APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP
A new campaign targeting Indian government entities was uncovered, utilizing three backdoors: SHEETCREEP, FIREPOWER, and MAILCREEP. These tools leverage legitimate cloud services like Google Sheets, Firebase, and Microsoft Graph API for command and control, enabling the attackers to blend in with normal traffic. The campaign, named Sheet Attack, employed PDFs and malicious LNK files as initial infection vectors. Evidence suggests the use of generative AI in malware development. While sharing similarities with APT36, the campaign's unique characteristics point to either a new Pakistan-linked group or an APT36 subgroup. The attackers demonstrated hands-on-keyboard activity and deployed additional payloads, including a document stealer, to selected targets.
AI Analysis
Technical Summary
The Sheet Attack campaign is a targeted Advanced Persistent Threat (APT) operation against Indian government entities. It employs three distinct backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, whose command and control (C2) channels run over legitimate cloud platforms: Google Sheets, Firebase, and the Microsoft Graph API. Because that traffic is HTTPS to well-known, high-reputation hostnames, domain- and reputation-based network controls see nothing unusual; the malicious sessions are distinguishable only by which process generates them and what they carry. Initial access relies on weaponized PDFs and malicious Windows LNK shortcut files delivered through spear-phishing, both common social engineering vectors. The campaign shows evidence that generative AI was used to develop or enhance the malware, indicating an actor that is actively adapting its tooling. Although the campaign overlaps with the Pakistan-linked APT36, its operational characteristics suggest either a new Pakistan-linked actor or an APT36 subgroup. Hands-on-keyboard activity was observed, with the operators manually deploying tailored follow-on payloads, including a document stealer, to selected victims to exfiltrate sensitive files. This is a malware campaign rather than a software vulnerability, so there is no patch to apply; defence rests on blocking the lure formats, detecting the post-compromise behaviour, and gaining process-level visibility into cloud API traffic. The aggregator assesses the campaign as medium severity given its narrow targeting.
Potential Impact
For European organizations the direct impact is currently limited, since the observed targeting is Indian government entities. The techniques, however, travel: abuse of legitimate cloud services for C2 and the use of generative AI in malware development are a growing trend that other actors can adopt. European government agencies and critical infrastructure operators that rely on the same cloud platforms would face the same detection gap if this actor widens its targeting or if similar groups copy the method. Cloud-fronted C2 can leave intrusions undetected for long periods, enabling sustained data exfiltration and espionage, and the hands-on-keyboard activity and document stealer show that theft of sensitive documents is the intended outcome. European organizations with ties to the Indian government or to strategic sectors may also face indirect exposure through shared suppliers or geopolitical spillover. The campaign is a reminder that a trusted destination is not a trusted connection: reputation-based egress filtering alone does not stop C2 that rides on Google, Firebase, or Microsoft infrastructure.
Mitigation Recommendations
Start from the fact that the cloud accounts used for C2 are controlled by the attacker, not the victim, so hardening your own Google Workspace or Microsoft 365 tenant (MFA, least privilege, regular permission audits) does not close this channel; those controls remain good practice against credential theft, but the relevant lever here is visibility into which processes on endpoints talk to sheets.googleapis.com, Firebase endpoints such as *.firebaseio.com, and graph.microsoft.com. Feed proxy or TLS-inspection logs with process attribution (or Sysmon network and DNS events joined to process creation events) into the SIEM and alert when a script host, an unsigned binary, or anything outside a short allowlist of browsers and Office clients reaches those APIs; baseline request volume and cadence per process, since beaconing to a spreadsheet or a database looks like a fixed-interval poll. Deploy EDR that records parent-child process chains and command lines, and hunt for the LNK initial-access pattern: explorer.exe spawning powershell.exe, cmd.exe, mshta.exe or a similar host with the shortcut's embedded command line. At the email gateway, block LNK attachments outright, including inside archives and ISO/IMG containers, since legitimate use is rare; detonate PDFs in a sandbox and strip or flag embedded links and scripts. Train users to recognize spear-phishing lures. Load the hashes and domains below into EDR, proxy and DNS blocklists, noting that the hashes match only the exact samples seen and the domains can be rotated, so behaviour-based detections are the durable control. Report any C2 sheet, Firebase project or Graph tenant you identify to the provider's abuse channel so it can be taken down, and keep threat intelligence feeds current for variants and related campaigns.
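As an added example for this write-up (not code from Zscaler, AlienVault or this aggregator), the Python script below turns the two points above, cloud-API C2 and LNK initial access, into one triage pass over process-attributed connection records. The IOC domains are the ones listed on this page; the API hostnames are the public endpoints of the three services the report names; the client allowlist, the script-host list and the sample events are assumptions and constructed data to be tuned per environment.

```python
"""Hunting helper for the cloud-service C2 pattern described above.

Added example for this write-up, not code from Zscaler, AlienVault or the
aggregator. IOC_DOMAINS come from the page; CLOUD_API_SUFFIXES are the public
endpoints of the services named; EXPECTED_CLIENTS, SCRIPT_HOSTS and
SAMPLE_EVENTS are assumptions / constructed data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domains listed in the Indicators of Compromise section.
IOC_DOMAINS = {"coadelhi.in", "hciaccounts.in", "hcidelhi.in", "hcidoc.in", "hcisupport.in"}

# Public API hostnames of the services the backdoors are reported to abuse for C2.
CLOUD_API_SUFFIXES = {
    "sheets.googleapis.com": "google_sheets",
    "firebaseio.com": "firebase",
    "firebasedatabase.app": "firebase",
    "graph.microsoft.com": "microsoft_graph",
}

# Assumption: processes that legitimately talk to those APIs on managed Windows hosts.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
                    "excel.exe", "teams.exe", "ms-teams.exe", "onedrive.exe"}

# Script/LOLBin hosts a malicious LNK typically launches via explorer.exe.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class Event:
    """One network-connection record joined to its process tree
    (e.g. Sysmon EID 3/22 joined to EID 1, or proxy logs with process attribution)."""
    host: str
    process: str
    parent: str
    dest: str


def hash_kind(value: str) -> Optional[str]:
    """Classify an IOC hash by length so a mixed list can be split per field."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def _suffix_match(name: str, suffixes) -> Optional[str]:
    """Return the matching suffix if name equals it or is a subdomain of it."""
    name = name.lower().rstrip(".")
    for s in suffixes:
        if name == s or name.endswith("." + s):
            return s
    return None


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, verdict, detail) for events worth an analyst's attention.

    Verdicts, strongest first:
      ioc_domain          destination is a listed campaign domain
      lnk_chain_cloud_c2  explorer.exe -> script host -> cloud API (fits LNK lure + C2)
      unexpected_client   non-allowlisted process talking to a cloud API
    """
    findings = []
    for ev in events:
        proc, parent = ev.process.lower(), ev.parent.lower()
        if _suffix_match(ev.dest, IOC_DOMAINS):
            findings.append((ev.host, "ioc_domain", f"{proc} -> {ev.dest}"))
            continue
        api = _suffix_match(ev.dest, CLOUD_API_SUFFIXES)
        if api is None or proc in EXPECTED_CLIENTS:
            continue  # not a cloud API, or an expected client of it
        svc = CLOUD_API_SUFFIXES[api]
        if parent == "explorer.exe" and proc in SCRIPT_HOSTS:
            findings.append((ev.host, "lnk_chain_cloud_c2",
                             f"{parent} -> {proc} -> {ev.dest} ({svc})"))
        else:
            findings.append((ev.host, "unexpected_client", f"{proc} -> {ev.dest} ({svc})"))
    return findings


# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    Event("ws01", "msedge.exe", "explorer.exe", "sheets.googleapis.com"),              # benign
    Event("ws01", "powershell.exe", "explorer.exe", "sheets.googleapis.com"),          # LNK -> Sheets C2
    Event("ws02", "svchost.exe", "services.exe", "my-app-default-rtdb.firebaseio.com"),  # odd client
    Event("ws03", "outlook.exe", "explorer.exe", "graph.microsoft.com"),               # benign
    Event("ws04", "regsvr32.exe", "explorer.exe", "graph.microsoft.com"),              # LNK -> Graph C2
    Event("ws05", "winword.exe", "explorer.exe", "docs.hcidoc.in"),                    # IOC domain
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Running the block as-is triages the constructed sample; in practice the input is Sysmon network or DNS events joined to process creation, or proxy logs with process attribution. The hash IOCs below can be split with hash_kind() into MD5, SHA-1 and SHA-256 columns before loading them into an EDR, which avoids the common mistake of pasting a mixed list into a single hash field.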
Affected Countries
India, United Kingdom, Germany, France, Italy, Netherlands
Indicators of Compromise
- hash: 03141afe5c20d37620c085cdbeb4058b
- hash: 0729db72ab4ad9b2ac7a82918c744388
- hash: 0f7730a78490c61964b3bfc05eb59ea7
- hash: 119b836b4e1e7be8c3be8fe921f72bfb
- hash: 12669c29e00057abf20c73a434eb3dd2
- hash: 1ede39cb02b8aaa75063febc167db565
- hash: 21dacb6cf6da872f1f3c7b6c876a8a92
- hash: 41a3752e6ea83d25731f22e1c17f59e2
- hash: 5001c32b386cc8346079db7b2629d777
- hash: 556a567a2c5c27a6aa5660e2e6bcce7b
- hash: 62a23220b0249a15503f5ad762ed5889
- hash: 6bed5e271eddf5cb86a5964b8c2f51b6
- hash: 7269779e3fe07b1d96564117461ec75b
- hash: 87c7d69c6131406afdd0a08e89329d0a
- hash: a0b6869accba2c9ad3e1f79268a810d4
- hash: cd5aab2b0f8d2b42e7a6537303d6345d
- hash: e48f1000c86b93cf428a13a0b7384e0d
- hash: ed4dd29c57a38f2bb1934acbaeadeeba
- hash: f9a2da8f12179414663a230f11edca20
- hash: 147055a1341737625cf0e878b7ebd5acf09d1883
- hash: 16410fe2c44272005ca3c2ce994d24e9c2e731f6
- hash: 2f46595d58bef1c70ca757e18bb04443b2d5ce72
- hash: 6140ed17fa47e0fa166449eaf2b2770fec0fedbd
- hash: 7bc5d288ec260765a146136194d815ff3c697df8
- hash: 8735e1af5134d1cd173b55b089e31becb0261677
- hash: 8f9843607ff0ed83ca58e21612b41d6e744beb81
- hash: 97712c11b83c31ba03b747cf39a49cd0e208c5f5
- hash: a38eab1ac01201b651b2efdebc78e994402976f1
- hash: a55c18a82203cf1efafac6f3c47642ab60c74ffc
- hash: aa9b4410004d43e4e5cc1fc2cda1956bc5663b03
- hash: ac06003a774af5a8e4be349fc6f0e65cea116370
- hash: b8fd6b4eece68095caeb26bdd1090ab7959f24aa
- hash: cdecfe8e1cacd1af204a5da52f6c02eb16fdea8b
- hash: daeeb031a9617e6f1b7bf4d85de9c75f62021c82
- hash: e333ae0948ede0cf1368deec53a1eda18210e75e
- hash: e9d9d8c0c818ba9208e61eaf49af4c1b37f4eb59
- hash: e9eeda092500d7c7f278672d35f733e0e26f0e2c
- hash: f68cd104bfa2ac9992a98936c6e97c41e680b698
- hash: 20d72c8580b4d5ef4f771c91ce1d1207e5416fa789d8216a73a0abb8e030644f
- hash: 309a39ba10cd7c7075837b63d247fa45764f5496fdae215e95a3f4b65ab6dfc3
- hash: 363fca9534e5cb69e40330473bcbd0acc439cf81a555234eed250f65c98478e3
- hash: 43fb05d9fc179f791b1a2814f7116ee577b6e48f62eee63af039350260d7fe2b
- hash: 59abb997927e471472a1c487dea0180d11e9c99774bb138ace46771acba9c3d8
- hash: 61b2b6b61474398a966e26d3b909542450fcab9b6670558cecd6fabc1015bbce
- hash: 644dda0ea5db1eb5f07ccfccddb909c6ee57235c4465adbfc342da6867cdb71a
- hash: 71794df37a107472e8d0829387741953f9e6c7778519b11f061c79ff6fb0f386
- hash: 86d8b3fe209b3f1d9a20865ff1ee5d6015941c2a5394861118c8d6ec3695f1a6
- hash: 889b4b1e13b66aff349282eae3999783f5542f961b433a7d4653c5281e7f4d3e
- hash: 989ad43bb9e328d786664247c3af4c17be28932760113708a9c6de977d69652c
- hash: 9ab6d01a6df367ee505e59850438e6926dfb61c2ebfbe4e03eba48f70ee36ac3
- hash: 9eebbf8899a1cf4156a872e9b8cde2a8f6ab364b8089550510938405c622cc58
- hash: a97cc81a2f7c05bfc498b71999176c2aeb6e3ad273e48eb1f5c1c5647419c642
- hash: b56062033df06738b66c38b3fa2f82a7e8c558336a4790c83c7faad595172167
- hash: bb11bea463ab1b976c3716591f93eccc71c1a2d1c389a371416b140cd8faa6f0
- hash: bec00fa5a87195f182511ecc5292a716c79bc74e17bd1138c8fb2f2285df1b46
- hash: de14ca6d93dadbc1ec216700d76ad2d0e7b9ebceb95de68c631d0a1c01c915c4
- hash: eea5cb7795d86e4612edcc6f0085d151e1b7a7351646caf26955c2ac35158971
- domain: coadelhi.in
- domain: hciaccounts.in
- domain: hcidelhi.in
- domain: hcidoc.in
- domain: hcisupport.in
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and
- Adversary: null
- Pulse Id: 697a42251f1b8af2c39201cc
- Threat Score: null
Threat ID: 697a5de14623b1157ce5e519
Added to database: 1/28/2026, 7:05:05 PM
Last enriched: 1/28/2026, 7:05:18 PM
Last updated: 1/30/2026, 12:01:03 AM
Views: 54