GOGITTER, GITSHELLPAD, and GOSHELL Analysis
ID: b68392e8-98cd-557e-9434-a10bd8bc16ba
STIX ID: report--b68392e8-98cd-557e-9434-a10bd8bc16ba
Feed Name: Zscaler Security Research Blog
ThreatLabz provides a technical analysis of the Gopher Strike campaign: spearphishing PDFs deliver an ISO that installs a Golang downloader (GOGITTER) which drops a persistent VBScript and an executable (GITSHELLPAD) that uses private GitHub repositories for C2. The actor deploys post-compromise tools and a GOSHELL loader that decodes and launches a stageless Cobalt Strike Beacon; the report includes C2 URLs, sample commands, GitHub repo usage, persistence mechanisms, and extracted Beacon configuration and IOCs.
