APT Attacks Target India’s Government with GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
Summary
Zscaler ThreatLabz uncovered two campaigns, Gopher Strike and Sheet Attack, run by a Pakistan-linked APT group targeting Indian government organizations. The activity introduces Golang-based tooling, including GOGITTER, GITSHELLPAD, and GOSHELL, to stage payloads, use private GitHub repositories for C2, and ultimately deploy a Cobalt Strike beacon. Initial access is achieved through spearphishing PDFs that lure victims into downloading malicious ISO files. The operators layer multiple evasion methods, including environment checks, file padding, and scheduled-task persistence.
Investigation
Analysis showed that GOGITTER checks for the presence of a windows_api.vbs script, creates it if absent, and registers a scheduled task to run it every 50 minutes. GITSHELLPAD uses the GitHub REST API for command retrieval and data exfiltration, while GOSHELL conditionally loads a staged Cobalt Strike beacon only on selected hostnames. The tools embed hard-coded URLs and user-agent strings to hinder automated analysis and sandboxing. The campaigns also used private GitHub repositories to host supporting payloads such as adobe_update.zip.
Mitigation
Block execution of untrusted or unsigned Golang binaries and enforce strict allow-listing and review of scheduled task creation. Monitor outbound traffic to known malicious domains and to GitHub resources used as C2, including anomalous GitHub API usage from non-developer endpoints. Strengthen email security by scanning PDF attachments for obfuscation and blocking links that redirect to ISO downloads. Endpoint detections should alert on creation of windows_api.vbs and on periodic task execution patterns consistent with 50-minute intervals.
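The two endpoint patterns above (windows_api.vbs executed at roughly 50-minute intervals, and the GITSHELLPAD launch-then-taskkill sequence that the process-creation rule below keys on) can be checked over process-creation telemetry. The following is an added example written for this page, not Zscaler's or the detection vendor's code; the event tuples, paths and PID are constructed sample data, and the tolerance and window values are assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events: (UTC timestamp, image, command line).
EVENTS = [
    ("2024-01-01T09:00:00", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Roaming\windows_api.vbs"),
    ("2024-01-01T09:50:00", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Roaming\windows_api.vbs"),
    ("2024-01-01T10:40:00", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Roaming\windows_api.vbs"),
    ("2024-01-01T10:41:00", r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\u\AppData\Local\Temp\edgehost.exe"'),
    ("2024-01-01T10:42:00", r"C:\Windows\System32\cmd.exe", r'cmd /c "taskkill /F /PID 4321"'),  # 4321 is a made-up PID
    ("2024-01-01T11:00:00", r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt"),
]


def periodic_vbs_runs(events, script="windows_api.vbs", period_min=50, tolerance_min=2, min_hits=3):
    """True when `script` ran at least `min_hits` times with consecutive gaps close to `period_min`.

    Matching on the gap pattern rather than a single execution avoids alerting on a one-off
    run of a similarly named script while still catching the 50-minute scheduled task.
    """
    times = sorted(datetime.fromisoformat(ts) for ts, _img, cmd in events if script.lower() in cmd.lower())
    if len(times) < min_hits:
        return False
    lo = timedelta(minutes=period_min - tolerance_min)
    hi = timedelta(minutes=period_min + tolerance_min)
    periodic_gaps = sum(lo <= later - earlier <= hi for earlier, later in zip(times, times[1:]))
    return periodic_gaps >= min_hits - 1


def _is_cmd(image):
    return image.lower().endswith("\\cmd.exe")


def gitshellpad_sequence(events, window_min=10):
    """True when cmd /c launches edgehost.exe and a cmd-driven `taskkill /F /PID` follows within `window_min`."""
    launches = [datetime.fromisoformat(ts) for ts, img, cmd in events
                if _is_cmd(img) and " /c " in cmd.lower() and "edgehost.exe" in cmd.lower()]
    kills = [datetime.fromisoformat(ts) for ts, img, cmd in events
             if _is_cmd(img) and "taskkill" in cmd.lower() and "/f" in cmd.lower() and "/pid" in cmd.lower()]
    # Require ordering (kill after launch) so an unrelated earlier taskkill does not pair up.
    return any(0 <= (kill - launch).total_seconds() <= window_min * 60 for launch in launches for kill in kills)


if __name__ == "__main__":
    print("periodic windows_api.vbs:", periodic_vbs_runs(EVENTS))   # True on the sample
    print("GITSHELLPAD launch+cleanup:", gitshellpad_sequence(EVENTS))  # True on the sample
```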
Response
If any IOCs are detected, isolate the endpoint, stop and remove the scheduled task, and delete the associated malicious artifacts. Perform a forensic review of the GitHub-based C2 activity, preserve command execution logs, and remove any exfiltrated or uploaded content where possible. Reset credentials for affected accounts, hunt for lateral movement, and update detections with the extracted indicators to identify related activity across the environment.
Attack Flow
Detections
- Possible IP Lookup Domain Communications Attempted (via dns)
- Suspicious Process Utilizes a URL in the Command Line (via cmdline)
- Suspicious CURL Usage (via cmdline)
- Possible System Enumeration (via cmdline)
- Possible Account or Group Enumeration (via cmdline)
- Suspicious Extracted Files from an Archive (via file_event)
- Possible System Network Configuration Discovery (via cmdline)
- IOCs (HashSha1) to detect: APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
- IOCs (HashMd5) to detect: APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
- IOCs (HashSha256) to detect: APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
- Detection of GITSHELLPAD Backdoor and Cleanup Commands [Windows Process Creation]
- Detection of GOGITTER Downloader and C2 Communication [Windows Network Connection]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An APT group deploys the GITSHELLPAD backdoor (edgehost.exe) onto a compromised Windows host. To blend with expected system behavior, the attacker launches the backdoor via the Windows command shell (cmd /c). After completing its payload (e.g., downloading additional modules), the backdoor performs a "cleanup" by terminating its own process using taskkill /F /PID <PID>. Both actions generate process-creation events that contain the binary name and the required command-line substrings, satisfying the Sigma rule.
Regression Test Script:
# -------------------------------------------------
# Simulate GITSHELLPAD backdoor execution & cleanup
# -------------------------------------------------
# 1. Drop a placeholder edgehost.exe (any benign executable).
#    If edgehost.exe exits immediately on your build of Windows, substitute another benign executable.
$src = "$env:SystemRoot\System32\notepad.exe"
$dst = "$env:TEMP\edgehost.exe"
Copy-Item -Path $src -Destination $dst -Force
# 2. Launch edgehost.exe via cmd /c (matches the cmd_cmd pattern)
$wrapper = Start-Process -FilePath "cmd.exe" -ArgumentList "/c `"$dst`"" -PassThru
# 3. Wait a few seconds to ensure the process is alive
Start-Sleep -Seconds 5
# 4. Cleanup: kill edgehost.exe using taskkill (matches the taskkill_cmd pattern).
#    $wrapper.Id is the PID of the cmd.exe wrapper, not of edgehost.exe, so resolve the
#    backdoor placeholder by name; fall back to the wrapper PID if it has already exited.
#    ($PID is a read-only automatic variable in PowerShell, so a different name is used.)
$target = Get-Process -Name "edgehost" -ErrorAction SilentlyContinue | Select-Object -First 1
$targetPid = if ($target) { $target.Id } else { $wrapper.Id }
cmd /c "taskkill /F /PID $targetPid"
# 5. Give taskkill a moment to release the file handle, then remove the dropped file
Start-Sleep -Seconds 2
Remove-Item -Path $dst -Force -ErrorAction SilentlyContinue
Cleanup Commands:
# Ensure any stray edgehost.exe instances are terminated
Get-Process -Name "edgehost" -ErrorAction SilentlyContinue | Stop-Process -Force
# Delete the temporary binary if still present
$tempPath = "$env:TEMP\edgehost.exe"
if (Test-Path $tempPath) { Remove-Item $tempPath -Force }