The Sheet Attack campaign is a malicious operation that uses Google Sheets as a command-and-control channel, an uncommon tactic in this region. In September 2025, Zscaler ThreatLabz discovered three additional backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, used to power the campaign. The campaign stands out for its use of legitimate cloud services, such as Google and Microsoft, to blend in and evade security controls. The backdoors deploy lightweight malware that can exfiltrate files and manipulate emails. ThreatLabz identified several high-confidence fingerprints within the malware that strongly suggest generative AI was used in its development. Despite sharing similarities with the APT36 threat group, the campaign is believed to originate from a new subgroup or a parallel Pakistan-linked group. The campaign has been active since November 2025 and has introduced new backdoors written in several programming languages. The threat actors have also deployed additional payloads, including a PowerShell-based document stealer and MAILCREEP, a backdoor developed in Golang. The use of generative AI in malware development is a growing trend, and the Sheet Attack campaign is one example of it. The campaign's tactics and techniques have evolved over time, with the threat actors moving from PDFs to malicious LNK files as the initial infection vector.
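The two traits summarized above, an LNK-launched script host and a command channel hidden in Google Sheets traffic, are individually common but rarely appear together on a workstation. The following hunt is an added example written for this page, not code from Zscaler ThreatLabz or from the campaign report: it correlates constructed, Sysmon-like process-creation and network-connection records by process GUID and flags only the combination. The field names (`guid`, `image`, `parent_image`, `dest_host`) and the Google Sheets hostnames are assumptions for the example, not indicators taken from the report.

```python
"""Correlate process-creation and network events to surface the pattern
'script host started from explorer.exe (how a double-clicked LNK launches)
AND outbound traffic to a Google Sheets endpoint'.

All telemetry below is constructed for this example; field names and the
endpoint list are assumptions to be tuned to the environment."""
import ntpath
from collections import defaultdict
from typing import Dict, List

# Interpreters commonly started by a malicious shortcut.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# A user-opened LNK file is spawned by the shell, so explorer.exe is the parent.
SHORTCUT_LAUNCHERS = {"explorer.exe"}
# Assumed Google Sheets endpoints; benign browsers reach these too, which is why
# the hostname alone is never enough to alert on.
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[Dict] = [
    # Benign: a browser opening a spreadsheet.
    {"type": "process", "guid": "p1",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "guid": "p1", "dest_host": "docs.google.com"},
    # Suspicious: shortcut-launched PowerShell that then polls the Sheets API.
    {"type": "process", "guid": "p2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "guid": "p2", "dest_host": "sheets.googleapis.com"},
    # Admin PowerShell with only internal traffic: not flagged.
    {"type": "process", "guid": "p3",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "guid": "p3", "dest_host": "wsus.corp.example"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one alert per process that shows BOTH the launch pattern and
    Google Sheets traffic. Either trait alone is too noisy to alert on."""
    procs: Dict[str, Dict] = {}
    hosts: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            procs[e["guid"]] = e
        elif e["type"] == "network":
            hosts[e["guid"]].add(e["dest_host"].lower())

    alerts = []
    for guid, p in procs.items():
        reasons = []
        if (basename(p["image"]) in SCRIPT_HOSTS
                and basename(p["parent_image"]) in SHORTCUT_LAUNCHERS):
            reasons.append("script host launched from explorer.exe (LNK-style start)")
        sheets = hosts[guid] & SHEETS_HOSTS
        if sheets:
            reasons.append("outbound to Google Sheets endpoint(s): "
                           + ", ".join(sorted(sheets)))
        if len(reasons) == 2:
            alerts.append({"guid": guid, "image": p["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["guid"], alert["image"])
        for r in alert["reasons"]:
            print("  -", r)
```

The value of the correlation is in the negatives: the browser that opens a spreadsheet (`p1`) and the administrator's PowerShell session (`p3`) each match one trait and stay silent, while only `p2` matches both. In production the same join runs over EDR or Sysmon data keyed by process GUID, and the endpoint and launcher sets are widened to cover the Microsoft services the page also mentions.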
Hacker & Security News on Bluesky @hacker.at.thenote.app
securityboulevard.com
