A sophisticated cyberespionage operation targeting the Indian government has been exposed, revealing a disturbing evolution in how threat actors are blending legitimate cloud services with cutting-edge artificial intelligence. Dubbed “Sheet Attack” by researchers at Zscaler ThreatLabz, the campaign utilizes Google Sheets as a command-and-control (C2) mechanism—effectively turning a mundane spreadsheet tool into a weapon of war.
The findings, detailed in a new report, paint a picture of a Pakistan-linked threat actor that is rapidly modernizing its arsenal.
The core innovation of this campaign is its reliance on trusted infrastructure to hide malicious traffic. Instead of communicating with suspicious servers, the malware talks to Google Sheets.
“The Sheet Attack campaign stands out for its use of Google Sheets as a command-and-control (C2) channel, an uncommon tactic in this region,” the report notes.

By abusing legitimate cloud services from Google and Microsoft, the attackers ensure their communications “blend in and evade security controls.” The primary tool driving this method is SHEETCREEP, a lightweight backdoor written in C# that reads commands from and writes data to a Google Sheet controlled by the attackers.
Perhaps even more alarming than the infrastructure is the method of creation. ThreatLabz found evidence that the attackers aren’t just writing code—they are generating it.
“Furthermore, the activity contained indicators suggesting that the threat actors have adopted AI as part of their malware development workflow, mirroring a global trend of AI adoption by malicious actors.”
This integration of generative AI suggests that state-sponsored groups are leveraging large language models to accelerate development and potentially lower the barrier to entry for creating sophisticated tools.
Beyond SHEETCREEP, the investigation uncovered a suite of specialized tools deployed between November 2025 and January 2026:
- FIREPOWER: A PowerShell-based backdoor that “abuses Google’s Firebase” for its operations.
- MAILCREEP: A tool designed to “manipulate emails,” likely for exfiltrating sensitive communications.
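Because SHEETCREEP and FIREPOWER hide in traffic to trusted Google services, blocking by destination is impractical; a defender instead looks at which process is making the requests and how regularly. The following hunting sketch is an added example, not code from the Zscaler report: the log format, host suffixes, process allowlist and sample lines are all assumptions constructed for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed API hosts for the two services the article names; the article
# itself does not list the endpoints the malware contacts.
WATCHED_SUFFIXES = ("sheets.googleapis.com", "firebaseio.com")
# Assumed allowlist of processes expected to reach those hosts.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Constructed telemetry: timestamp,workstation,process,destination host
SAMPLE_LOG = """\
2026-01-05T09:00:00,WS-014,chrome.exe,sheets.googleapis.com
2026-01-05T09:00:10,WS-022,updater.exe,sheets.googleapis.com
2026-01-05T09:01:10,WS-022,updater.exe,sheets.googleapis.com
2026-01-05T09:02:11,WS-022,updater.exe,sheets.googleapis.com
2026-01-05T09:03:10,WS-022,updater.exe,sheets.googleapis.com
2026-01-05T09:04:00,WS-031,powershell.exe,example-app.firebaseio.com
2026-01-05T09:09:00,WS-040,excel.exe,notsheets.googleapis.com.example.net
"""

def is_watched(dest):
    """True if dest is a watched host or a subdomain of one."""
    dest = dest.strip().lower().rstrip(".")
    return any(dest == s or dest.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_suspect_clients(log_text, min_hits=3, max_jitter=5.0):
    """Unexpected processes on watched hosts; beacon_like = regular intervals."""
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, proc, dest = (field.strip() for field in row)
        if is_watched(dest) and proc.lower() not in EXPECTED_PROCESSES:
            seen[(host, proc.lower())].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = len(times) >= max(min_hits, 2) and statistics.pstdev(gaps) <= max_jitter
        findings.append({"host": host, "process": proc,
                         "hits": len(times), "beacon_like": regular})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_clients(SAMPLE_LOG):
        print(finding)
```

A single hit from a scripting host such as `powershell.exe` is still reported, only without the beacon flag, so an analyst can review it alongside the regular-interval findings.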
The campaign is laser-focused on Indian government entities. While the tactics bear a strong resemblance to APT36 (a known Pakistan-linked group), the operation shows signs of distinct evolution.
“While both campaigns share TTPs with APT36, their concurrent operation alongside traditional APT36 activity, use of new tools, and potential generative AI in malware development suggest an evolution of APT36 or the emergence of a closely aligned group,” the report concludes.