APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP

Jan. 28, 2026, 7:23 p.m.

Description

A new campaign targeting Indian government entities was uncovered, utilizing three backdoors: SHEETCREEP, FIREPOWER, and MAILCREEP. These tools leverage legitimate cloud services like Google Sheets, Firebase, and Microsoft Graph API for command and control, enabling the attackers to blend in with normal traffic. The campaign, named Sheet Attack, employed PDFs and malicious LNK files as initial infection vectors. Evidence suggests the use of generative AI in malware development. While sharing similarities with APT36, the campaign's unique characteristics point to either a new Pakistan-linked group or an APT36 subgroup. The attackers demonstrated hands-on-keyboard activity and deployed additional payloads, including a document stealer, to selected targets.

External References

https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and
https://otx.alienvault.com/pulse/697a42251f1b8af2c39201cc
Tags
backdoor
apt
pakistan
india
government
cloud services
generative ai
2026-01-28
firepower
mailcreep
sheetcreep

Date

  • Created: Jan. 28, 2026, 5:06 p.m.
  • Published: Jan. 28, 2026, 5:06 p.m.
  • Modified: Jan. 28, 2026, 7:23 p.m.

Indicators

  • 309a39ba10cd7c7075837b63d247fa45764f5496fdae215e95a3f4b65ab6dfc3
  • 889b4b1e13b66aff349282eae3999783f5542f961b433a7d4653c5281e7f4d3e
  • 59abb997927e471472a1c487dea0180d11e9c99774bb138ace46771acba9c3d8
  • a97cc81a2f7c05bfc498b71999176c2aeb6e3ad273e48eb1f5c1c5647419c642
  • 61b2b6b61474398a966e26d3b909542450fcab9b6670558cecd6fabc1015bbce
  • 20d72c8580b4d5ef4f771c91ce1d1207e5416fa789d8216a73a0abb8e030644f
  • b56062033df06738b66c38b3fa2f82a7e8c558336a4790c83c7faad595172167
  • 9eebbf8899a1cf4156a872e9b8cde2a8f6ab364b8089550510938405c622cc58
  • 9ab6d01a6df367ee505e59850438e6926dfb61c2ebfbe4e03eba48f70ee36ac3
  • eea5cb7795d86e4612edcc6f0085d151e1b7a7351646caf26955c2ac35158971
  • 86d8b3fe209b3f1d9a20865ff1ee5d6015941c2a5394861118c8d6ec3695f1a6
  • bec00fa5a87195f182511ecc5292a716c79bc74e17bd1138c8fb2f2285df1b46
  • 71794df37a107472e8d0829387741953f9e6c7778519b11f061c79ff6fb0f386
  • 43fb05d9fc179f791b1a2814f7116ee577b6e48f62eee63af039350260d7fe2b
  • 644dda0ea5db1eb5f07ccfccddb909c6ee57235c4465adbfc342da6867cdb71a
  • 989ad43bb9e328d786664247c3af4c17be28932760113708a9c6de977d69652c
  • de14ca6d93dadbc1ec216700d76ad2d0e7b9ebceb95de68c631d0a1c01c915c4
  • bb11bea463ab1b976c3716591f93eccc71c1a2d1c389a371416b140cd8faa6f0
  • 363fca9534e5cb69e40330473bcbd0acc439cf81a555234eed250f65c98478e3
Download all indicators here!

Attack Patterns

  • SHEETCREEP
  • MAILCREEP
  • FIREPOWER

Additional Informations

  • Government
  • hciaccounts.in
  • hcidelhi.in
  • hcidoc.in
  • coadelhi.in
  • hcisupport.in
  • India
  • British Indian Ocean Territory