SHEETCREEP
SHEETCREEP is a backdoor/remote access trojan used in an espionage campaign targeting primarily Indian government, military and diplomatic organizations, along with other diplomatic organizations; reporting links the activity with moderate confidence to APT36 (Transparent Tribe), a Pakistan-aligned threat actor. It has been described as a small .NET/C# backdoor with limited built-in functionality that abuses Google Sheets as its command-and-control channel: it polls an attacker-controlled spreadsheet for encrypted commands and writes encrypted, Base64-encoded execution results back into spreadsheet cells through the Google Sheets API over HTTPS. Some reporting also refers to a Golang-based SHEETCREEP variant, but the most detailed technical descriptions available describe a C#/.NET implementation.
Observed delivery includes phishing lures themed around the "UAE-India Strategic Partnership Week", as well as PDF lures that redirect victims to attacker-controlled sites serving ZIP archives. Victims have also received ISO or ZIP archives containing malicious Windows shortcut (.LNK) files: in one chain, a shortcut masquerading as a PDF launches a malicious dropper; in another, a binary disguised with a PNG extension was loaded as a .NET assembly via reflection. More recent related activity also used malicious LNK files that launch headless PowerShell to retrieve payloads.
Capabilities and behavior described in reporting include: generation of a victim identifier from host and user information; creation or use of a dedicated spreadsheet tab for each victim; retrieval of commands from spreadsheet cells; execution of commands through a hidden cmd.exe process in some variants; and return of encrypted output to the sheet. Configuration data is reported to be embedded and encrypted, including Google Cloud credentials and a Google Sheet ID. One report states that configuration strings such as the spreadsheet ID and service account email were XOR-encrypted with the key "discrete" and decoded at runtime; another states that an embedded JSON configuration was decrypted with TripleDES in ECB mode. The malware has also been reported to poll the spreadsheet every three seconds for new commands.
Persistence and evasion techniques reported include: installation via a scheduled task (names such as WindowsVaultSyncService, and GServices.vbs-based tasking); execution of PowerShell commands in-process rather than spawning a separate PowerShell child process; hiding the executable with the Hidden and System attributes in a Windows-like path; and anti-analysis behavior that forces an immediate system restart if tools such as dnSpy or Wireshark are detected. One report states the payload was stored as vaultsvc.exe in the Windows Credential Vault directory path.
High-confidence indicators in reporting include SHA-256 1ba67bb1cfad42446880cca53cbd05fe66d7514b2bb139b48e5c63adff14be7b for the infection ISO UAE-India_Strategic_Partnership_Week.iso and SHA-256 62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa for the SHEETCREEP payload vaultsvc.exe.
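The host-side artifacts summarised above (the scheduled task name, a Hidden+System executable outside the real Windows directory, a hidden cmd.exe child of the payload, the single-instance mutex and the two published SHA-256 values) can be turned into simple triage rules. The Python below is an added example written for this page; it is not code from any vendor report and not the malware's own code. It runs over constructed Sysmon-style process and file events plus one sandbox-style mutex record. The event field names, the user-profile path used for vaultsvc.exe and the assumption that the four-character mutex suffix is alphanumeric are this example's own.

```python
"""Host-artifact triage for SHEETCREEP-style tradecraft (added example, not from any report).

Input events are a constructed, simplified mix of Sysmon-like process/file records and
one sandbox-style mutex record. Field names are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

# Values taken from public reporting as summarised on the page.
KNOWN_SHA256 = {
    "1ba67bb1cfad42446880cca53cbd05fe66d7514b2bb139b48e5c63adff14be7b": "UAE-India_Strategic_Partnership_Week.iso",
    "62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa": "vaultsvc.exe",
}
TASK_NAMES = {"windowsvaultsyncservice"}
PAYLOAD_NAMES = {"vaultsvc.exe"}
# Global\WinSync_<username>-<hostname>-<4char-hash>; the 4-char suffix is assumed alphanumeric.
MUTEX_RE = re.compile(r"^Global\\WinSync_[^\\]+-[0-9a-z]{4}$", re.I)
TASK_CMD_RE = re.compile(r"/tn\s+\"?([^\s\"]+)", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: list[str] = []
    kind = ev.get("type")

    if kind == "process_create":
        sha = ev.get("sha256", "").lower()
        if sha in KNOWN_SHA256:
            hits.append("known_hash:" + KNOWN_SHA256[sha])
        image = _basename(ev.get("image", ""))
        # Scheduled task created with the persistence name named in reporting.
        if image == "schtasks.exe":
            m = TASK_CMD_RE.search(ev.get("cmdline", ""))
            if m and m.group(1).lower() in TASK_NAMES:
                hits.append("sched_task_name")
        # cmd.exe spawned by the reported payload name (the hidden command shell).
        if image == "cmd.exe" and _basename(ev.get("parent_image", "")) in PAYLOAD_NAMES:
            hits.append("cmd_child_of_payload")

    elif kind == "file_attributes":
        attrs = {a.lower() for a in ev.get("attributes", [])}
        path = ev.get("path", "")
        # Hidden+System on an executable outside the real Windows directory is the
        # "Windows-like path" trick described in reporting.
        if {"hidden", "system"} <= attrs and path.lower().endswith(".exe") and not _under_windows_dir(path):
            hits.append("hidden_system_exe_outside_windows")

    elif kind == "mutex":
        if MUTEX_RE.match(ev.get("name", "")):
            hits.append("winsync_mutex")

    return hits


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, rule name) for every rule hit across the event list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry; the user-profile path for vaultsvc.exe is an assumption.
VAULT_PATH = r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe", "sha256": "00" * 32},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": VAULT_PATH,
     "cmdline": 'schtasks /create /tn WindowsVaultSyncService /sc onlogon /tr "' + VAULT_PATH + '"',
     "sha256": "11" * 32},
    {"type": "process_create", "image": VAULT_PATH, "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "vaultsvc.exe",
     "sha256": "62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa"},
    {"type": "file_attributes", "path": VAULT_PATH, "attributes": ["Hidden", "System"]},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": VAULT_PATH,
     "cmdline": "cmd.exe /c hostname", "sha256": "22" * 32},
    {"type": "mutex", "name": r"Global\WinSync_alice-DESKTOP01-9f3a"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The hash and task-name rules are exact-match and brittle by design; the attribute and parent-process rules describe behaviour and survive a rebuilt sample, so they are the ones worth keeping when the published hashes stop matching.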
Groups observed using it
1 distinct threat actor attributed by public researchers.
A newly identified remote access trojan named SHEETCREEP is making headlines for its clever use of Google Sheets as a hidden communication channel between attackers and infected machines.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (3 techniques)
For persistence, it installs a scheduled task named WindowsVaultSyncService with a misleading description crafted to appear harmless during manual review. The task runs at every user login with no time limit, keeping attacker access alive indefinitely.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (6 techniques)
Threat actors have upgraded their tools to make detection harder, replacing plaintext configuration settings with XOR-encrypted strings decoded only at runtime.
Victims receive an ISO file, and inside it is a shortcut that looks like a PDF... The malware also hides its executable using Hidden and System file attributes inside a directory path that closely resembles a standard Windows system folder.
Mutex: Global\WinSync_<username>-<hostname>-<4char-hash> (used by the RAT to enforce single-instance execution)
Among the active victim tabs, the team identified 17 potential real targets with physical hardware and no sandbox indicators.
Discovery (2 techniques)
Command and Control (4 techniques)
All communication runs through the Google Sheets API over HTTPS, making the traffic look identical to normal Google Workspace activity.
SheetCreep... converts a Google Drive spreadsheet into a live control hub, polling it for encrypted instructions and writing encrypted responses back into cells.
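Because the C2 traffic is ordinary HTTPS to the Sheets API, the network-side signal is timing rather than destination: reporting puts the poll interval at three seconds. The Python below is an added example written for this page, not code from any of the cited sources. It parses a constructed, simplified proxy-log format (UTC timestamp, client IP, host:port, status, bytes), groups requests to sheets.googleapis.com by client and flags clients whose inter-request intervals cluster tightly around the reported interval. The log format, the sample clients and the thresholds are all this example's assumptions.

```python
"""Periodicity check for Google Sheets API traffic (added example; the sample log is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev
from typing import Optional

SHEETS_HOST = "sheets.googleapis.com"
REPORTED_POLL_SECONDS = 3.0   # polling interval stated in public reporting
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Parse one constructed proxy record: '<utc-ts> <client-ip> <host>:<port> <status> <bytes>'."""
    ts, client, host_port, _status, _size = line.split()
    host = host_port.rsplit(":", 1)[0]
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc), client, host


def intervals_per_client(lines: list[str], host: str = SHEETS_HOST) -> dict[str, list[float]]:
    """Seconds between consecutive requests to `host`, keyed by client, in log order."""
    times: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        ts, client, h = parse_line(line)
        if h == host:
            times[client].append(ts)
    return {
        c: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        for c, t in times.items() if len(t) > 1
    }


def score_beacon(ivals: list[float], expected: float = REPORTED_POLL_SECONDS,
                 tolerance: float = 0.5, max_cv: float = 0.25, min_samples: int = 5) -> Optional[dict]:
    """Flag a client whose median interval sits near `expected` with low jitter.

    Returns None when there are too few intervals to judge. The coefficient of
    variation (std/mean) separates a fixed-interval poller from interactive use.
    """
    if len(ivals) < min_samples:
        return None
    avg = mean(ivals)
    cv = pstdev(ivals) / avg if avg else 0.0
    med = median(ivals)
    return {"median": med, "cv": round(cv, 3),
            "beacon": abs(med - expected) <= tolerance and cv <= max_cv}


def analyze(lines: list[str]) -> dict[str, Optional[dict]]:
    """Per-client beacon verdicts for all Sheets API traffic in the log."""
    return {c: score_beacon(iv) for c, iv in intervals_per_client(lines).items()}


def _records(client: str, offsets: list[int], host: str = SHEETS_HOST,
             start: str = "2024-05-02T10:00:00Z") -> list[str]:
    """Build constructed log lines for `client` at the given second offsets from `start`."""
    base = datetime.strptime(start, TS_FMT)
    return [f"{(base + timedelta(seconds=o)).strftime(TS_FMT)} {client} {host}:443 200 1342"
            for o in offsets]


# Constructed sample: one client polling every ~3 s (with a single 4 s gap), one
# interactive user, and unrelated traffic to another host that must be ignored.
SAMPLE_LOG = (
    _records("10.0.0.5", [0, 3, 6, 9, 13, 16, 19, 22, 25, 28, 31, 34])
    + _records("10.0.0.9", [0, 41, 95, 96, 310, 900])
    + _records("10.0.0.9", [5, 8, 11], host="www.example.com")
)

if __name__ == "__main__":
    for client, result in analyze(SAMPLE_LOG).items():
        print(client, result)
```

Legitimate Workspace add-ins and sync clients also poll the Sheets API on a schedule, so a timing hit is a hunt lead to correlate with the host artifacts (scheduled task, hidden payload, mutex) rather than an alert on its own; the tolerance and jitter thresholds need tuning against a baseline of real Workspace traffic.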
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A C# remote access trojan used in an espionage campaign targeting diplomatic organizations. It is delivered via phishing with an ISO lure, persists via a scheduled task, executes commands including in-process PowerShell, collects data, and uses the Google Sheets API over HTTPS as its command-and-control channel while hiding configuration with XOR-encrypted strings.
A C# backdoor that uses a Google Sheets/Drive spreadsheet as a C2 control hub by polling for encrypted commands and writing encrypted responses back into spreadsheet cells.
Golang backdoor used in the 'Sheet Attack' campaign; uses Google Sheets as command-and-control by reading encoded commands from cells and writing execution output back via the Sheets API.
Golang backdoor that uses Google Sheets as C2 by reading encoded commands from spreadsheet cells and writing execution output back via the Google Sheets API.