{"id":207194,"date":"2026-01-27T11:45:00","date_gmt":"2026-01-27T16:45:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/01\/27\/experts-detect-pakistan-linked-cyber-campaigns-aimed-at-indian-government-entities\/"},"modified":"2026-01-27T20:40:08","modified_gmt":"2026-01-28T01:40:08","slug":"experts-detect-pakistan-linked-cyber-campaigns-aimed-at-indian-government-entities","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/01\/27\/experts-detect-pakistan-linked-cyber-campaigns-aimed-at-indian-government-entities\/","title":{"rendered":"Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities"},"content":{"rendered":"

Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/01\/experts-detect-pakistan-linked-cyber.html<\/a><\/p>\n

Publish Date: 2026-01-27 11:45:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Jan 27, 2026<\/span><\/span>Threat Intelligence \/ Cyber Espionage<\/span><\/p>\n

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft.<\/p>\n

The campaigns have been codenamed Gopher Strike<\/strong> and Sheet Attack<\/strong> by Zscaler ThreatLabz, which identified them in September 2025.<\/p>\n

“While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel,” researchers Sudeep Singh and Yin Hong Chang said.<\/p>\n

Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that’s superimposed by a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC.<\/p>\n

\"Cybersecurity\"<\/p>\n

The main purpose of the image is to give the users an impression that it’s necessary to install the update in order to access the document’s contents. Clicking the “Download and Install” button in the fake update dialog triggers the download of an ISO image file only when the requests originate from IP addresses located in India and the User-Agent string corresponds to Windows.<\/p>\n

“These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets,” Zscaler said.<\/p>\n

The malicious payload embedded within the ISO image is a Golang-based downloader dubbed GOGITTER that’s responsible for creating a Visual Basic Script (VBScript) file if it does not already exist in the following locations: “C:UsersPublicDownloads,” “C:UsersPublicPictures,” and “%APPDATA%.” The script is…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities https:\/\/thehackernews.com\/2026\/01\/experts-detect-pakistan-linked-cyber.html Publish Date: 2026-01-27 11:45:00…<\/p>\n","protected":false},"author":1,"featured_media":207195,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiG612WfAM4qjKPdbLvz7i_kK0qgRz5Abg8pRz9uGc86pEQvuO-_83uNd8xC8e1y86mWhlTRL_PeWtgp2bfizGf8y78pp1xGYqoXJ9Q7ilpXG4lAS4MvNiiAMGf74PzFod56EJW9qq6P3afCB9IgTFGrbgu1EqnXVsly_I8clrUqdGReHfmEJtKUL09wV5m\/s1700-e365\/attack.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,25,34],"class_list":["post-207194","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207194"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=207194"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207194\/revisions"}],"predecessor-version":[{"id":207196,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207194\/revisions\/207196"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/207195"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=207194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=207194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=207194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}