SOC Prime Bias: Critical

29 Jan 2026 15:34 UTC

APT Attacks Target India’s Government with GOGITTER, GITSHELLPAD, and GOSHELL | Part 1

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Zscaler ThreatLabz uncovered two campaigns, Gopher Strike and Sheet Attack, run by a Pakistan-linked APT group targeting Indian government organizations. The activity introduces Golang-based tooling, including GOGITTER, GITSHELLPAD, and GOSHELL, to stage payloads, use private GitHub repositories for C2, and ultimately deploy a Cobalt Strike beacon. Initial access is achieved through spearphishing PDFs that lure victims into downloading malicious ISO files. The operators layer multiple evasion methods, including environment checks, file padding, and scheduled task persistence.

Investigation

Analysis showed that GOGITTER validates the presence of a windows_api.vbs script, creates it if absent, and registers a scheduled task to run it every 50 minutes. GITSHELLPAD uses the GitHub REST API for command retrieval and data exfiltration, while GOSHELL conditionally loads a staged Cobalt Strike beacon only on selected hostnames. The tools embed hard-coded URLs and user-agent strings to hinder automated analysis and sandboxing. The campaigns also used private GitHub repositories to host supporting payloads such as adobe_update.zip.

Mitigation

Block execution of untrusted/unsigned Golang binaries and enforce strict allow-listing and review for scheduled task creation. Monitor outbound traffic to known malicious domains and to GitHub resources used as C2, including anomalous GitHub API usage from non-developer endpoints. Strengthen email security by scanning PDF attachments for obfuscation and blocking links that redirect to ISO downloads. Endpoint detections should alert on creation of windows_api.vbs and on periodic task execution patterns consistent with 50-minute intervals.

Response

If any IOCs are detected, isolate the endpoint, stop and remove the scheduled task, and delete associated malicious artifacts. Perform a forensic review of GitHub based C2 activity, preserve command execution logs, and remove any exfiltrated or uploaded content where possible. Reset credentials for affected accounts, hunt for lateral movement, and update detections with extracted indicators to identify related activity across the environment.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An APT group deploys the GITSHELLPAD backdoor (edgehost.exe) onto a compromised Windows host. To blend with expected system behavior, the attacker launches the backdoor via the Windows command shell (cmd /c). After completing its payload (e.g., downloading additional modules), the backdoor performs a “cleanup” by terminating its own process using taskkill /F /PID <PID>. Both actions generate process‑creation events that contain the binary name and the required command‑line substrings, satisfying the Sigma rule.

  • Regression Test Script:

    # -------------------------------------------------
    # Simulate GITSHELLPAD backdoor execution & cleanup
    # -------------------------------------------------
    # 1. Drop a placeholder edgehost.exe (any benign executable)
    $src = "$env:SystemRoot\System32\notepad.exe"
    $dst = "$env:TEMP\edgehost.exe"
    Copy-Item -Path $src -Destination $dst -Force
    
    # 2. Launch edgehost.exe via cmd /c (matches cmd_cmd pattern)
    $shell = Start-Process -FilePath "cmd.exe" -ArgumentList "/c `"$dst`"" -PassThru
    
    # 3. Wait a few seconds to ensure the child process is alive
    Start-Sleep -Seconds 5
    
    # 4. Cleanup: kill the edgehost.exe process using taskkill (matches taskkill_cmd pattern).
    #    Start-Process returns the PID of the cmd.exe wrapper, not of edgehost.exe, so the
    #    child is resolved by name. $PID is a read-only automatic variable in PowerShell
    #    and must not be reassigned, hence the $target name.
    $target = Get-Process -Name "edgehost" -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($target) { cmd /c "taskkill /F /PID $($target.Id)" }
    
    # 5. Remove the dropped file (terminate the cmd.exe wrapper first if it is still running)
    if (-not $shell.HasExited) { Stop-Process -Id $shell.Id -Force }
    Remove-Item -Path $dst -Force
  • Cleanup Commands:

    # Ensure any stray edgehost.exe instances are terminated
    Get-Process -Name "edgehost" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Delete the temporary binary if still present
    $tempPath = "$env:TEMP\edgehost.exe"
    if (Test-Path $tempPath) { Remove-Item $tempPath -Force }
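As an added example (not part of the SOC Prime page, the Zscaler report, or the Sigma rule itself), the following Python applies the detection logic described in the Mitigation section and in the simulation narrative to constructed Sysmon-style events: the cmd_cmd and taskkill_cmd command-line patterns, a scheduled task that repeats every 50 minutes or runs windows_api.vbs, and creation of windows_api.vbs on disk. The event field names, pattern names, and sample command lines are assumptions made for the example.

```python
import re
# Constructed sample events in a Sysmon-like shape; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\u\AppData\Local\Temp\edgehost.exe"'},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c taskkill /F /PID 4412"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 50 /tn Updater /tr "wscript C:\ProgramData\windows_api.vbs"'},
    {"type": "FileCreate", "Image": r"C:\Users\u\AppData\Local\Temp\edgehost.exe",
     "TargetFilename": r"C:\ProgramData\windows_api.vbs"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /IM notepad.exe"},
]

def matches(event):
    """Return the names of the detection patterns matched by a single event."""
    hits = []
    cmd = event.get("CommandLine", "").lower()
    if event["type"] == "ProcessCreate":
        # cmd_cmd: the backdoor binary launched through the command shell
        if re.search(r"\bcmd(\.exe)?\b.*\s/c\s", cmd) and "edgehost.exe" in cmd:
            hits.append("cmd_cmd")
        # taskkill_cmd: forced termination by PID, the backdoor's self-cleanup step
        if "taskkill" in cmd and re.search(r"\s/f\b", cmd) and re.search(r"\s/pid\s+\d+", cmd):
            hits.append("taskkill_cmd")
        # schtask_50min: task creation repeating every 50 minutes or running windows_api.vbs
        if "schtasks" in cmd and "/create" in cmd:
            m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd)
            if (m and int(m.group(1)) == 50) or "windows_api.vbs" in cmd:
                hits.append("schtask_50min")
    elif event["type"] == "FileCreate":
        # vbs_drop: the GOGITTER helper script being written to disk
        if event.get("TargetFilename", "").lower().endswith("\\windows_api.vbs"):
            hits.append("vbs_drop")
    return hits

def triage(events):
    """Map each matched pattern name to the indexes of the events that triggered it."""
    out = {}
    for i, ev in enumerate(events):
        for name in matches(ev):
            out.setdefault(name, []).append(i)
    return out

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```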