Date: 2026-01-28

Researchers have uncovered Pakistan-linked cyber espionage campaigns targeting India using phishing, spyware and malware to steal sensitive data.

Pakistan's nefarious designs and its anti-India campaign have been exposed once again. In what may be called an unprovoked attack on India, Islamabad used new techniques to target Indian interests. According to 'The Hacker News', Pakistan carried out cyber attacks on India and codenamed its covert operations "Gopher Strike" and "Sheet Attack." Researchers Sudeep Singh and Yin Hong Chang said, "While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel."

India-Pakistan Cyber Warfare

Sheet Attack got its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). The report added, "On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that's superimposed by a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC."

The Hacker News said that users were urged to install the "necessary update" in order to access the document's contents. By clicking the "Download and Install" button in the fake update dialog, an ISO image file can be downloaded when the requests originate from IP addresses located in India and the User-Agent string corresponds to Windows. Zscaler ThreatLabz, which identified the covert operations in September 2025, said, "These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets."

Pakistan's cyberattack on India

Earlier this month, another report revealed that Pakistan-linked hackers have launched a new spying campaign targeting the Indian government and universities, including strategic institutions, to procure sensitive information by making the system defunct with the use of spyware and malware. The sinister campaign was flagged by researchers at the cybersecurity firm Cyfirma, which claims to have unearthed the modus operandi of these cyber spies.

Citing instances of security breaches, The Record reported, "The operation begins with spear-phishing emails carrying a ZIP archive containing a malicious file disguised as a PDF. Once opened, the file delivers two malware components, dubbed ReadOnly and WriteOnly." The malware gets embedded on victims' systems, adjusting its behaviour based on which antivirus software is installed. According to Cyfirma, the malware can remotely control infected machines, compromise classified data and carry out persistent surveillance, including taking screenshots, monitoring clipboard activity and enabling remote desktop access.

Pakistan hacking India

According to the report, this could also be used to steal overwritten copied data, allowing attackers to hijack cryptocurrency transactions. The secret surveillance has been attributed to APT36, also called Transparent Tribe, a long-running threat actor accused of spying on government bodies, military-linked organisations and universities. While researchers have previously described Transparent Tribe as less technically advanced than some rival espionage groups, they have also noted its persistence and ability to adapt tactics over time.