
SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations


A newly identified remote access trojan named SHEETCREEP is making headlines for its clever use of Google Sheets as a hidden communication channel between attackers and infected machines.

This C# malware targets diplomatic organizations, using a carefully crafted lure to trick victims into executing it on their systems.

The campaign represents a calculated move by threat actors who want to conceal malicious activity behind one of the internet’s most trusted and widely used platforms.

The malware arrives through a phishing email disguised as an official document about the “UAE-India Strategic Partnership Week.” Victims receive an ISO file, and inside it is a shortcut that looks like a PDF but quietly launches the malicious dropper when double-clicked.

This type of social engineering works because it exploits the trust people naturally place in government-themed communications that appear completely legitimate.

Researchers from Securonix identified the ongoing espionage campaign and released a detailed report shared with Cyber Security News (CSN).

According to Securonix, the team extracted hardcoded credentials from the RAT binary and authenticated directly to the live command-and-control spreadsheet, uncovering 91 active victim tabs at the time of analysis.

The campaign was first documented by Zscaler ThreatLabz in January 2026, but the current version shows clear signs of evolution.

Threat actors have upgraded their tools to make detection harder, replacing plaintext configuration settings with XOR-encrypted strings decoded only at runtime.

Analysts assess with moderate confidence that the campaign is linked to APT36, also known as Transparent Tribe, a Pakistan-aligned group with a long history of targeting Indian government and military institutions.

Among the active victim tabs, the team identified 17 likely real targets: hosts running on physical hardware that showed no sandbox indicators.

A high-confidence target was confirmed in Islamabad, Pakistan, illustrating how deeply embedded the malware had become across its victim network.

SHEETCREEP C# RAT Abuses Google Sheets API as C2

The SHEETCREEP RAT, stored as vaultsvc.exe inside the legitimate Windows Credential Vault folder, is written in C# and is only about 20 KB in size.

Despite its small size, it fully executes commands, collects data, and reports back to attackers using Google’s own spreadsheet infrastructure.

The RAT creates a unique victim identifier from the username, machine name, and a four-character hash, using that as the name of a dedicated tab in the attacker’s Google Sheet.

XOR decryption routine for C2 configuration strings (Source – Securonix)

All communication runs through the Google Sheets API over HTTPS, making the traffic look identical to normal Google Workspace activity. Commands are written into one spreadsheet column and responses go into another, with all data encoded in Base64.

The C2 configuration strings, including the spreadsheet ID and service account email, are XOR-encrypted with the key “discrete” and decrypted only at runtime, making static analysis considerably harder for security teams.
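For analysts triaging a sample like this, the obfuscation described above can be reversed with a few lines once the key is known. The script below is an added example for this article, not code from Securonix or from the malware. It assumes the scheme is a byte-wise XOR with the key repeated over the input and that the encrypted blobs are stored Base64-encoded (common choices, but not details the report confirms); the sample blobs are constructed from placeholder values, not the real C2 configuration.

```python
"""Repeating-key XOR decoder for triaging obfuscated configuration strings.

Added example: not Securonix's or the malware's code. Assumes byte-wise
XOR with a repeating key and Base64-encoded blobs. All sample values are
constructed placeholders, not the campaign's real configuration.
"""
import base64

KEY = b"discrete"  # key reported for the SHEETCREEP configuration strings


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config_blob(blob_b64: str, key: bytes = KEY) -> str:
    """Base64-decode a blob, XOR it with the key and return the text."""
    raw = base64.b64decode(blob_b64)
    return xor_with_key(raw, key).decode("utf-8", errors="replace")


def encode_config_blob(plaintext: str, key: bytes = KEY) -> str:
    """Inverse of decode_config_blob; used here only to build sample input."""
    return base64.b64encode(xor_with_key(plaintext.encode(), key)).decode()


# Constructed sample config: placeholders standing in for the spreadsheet ID
# and service-account email the RAT would carry.
SAMPLE_CONFIG = {
    "spreadsheet_id": encode_config_blob("PLACEHOLDER_SPREADSHEET_ID"),
    "service_account": encode_config_blob(
        "placeholder@example.iam.gserviceaccount.com"
    ),
}


def decode_config(config: dict, key: bytes = KEY) -> dict:
    """Decode every blob in a {name: base64_blob} mapping."""
    return {name: decode_config_blob(blob, key) for name, blob in config.items()}


def looks_like_valid_decode(text: str) -> bool:
    """Cheap plausibility check when trying candidate keys: real config
    strings (IDs, e-mail addresses, URLs) are printable ASCII."""
    return text.isascii() and text.isprintable()


if __name__ == "__main__":
    for name, value in decode_config(SAMPLE_CONFIG).items():
        flag = "ok" if looks_like_valid_decode(value) else "suspect"
        print(f"{name} [{flag}]: {value}")
```

The plausibility check matters when the key is unknown or a variant changes it: run candidate keys against one blob and keep only decodes that come out as printable ASCII, which is what spreadsheet IDs and service-account addresses look like.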

Evasion Techniques and Persistence Mechanisms

One of the most notable features of SHEETCREEP is how deliberately it avoids detection at every stage. Instead of launching PowerShell as a separate program, the RAT executes commands entirely from within its own process memory, leaving no child process visible to security monitoring tools.

The malware also hides its executable using Hidden and System file attributes inside a directory path that closely resembles a standard Windows system folder.

For persistence, it installs a scheduled task named WindowsVaultSyncService with a misleading description crafted to appear harmless during manual review.

The task runs at every user login with no time limit, keeping attacker access alive indefinitely. If the malware detects active analysis tools such as dnSpy or Wireshark, it forces an immediate system restart to disrupt any ongoing investigation.

Securonix recommends that teams avoid opening unsolicited ISO file attachments and monitor for unexpected executables appearing in the Windows Vault directory.

In-process PowerShell command execution (Source: Securonix)

Organizations should also watch for scheduled tasks registered through COM rather than the standard command line, and flag non-browser processes making repeated connections to Google Sheets API endpoints.

Deploying Sysmon alongside .NET-based detection capabilities can help capture in-process PowerShell activity that conventional logging would otherwise miss.
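The network-side recommendation above (flag non-browser processes that keep talking to the Sheets API) can be turned into a simple hunt over Sysmon network-connection events. The script below is an added example written for this article, not detection content from Securonix. It assumes Sysmon Event ID 3 records have been exported as newline-delimited JSON with Sysmon's usual field names (EventID, UtcTime, Image, DestinationHostname, DestinationPort); every event line in it is constructed for the demonstration and describes no real host.

```python
"""Hunt for non-browser processes repeatedly reaching the Google Sheets API.

Added example, not Securonix's detection content. Assumes Sysmon Event ID 3
records exported as NDJSON with the usual field names; all events below are
constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime

# Endpoints the report lists as the RAT's C2 and authentication hosts.
GOOGLE_API_HOSTS = {"sheets.googleapis.com", "oauth2.googleapis.com"}
# Processes for which Google API traffic is expected; tune per environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
MIN_CONNECTIONS = 3  # connections per image before we call it beaconing


def _event(ts, image, host, port=443):
    return {"EventID": 3, "UtcTime": ts, "Image": image,
            "DestinationHostname": host, "DestinationPort": port}


# Constructed image paths (hypothetical hosts, not observed samples).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
VAULTSVC = r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe"
PYTHON = r"C:\Python312\python.exe"

# Constructed sample export: a browser, a one-off script and a beaconing RAT.
CONSTRUCTED_EVENTS = [
    _event("2026-03-01 10:00:02.000", CHROME, "sheets.googleapis.com"),
    _event("2026-03-01 10:00:05.000", VAULTSVC, "oauth2.googleapis.com"),
    _event("2026-03-01 10:00:06.000", VAULTSVC, "sheets.googleapis.com"),
    _event("2026-03-01 10:01:06.000", VAULTSVC, "sheets.googleapis.com"),
    _event("2026-03-01 10:02:06.000", VAULTSVC, "sheets.googleapis.com"),
    _event("2026-03-01 10:03:00.000", PYTHON, "sheets.googleapis.com"),
    _event("2026-03-01 10:03:10.000", CHROME, "sheets.googleapis.com"),
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in CONSTRUCTED_EVENTS)


def parse_ndjson(text):
    """Yield one event dict per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def image_name(image):
    """Lower-cased file name of an image path (Windows or POSIX separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_sheets_beacons(events, min_connections=MIN_CONNECTIONS):
    """Return {image: [timestamps]} for non-browser images that reached the
    Sheets or OAuth endpoints at least min_connections times."""
    seen = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        host = str(ev.get("DestinationHostname", "")).lower()
        if host not in GOOGLE_API_HOSTS:
            continue
        image = ev.get("Image", "")
        if image_name(image) in BROWSERS:
            continue
        seen[image].append(ev.get("UtcTime", ""))
    return {img: ts for img, ts in seen.items() if len(ts) >= min_connections}


def matches_vault_path(image):
    """True when the image lives in the Credential Vault directory under
    %LOCALAPPDATA% that the report names as the RAT's deployment path."""
    lower = image.lower().replace("/", "\\")
    return "\\appdata\\local\\microsoft\\vault\\" in lower and lower.endswith(".exe")


def seconds_between(ts_a, ts_b):
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    return (datetime.strptime(ts_b, fmt) - datetime.strptime(ts_a, fmt)).total_seconds()


def summarize(hits):
    """One human-readable line per flagged image."""
    lines = []
    for image, times in hits.items():
        span = seconds_between(times[0], times[-1]) if len(times) > 1 else 0.0
        tag = " [in Vault dir]" if matches_vault_path(image) else ""
        lines.append(f"{image}{tag}: {len(times)} Google API connections over {span:.0f}s")
    return lines


if __name__ == "__main__":
    for line in summarize(hunt_sheets_beacons(parse_ndjson(SAMPLE_NDJSON))):
        print(line)
```

The browser allow-list and the connection threshold are the two knobs to tune: legitimate Google Workspace sync clients and scripts will show up too, so pair the count with the path check (an executable under the Vault directory should never be a network client) rather than alerting on count alone.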

Indicators of Compromise (IoCs):

Type | Indicator | Description
File Hash (SHA256) | 1ba67bb1cfad42446880cca53cbd05fe66d7514b2bb139b48e5c63adff14be7b | UAE-India_Strategic_Partnership_Week.iso (initial infection file)
File Hash (SHA256) | 2cc7c2d8653c98e5bac32fcaf5e45b861efb4bb87df3b3f96285edb475e75bba | Document_11052026-03578240540350-93.exe (C# dropper)
File Hash (SHA256) | 62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa | vaultsvc.exe (SHEETCREEP RAT payload)
IP Address | 142.251.223.42 | Google API C2 endpoint (Google LLC, AS15169) observed during beaconing
Domain | sheets.googleapis.com | Google Sheets API used as C2 channel
Domain | oauth2.googleapis.com | OAuth2 authentication endpoint used by the RAT
Service Account Email | sheet5-495707@sheetcreep-serviceaccount.iam.gserviceaccount.com | Hardcoded GCP service account used for authentication
C2 Spreadsheet ID | 1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8 | Google Sheets document used as the C2 spreadsheet
GCP Project ID | sheet5-495707 | Google Cloud project hosting the attacker's service account
Scheduled Task Name | WindowsVaultSyncService | Persistence mechanism created by the dropper
File Path | %LOCALAPPDATA%\Microsoft\Vault\vaultsvc.exe | RAT deployment path masquerading as a Windows system file
Mutex | GlobalWinSync_--<4char-hash> | Mutex used by the RAT to enforce single-instance execution

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
