VYPR research · Published Jun 12, 2026 · 1 source

SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations

A new C# remote access trojan named SHEETCREEP uses Google Sheets as a hidden command-and-control channel, targeting diplomatic organizations via phishing emails.

Researchers at Securonix have identified a sophisticated remote access trojan (RAT) named SHEETCREEP that uses the Google Sheets API as its command-and-control (C2) infrastructure. The malware targets diplomatic organizations, using phishing emails disguised as official documents for the UAE-India Strategic Partnership Week to trick victims into executing the payload. The campaign represents a calculated evolution in stealthy espionage operations, exploiting the trust placed in widely used cloud platforms.

The attack chain begins with a phishing email containing an ISO file. Inside the ISO is a shortcut that appears to be a PDF but actually launches a C# dropper when double-clicked. The dropper installs the SHEETCREEP RAT, which is stored as vaultsvc.exe in the legitimate Windows Credential Vault folder. The RAT is written in C# and weighs only about 20 KB, yet it can fully execute commands, collect data, and exfiltrate information using Google's spreadsheet infrastructure.

SHEETCREEP's C2 mechanism is particularly innovative. The malware creates a unique victim identifier from the username, machine name, and a four-character hash, using that as the name of a dedicated tab in the attacker's Google Sheet. All communication runs over HTTPS via the Google Sheets API, making the traffic indistinguishable from normal Google Workspace activity. Commands are written into one spreadsheet column and responses into another, with all data encoded in Base64. The C2 configuration strings, including the spreadsheet ID and service account email, are XOR-encrypted with the key "discrete" and decrypted only at runtime, making static analysis significantly harder.
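The report states that the C2 configuration is XOR-encrypted with the key "discrete" and only decrypted at runtime. The script below is an added analyst-side example (not Securonix's tooling and not code from the malware) of how such strings can be recovered from a dumped blob during static analysis. It assumes byte-wise repeating-key XOR over ASCII and that the alignment of the data to the key is unknown, so it tries every rotation of the key and keeps only printable runs that look like a spreadsheet ID or a service-account principal. The sample blob, the placeholder spreadsheet ID and the placeholder service-account address are all constructed.

```python
"""Recover XOR-obfuscated C2 configuration strings from a byte blob.

Added example for analysts; assumes repeating-key XOR with the key "discrete"
(named in the report) and an unknown key alignment, so all rotations are tried.
"""
import re
from itertools import cycle

XOR_KEY = b"discrete"                       # key named in the report
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Heuristic patterns: spreadsheet IDs are long URL-safe tokens, service-account
# principals end in .iam.gserviceaccount.com.
SPREADSHEET_ID_RE = re.compile(r"[A-Za-z0-9_-]{30,}")
SERVICE_ACCOUNT_RE = re.compile(r"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Symmetric repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rotations(key: bytes):
    """Every cyclic shift of the key, one per possible alignment."""
    for r in range(len(key)):
        yield key[r:] + key[:r]


def recover_config(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Decode the blob under each key alignment and classify printable runs.

    Only runs containing a spreadsheet-ID-like token or a service-account
    address are kept, which filters most of the noise from wrong alignments.
    """
    found = {"strings": set(), "spreadsheet_ids": set(), "service_accounts": set()}
    for k in rotations(key):
        plain = xor_repeating(blob, k)
        for m in PRINTABLE_RUN.finditer(plain):
            text = m.group().decode("ascii")
            ids = SPREADSHEET_ID_RE.findall(text)
            sas = SERVICE_ACCOUNT_RE.findall(text)
            if ids or sas:
                found["strings"].add(text)
                found["spreadsheet_ids"].update(ids)
                found["service_accounts"].update(sas)
    return {name: sorted(values) for name, values in found.items()}


# Constructed sample: a placeholder config, XORed with the key and embedded at a
# non-zero offset so the alignment search is exercised. Not from a real sample.
_CONFIG = (b"sheet=PLACEHOLDER_SPREADSHEET_ID_0000000000000000;"
           b"sa=placeholder-sa@placeholder-project.iam.gserviceaccount.com")
SAMPLE_BLOB = b"\x00\x01\x02" + xor_repeating(_CONFIG, XOR_KEY) + b"\xff\xfe\xfd"

if __name__ == "__main__":
    for name, values in recover_config(SAMPLE_BLOB).items():
        print(f"{name}: {values}")
```

Because every XOR key byte differs from every other by a non-zero delta, a wrong alignment can never reproduce the literal `.iam.gserviceaccount.com` suffix, so the service-account match is the reliable anchor; the spreadsheet-ID pattern alone can still pick up look-alike tokens from wrong alignments and should be confirmed against the alignment that produced the service-account hit.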

Securonix researchers extracted hardcoded credentials from the RAT binary and authenticated directly to the live C2 spreadsheet. They uncovered 91 active victim tabs at the time of analysis, including 17 potential real targets with physical hardware and no sandbox indicators. A high-confidence target was confirmed in Islamabad, Pakistan, showing that the campaign has reached real systems beyond analysis environments. The campaign was first documented by Zscaler ThreatLabz in January 2026, but the current version shows clear signs of evolution, with threat actors upgrading their tools to evade detection.

The SHEETCREEP RAT employs multiple evasion techniques. Instead of launching PowerShell as a separate process, it executes commands entirely from within its own process memory, leaving no child process visible to security monitoring tools. The malware hides its executable using Hidden and System file attributes inside a directory path that closely resembles a standard Windows system folder. For persistence, it installs a scheduled task named WindowsVaultSyncService with a misleading description crafted to appear harmless. If the malware detects active analysis tools such as dnSpy or Wireshark, it forces an immediate system restart to disrupt any ongoing investigation.

Analysts assess with moderate confidence that the campaign is linked to APT36, also known as Transparent Tribe, a Pakistan-aligned group with a long history of targeting Indian government and military institutions. The use of Google Sheets as a C2 channel is a notable departure from traditional infrastructure, as it allows attackers to hide malicious activity behind one of the internet's most trusted platforms. Securonix recommends that organizations avoid opening unsolicited ISO file attachments, monitor for unexpected executables in the Windows Vault directory, and flag non-browser processes making repeated connections to Google Sheets API endpoints. Deploying Sysmon alongside .NET-based detection capabilities can help capture in-process PowerShell activity that conventional logging would otherwise miss.
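The evasion techniques and the detection recommendations above translate into a handful of host-level rules. The script below is an added example (not Securonix's detection content) that runs those rules over constructed Sysmon-style events: a non-browser process making repeated connections to the Sheets API endpoint, an executable written into the Credential Vault folder, a scheduled task named WindowsVaultSyncService being registered, and the in-process PowerShell case, detected here as the PowerShell automation engine being loaded into a process that is not a PowerShell host. Assumptions: Sysmon event IDs 1, 3, 7 and 11 with their standard field names; the Vault folder living under `...\Microsoft\Vault\` (confirm on your own builds); the task being registered via `schtasks.exe` (a task created through the Task Scheduler API will not produce that process and is better caught with Security event 4698); and the sample events, paths and the `dropper.exe` name, which are all constructed.

```python
"""Host-level triage rules for SHEETCREEP-style tradecraft over Sysmon events.

Added example, not Securonix content. Assumes Sysmon event IDs 1 (process
create), 3 (network connection), 7 (image load) and 11 (file create), and that
the Credential Vault folder sits under ...\\Microsoft\\Vault\\ (assumption).
"""
import re
from collections import Counter
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SHEETS_API_HOSTS = {"sheets.googleapis.com"}
PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
VAULT_DIR_RE = re.compile(r"\\Microsoft\\Vault\\", re.IGNORECASE)   # assumed path
TASK_NAME = "windowsvaultsyncservice"        # persistence task named in the report
REPEAT_THRESHOLD = 3                         # what counts as "repeated" connections


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Apply the four rules to a list of event dicts and return the findings."""
    findings = []
    sheets_hits = Counter()
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        exe = basename(image)
        if eid == 3 and ev.get("DestinationHostname", "").lower() in SHEETS_API_HOSTS:
            # Browsers talk to Sheets constantly; anything else doing it repeatedly is odd.
            if exe not in BROWSERS:
                sheets_hits[image] += 1
                if sheets_hits[image] == REPEAT_THRESHOLD:
                    findings.append(Finding("non_browser_sheets_api", image,
                                            f"{REPEAT_THRESHOLD}+ connections to {ev['DestinationHostname']}"))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if VAULT_DIR_RE.search(target) and target.lower().endswith(".exe"):
                findings.append(Finding("exe_written_to_vault_dir", image, target))
        elif eid == 1:
            cmd = ev.get("CommandLine", "").lower()
            if exe == "schtasks.exe" and "/create" in cmd and TASK_NAME in cmd:
                findings.append(Finding("suspicious_scheduled_task", image, ev["CommandLine"]))
        elif eid == 7:
            loaded = basename(ev.get("ImageLoaded", ""))
            # In-process PowerShell: the automation engine (or its native image)
            # loaded by something that is not a PowerShell host. Tune PS_HOSTS
            # for legitimate .NET hosts seen in your estate.
            if loaded.startswith("system.management.automation") and exe not in PS_HOSTS:
                findings.append(Finding("powershell_hosted_in_process", image, ev["ImageLoaded"]))
    return findings


# Constructed sample events (not real telemetry); paths abbreviated.
VAULT_RAT = r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe"
PS_ENGINE = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",  # hypothetical dropper name
     "TargetFilename": VAULT_RAT},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /TN WindowsVaultSyncService /TR "%LOCALAPPDATA%\Microsoft\Vault\vaultsvc.exe" /SC ONLOGON'},
    {"EventID": 7, "Image": VAULT_RAT, "ImageLoaded": PS_ENGINE},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": PS_ENGINE},
] + [{"EventID": 3, "Image": VAULT_RAT,
      "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443}] * 3

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The image-load rule is the piece that a plain process-creation feed misses: because the RAT runs PowerShell inside its own process there is no `powershell.exe` child to see, but the engine assembly still has to be mapped, and Sysmon event 7 records that. Expect some benign hosts of that assembly (administration consoles, editors with PowerShell tooling), so treat `PS_HOSTS` as a starting allowlist rather than a fixed one.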

Synthesized by Vypr AI