Indian government entities have faced cyberattacks in two campaigns orchestrated by a threat actor operating from Pakistan, as per a recent report. Identified as Gopher Strike and Sheet Attack by Zscaler ThreatLabz in September 2025, these campaigns exhibit unique tradecraft. The Hacker News highlighted that while similarities exist with the Pakistan-linked APT group APT36, researchers suggest the possibility of a new subgroup or parallel group originating these activities.
The report detailed that Sheet Attack uses legitimate services such as Google Sheets, Firebase, and email for command-and-control purposes. In contrast, Gopher Strike employs phishing emails to distribute PDF documents containing a deceptive pop-up that instructs the recipient to download an update for Adobe Acrobat Reader DC. The malicious file is served for download only when the requesting IP address and User-Agent string meet specific conditions.
Furthermore, recent findings by cybersecurity firm Cyfirma unveiled a spying campaign by Pakistan-linked hackers targeting Indian government entities and universities. This campaign aims to gather sensitive information by deploying spyware and malware to disrupt systems. The operation commences with spear-phishing emails carrying a malicious file disguised as a PDF, which deploys malware components known as ReadOnly and WriteOnly upon opening.
The malware components adapt their behavior based on the victim’s antivirus software, allowing remote control of infected systems and potential compromise of classified data. The attackers can conduct surveillance activities such as capturing screenshots, monitoring clipboard actions, and enabling remote desktop access. Additionally, the malware can steal and overwrite copied clipboard data, potentially enabling the hijacking of cryptocurrency transactions.
The spying activities have been attributed to APT36, also known as Transparent Tribe, a threat actor with a history of targeting government bodies, military-related organizations, and universities. Despite being considered less technically advanced than some counterparts, APT36 has demonstrated persistence and adaptability in its tactics over time. The group has been active since 2013, engaging in cyber-espionage campaigns across various countries, including India, Afghanistan, and approximately 30 other nations.
