At a glance
| Field | Detail |
|---|---|
| Malware family | SHEETCREEP (SHEET#CREEP), C# .NET RAT |
| Threat actor | APT36 / Transparent Tribe (suspected, moderate confidence) |
| Target / victims | Indian diplomatic and foreign-affairs entities; 91 active victim tabs observed |
| Delivery vector | Diplomatic-themed ISO phishing lure with a malicious LNK shortcut |
| Key capabilities | Google Sheets API C2, in-process PowerShell, scheduled-task persistence, anti-analysis |
| Source | Securonix Threat Research, building on Zscaler ThreatLabz |
TL;DR
Securonix has uncovered a fresh wave of SHEETCREEP malware, a C# remote access trojan that turns Google Sheets into a covert command channel. The campaign targets Indian diplomatic entities through a fake UAE-India partnership lure. Researchers extracted the embedded credentials, authenticated to the live spreadsheet, and counted 91 active victim tabs.
Delivery: a diplomatic-themed ISO
The attack opens with a phishing lure. Victims receive an ISO file themed around a “UAE-India Strategic Partnership Week” event. When mounted, the ISO shows a single shortcut file. That LNK wears a PDF icon to look harmless. A double-click silently launches a C# dropper packaged inside the ISO. The theme points squarely at the Indian diplomatic and foreign-affairs space. Lures like this one exploit trust between governments, which is why they have such a strong track record.
How the infection chain works
The dropper moves fast and quietly. First, it opens a decoy PDF to reassure the victim. Then it writes the RAT into a legitimate Windows Credential Vault directory. This blends the payload with trusted system files. The dropper also marks the file hidden and system. For persistence, it registers a scheduled task through a COM interface rather than the command line. That choice avoids easy command-line logging. The task carries a misleading name and description to look benign. Finally, the dropper deletes itself and swaps in a clean PDF. Only the hidden RAT and its scheduled task remain on disk.
Google Sheets as the command channel
Here lies the campaign’s defining trick. The RAT skips a normal C2 server. “The RAT does not use a traditional C2 server,” Securonix writes. Instead, it talks to the Google Sheets API over HTTPS. That traffic resembles ordinary Google Workspace activity, which makes network detection hard. The malware authenticates with an embedded GCP service account and an RSA-2048 private key. Each victim receives a dedicated spreadsheet tab. On the first beacon, the RAT runs a system inventory and uploads the result. Operators then write Base64 commands into one column, and the RAT returns Base64 output in the next.
This Google Sheets RAT also hardens against analysis. The config strings now hide behind an XOR cipher with the key “discrete”. Earlier variants stored them in plaintext. According to Securonix, the threat actors are “actively hardening their tooling against static analysis.” The RAT runs commands inside its own PowerShell runspace. As a result, “there is no powershell.exe child process for EDR solutions to detect.” It even watches for analyst tools and reboots the host to break debugging.
Inside the victim telemetry
Because Securonix authenticated to the live spreadsheet, it mapped every victim tab. During triage the sheet held 79 tabs. By May 26, 2026, that count reached 91. Not all are real targets, though. Around 28 tabs traced to automated sandboxes. Another 17 belonged to security-researcher labs running tools like Wireshark and dnSpy. Roughly 17 looked like genuine victims on physical hardware. One stood out as a high-confidence target in Islamabad, Pakistan. Synchronized check-ins suggest public malware uploads triggered many sandbox detonations.
Detection and defense guidance
This SHEETCREEP malware hides inside trusted cloud traffic, so defenders need behavior-based detection. Watch for unexpected processes reaching the Google Sheets API. Flag binaries that run from the user Credential Vault directory. Hunt for scheduled tasks with mismatched names and unlimited run times. Monitor for in-process PowerShell inside non-shell executables. Network teams can also baseline which endpoints normally touch Google APIs, then review anything outside that baseline.
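The hunts above, applied to constructed sample telemetry, as an added example that is not Securonix's or the malware's code. The Credential Vault path, the per-host process baseline, the event field names and the repeating-key XOR mode are assumptions.

```python
import re
from itertools import cycle

# Assumption: the usual per-user Credential Manager vault paths; the report does not name the exact directory.
VAULT_PATH = re.compile(r"\\AppData\\(Roaming|Local)\\Microsoft\\Credentials\\", re.I)
SHEETS_HOST = "sheets.googleapis.com"
# Constructed baseline of processes expected to reach Google APIs on this host.
EXPECTED_GOOGLE_CLIENTS = {"chrome.exe", "msedge.exe", "googledrivefs.exe"}

def process_name(image_path):
    return image_path.rsplit("\\", 1)[-1].lower()

def hunt_network(event):
    """Flag a process outside the baseline talking to the Google Sheets API."""
    if event["dest_host"].lower() != SHEETS_HOST:
        return None
    if process_name(event["image"]) in EXPECTED_GOOGLE_CLIENTS:
        return None
    return "unexpected process contacting Google Sheets API"

def hunt_image_path(event):
    """Flag an executable running from the user Credential Vault directory."""
    if VAULT_PATH.search(event["image"]):
        return "binary executing from Credential Vault directory"
    return None

def hunt_scheduled_task(task):
    """Flag a task whose name does not match the binary it launches, or whose
    ExecutionTimeLimit is PT0S (Task Scheduler's value for unlimited)."""
    findings = []
    if process_name(task["action"]).split(".")[0] not in task["name"].lower():
        findings.append("task name does not match action binary")
    if task.get("execution_time_limit") in (None, "PT0S"):
        findings.append("unlimited run time")
    return findings

def xor_decode(data, key=b"discrete"):
    """Recover a config string XOR-ed with a repeating key (assumed mode); the
    report names the key 'discrete'. Useful when triaging obfuscated strings."""
    return bytes(b ^ k for b, k in zip(data, cycle(key))).decode("utf-8", "replace")

# Constructed sample telemetry (not from the report).
NET_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "sheets.googleapis.com"},
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Credentials\sample.exe", "dest_host": "sheets.googleapis.com"},
]
TASKS = [{"name": "Windows Update Health Check", "execution_time_limit": "PT0S",
          "action": r"C:\Users\alice\AppData\Local\Microsoft\Credentials\sample.exe"}]

def run_hunts():
    hits = [h for e in NET_EVENTS for h in (hunt_network(e), hunt_image_path(e)) if h]
    return hits + [h for t in TASKS for h in hunt_scheduled_task(t)]
```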
Attribution stays suspected, not confirmed. Securonix assesses with moderate confidence that APT36, also called Transparent Tribe, runs the campaign. The Pakistan-aligned group has a long record against Indian government targets. Zscaler ThreatLabz first documented the family in January 2026, and this variant marks a clear evolution. For the full technical breakdown, read Securonix’s analysis of the evolved SHEETCREEP Google Sheets RAT. Defenders should expect more iteration on this cloud-based C2 method.