Cybersecurity alarms are blaring in India following the unmasking of two audacious campaigns linked to Pakistan, aimed squarely at government networks. Zscaler ThreatLabs first spotted these in September 2025, naming them ‘Gopher Strike’ and ‘Sheet Attack’ for their cunning methodologies. What sets them apart? Unprecedented tactics that slipped past existing safeguards, signaling a leap in adversarial capabilities.
According to in-depth analysis by experts Sudeep Singh and Yin Hong Chang, traces echo APT36 activities, but the evidence points, with moderate certainty, to either a splinter group or a fresh Pakistan-backed actor operating in tandem. This fluidity complicates attribution in the shadowy world of cyber threats.
Breaking down ‘Sheet Attack’: Attackers hijacked everyday tools like Google Sheets, Firebase, and emails for C2 channels. By masquerading within legitimate services, they maintained persistent access without raising red flags, a tactic that’s both elegant and alarming.
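The defensive counterpart to the ‘Sheet Attack’ tactic is to stop trusting a destination just because it is a well-known SaaS domain and instead look at who is talking to it and how often. The following Python is an added example written for this article, not code from the Zscaler report or from the campaign itself. It runs over a handful of constructed proxy log lines (the hosts, process names and timestamps are invented) and flags Google Sheets or Firebase traffic that originates from a non-browser process or that beacons at a near-constant interval, the two signals a defender can act on without knowing the attacker's specific infrastructure.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log lines for this example (not real telemetry).
# WS-114 shows a non-browser process posting to the Sheets API every ~5 minutes;
# WS-207 is an ordinary user opening a spreadsheet in Chrome;
# WS-301 shows a non-browser process reading a Firebase Realtime Database.
SAMPLE_LOGS = """\
2025-09-03T10:00:00Z host=WS-114 proc=chrome.exe dst=docs.google.com method=GET bytes=48211
2025-09-03T10:00:05Z host=WS-114 proc=svchost.exe dst=sheets.googleapis.com method=POST bytes=612
2025-09-03T10:05:05Z host=WS-114 proc=svchost.exe dst=sheets.googleapis.com method=POST bytes=598
2025-09-03T10:10:06Z host=WS-114 proc=svchost.exe dst=sheets.googleapis.com method=POST bytes=605
2025-09-03T10:15:05Z host=WS-114 proc=svchost.exe dst=sheets.googleapis.com method=POST bytes=611
2025-09-03T10:02:11Z host=WS-207 proc=chrome.exe dst=sheets.googleapis.com method=GET bytes=9120
2025-09-03T10:03:40Z host=WS-207 proc=excel.exe dst=update.microsoft.com method=GET bytes=2200
2025-09-03T11:01:00Z host=WS-301 proc=updater.exe dst=myapp-default-rtdb.firebaseio.com method=GET bytes=311
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) bytes=(?P<bytes>\d+)$"
)

# Processes that are expected to talk to Google/Firebase endpoints interactively.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Endpoints that legitimate apps use but that also make convenient C2 channels.
SAAS_C2_SUFFIXES = (
    "sheets.googleapis.com",
    "firestore.googleapis.com",
    ".firebaseio.com",
    ".firebasedatabase.app",
)


def parse_line(line):
    """Parse one key=value proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_saas_c2_host(dst):
    """True if the destination is one of the SaaS endpoints worth scrutinising."""
    d = dst.lower()
    return any(d == s or d.endswith(s) for s in SAAS_C2_SUFFIXES)


def is_periodic(timestamps, min_events=3, max_jitter=0.1):
    """True if gaps between events are nearly constant (coefficient of variation <= max_jitter)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_saas_c2_candidates(log_text):
    """Group SaaS-endpoint traffic by (host, process, destination) and return suspicious groups."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_saas_c2_host(rec["dst"]):
            groups[(rec["host"], rec["proc"], rec["dst"])].append(rec)

    findings = []
    for (host, proc, dst), recs in groups.items():
        reasons = []
        if proc.lower() not in BROWSERS:
            reasons.append("non-browser process")
        if is_periodic([r["ts"] for r in recs]):
            reasons.append("periodic beacon")
        if reasons:
            findings.append({"host": host, "proc": proc, "dst": dst,
                             "events": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_saas_c2_candidates(SAMPLE_LOGS):
        print(f"{f['host']} {f['proc']} -> {f['dst']} ({f['events']} events): {', '.join(f['reasons'])}")
```

On the sample data the Chrome session to the Sheets API is left alone, while the svchost.exe group is flagged twice (wrong process, five-minute cadence) and the updater.exe Firebase read is flagged for the process alone. In a real deployment the browser allowlist and jitter threshold are tuning knobs; the structural point is that the destination domain by itself carries almost no signal once attackers live inside trusted SaaS.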
Shifting to ‘Gopher Strike,’ the playbook involved phishing lures via PDFs with obscured visuals and fake update prompts for Adobe software. The trap sprang selectively: downloads activated solely for Indian IPs on Windows machines, dodging URL scanners that typically neutralize such threats. Zscaler’s report highlights how these conditional triggers ensured precision strikes.
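A URL scanner that fetches a link once, from its own cloud IP and its own user agent, will see the benign decoy described above and pass it. The countermeasure is to probe the same URL from several vantage profiles and compare what comes back. The Python below is an added example for this article, not code from Zscaler or from the campaign; it works on constructed probe results (the vantage names, geos and byte strings are invented) and reports when the content served to a target-like profile differs from the baseline, escalating the verdict when the divergent response is an executable rather than the PDF the scanner saw.

```python
import hashlib

# Constructed probe results: the same URL fetched from four vantage profiles.
# Bodies are truncated stand-ins; only their magic bytes matter to the check.
PROBES = [
    {"vantage": "scanner-default", "geo": "US", "os": "Linux",
     "status": 200, "body": b"%PDF-1.7\n%decoy document\n"},
    {"vantage": "in-windows", "geo": "IN", "os": "Windows",
     "status": 200, "body": b"MZ\x90\x00\x03\x00\x00\x00stand-in PE bytes"},
    {"vantage": "in-linux", "geo": "IN", "os": "Linux",
     "status": 200, "body": b"%PDF-1.7\n%decoy document\n"},
    {"vantage": "us-windows", "geo": "US", "os": "Windows",
     "status": 200, "body": b"%PDF-1.7\n%decoy document\n"},
]

# Ordered from least to most concerning; used to decide whether a divergence escalates.
SEVERITY = {"other": 0, "html": 1, "pdf": 2, "pe": 3}


def sniff_type(body):
    """Classify a response body by magic bytes rather than trusting Content-Type."""
    head = body[:16]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "html"
    return "other"


def fingerprint(body):
    """Stable hash so that identical bodies compare equal regardless of length."""
    return hashlib.sha256(body).hexdigest()


def assess_conditional_serving(probes, baseline="scanner-default"):
    """Compare every vantage against the baseline fetch and grade the result.

    Returns a dict with verdict in {'consistent', 'divergent', 'conditional-serving'}
    and a list of the vantages whose response differed from the baseline.
    """
    base = next((p for p in probes if p["vantage"] == baseline), None)
    if base is None:
        raise ValueError(f"baseline vantage {baseline!r} not present in probes")
    base_type = sniff_type(base["body"])
    base_hash = fingerprint(base["body"])

    divergent = []
    for p in probes:
        if p["vantage"] == baseline:
            continue
        t = sniff_type(p["body"])
        h = fingerprint(p["body"])
        if p["status"] != base["status"] or t != base_type or h != base_hash:
            divergent.append({"vantage": p["vantage"], "geo": p["geo"], "os": p["os"],
                              "status": p["status"], "type": t,
                              "escalates": SEVERITY[t] > SEVERITY[base_type]})

    if any(d["escalates"] for d in divergent):
        verdict = "conditional-serving"   # scanner saw a decoy, a target profile got a payload
    elif divergent:
        verdict = "divergent"             # content varies, but nothing more dangerous appeared
    else:
        verdict = "consistent"
    return {"verdict": verdict, "baseline_type": base_type, "divergent": divergent}


if __name__ == "__main__":
    result = assess_conditional_serving(PROBES)
    print(result["verdict"], "baseline:", result["baseline_type"])
    for d in result["divergent"]:
        print(f"  {d['vantage']} ({d['geo']}/{d['os']}): {d['type']} escalates={d['escalates']}")
```

In the constructed data only the India-plus-Windows profile receives a PE, which is exactly the pattern the article attributes to ‘Gopher Strike,’ and the verdict comes back as conditional-serving. Treating any vantage-dependent escalation as a block-worthy signal, rather than averaging the probes or trusting the first one, is what lets a scanner see past geo and OS gating it cannot otherwise distinguish from ordinary localisation.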
This comes amid broader concerns, as separate intelligence this month exposed ongoing Pakistani espionage against Indian academia and officialdom using advanced malware. The pattern is clear: systematic data grabs to undermine national security.
For Indian entities, the message is unequivocal: Conventional antivirus won’t cut it. Multi-layered strategies, from zero-trust architectures to AI-driven anomaly detection, are imperative. Globally, this underscores the geopolitical stakes in cyberspace, where nations wield code as weapons of influence and disruption.