New York/New Delhi, Jan 28 (IANS) Indian government entities have been targeted in two campaigns by a threat actor that operates in Pakistan and uses previously undocumented tradecraft, a report has revealed.
The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025, leading cybersecurity news platform 'The Hacker News' reported.
"While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel," researchers Sudeep Singh and Yin Hong Chang were quoted as saying by The Hacker News.
Sheet Attack, the report mentioned, gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2).
"On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that's superimposed by a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC," it added.
According to The Hacker News, users are urged to install the "necessary update" in order to access the document's contents. Clicking the "Download and Install" button in the fake update dialog triggers the download of an ISO image file only when the requests originate from IP addresses located in India and the User-Agent string corresponds to Windows.
"These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets," Zscaler said.
Earlier this month, another report had revealed that Pakistan-linked hackers had launched a new spying campaign targeting the Indian government and universities, including strategic institutions, to procure sensitive information by making the system defunct with the use of spyware and malware.
The sinister campaign was flagged by researchers at the cybersecurity firm Cyfirma, which claims to have unearthed the modus operandi of these cyber spies.
"The operation begins with spear-phishing emails carrying a ZIP archive containing a malicious file disguised as a PDF. Once opened, the file delivers two malware components, dubbed ReadOnly and WriteOnly," The Record reported, citing instances of security breaches.
The malware gets embedded on victims' systems, adjusting its behaviour based on which antivirus software is installed.
According to Cyfirma, the malware can remotely control infected machines, compromise classified data and carry out persistent surveillance - including taking screenshots, monitoring clipboard activity and enabling remote desktop access.
According to the report, the malware could also be used to steal overwritten copied data, allowing attackers to hijack cryptocurrency transactions.
The secret surveillance has been attributed to APT36, also called Transparent Tribe, a long-running threat actor accused of spying on government bodies, military-linked organisations and universities.
While researchers have previously described Transparent Tribe as less technically advanced than some rival espionage groups, they have also noted its persistence and ability to adapt tactics over time.
According to the report, APT36 has been active since 2013 and has been linked to cyber-espionage campaigns targeting government and military organisations in India and Afghanistan, as well as institutions in roughly 30 countries.
--IANS