Operation ShadowRecruit: A Recruitment-Themed Malware Campaign Leveraging ControlR and Google Sheets to Target Indian Job Seekers
Operation ShadowRecruit is a medium-severity malware campaign targeting Indian government job seekers through fake recruitment ads. The attack uses a malicious ZIP archive containing a disguised LNK file, PowerShell script, and .NET executable. It abuses the legitimate ControlR remote management tool for persistence and deploys SheetAgent RAT, a custom .NET malware that uses Google Sheets as a command-and-control channel. The malware employs multiple persistence mechanisms such as scheduled tasks and startup folder entries and includes anti-virtualization checks to evade analysis. The campaign infrastructure includes multiple web-based management panels and shows links to APT36 based on targeting and tactics.
AI Analysis
Technical Summary
This campaign targets Indian government job seekers by distributing malicious ZIP archives that contain a disguised LNK file, PowerShell downloader script, and a .NET executable. The attackers leverage the legitimate ControlR remote management tool to maintain persistent access on compromised systems. They deploy SheetAgent RAT, a custom remote access trojan written in .NET, which communicates with its command-and-control infrastructure via Google Sheets, an uncommon but stealthy C2 channel. The malware uses scheduled tasks and startup folder entries for persistence and incorporates anti-virtualization techniques to detect and evade sandbox or virtualized analysis environments. Infrastructure analysis reveals multiple web-based management panels and tradecraft similarities to the APT36 threat actor group. The campaign specifically targets Indian job seekers and related regions.
Potential Impact
Successful compromise results in persistent remote access to infected systems via the ControlR tool and SheetAgent RAT. The attacker can execute arbitrary commands and maintain stealthy control through Google Sheets C2. The use of anti-virtualization techniques complicates detection and analysis. The campaign targets sensitive individuals seeking government jobs, potentially leading to espionage or data theft. No known exploits in the wild are reported, but the campaign's sophistication and targeting indicate a significant threat to affected users.
Mitigation Recommendations
No official patch or fix is available as this is a malware campaign rather than a software vulnerability. Mitigation focuses on user awareness to avoid opening suspicious recruitment-related ZIP archives and LNK files. Organizations should monitor for abuse of ControlR remote management tools and scheduled tasks or startup entries indicative of persistence mechanisms. Endpoint detection and response solutions should be tuned to detect PowerShell downloader scripts and unusual Google Sheets network traffic. Since this is not a cloud service, remediation depends on endpoint security controls and user education.
Affected Countries
British Indian Ocean Territory, India
Indicators of Compromise
- hash: 6bcf91af52b9577ba81cbae9368f91f8
- hash: 6f2fd5cb3901d6818316423ac72da5e8
- hash: 90682a7c53132750b1517f80cab2281c
- hash: 081747ca2a2f4be07b52ab1da0c76b8e508248a7
- hash: a154f9bff1999be4a42ffc4cbfc686e64a163997
- hash: c1a691fdd339709439774e9402b71a4b4ba50f42
- hash: 2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c
- hash: 434243e615b93a1b948c26ad55902bd78f9fa18e42375c15790634375c1ad3f4
- hash: 70fe7576f20f5dd6a3d872753c922f1394d91487f5eabb417b240b83c22e31b2
- hash: b928e523b51187b932e48a65d36ce3d0c39ee9d409d493b90f98cf3d1e0e73b0
- hash: c4859db541b2bd0d266bbc44fafb5a767c862a57a3633a949dfaeebdf88ed529
- hash: cf3f1bceb83fa3acefbabae4bdc275347cfe03dd7fc770052a33baef204a89f7
- hash: ee9dd2a180aea75af5c0eda16b83681c0a5fed451bfad6d5b3af85c3b62fa210
- hash: fd2ac3a761f66dc6954014532795f9108f65739f23e4b294d4563673b7996881
Operation ShadowRecruit: A Recruitment-Themed Malware Campaign Leveraging ControlR and Google Sheets to Target Indian Job Seekers
Description
