Operation ShadowRecruit: A Recruitment-Themed Malware Campaign Leveraging ControlR and Google Sheets to Target Indian Job Seekers

Operation ShadowRecruit: A Recruitment-Themed Malware Campaign Leveraging ControlR and Google Sheets to Target Indian Job Seekers
Seqrite tracked Operation ShadowRecruit, a multi-stage campaign targeting Indian government job seekers with a fake Cabinet Secretariat recruitment notice and a ZIP file containing a malicious LNK, PowerShell script, and .NET loader. The attack abuses ControlR and Google Sheets/Google Drive for remote access and backup command-and-control, and is assessed with moderate confidence to be linked to APT36. #APT36 #ControlR #GoogleSheets #SheetAgentRAT

Keypoints

  • The campaign targeted Indian government job seekers using a fake Senior Field Officer recruitment notice for the Cabinet Secretariat.
  • The initial lure was a ZIP archive named Approved Documents 2026.pdf.zip containing a malicious LNK file, a PowerShell script, and a .NET executable.
  • The attack abused the legitimate ControlR remote management tool to enroll victim machines into the attacker’s instance for persistent access.
  • Document.exe acted as a .NET dropper that created persistence through a scheduled task and, if needed, a Startup folder shortcut.
  • The final payload, named SheetAgent RAT, used Google Sheets and Google Drive as a backup command-and-control channel.
  • The malware used hardcoded Google service account credentials and a fixed spreadsheet layout to issue commands, store output, and track infected systems.
  • Seqrite assessed the campaign with moderate confidence as likely associated with APT36 and noted related infrastructure including SecureMonitor and PrivateRat panels.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The campaign delivered a malicious ZIP attachment disguised as recruitment documents (‘the attacker leveraged an ongoing Indian government recruitment notice … as a lure’).
  • [T1204.002] User Execution – Victims had to open the disguised LNK/archive for the infection chain to begin (‘the initial infection begins with the LNK file’).
  • [T1059.001] Command and Scripting Interpreter – PowerShell was used to run the downloader and launch the next stage (‘it invokes powershell.exe to execute JT-agenda.ps1’).
  • [T1106] Native API – The .NET dropper used system functions and Windows mechanisms to create files, tasks, and launch payloads (‘the malware dynamically creates a task configured to launch agent.exe’).
  • [T1547.001] Boot or Logon Autostart Execution – Persistence was achieved through the Windows Startup folder (‘creates a shortcut … and places it in %APPDATA%MicrosoftWindowsStart MenuProgramsStartup’).
  • [T1053.005] Scheduled Task – The malware created a scheduled task for repeated execution (‘Windows Scheduled Task named WindowsDefenderSyncService’).
  • [T1548.004] Abuse Elevation Control Mechanism – The campaign abused legitimate software and installer behavior to gain persistent access (‘the threat actors abuse this legitimate remote management software’).
  • [T1036.005] Masquerading – Files and names were made to look legitimate, including Windows-like names and icons (‘replaced the default LNK icon with the Microsoft Edge browser icon’).
  • [T1140] Deobfuscate/Decode Data – The PowerShell script used an encoded command that was decoded for analysis (‘long Base64-encoded command supplied through the -EncodedCommand parameter’).
  • [T1027.011] Obfuscated Files or Information – Hidden files and disguised components were used to conceal the infection chain (‘configured with the Hidden file attribute’).
  • [T1564.001] Hide Artifacts – Malware components were hidden and deleted after use (‘the other two files … were configured with the Hidden file attribute’).
  • [T1070.004] Indicator Removal – The cleanup routine deleted malware files and configuration artifacts (‘forcefully deletes the malware executable, removes its configuration file’).
  • [T1497.001] Virtualization/Sandbox Evasion – The malware performed multiple VM and sandbox checks before continuing (‘performs a total of 14 different virtualization detection techniques’).
  • [T1082] System Information Discovery – It queried system manufacturer, BIOS, drivers, processes, and registry artifacts (‘checks the system manufacturer and BIOS information using WMI’).
  • [T1614.001] System Location Discovery – The malware stored the victim’s public IP address in Google Sheets (‘Stores the victim’s public IP address’).
  • [T1041] Exfiltration Over C2 Channel – The malware sent command results and victim data through its Google Sheets C2 channel (‘writes the execution results back to the same row’).

Indicators of Compromise

  • [File names / archives] Malware delivery and dropped components – Approved Documents 2026.pdf.zip, Document.exe, JT-agenda.ps1, and Document-24062026-Y6352634.lnk
  • [File names / payloads] Secondary installer and final payload – ControlR.Agent.Installer.exe, MicrosoftSyncService.exe, and Document.lnk
  • [SHA-256 hashes] Sample hashes for archive and payload files – 2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c, ee9dd2a180aea75af5c0eda16b83681c0a5fed451bfad6d5b3af85c3b62fa210, and other 6 hashes
  • [IP address] Hosting decoy document and management panels – 38[.]242[.]157[.]89
  • [URLs] Decoy PDF and panel login pages – hxxp://38[.]242[.]157[.]89/file.pdf, 38[.]242[.]157[.]89:9000/login, and other 2 login URLs
  • [Google account / service account] Infrastructure linked to SheetAgent RAT – [email protected] and [email protected]
  • [Cloud project / IDs] Google service enrollment and access values embedded in the malware – sheet12-500308, d5eab065-bbe2-4178-9574-1cbac7e40c64, and other 2 IDs/secrets


Read more: https://www.seqrite.com/blog/operation-shadowrecruit-a-recruitment-themed-malware-campaign-leveraging-controlr-and-google-sheets-to-target-indian-job-seekers/