A remote access trojan (RAT) named SHEETCREEP is drawing attention for using Google Sheets as a covert command-and-control channel between its operators and the systems it compromises. The C# malware predominantly targets diplomatic entities and relies on phishing to gain its initial foothold.
The campaign opens with a phishing lure posing as an official document about the “UAE-India Strategic Partnership Week”. Victims receive an ISO file containing a Windows shortcut that is dressed up to look like a PDF; opening it launches the malware instead of a document. The lure trades on the trust users place in official-looking correspondence.
The Role of Google Sheets in Malware Operations
Securonix researchers, who uncovered this ongoing espionage effort, have released a detailed report on how SHEETCREEP works. Using credentials extracted from the malware itself, they accessed the live command-and-control (C2) spreadsheet and found 91 active victim tabs at the time of analysis. The campaign, originally detected by Zscaler ThreatLabz in January 2026, has since gained additional obfuscation, including XOR-encrypted configuration strings that are decoded only at runtime.
Attribution points to APT36, also known as Transparent Tribe, a group with a long record of targeting Indian government and military organizations. Of the active tabs, 17 were assessed as probably genuine victim machines running on physical hardware, underscoring the malware’s reach and persistence.
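The XOR-encrypted configuration strings mentioned above are a good illustration of why this kind of obfuscation slows analysts down without stopping them. The following is an added example, not code from the Securonix report or from the malware: it applies repeating-key XOR to a constructed config string with a hypothetical key, then recovers that key with a known-plaintext guess. The key bytes, the sample string and the assumption that the string starts at a key boundary are all assumptions for this example.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both hides and recovers."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Constructed sample: a hypothetical key and config string, not values from the report.
SAMPLE_KEY = bytes([0x5A, 0x13, 0xC4, 0x7E])
SAMPLE_CONFIG = b"https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE_SHEET_ID"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)  # what would sit inside the binary


def recover_key(blob: bytes, known_plaintext: bytes, key_len: int):
    """Known-plaintext recovery: ciphertext XOR plaintext gives the key stream.

    Works when the string starts at a key boundary (assumed here) and the
    plaintext guess is at least key_len bytes long.
    """
    if len(known_plaintext) < key_len:
        return None
    return xor_bytes(blob[:key_len], known_plaintext[:key_len])


def printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


def decode_config(blob: bytes, known_prefix: bytes = b"https://", max_key_len: int = 8):
    """Try key lengths 1..max_key_len and accept the first key whose full decode
    still begins with the guessed prefix and is entirely printable ASCII.

    Returns (key, plaintext) or None when no key length fits the guess.
    """
    for key_len in range(1, max_key_len + 1):
        key = recover_key(blob, known_prefix, key_len)
        if key is None:
            break
        plain = xor_bytes(blob, key)
        if plain.startswith(known_prefix) and printable(plain):
            return key, plain
    return None


if __name__ == "__main__":
    result = decode_config(SAMPLE_BLOB)
    if result is None:
        print("no key length fit the plaintext guess")
    else:
        key, plain = result
        print("key:", key.hex(), "config:", plain.decode())
```

A C2 URL or API endpoint almost always starts with a guessable prefix, which is why a short known-plaintext guess is enough; the printable-ASCII check is what rejects the wrong key lengths, since a partial key decodes the prefix correctly but turns the rest of the string into garbage.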
Technical Insights and Evasion Strategies
SHEETCREEP is dropped into the Windows Vault directory as vaultsvc.exe, borrowing the name of the legitimate Credential Manager service (VaultSvc). It is a compact C# program, yet it handles full data collection and reporting through Google Sheets. Each compromised machine is assigned a unique identifier, which the operators use as the name of a tab in their spreadsheet, giving them one worksheet per victim.
Communication with the C2 takes place over HTTPS via the Google Sheets API, so on the wire it looks like ordinary Google Workspace activity and blends in with legitimate use. Commands and responses are Base64-encoded. Base64 is encoding, not encryption: it defeats casual inspection and naive string matching, but anyone with access to the spreadsheet or to TLS-inspected traffic can decode it trivially.
SHEETCREEP also works to stay out of sight. It executes its PowerShell commands in memory inside its own process rather than launching a visible powershell.exe, so detections keyed on PowerShell command lines never fire. Persistence is a scheduled task named WindowsVaultSyncService, registered to pass as a benign Windows component. If analysis tools are detected, the malware forces a system reboot to interrupt the investigation.
Detection and Mitigation Measures
Securonix advises against opening unsolicited ISO files and recommends monitoring for unexpected executables in the Windows Vault directory. Organizations should also watch for scheduled tasks registered through the COM Task Scheduler interface, which leaves no schtasks.exe command line to detect, and flag non-browser processes that repeatedly reach Google Sheets API endpoints. Sysmon can capture the in-process activity that command-line monitoring misses: network connections attributed to the process, and image-load events showing System.Management.Automation.dll loaded into a process that is not a PowerShell host are a strong indicator of in-process PowerShell execution.
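As an added example, not tooling from Securonix, the following Python applies those recommendations to a handful of constructed, simplified Sysmon (Event ID 1, 3 and 7) and Windows Security (Event ID 4698) records. The Vault path fragment, the browser allow-list, the PowerShell host list, the connection threshold and the sample events are all assumptions made for this example; the only indicators taken from the article are the file name vaultsvc.exe and the task name WindowsVaultSyncService.

```python
import ntpath
from collections import Counter

# Assumptions for this example, not indicators published by Securonix.
VAULT_DIR_FRAGMENT = "\\microsoft\\vault\\"  # %LOCALAPPDATA%\Microsoft\Vault, C:\ProgramData\Microsoft\Vault
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
SHEETS_HOST = "sheets.googleapis.com"
CONN_THRESHOLD = 3                       # repeated API contact, not a single lookup
SUSPICIOUS_TASK_NAMES = {"windowsvaultsyncservice"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_vault_dir(path: str) -> bool:
    return VAULT_DIR_FRAGMENT in path.lower()


def detect(events):
    """Run four rules over simplified event dicts; return (rule, host, detail) tuples."""
    alerts = []
    sheets_conns = Counter()
    for ev in events:
        eid, host, image = ev["id"], ev["host"], ev.get("image", "")
        if eid == 1 and in_vault_dir(image):
            # Process creation: executables do not belong in the Vault directory.
            alerts.append(("exe_in_vault_dir", host, image))
        elif eid == 3 and ev.get("dest_host") == SHEETS_HOST and basename(image) not in BROWSERS:
            # Network connection: count Sheets API contacts per non-browser process.
            sheets_conns[(host, image)] += 1
        elif eid == 7 and basename(ev["image_loaded"]) == "system.management.automation.dll" \
                and basename(image) not in POWERSHELL_HOSTS:
            # Image load: the PowerShell engine hosted by something that is not PowerShell.
            alerts.append(("inprocess_powershell", host, image))
        elif eid == 4698:
            # Task registration still logs 4698 even when done via COM with no schtasks.exe.
            task = ev["task_name"]
            if task.strip("\\").lower() in SUSPICIOUS_TASK_NAMES or in_vault_dir(ev.get("task_command", "")):
                alerts.append(("suspicious_scheduled_task", host, task))
    for (host, image), n in sheets_conns.items():
        if n >= CONN_THRESHOLD:
            alerts.append(("nonbrowser_sheets_api", host, f"{image} ({n} connections)"))
    return alerts


# Constructed sample telemetry (hypothetical hosts and paths).
VAULT_EXE = r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_ENGINE = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": VAULT_EXE, "cmdline": "vaultsvc.exe"},
    {"id": 1, "host": "ws01", "image": CHROME, "cmdline": "chrome.exe"},
    {"id": 7, "host": "ws01", "image": VAULT_EXE, "image_loaded": PS_ENGINE},
    {"id": 7, "host": "ws01", "image": PWSH, "image_loaded": PS_ENGINE},   # legitimate host, no alert
    *[{"id": 3, "host": "ws01", "image": VAULT_EXE, "dest_host": SHEETS_HOST, "dest_port": 443} for _ in range(4)],
    *[{"id": 3, "host": "ws01", "image": CHROME, "dest_host": SHEETS_HOST, "dest_port": 443} for _ in range(2)],
    {"id": 3, "host": "ws01", "image": PWSH, "dest_host": SHEETS_HOST, "dest_port": 443},  # single hit, under threshold
    {"id": 4698, "host": "ws01", "task_name": r"\WindowsVaultSyncService", "task_command": VAULT_EXE},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Event ID 4698 is only emitted when the "Audit Other Object Access Events" subcategory is enabled, and Sysmon's DestinationHostname field depends on reverse DNS, so in production the Sheets rule is better keyed on destination IP ranges or on proxy logs; the structure of the rules is what carries over.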
In conclusion, SHEETCREEP shows how a trusted SaaS platform can be turned into a C2 channel that network monitoring alone will not distinguish from legitimate use. Detection therefore has to rest on host telemetry: which processes talk to the API, what they write to disk and how they persist.
