An ISO titled UAE-India_Strategic_Partnership_Week.iso was uploaded from the UAE and delivers a new .NET RAT that the author temporarily calls PulseRAT through a dropper and LNK-based execution chain. The malware persists as WindowsVaultSyncService, disguises itself as Windows system software, and uses a Google Sheets spreadsheet for command-and-control while also sharing artifacts that may link to a host named desktop-526nitv. #PulseRAT #WindowsVaultSyncService #desktop-526nitv #UAE-India_Strategic_Partnership_Week.iso
Keypoints
- The ISO file UAE-India_Strategic_Partnership_Week.iso contains two files: a LNK shortcut and an executable named Document_11052026-03578240540350-93.exe.
- The LNK file launches the executable through cmd.exe, and its metadata shows it was created on a machine named desktop-526nitv.
- The executable is a .NET dropper compiled on May 11, 2026, and its original file name is FinalTool.exe.
- The dropper creates %LOCALAPPDATA%\Microsoft\Vault, extracts an internal payload as vaultsvc.exe, and sets up persistence with a Scheduled Task named WindowsVaultSyncService.
- The final payload is a .NET RAT that the author calls PulseRAT, and it communicates through a Google Sheets spreadsheet.
- The RAT generates a victim UID from username and machine name, uses a mutex named GlobalWinSync_, and logs system info plus command execution results to the spreadsheet.
- The article notes a possible but unconfirmed link between the LNK/ISO activity and a benign Excel file also associated with desktop-526nitv.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The infection begins when the victim opens the ISO and launches the shortcut, which runs the embedded executable (‘The LNK file does just one thing: it runs the accompanying executable file’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – The malware executes commands through in-process PowerShell and later runs base64-encoded PowerShell commands (‘The systeminfo command is run once via an in-process PowerShell execution’ and ‘it will base64-decode them, execute them’).
- [T1027] Obfuscated Files or Information – The RAT hides strings by base64 decoding and XOR decryption before use (‘uses a string decoding/decryption method named JIT to base64-decode and XOR decrypt the strings’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – The dropper creates a scheduled task for execution and persistence (‘The Task created for initial execution and persistence is called WindowsVaultSyncService’).
- [T1105] Ingress Tool Transfer – The dropper extracts embedded resources and writes the payload to disk for later execution (‘it extracts 2 embedded resources’ and ‘saved as %LOCALAPPDATA%\Microsoft\Vault\vaultsvc.exe’).
- [T1112] Modify Registry – Not mentioned.
- [T1106] Native API – The task is created via the Windows Task Scheduler COM interface rather than a normal command-line tool (‘implemented via the CreatePersistence method using the Windows Task Scheduler COM interface’).
- [T1027.013] Binary Padding – The decoy PDF is described as a 0-byte resource, helping mislead analysis (‘This “decoy PDF” is a 0 byte resource’).
- [T1564.001] Hide Artifacts: Hidden Files and Directories – The dropper places files under a hidden-looking application data path to conceal them (‘creates it’ under %LOCALAPPDATA%\Microsoft\Vault and saves the payload there).
- [T1071.001] Application Layer Protocol: Web Protocols – The RAT uses Google Sheets over HTTPS as its C2 channel (‘This RAT uses Google Sheets as a C2 channel’).
- [T1102.001] Web Service: Web Service – Commanding and status reporting occur via Google Sheets as an online service (‘uses Google Sheets as a C2 channel’ and interacts with an attacker-controlled Google Spreadsheet).
- [T1555.003] Credentials from Password Stores – Not mentioned.
- [T1588.001] Obtain Capabilities: Malware – The article introduces a newly observed RAT and dropper chain (‘a RAT which I had not seen before’).
- [T1070.004] File Deletion – The dropper self-deletes after setup (‘Self-delete’).
Indicators of Compromise
- [File names] ISO and payload files – UAE-India_Strategic_Partnership_Week.iso, Document_11052026-03578240540350-93.exe, and UAE-India_Strategic_Partnership-Week.lnk
- [File names] Dropped payload and decoy – vaultsvc.exe and InternalBait (a 0-byte decoy PDF resource)
- [SHA-256 hashes] Sample hashes provided for the ISO and executables – 1ba67bb1cfad42446880cca53cbd05fe66d7514b2bb139b48e5c63adff14be7b, 2cc7c2d8653c98e5bac32fcaf5e45b861efb4bb87df3b3f96285edb475e75bba, and 62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa
- [Google Spreadsheet ID] C2 storage and command channel – 1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8
- [Service account email] Google Sheets authentication material – [email protected]
- [Host / machine name] LNK creation metadata and possible related artifact – desktop-526nitv
- [Mutex] Victim-specific execution gate – GlobalWinSync_
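As an added example, not code from the write-up or its author, the helper below turns the indicators above and the dropper/RAT behaviour from the Keypoints (cmd.exe launching the dropper from the LNK, the payload written under %LOCALAPPDATA%\Microsoft\Vault, the WindowsVaultSyncService task, the spreadsheet ID) into hunting checks over endpoint telemetry. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, Hashes, TargetFilename), a Security event 4698-style TaskName field and a proxy-log Url field; all sample events are constructed, including the Google Sheets API URL, since the write-up provides only the spreadsheet ID.

```python
"""Hunt endpoint/proxy telemetry for the PulseRAT dropper and RAT artifacts."""
import ntpath
import re

# Indicators as published in the write-up.
IOC_SHA256 = {
    "1ba67bb1cfad42446880cca53cbd05fe66d7514b2bb139b48e5c63adff14be7b",
    "2cc7c2d8653c98e5bac32fcaf5e45b861efb4bb87df3b3f96285edb475e75bba",
    "62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa",
}
IOC_FILE_NAMES = {
    "uae-india_strategic_partnership_week.iso",
    "uae-india_strategic_partnership-week.lnk",
    "document_11052026-03578240540350-93.exe",
    "vaultsvc.exe",
}
IOC_DROPPER_NAME = "document_11052026-03578240540350-93.exe"
IOC_TASK_NAME = "windowsvaultsyncservice"
IOC_SPREADSHEET_ID = "1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8"
# %LOCALAPPDATA%\Microsoft\Vault\vaultsvc.exe, matched under any user profile.
VAULT_PAYLOAD_RE = re.compile(r"\\appdata\\local\\microsoft\\vault\\vaultsvc\.exe$", re.IGNORECASE)


def _basename(path):
    """Lower-cased Windows basename; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path or "").lower()


def _sha256_from_hashes(field):
    """Extract the SHA256 value from a Sysmon 'SHA256=...,MD5=...' string."""
    for part in (field or "").split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_event(event):
    """Return the indicator names one telemetry record hits (empty list if clean)."""
    hits = []
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    cmdline = event.get("CommandLine", "")
    if _sha256_from_hashes(event.get("Hashes")) in IOC_SHA256:
        hits.append("sha256")
    for path in (image, target):
        if _basename(path) in IOC_FILE_NAMES:
            hits.append("filename:" + _basename(path))
        if VAULT_PAYLOAD_RE.search(path):
            hits.append("vault_payload_path")
    # Security 4698 reports the task as "\WindowsVaultSyncService"; schtasks would show it in CommandLine.
    if event.get("TaskName", "").strip("\\").lower() == IOC_TASK_NAME or IOC_TASK_NAME in cmdline.lower():
        hits.append("scheduled_task_name")
    if IOC_SPREADSHEET_ID.lower() in (cmdline + " " + event.get("Url", "")).lower():
        hits.append("spreadsheet_id")
    # The documented chain: the LNK makes cmd.exe launch the dropper executable.
    if _basename(event.get("ParentImage")) == "cmd.exe" and _basename(image) == IOC_DROPPER_NAME:
        hits.append("lnk_cmd_dropper_chain")
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


def hunt(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"E:\Document_11052026-03578240540350-93.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"E:\Document_11052026-03578240540350-93.exe",
     "Hashes": "SHA256=2cc7c2d8653c98e5bac32fcaf5e45b861efb4bb87df3b3f96285edb475e75bba"},
    {"EventID": 11, "Image": r"E:\Document_11052026-03578240540350-93.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe"},
    {"EventID": 4698, "TaskName": "\\WindowsVaultSyncService"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "SHA256=" + "0" * 64},  # constructed benign record
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Constructed proxy record; the Sheets API host is assumed, the write-up gives only the ID.
    {"EventID": "proxy",
     "Url": "https://sheets.googleapis.com/v4/spreadsheets/1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8/values/Sheet1"},
]

if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

The path rule is deliberately a regex on the profile-relative tail rather than a literal string, so it fires for every user profile and survives the %LOCALAPPDATA% expansion; the hash and filename rules are exact and will miss recompiled or renamed samples, which is why the behavioural rules (task name, path, cmd.exe to dropper chain) are kept alongside them.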
Read more: https://dmpdump.github.io/posts/PulseRAT/