What Are the Sinister Cyber Campaigns Linked to Pakistan Targeting India?
New York/New Delhi, Jan 28 (NationPress) Recent findings indicate that government entities in India have been targeted by two distinct cyber operations run by a Pakistan-based threat group using previously undocumented tactics. The operations, named Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which first observed them in September 2025, are described in a report covered by the cybersecurity news site The Hacker News.
“Although these operations exhibit some resemblances to the Pakistan-related Advanced Persistent Threat (APT) group, APT36, we have medium confidence that the activities observed in this analysis may be the work of a new subgroup or a different Pakistan-affiliated group operating simultaneously,” researchers Sudeep Singh and Yin Hong Chang stated, as cited by The Hacker News.
Sheet Attack takes its name from its abuse of legitimate services, including Google Sheets, Firebase and email, for command-and-control (C2).
Gopher Strike, for its part, is believed to have used phishing emails to deliver PDF files containing a distorted, unreadable image overlaid with a fake pop-up prompting the recipient to download an update for Adobe Acrobat Reader DC.
As per The Hacker News, victims are urged to install the “necessary update” in order to view the document. When a user clicks the “Download and Install” button in the fraudulent update dialog, an ISO image file is downloaded, but only if the request comes from an IP address located in India and its User-Agent string indicates Windows.
“These server-side checks hinder automated URL analysis tools from retrieving the ISO file, ensuring that the harmful file is only sent to targeted individuals,” Zscaler noted.
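The gating described in the quote above defeats automated URL analysis because the analyzer fetches from the wrong place with the wrong headers, so it sees a dead link while the intended victim sees a download. The following Python is an added example written for this page, not code from Zscaler, from the campaign, or from The Hacker News. It stands up a local stand-in for the gated download server (the "India" address range, the placeholder payload and the /update.iso path are constructed; the apparent client address is read from an X-Forwarded-For header purely so the probe can vary it without real Indian egress, a demo assumption) and then runs an analyst-side probe that fetches the same URL under several source-address and User-Agent combinations to expose the conditional delivery.

```python
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a geo-IP lookup: addresses in these ranges are
# treated as "India". A real gate would consult a geolocation database.
INDIA_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed placeholder for the ISO the real server returned; not a disk image.
PAYLOAD = b"PLACEHOLDER-ISO-CONTENT"


def gate_allows(client_ip: str, user_agent: str) -> bool:
    """The described server-side rule: serve the ISO only to requests that
    arrive from an India-located address AND carry a Windows User-Agent."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    in_india = any(addr in net for net in INDIA_RANGES)
    return in_india and "Windows" in user_agent


class GateHandler(BaseHTTPRequestHandler):
    """Local stand-in for the download server; answers 404 unless the gate passes."""

    def do_GET(self):
        # Demo assumption: the apparent client address comes from X-Forwarded-For
        # so the probe can vary it. The real server would use the TCP peer address.
        client_ip = self.headers.get("X-Forwarded-For", self.client_address[0])
        user_agent = self.headers.get("User-Agent", "")
        if gate_allows(client_ip, user_agent):
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(PAYLOAD)))
            self.end_headers()
            self.wfile.write(PAYLOAD)
        else:
            # Looks like a dead link to anyone outside the target profile.
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, fmt, *args):
        pass  # silence request logging for the demo


def start_gate_server() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), GateHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Constructed probe matrix: the analyst's own egress first, then spoofed profiles.
PROBE_VARIANTS = [
    ("sandbox-default", "198.51.100.10", "python-requests/2.31"),
    ("india-linux", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("abroad-windows", "198.51.100.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("india-windows", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]


def probe(host: str, port: int, path: str, variants=PROBE_VARIANTS) -> dict:
    """Fetch the same URL once per (label, apparent_ip, user_agent) variant and
    record whether the payload came back. Divergent results across variants
    are the tell-tale of server-side targeting."""
    results = {}
    for label, apparent_ip, user_agent in variants:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers={"User-Agent": user_agent,
                                           "X-Forwarded-For": apparent_ip})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        results[label] = resp.status == 200 and body == PAYLOAD
    return results


def run_demo() -> dict:
    """Start the stand-in server, probe it, shut it down; returns the probe results."""
    server = start_gate_server()
    try:
        return probe("127.0.0.1", server.server_port, "/update.iso")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, got_payload in run_demo().items():
        print(f"{label:16s} -> {'payload served' if got_payload else 'blocked (404)'}")
```

Only the india-windows variant receives the payload; the three others, including the default sandbox profile, get a 404. The practical lesson is that a single fetch from a URL scanner proves nothing about a link that was delivered to a specific victim population: re-fetch through egress in the target region with a matching User-Agent before concluding the link is dead.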
Earlier this month, another report highlighted that hackers linked to Pakistan have launched a new espionage campaign aimed at the Indian government and educational institutions, including critical organizations, to steal sensitive information by infecting systems with spyware and other malware.
This alarming campaign was identified by researchers at the cybersecurity firm Cyfirma, which claims to have uncovered the techniques employed by these cyber spies.
“The operation starts with spear-phishing emails that contain a ZIP file with a malicious document masquerading as a PDF. Upon opening, the file deploys two malware components named ReadOnly and WriteOnly,” The Record reported, citing various instances of security breaches.
The malware infiltrates victims’ systems, modifying its behavior based on the installed antivirus software.
According to Cyfirma, the malware can take remote control of infected computers, steal classified information, and conduct ongoing surveillance, such as capturing screenshots, monitoring clipboard activity, and enabling remote desktop access.
It can also overwrite data copied to the clipboard, a capability that could be used to hijack cryptocurrency transactions (for example, by replacing a copied wallet address before it is pasted).
This covert surveillance has been linked to APT36, also known as Transparent Tribe, a long-standing threat actor accused of monitoring governmental bodies, military-affiliated organizations, and universities.
While experts have previously characterized Transparent Tribe as less technically sophisticated than some rival espionage groups, they have acknowledged its persistence and adaptability in tactics over time.
Reports indicate that APT36 has been operational since 2013, engaging in cyber-espionage campaigns against governmental and military institutions in India, Afghanistan, and various establishments across approximately 30 countries.