Seqrite tracked Operation ShadowRecruit, a multi-stage campaign targeting Indian government job seekers with a fake Cabinet Secretariat recruitment notice and a ZIP file containing a malicious LNK, PowerShell script, and .NET loader. The attack abuses ControlR and Google Sheets/Google Drive for remote access and backup command-and-control, and is assessed with moderate confidence to be linked to APT36. #APT36 #ControlR #GoogleSheets #SheetAgentRAT
Keypoints
- The campaign targeted Indian government job seekers using a fake Senior Field Officer recruitment notice for the Cabinet Secretariat.
- The initial lure was a ZIP archive named Approved Documents 2026.pdf.zip containing a malicious LNK file, a PowerShell script, and a .NET executable.
- The attack abused the legitimate ControlR remote management tool to enroll victim machines into the attackerâs instance for persistent access.
- Document.exe acted as a .NET dropper that created persistence through a scheduled task and, if needed, a Startup folder shortcut.
- The final payload, named SheetAgent RAT, used Google Sheets and Google Drive as a backup command-and-control channel.
- The malware used hardcoded Google service account credentials and a fixed spreadsheet layout to issue commands, store output, and track infected systems.
- Seqrite assessed the campaign with moderate confidence as likely associated with APT36 and noted related infrastructure including SecureMonitor and PrivateRat panels.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment â The campaign delivered a malicious ZIP attachment disguised as recruitment documents (âthe attacker leveraged an ongoing Indian government recruitment notice ⌠as a lureâ).
- [T1204.002] User Execution â Victims had to open the disguised LNK/archive for the infection chain to begin (âthe initial infection begins with the LNK fileâ).
- [T1059.001] Command and Scripting Interpreter â PowerShell was used to run the downloader and launch the next stage (âit invokes powershell.exe to execute JT-agenda.ps1â).
- [T1106] Native API â The .NET dropper used system functions and Windows mechanisms to create files, tasks, and launch payloads (âthe malware dynamically creates a task configured to launch agent.exeâ).
- [T1547.001] Boot or Logon Autostart Execution â Persistence was achieved through the Windows Startup folder (âcreates a shortcut ⌠and places it in %APPDATA%MicrosoftWindowsStart MenuProgramsStartupâ).
- [T1053.005] Scheduled Task â The malware created a scheduled task for repeated execution (âWindows Scheduled Task named WindowsDefenderSyncServiceâ).
- [T1548.004] Abuse Elevation Control Mechanism â The campaign abused legitimate software and installer behavior to gain persistent access (âthe threat actors abuse this legitimate remote management softwareâ).
- [T1036.005] Masquerading â Files and names were made to look legitimate, including Windows-like names and icons (âreplaced the default LNK icon with the Microsoft Edge browser iconâ).
- [T1140] Deobfuscate/Decode Data â The PowerShell script used an encoded command that was decoded for analysis (âlong Base64-encoded command supplied through the -EncodedCommand parameterâ).
- [T1027.011] Obfuscated Files or Information â Hidden files and disguised components were used to conceal the infection chain (âconfigured with the Hidden file attributeâ).
- [T1564.001] Hide Artifacts â Malware components were hidden and deleted after use (âthe other two files ⌠were configured with the Hidden file attributeâ).
- [T1070.004] Indicator Removal â The cleanup routine deleted malware files and configuration artifacts (âforcefully deletes the malware executable, removes its configuration fileâ).
- [T1497.001] Virtualization/Sandbox Evasion â The malware performed multiple VM and sandbox checks before continuing (âperforms a total of 14 different virtualization detection techniquesâ).
- [T1082] System Information Discovery â It queried system manufacturer, BIOS, drivers, processes, and registry artifacts (âchecks the system manufacturer and BIOS information using WMIâ).
- [T1614.001] System Location Discovery â The malware stored the victimâs public IP address in Google Sheets (âStores the victimâs public IP addressâ).
- [T1041] Exfiltration Over C2 Channel â The malware sent command results and victim data through its Google Sheets C2 channel (âwrites the execution results back to the same rowâ).
Indicators of Compromise
- [File names / archives] Malware delivery and dropped components â Approved Documents 2026.pdf.zip, Document.exe, JT-agenda.ps1, and Document-24062026-Y6352634.lnk
- [File names / payloads] Secondary installer and final payload â ControlR.Agent.Installer.exe, MicrosoftSyncService.exe, and Document.lnk
- [SHA-256 hashes] Sample hashes for archive and payload files â 2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c, ee9dd2a180aea75af5c0eda16b83681c0a5fed451bfad6d5b3af85c3b62fa210, and other 6 hashes
- [IP address] Hosting decoy document and management panels â 38[.]242[.]157[.]89
- [URLs] Decoy PDF and panel login pages â hxxp://38[.]242[.]157[.]89/file.pdf, 38[.]242[.]157[.]89:9000/login, and other 2 login URLs
- [Google account / service account] Infrastructure linked to SheetAgent RAT â [email protected] and [email protected]
- [Cloud project / IDs] Google service enrollment and access values embedded in the malware â sheet12-500308, d5eab065-bbe2-4178-9574-1cbac7e40c64, and other 2 IDs/secrets