Spies in the Spreadsheet: “Sheet Attack” Uses Google Sheets & AI to Target India

A sophisticated Pakistan-linked campaign dubbed “Sheet Attack” is targeting Indian government entities by abusing Google Sheets as a command-and-control (C2) channel to blend malicious traffic into trusted cloud services. Researchers at Zscaler ThreatLabz report the operation uses tools such as SHEETCREEP, FIREPOWER, and MAILCREEP and shows signs of generative AI-assisted malware development.

Key points

  • The campaign uses Google Sheets as an unconventional C2 channel to evade security controls.
  • SHEETCREEP is the primary C# backdoor that reads commands from and writes data to attacker-controlled Sheets.
  • Additional tools include FIREPOWER, a PowerShell backdoor abusing Firebase, and MAILCREEP for email manipulation.
  • Evidence suggests the attackers are using generative AI to assist in malware development and accelerate tool creation.
  • The operation targets Indian government entities, and its TTPs overlap with, but have evolved from, APT36 activity.
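
Because this C2 traffic goes to trusted cloud hosts, blocking by domain reputation does not help; one hunting approach is to ask which processes are talking to those APIs. The sketch below is an added example, not code from the Zscaler report or this article. The log format, the API host suffixes, the process allow-list, and every host and process name in the sample are assumptions or constructed values.

```python
import csv
import io
from collections import defaultdict

# Assumption: API hosts a Sheets- or Firebase-backed channel would contact.
CLOUD_API_SUFFIXES = ("sheets.googleapis.com", "firebaseio.com")
# Assumption: processes expected to reach these APIs in this environment.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed endpoint network telemetry; hosts and process names are made up.
SAMPLE_LOG = """\
timestamp,host,process,dest
2025-01-06T09:00:02,WS-014,chrome.exe,sheets.googleapis.com
2025-01-06T09:00:10,WS-014,svc_helper.exe,sheets.googleapis.com
2025-01-06T09:01:10,WS-014,svc_helper.exe,sheets.googleapis.com
2025-01-06T09:02:10,WS-014,svc_helper.exe,sheets.googleapis.com
2025-01-06T09:03:10,WS-014,svc_helper.exe,sheets.googleapis.com
2025-01-06T09:05:00,WS-022,powershell.exe,example-project.firebaseio.com
2025-01-06T09:10:00,WS-022,powershell.exe,example-project.firebaseio.com
2025-01-06T09:15:00,WS-022,powershell.exe,example-project.firebaseio.com
2025-01-06T09:20:00,WS-031,report_tool.exe,sheets.googleapis.com
2025-01-06T09:21:00,WS-031,sync.exe,sheets.googleapis.com.cdn.example
"""


def is_cloud_api(dest):
    """True only for the listed hosts or their subdomains, not lookalikes."""
    return any(dest == s or dest.endswith("." + s) for s in CLOUD_API_SUFFIXES)


def hunt(log_text, min_hits=3):
    """Return (host, process, dest, count) for unexpected repeat callers."""
    hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        proc, dest = row["process"].lower(), row["dest"].lower()
        if is_cloud_api(dest) and proc not in EXPECTED_PROCESSES:
            hits[(row["host"], proc, dest)] += 1
    return sorted(k + (n,) for k, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Findings are leads for triage, not verdicts: legitimate automation also calls these APIs, so the allow-list and the hit threshold need tuning per environment.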

Read More: https://securityonline.info/spies-in-the-spreadsheet-sheet-attack-uses-google-sheets-ai-to-target-india/