New Malware Campaigns Strike Indian Government

With a distinguished career spent on the front lines of corporate cybersecurity, Malik Haidar has dissected the complex tactics of state-sponsored threat actors and criminal hackers alike. His work provides a critical bridge between deep technical analysis and high-level business strategy, making him an essential voice in understanding the evolving landscape of global cyber threats. Today, we delve into his analysis of recent cyber espionage campaigns targeting Indian government entities, exploring the sophisticated and previously undocumented tradecraft employed. Our discussion will cover the evolution of this threat actor’s tactics, their clever use of geo-fencing and file manipulation to evade detection, the operational advantages of using mixed programming languages, and their novel approach to command-and-control using private GitHub repositories.

The threat actors behind the Gopher Strike and Sheet Attack campaigns employed previously undocumented tradecraft. Considering the use of Golang-based payloads and private GitHub repositories for command-and-control, what does this evolution in tactics suggest about this group’s sophistication compared to established actors?

What we’re seeing here is a significant step up in operational security and technical capability. Using Golang is a deliberate choice; it compiles into a single, statically-linked binary, which makes it harder for traditional signature-based defenses to pick apart. When you couple that with using a private GitHub repository for C2, it shows a deep understanding of how to blend in with normal network traffic. Most security tools are hesitant to block all traffic to a legitimate service like GitHub. This isn’t the work of a fledgling group. While there are some overlaps with established groups like APT36, the tradecraft here feels more refined, more patient. It suggests we’re either looking at a well-funded new subgroup or a parallel entity that has learned from the past and is actively innovating to stay ahead of defenders.

The Gopher Strike campaign implemented server-side checks, delivering its ISO payload only to Windows users with Indian IP addresses. Could you explain how this geo-fencing and user-agent filtering complicates automated analysis, and what steps researchers take to bypass these checks to study the malware?

This is a classic case of the attackers setting up a digital velvet rope. They’re essentially telling their server, “Only let in guests from this specific list.” By checking for an Indian IP address and a Windows User-Agent, they ensure their payload is only delivered to the intended target pool. This is incredibly frustrating for automated analysis tools and sandboxes, which often run in data centers in the U.S. or Europe. The server sees the request, recognizes it’s not from the target region, and simply refuses to serve the malicious ISO file. To get past this, our research teams have to essentially go undercover. We configure our analysis environment to route traffic through a proxy or VPN located in India and spoof our user-agent string to mimic a standard Windows machine. Only by perfectly impersonating a potential victim can we trick the server into handing over the malware for us to dissect.

Attackers used a multi-stage process involving a Golang downloader, GOGITTER, which then executed a VBScript file for persistence. What are the primary advantages for an adversary in using multiple programming languages within a single attack chain, particularly for evading modern endpoint detection and response tools?

It’s a strategy of diversification to create complexity and confusion. An EDR solution might be highly attuned to detecting malicious PowerShell or certain Golang behaviors, but it might be less sensitive to a seemingly innocuous VBScript being dropped and executed. By using Golang for the initial downloader, GOGITTER, they get efficiency and evasion. Then, for persistence, they pivot to VBScript, which is a native part of the Windows ecosystem and can be easily scheduled to run. This polyglot approach forces security tools to be proficient in analyzing multiple, distinct execution chains. It breaks the “monoculture” of the attack, making it much harder for a single defensive mechanism to connect the dots from the initial download to the long-term persistence. Each stage looks like a separate, potentially benign event, which is exactly the kind of noise attackers want to create.
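One way to refuse the attacker that separation of stages is to stitch process-creation telemetry back together on the host: a script host running a .vbs out of a user-writable directory, or a schtasks /create whose action is a .vbs, is traced up its parent chain to the binary that dropped it. The following is an added example written for this page, not code from the interview or from GOGITTER; the event records, paths and the name update.exe are constructed to mimic Sysmon EventID 1 records, and the user-writable directory list is an assumption to tune for your environment.

```python
"""Chain a script-host launch back to the binary that dropped it.

Added example; not code from the interview or from GOGITTER. The event
records, paths and names are constructed to mimic Sysmon process-creation
telemetry (EventID 1), not real data.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a script or binary running
# from here with no installer behind it deserves a second look (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|Downloads|ProgramData)\\", re.I)

# Constructed process-creation events: a dropper in Temp launches a .vbs,
# which registers a scheduled task for itself; plus one benign logon script.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmd": "update.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\sync.vbs"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 5 /tn Sync '
            r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\sync.vbs"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe \\corp.example\SYSVOL\corp.example\scripts\logon.vbs"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_from_user_path(ev):
    """wscript/cscript executing a .vbs that lives in a user-writable directory."""
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and re.search(r"\.vbs\b", ev["cmd"], re.I) is not None
            and USER_WRITABLE.search(ev["cmd"]) is not None)


def schedules_vbs(ev):
    """schtasks /create whose task action runs a .vbs (the persistence step)."""
    cmd = ev["cmd"].lower()
    return _basename(ev["image"]) == "schtasks.exe" and "/create" in cmd and ".vbs" in cmd


def ancestry(ev, by_pid, max_depth=32):
    """Walk ppid links upward; stops at an unknown parent or a cycle."""
    chain = [ev]
    while len(chain) < max_depth and chain[-1]["ppid"] in by_pid:
        parent = by_pid[chain[-1]["ppid"]]
        if parent in chain:
            break
        chain.append(parent)
    return chain


def detect(events):
    """One finding per suspicious event, with its ancestry and the first
    ancestor that runs from a user-writable path (the likely dropper)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if script_from_user_path(ev):
            rule = "script_host_user_path"
        elif schedules_vbs(ev):
            rule = "scheduled_vbs"
        else:
            continue
        chain = ancestry(ev, by_pid)
        dropper = next((e["image"] for e in chain[1:]
                        if USER_WRITABLE.search(e["image"])), None)
        findings.append({"pid": ev["pid"], "rule": rule,
                         "chain": [_basename(e["image"]) for e in chain],
                         "dropper": dropper})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign logon script is not flagged because it runs from SYSVOL rather than a user-writable path; in a real deployment the rule needs an allow-list for management tooling that legitimately schedules scripts, and the parent chain is only as good as the retention of the process-creation log it is walked through.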

The GITSHELLPAD backdoor used private GitHub repositories to receive commands and exfiltrate data, a technique known as C2-over-GitHub. Can you walk us through the operational benefits this provides the attacker, and what specific network traffic indicators a security team should look for to detect it?

The primary benefit is stealth. Using GitHub for command-and-control is brilliant from an attacker’s perspective because the traffic is encrypted via HTTPS and it’s going to a universally trusted domain. Countless developers and automated tools in any corporate network are constantly communicating with GitHub, so the attacker’s C2 traffic just melts into the background noise. Operationally, it’s also resilient. GitHub is not going to be blacklisted by a firewall. The backdoor, GITSHELLPAD, simply sends a GET request every 15 seconds to a specific file in a private repo, reads the command, executes it, and then uploads the results via a PUT request. For a security team, detection is tough. You can’t just block GitHub. Instead, you need to look for anomalies: an unusual user agent making frequent, rhythmic requests to a specific, non-corporate repository, or seeing PUT requests that indicate data is being uploaded. It requires looking beyond the domain and into the patterns of communication itself.
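The pattern described above, a fixed-interval GET against one repository file followed by a PUT of results, can be pulled out of ordinary proxy logs without blocking GitHub. The following is an added example written for this page, not code from the interview or from GITSHELLPAD: it groups requests by source, host, path and user agent, flags groups whose inter-request gaps are too regular, and lists PUT/POST requests to a repository contents endpoint. The log format, the owner/repo names, the IP addresses, the Go-http-client user agent and the 15-second cadence in the sample are all constructed for the demo, and the set of GitHub hosts is an assumption to extend.

```python
"""Spot rhythmic GitHub polling and content uploads in proxy logs.

Added example; not code from the interview or from GITSHELLPAD. The log
format, host list, API paths, user agents and IPs are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<ua>.+)$"
)
# Hosts a GitHub-backed C2 could talk to (assumed set; extend as needed).
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}

_BASE = datetime(2024, 5, 1, 10, 0, 0)


def _line(offset_s, src, method, host, path, ua):
    """Build one constructed proxy log line: ts src method host path ua."""
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {src} {method} {host} {path} {ua}"


# Constructed sample: one host polls the same repo file every 15 s with Go's
# default user agent, then PUTs a result file; another host does irregular
# git fetches, which is what normal developer traffic looks like.
SAMPLE_LOG = "\n".join(
    [_line(15 * i, "10.1.2.3", "GET", "api.github.com",
           "/repos/example-owner/example-repo/contents/cmd.txt", "Go-http-client/1.1")
     for i in range(8)]
    + [_line(110, "10.1.2.3", "PUT", "api.github.com",
             "/repos/example-owner/example-repo/contents/out.txt", "Go-http-client/1.1")]
    + [_line(t, "10.1.2.9", "GET", "github.com",
             "/example-owner/app.git/info/refs", "git/2.43.0")
       for t in (3, 461, 1390, 2462, 2699, 3570)]
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_beacons(events, min_requests=6, max_cv=0.2):
    """Flag (src, host, path, ua) groups whose inter-request gaps are too regular.

    cv = stdev/mean of the gaps. Human-driven traffic sits well above 0.2;
    a fixed-interval poll loop sits near 0. Jitter pushes it up, so tune
    max_cv against your own baseline.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["host"] in GITHUB_HOSTS:
            groups[(ev["src"], ev["host"], ev["path"], ev["ua"])].append(ev)
    findings = []
    for (src, host, path, ua), evs in groups.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "path": path, "ua": ua,
                             "count": len(evs), "mean_gap_s": round(mean, 1),
                             "cv": round(cv, 3)})
    return findings


def find_uploads(events):
    """PUT/POST to a repo contents endpoint is the write half of the channel."""
    return [ev for ev in events
            if ev["host"] in GITHUB_HOSTS and ev["method"] in ("PUT", "POST")
            and "/contents/" in ev["path"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_beacons(evs):
        print("beacon:", f)
    for u in find_uploads(evs):
        print("upload:", u["src"], u["method"], u["path"])
```

Grouping on the user agent as well as the path matters: build agents and git itself also poll GitHub on a schedule, and an allow-list keyed on known agents and corporate repositories is what keeps this from paging on CI. Because the traffic is HTTPS, the path and method are only visible where the proxy terminates TLS; without that you are down to per-destination request counts and timing.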

Another payload, GOSHELL, was inflated to approximately one gigabyte and designed to run only on specific hostnames. Please elaborate on how bloating a file’s size and tying its execution to a hard-coded hostname list helps malware evade both signature-based antivirus and sandbox analysis.

This is a two-pronged evasion tactic aimed squarely at automated security systems. First, bloating the file to a gigabyte is a brute-force way to overwhelm antivirus scanners. Most AV engines and sandboxes have file size limits for analysis to conserve resources; they’ll simply skip a file that large, assuming it’s a legitimate data file or installer. It’s a simple but surprisingly effective trick. Second, the hostname check is a targeted kill switch. When GOSHELL executes, its first action is to check the computer’s name against its internal, hard-coded list. If the name doesn’t match, the malware does nothing. This is devastating for a generic analysis sandbox, which will have a randomly generated hostname like “Admin-PC-123.” The malware sees it’s not on its target list and immediately terminates, revealing none of its malicious behavior. This ensures the final payload, the Cobalt Strike Beacon, is only activated on a machine the attackers have specifically chosen.
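In the lab, the size trick is undone before anything else: find the padding and cut it off so the sample fits scanner and sandbox limits again. The following is an added example written for this page, not code from the interview or from GOSHELL; it assumes the inflation is a long run of one repeated byte appended after the real file, which is a common way to pad a binary but is not stated for GOSHELL here, so inspect the tail of a real sample first. The stand-in "binary" and the 2 MiB of padding are constructed so the demo runs offline.

```python
"""Strip a repeated-byte overlay so an inflated sample fits scanner limits.

Added example; not code from the interview or from GOSHELL. Assumes the
padding is one repeated byte appended to the end of the file.
"""
import hashlib

# Constructed stand-in for an executable: a header plus a non-padding body.
# A real sample would be about 1 GB; 2 MiB of padding keeps the demo fast.
CORE = b"MZ" + bytes(range(256)) * 16
PADDING = b"\x00" * (2 << 20)
SAMPLE = CORE + PADDING


def trailing_run(data, min_run=1 << 20):
    """Return (byte_value, run_length) for the repeated byte at the end of
    data when the run is at least min_run bytes long, else None.

    min_run exists so that a few legitimate trailing zero bytes in a
    normal PE (alignment, a small overlay) are not stripped by mistake.
    """
    if not data:
        return None
    last = data[-1:]
    run = len(data) - len(data.rstrip(last))
    return (last[0], run) if run >= min_run else None


def debloat(data, min_run=1 << 20):
    """Return (trimmed_data, run_info); data is returned untouched when no
    long run is found."""
    run = trailing_run(data, min_run)
    if run is None:
        return data, None
    return data[:-run[1]], run


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    trimmed, run = debloat(SAMPLE)
    print(f"padding byte 0x{run[0]:02x} x {run[1]} bytes")
    print("bloated:", len(SAMPLE), sha256(SAMPLE))
    print("trimmed:", len(trimmed), sha256(trimmed))
```

Trimming changes the file hash, so any hash you share or hunt on must say which form it refers to; the trimmed hash is the useful one, since the attacker can re-pad to a fresh hash at will. The hostname gate is a separate step: pull the hard-coded names out of the binary and rename the analysis VM to one of them before detonation, otherwise the sample exits cleanly and the sandbox report is empty.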

What is your forecast for state-sponsored cyber espionage in the South Asia region?

I believe we are entering a new phase of heightened sophistication and operational stealth. The Gopher Strike campaign is a clear indicator that threat actors in the region are moving away from noisy, broad-stroke attacks and are adopting highly targeted, evasive techniques borrowed from the playbooks of top-tier global APTs. We will likely see a continued rise in the use of legitimate services for C2—platforms like GitHub, Google Sheets, or Firebase—making attribution and detection significantly more difficult. Furthermore, the use of compiled languages like Golang will become more common, challenging traditional signature-based security. The focus will remain on government, defense, and critical infrastructure, but the methods will be quieter, more patient, and designed to persist for long periods before being discovered. The cat-and-mouse game is becoming much more complex.
