VERY IMPORTANT

A new campaign targeting Indian government entities was uncovered, utilizing three backdoors: SHEETCREEP, FIREPOWER, and MAILCREEP. These tools leverage legitimate cloud services like Google Sheets, Firebase, and Microsoft Graph API for command and control, enabling the attackers to blend in with normal traffic. The campaign, named Sheet Attack, employed PDFs and malicious LNK files as initial infection vectors. Evidence suggests the use of generative AI in malware development. While sharing similarities with APT36, the campaign's unique characteristics point to either a new Pakistan-linked group or an APT36 subgroup. The attackers demonstrated hands-on-keyboard activity and deployed additional payloads, including a document stealer, to selected targets.