Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Operation ShadowRecruit: A Recruitment-Themed Malware Campaign Leveraging ControlR and Google Sheets to Target Indian Job Seekers

0
Medium
Published: 07/14/2026 (07/14/2026, 11:51:21 UTC)
Source: AlienVault OTX General

Description

Operation ShadowRecruit is a medium-severity malware campaign targeting Indian government job seekers through fake recruitment ads. The attack uses a malicious ZIP archive containing a disguised LNK file, PowerShell script, and .NET executable. It abuses the legitimate ControlR remote management tool for persistence and deploys SheetAgent RAT, a custom .NET malware that uses Google Sheets as a command-and-control channel. The malware employs multiple persistence mechanisms such as scheduled tasks and startup folder entries and includes anti-virtualization checks to evade analysis. The campaign infrastructure includes multiple web-based management panels and shows links to APT36 based on targeting and tactics.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 16:35:23 UTC

Technical Analysis

This campaign targets Indian government job seekers by distributing malicious ZIP archives that contain a disguised LNK file, PowerShell downloader script, and a .NET executable. The attackers leverage the legitimate ControlR remote management tool to maintain persistent access on compromised systems. They deploy SheetAgent RAT, a custom remote access trojan written in .NET, which communicates with its command-and-control infrastructure via Google Sheets, an uncommon but stealthy C2 channel. The malware uses scheduled tasks and startup folder entries for persistence and incorporates anti-virtualization techniques to detect and evade sandbox or virtualized analysis environments. Infrastructure analysis reveals multiple web-based management panels and tradecraft similarities to the APT36 threat actor group. The campaign specifically targets Indian job seekers and related regions.

Potential Impact

Successful compromise results in persistent remote access to infected systems via the ControlR tool and SheetAgent RAT. The attacker can execute arbitrary commands and maintain stealthy control through Google Sheets C2. The use of anti-virtualization techniques complicates detection and analysis. The campaign targets sensitive individuals seeking government jobs, potentially leading to espionage or data theft. No known exploits in the wild are reported, but the campaign's sophistication and targeting indicate a significant threat to affected users.

Mitigation Recommendations

No official patch or fix is available as this is a malware campaign rather than a software vulnerability. Mitigation focuses on user awareness to avoid opening suspicious recruitment-related ZIP archives and LNK files. Organizations should monitor for abuse of ControlR remote management tools and scheduled tasks or startup entries indicative of persistence mechanisms. Endpoint detection and response solutions should be tuned to detect PowerShell downloader scripts and unusual Google Sheets network traffic. Since this is not a cloud service, remediation depends on endpoint security controls and user education.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.seqrite.com/blog/operation-shadowrecruit-a-recruitment-themed-malware-campaign-leveraging-controlr-and-google-sheets-to-target-indian-job-seekers/"]
Adversary
Operation C-Major
Pulse Id
6a5622b97dd5ae5935298cdb
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash6bcf91af52b9577ba81cbae9368f91f8
hash6f2fd5cb3901d6818316423ac72da5e8
hash90682a7c53132750b1517f80cab2281c
hash081747ca2a2f4be07b52ab1da0c76b8e508248a7
hasha154f9bff1999be4a42ffc4cbfc686e64a163997
hashc1a691fdd339709439774e9402b71a4b4ba50f42
hash2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c
hash434243e615b93a1b948c26ad55902bd78f9fa18e42375c15790634375c1ad3f4
hash70fe7576f20f5dd6a3d872753c922f1394d91487f5eabb417b240b83c22e31b2
hashb928e523b51187b932e48a65d36ce3d0c39ee9d409d493b90f98cf3d1e0e73b0
hashc4859db541b2bd0d266bbc44fafb5a767c862a57a3633a949dfaeebdf88ed529
hashcf3f1bceb83fa3acefbabae4bdc275347cfe03dd7fc770052a33baef204a89f7
hashee9dd2a180aea75af5c0eda16b83681c0a5fed451bfad6d5b3af85c3b62fa210
hashfd2ac3a761f66dc6954014532795f9108f65739f23e4b294d4563673b7996881

Threat ID: 6a56614668715ace43d25243

Added to database: 07/14/2026, 16:18:14 UTC

Last enriched: 07/14/2026, 16:35:23 UTC

Last updated: 07/15/2026, 01:52:10 UTC

Views: 8

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses