Sophisticated APT Campaigns Target Indian Government Using Cloud-Based Malware and Custom Backdoors

A series of highly targeted advanced persistent threat (APT) campaigns has been observed actively targeting Indian government entities. These operations demonstrate a clear focus on precision targeting, long-term persistence, and stealthy command-and-control (C2) that abuses legitimate cloud platforms and developer services.

The activity consists of two closely related but operationally distinct campaigns, commonly referred to as Gopher Strike and Sheet Attack. While both campaigns share infrastructure, delivery methods, and targeting logic, each employs its own malware ecosystem and C2 strategy. Attribution analysis indicates a Pakistan-linked threat actor, potentially an evolved subgroup or parallel operator aligned with previously observed regional espionage activity.


Initial Access: Spear-Phishing and Environment-Aware Payload Delivery

Both campaigns begin with spear-phishing emails crafted to appear as official government correspondence. These emails typically contain PDF attachments designed to entice recipients into clicking embedded links or buttons such as “Download” or “View Document.”

Targeted Payload Serving

Once the link is clicked, victims are redirected to attacker-controlled servers that apply strict filtering before delivering payloads:

  • Payloads are served only to Windows user agents
  • Requests must originate from Indian IP address ranges
  • All other requests receive HTTP 403 responses

This selective delivery significantly reduces exposure to automated sandboxes, crawlers, and security researchers.

The final payload is typically delivered as an ISO image, a container format commonly abused because it slips past email security controls and raises little suspicion with users.


Campaign One: Gopher Strike

Stage 1 – GOGITTER (Golang Downloader)

The initial executable dropped from the ISO is GOGITTER, a previously undocumented downloader written in Golang.

Key functionality:

  • Downloads additional payloads from private GitHub repositories
  • Checks for the presence of a VBScript loader named windows_api.vbs
  • Searches predefined directories including:
    • C:\Users\Public\Downloads
    • C:\Users\Public\Pictures
    • %APPDATA%
  • Drops the VBScript if missing

Persistence Mechanism

GOGITTER establishes persistence via Windows Scheduled Tasks, using names crafted to resemble legitimate system processes, such as:

MicrosoftEdge_ConfigurationUpdate_<random>

This scheduled task executes the VBScript loader to ensure execution across reboots.
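One way to hunt for this persistence on exported task definitions (the XML that `schtasks /query /xml` produces), as an added example that is not part of the original report: it flags tasks whose name follows the reported `MicrosoftEdge_ConfigurationUpdate_<random>` pattern, whose action runs a `.vbs` through a script host, or whose action path sits in one of the reported drop directories. The two task definitions below are constructed; the random suffix and paths are illustrative only.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (what "schtasks /query /xml" exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Drop locations reported for the GOGITTER VBScript loader, lower-cased for matching.
DROP_DIRS = ("\\users\\public\\downloads", "\\users\\public\\pictures", "\\appdata\\roaming")
NAME_PATTERN = re.compile(r"MicrosoftEdge_ConfigurationUpdate_\w+", re.IGNORECASE)

def assess_task(task_xml: str) -> list:
    """Return the reasons a task definition resembles the reported persistence (empty if none)."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    reasons = []
    if NAME_PATTERN.search(uri):
        reasons.append("task name matches the reported GOGITTER naming pattern")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip().lower()
        if cmd.endswith(SCRIPT_HOSTS) and ".vbs" in args:
            reasons.append("action runs a VBScript through a script host")
        if any(d in cmd + " " + args for d in DROP_DIRS):
            reasons.append("action path is in a reported drop directory")
    return reasons

# Constructed task definitions (not captured from the campaign); suffix and paths are illustrative.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdge_ConfigurationUpdate_7f3a</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"C:\Users\Public\Downloads\windows_api.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
    <Arguments>/c</Arguments>
  </Exec></Actions>
</Task>"""
```

Each reason is independent, so a task that matches only the naming pattern still surfaces for review; feed it every exported task rather than only those with Edge-like names.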


Stage 2 – GITSHELLPAD (Golang Backdoor)

Once persistence is established, GITSHELLPAD is deployed.

Capabilities:

  • Acts as a lightweight backdoor
  • Periodically polls private GitHub repositories for commands
  • Uses GitHub as a covert C2 channel, blending malicious traffic with legitimate developer activity

This approach allows attackers to issue commands, deploy additional tools, or update malware while avoiding traditional C2 detection.


Stage 3 – GOSHELL (Shellcode Loader)

The final payload in Gopher Strike is GOSHELL, a Golang-based shellcode loader.

Notable characteristics:

  • Executes shellcode only if the system hostname matches hardcoded values
  • Loads a Cobalt Strike Beacon
  • Enables full interactive access, command execution, and potential lateral movement

This hostname-based gating ensures that high-value tooling is deployed only on intended targets.


Campaign Two: Sheet Attack

The second campaign shifts away from GitHub-based C2 and introduces three new backdoors, each abusing a different trusted cloud service.


SHEETCREEP – Google Sheets–Based C2

SHEETCREEP is a lightweight backdoor written in C#.

Delivery Method

Victims receive a ZIP archive containing:

  • A malicious LNK file
  • A disguised binary with a .PNG extension (e.g., details.png)

The LNK executes PowerShell, which:

  • Reverses the byte order of the PNG file
  • Loads the decoded .NET assembly via reflection, avoiding disk-based detection
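A file-level check for this delivery trick, as an added example not taken from the report: a `.PNG`-named file whose bytes, read back-to-front, carry a valid `MZ` header and `PE\0\0` signature is a byte-reversed executable rather than an image. The header-only PE image built by `build_fake_pe` is constructed for testing and is not a real binary.

```python
import struct
from pathlib import Path

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def looks_like_pe(data: bytes) -> bool:
    """Header-only check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(data: bytes) -> str:
    """'pe' for a normal executable, 'reversed-pe' for one stored back-to-front, else 'other'."""
    if looks_like_pe(data):
        return "pe"
    if looks_like_pe(data[::-1]):
        return "reversed-pe"
    return "other"

def is_suspicious_image(name: str, data: bytes) -> bool:
    """Flag image-named files whose bytes are a PE in either orientation."""
    return Path(name).suffix.lower() in IMAGE_EXTENSIONS and classify(data) != "other"

def scan_directory(root: str) -> list:
    """Walk a directory tree and return (path, classification) for image-named files that are PEs."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in IMAGE_EXTENSIONS:
            data = p.read_bytes()
            if is_suspicious_image(p.name, data):
                findings.append((str(p), classify(data)))
    return findings

def build_fake_pe() -> bytes:
    """Constructed header-only PE image for testing; not a real or runnable binary."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ").ljust(0x3C, b"\x00")       # DOS header up to the e_lfanew field
    hdr += struct.pack("<I", e_lfanew)                # e_lfanew -> offset of the NT headers
    hdr = hdr.ljust(e_lfanew, b"\x00")                # DOS stub padding
    hdr += b"PE\x00\x00" + struct.pack("<H", 0x8664)  # NT signature + Machine = AMD64
    return bytes(hdr.ljust(e_lfanew + 0x100, b"\x00"))
```

Because the check reads only the header in each orientation, it stays cheap enough to run over the attachment quarantine or user download folders on a schedule.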

Command and Control

  • Uses Google Sheets as a C2 channel
  • Commands and configuration are stored in spreadsheet cells
  • Results are written back to the same document

This technique blends seamlessly with normal Google Workspace traffic.


FIREPOWER – Firebase Realtime Database C2

FIREPOWER is a PowerShell-based backdoor.

Execution chain:

  • Triggered via malicious LNK shortcuts
  • Executes encoded PowerShell using: powershell.exe -headless -e <base64>
  • Fetches and executes additional payloads dynamically

C2 Infrastructure:

  • Uses Google Firebase Realtime Database
  • Commands are retrieved and results exfiltrated through Firebase endpoints

MAILCREEP – Microsoft Graph API C2

MAILCREEP is written in Golang and leverages Microsoft Graph API for C2.

Key features:

  • Uses authenticated Graph API access tokens
  • Communicates over legitimate Microsoft cloud endpoints
  • Allows command execution, data exfiltration, and tasking via Microsoft services

This approach makes network-level detection extremely difficult in enterprise environments.


Use of Generative AI in Malware Development

Analysis of multiple malware samples revealed distinct development artifacts strongly suggesting the use of generative AI tools:

  • Non-standard error handling patterns
  • Inconsistent logic flows
  • Presence of emoji-style or unusual formatting in debug strings

These indicators align with broader trends of AI-assisted malware development, enabling rapid iteration and diversification.


Evasion and Operational Security Techniques

Across both campaigns, the threat actor employed advanced evasion strategies:

  • Geofencing based on IP location
  • User-agent validation
  • Abuse of trusted cloud services:
    • GitHub
    • Google Sheets
    • Firebase
    • Microsoft Graph
  • Living-off-the-land techniques using PowerShell and LNK files
  • Masqueraded persistence mechanisms using legitimate-looking scheduled tasks
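The FIREPOWER execution chain (`powershell.exe -e <base64>`) and the list of abused cloud services above suggest one endpoint-side hunt, given here as an added example that is not from the report: decode the base64 UTF-16LE payload behind PowerShell's encoded-command flag in process-creation telemetry and check whether the recovered script references any of the trusted services named in this report. The events and the Firebase project name are constructed placeholders, not captured telemetry.

```python
import base64
from typing import Optional

# Trusted services reported as C2 channels; a match is a hunting lead, not proof of compromise.
CLOUD_C2_HOSTS = ("api.github.com", "raw.githubusercontent.com", "docs.google.com/spreadsheets",
                  "sheets.googleapis.com", "firebaseio.com", "graph.microsoft.com")

def is_encoded_flag(arg: str) -> bool:
    """powershell.exe accepts -EncodedCommand, the aliases -ec and -e, and any unambiguous prefix."""
    a = arg.lower()
    return a in ("-e", "-ec") or (len(a) > 2 and "-encodedcommand".startswith(a))

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script carried after an encoded-command flag, or None if absent/invalid."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if is_encoded_flag(arg):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def hunt(events) -> list:
    """Return (host, matched_services, decoded_script) for encoded commands that touch cloud C2 hosts."""
    hits = []
    for ev in events:
        script = decode_encoded_command(ev["cmdline"])
        if not script:
            continue
        matched = [h for h in CLOUD_C2_HOSTS if h in script.lower()]
        if matched:
            hits.append((ev["host"], matched, script))
    return hits

def _encode(script: str) -> str:
    """Build a sample the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation events, not captured telemetry; the Firebase project name is a placeholder.
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmdline": "powershell.exe -headless -e " + _encode(
        "Invoke-RestMethod 'https://PLACEHOLDER-project.firebaseio.com/tasks.json'")},
    {"host": "WS-02", "cmdline": "powershell.exe -e " + _encode("Get-Date")},
    {"host": "WS-03", "cmdline": "powershell.exe -NoProfile -File C:\\ops\\backup.ps1"},
]
```

Decoding before matching matters here: the cloud hostnames never appear in the raw command line, so a rule that only inspects the visible arguments misses exactly the traffic these backdoors rely on.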

MITRE ATT&CK Techniques Observed

  • Phishing for Initial Access (T1566)
  • User Execution (T1204)
  • PowerShell (T1059.001)
  • Scheduled Task Persistence (T1053.005)
  • Cloud-based C2 (T1102)
  • Obfuscated Files or Information (T1027)
  • Reflection-based Execution (.NET)

Attribution Assessment

While the campaigns share historical overlaps with APT36-associated targeting patterns, notable differences in tooling, infrastructure, and tradecraft suggest either:

  • A significantly evolved version of the group, or
  • A closely aligned Pakistan-linked subgroup operating independently

Attribution confidence remains medium, based on infrastructure reuse, targeting alignment, and operational characteristics.


Conclusion

These campaigns represent a highly evolved espionage operation characterized by:

  • Multi-stage malware chains
  • Selective payload deployment
  • Abuse of legitimate cloud platforms for stealthy C2
  • Strong operational discipline and target validation

The shift toward cloud-native C2, reflection-based loading, and AI-assisted development signals a broader evolution in APT tradecraft. Defenders must move beyond static indicators and focus on behavioral detection, cloud telemetry analysis, and context-aware threat hunting to counter threats of this nature.