 365 Apps
Exploit Status: exploited in the wild
CVE-2023-36884 (CVSS 8.8): Microsoft Office and Windows HTML Remote Code Execution Vulnerability
Affected Products: Microsoft Office – 2013, 2016, 2019, 2021, 365 Apps; Microsoft Windows – 10, 11, Server 2016, Server 2019, Server 2022
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Spearphishing Attachment
Command and Scripting Interpreter
Valid Accounts
Obfuscated Files or Information
Email Collection
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Authentication for All Access
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Adaptive Authentication and Access Controls
Control ID: Identity Pillar - Authentication & Access
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of Pakistan-linked APT campaigns compromising Indian government entities through advanced persistent threats requiring enhanced zero trust segmentation and encrypted traffic monitoring.
Defense/Space
Critical national security sector vulnerable to state-sponsored APT operations targeting government infrastructure with sophisticated lateral movement techniques and data exfiltration capabilities.
Computer/Network Security
Essential sector providing threat detection, anomaly response, and multicloud visibility controls to defend against advanced persistent threats targeting government and critical infrastructure.
Information Technology/IT
Supporting infrastructure sector requiring Kubernetes security, egress policy enforcement, and cloud-native security fabric implementations to prevent APT lateral movement and exfiltration.
Sources
- Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities: https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html (verified)
- APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell (verified)
- APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and (verified)
- APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign: https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html (verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, encrypted traffic controls, and east-west traffic security would have notably disrupted the adversary’s progression—limiting lateral movement, detecting anomalous C2 behaviors, blocking unauthorized data exports, and containing privilege escalation.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Initial compromise attempts would be detected or blocked at the control plane.
Control: Zero Trust Segmentation
Mitigation: Block attempts to access resources beyond allowed scope, even after role compromise.
Control: East-West Traffic Security
Mitigation: Detection and prevention of lateral movement between sensitive workloads.
Control: Multicloud Visibility & Control
Mitigation: Suspicious outbound connections are detected and alerted on.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data flows are blocked and encrypted exfiltration is monitored.
Known malicious payloads or ransomware actions are detected and prevented pre-impact.
Impact at a Glance
Affected Business Functions
- Government Communications
- Data Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive government communications and data.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation and least-privilege policies to block unauthorized lateral movement and privilege escalation.
- Enforce stringent egress filtering and outbound traffic policies to prevent data exfiltration and malicious C2 communication.
- Deploy multicloud visibility solutions for centralized policy management, real-time monitoring, and rapid detection of anomalous behaviors.
- Utilize encrypted traffic inspection and line-rate encryption for all critical in-transit data flows to restrict packet sniffing and covert data theft.
- Integrate inline IPS and distributed runtime enforcement to block known exploit attempts and prevent malware from impacting cloud workloads.