Operation ShadowRecruit is a medium-severity malware campaign targeting Indian government job seekers through fake recruitment ads. The attack uses a malicious ZIP archive containing a disguised LNK file, PowerShell script, and .NET executable. It abuses the legitimate ControlR remote management tool for persistence and deploys SheetAgent RAT, a custom .NET malware that uses Google Sheets as a command-and-control channel. The malware employs multiple persistence mechanisms such as scheduled tasks and startup folder entries and includes anti-virtualization checks to evade analysis. The campaign infrastructure includes multiple web-based management panels and shows links to APT36 based on targeting and tactics.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign targets Indian government job seekers by distributing malicious ZIP archives that contain a disguised LNK file, PowerShell downloader script, and a .NET executable. The attackers leverage the legitimate ControlR remote management tool to maintain persistent access on compromised systems. They deploy SheetAgent RAT, a custom remote access trojan written in .NET, which communicates with its command-and-control infrastructure via Google Sheets, an uncommon but stealthy C2 channel. The malware uses scheduled tasks and startup folder entries for persistence and incorporates anti-virtualization techniques to detect and evade sandbox or virtualized analysis environments. Infrastructure analysis reveals multiple web-based management panels and tradecraft similarities to the APT36 threat actor group. The campaign specifically targets Indian job seekers and related regions.
Potential Impact
Successful compromise results in persistent remote access to infected systems via the ControlR tool and SheetAgent RAT. The attacker can execute arbitrary commands and maintain stealthy control through Google Sheets C2. The use of anti-virtualization techniques complicates detection and analysis. The campaign targets sensitive individuals seeking government jobs, potentially leading to espionage or data theft. No known exploits in the wild are reported, but the campaign's sophistication and targeting indicate a significant threat to affected users.
Mitigation Recommendations
No official patch or fix is available as this is a malware campaign rather than a software vulnerability. Mitigation focuses on user awareness to avoid opening suspicious recruitment-related ZIP archives and LNK files. Organizations should monitor for abuse of ControlR remote management tools and scheduled tasks or startup entries indicative of persistence mechanisms. Endpoint detection and response solutions should be tuned to detect PowerShell downloader scripts and unusual Google Sheets network traffic. Since this is not a cloud service, remediation depends on endpoint security controls and user education.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.seqrite.com/blog/operation-shadowrecruit-a-recruitment-themed-malware-campaign-leveraging-controlr-and-google-sheets-to-target-indian-job-seekers/"]
- Adversary
- Operation C-Major
- Pulse Id
- 6a5622b97dd5ae5935298cdb
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash6bcf91af52b9577ba81cbae9368f91f8 | — | |
hash6f2fd5cb3901d6818316423ac72da5e8 | — | |
hash90682a7c53132750b1517f80cab2281c | — | |
hash081747ca2a2f4be07b52ab1da0c76b8e508248a7 | — | |
hasha154f9bff1999be4a42ffc4cbfc686e64a163997 | — | |
hashc1a691fdd339709439774e9402b71a4b4ba50f42 | — | |
hash2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c | — | |
hash434243e615b93a1b948c26ad55902bd78f9fa18e42375c15790634375c1ad3f4 | — | |
hash70fe7576f20f5dd6a3d872753c922f1394d91487f5eabb417b240b83c22e31b2 | — | |
hashb928e523b51187b932e48a65d36ce3d0c39ee9d409d493b90f98cf3d1e0e73b0 | — | |
hashc4859db541b2bd0d266bbc44fafb5a767c862a57a3633a949dfaeebdf88ed529 | — | |
hashcf3f1bceb83fa3acefbabae4bdc275347cfe03dd7fc770052a33baef204a89f7 | — | |
hashee9dd2a180aea75af5c0eda16b83681c0a5fed451bfad6d5b3af85c3b62fa210 | — | |
hashfd2ac3a761f66dc6954014532795f9108f65739f23e4b294d4563673b7996881 | — |
Threat ID: 6a56614668715ace43d25243
Added to database: 07/14/2026, 16:18:14 UTC
Last enriched: 07/14/2026, 16:35:23 UTC
Last updated: 07/15/2026, 01:52:10 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.