SOC Prime Bias: Critical

16 Jun 2026 05:47 UTC

Analyzing SHEET#CREEP: The Malware Returns with New Config Obfuscation

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

An active espionage operation known as SHEETCREEP relies on a C# remote access trojan that uses the Google Sheets API for command and control. The attackers deliver the malware through a diplomatic-themed ISO phishing lure, after which the RAT establishes persistence and executes commands through an in-process PowerShell runspace. Recent samples show the operators have strengthened the malware by introducing XOR-based obfuscation for configuration data.

Investigation

The Securonix Threat Research team uncovered the campaign by extracting embedded Google Cloud service account credentials from the RAT binary. After authenticating to the live command-and-control spreadsheet, the researchers identified 91 active victim tabs, including sandboxes, research environments, and one high-confidence victim located in Pakistan. Their analysis also showed that the malware’s configuration protection had evolved through an updated obfuscation approach.
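The report states only that the configuration (including the spreadsheet ID the RAT talks to) is now XOR-obfuscated, and the attack-flow diagram names the key "discrete". The following decoder is an added example for analysts, not Securonix's or SOC Prime's tooling: it assumes the obfuscated value is the raw repeating-key XOR output wrapped in base64 (layout is an assumption), uses a plausibility check on the recovered value (Google spreadsheet IDs are 44 URL-safe characters), and builds its own sample blob from a made-up spreadsheet ID so it runs offline.

```python
"""
Repeating-key XOR decoder for a SHEETCREEP-style obfuscated config value.
Added example; the blob below is CONSTRUCTED from a fake spreadsheet ID,
not recovered from a real sample. Base64 wrapping is an assumption.
"""
import base64
import re

XOR_KEY = b"discrete"  # key named in the attack-flow diagram on this page

# Google spreadsheet IDs: 44 characters from the URL-safe base64 alphabet.
SPREADSHEET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{44}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_config_value(plaintext: str, key: bytes = XOR_KEY) -> str:
    """Build a base64-wrapped XOR blob (used here only to construct test input)."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def decode_config_value(blob_b64: str, key: bytes = XOR_KEY) -> str:
    """Unwrap base64, XOR with the key, and return the recovered string."""
    raw = base64.b64decode(blob_b64, validate=True)
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def looks_like_spreadsheet_id(value: str) -> bool:
    """Cheap plausibility check: did the key actually yield a spreadsheet ID?"""
    return bool(SPREADSHEET_ID_RE.match(value))


# Constructed sample: a fake 44-character spreadsheet ID, obfuscated with XOR_KEY.
FAKE_SPREADSHEET_ID = "1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_-AbCdE"
SAMPLE_BLOB = obfuscate_config_value(FAKE_SPREADSHEET_ID)

if __name__ == "__main__":
    recovered = decode_config_value(SAMPLE_BLOB)
    print("blob      :", SAMPLE_BLOB)
    print("recovered :", recovered)
    print("plausible spreadsheet ID:", looks_like_spreadsheet_id(recovered))
    # A wrong key yields characters outside the ID alphabet, so the check rejects it.
    print("wrong key plausible:", looks_like_spreadsheet_id(decode_config_value(SAMPLE_BLOB, key=b"wrongkey")))
```

When triaging a real sample, feed the extracted blob to `decode_config_value` and treat a failed `looks_like_spreadsheet_id` as a sign that either the key or the assumed wrapping differs from this variant.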

Mitigation

Organizations should avoid opening unsolicited attachments, especially ISO files that contain LNK shortcut files. Defenders should monitor the %LOCALAPPDATA%\Microsoft\Vault directory for suspicious executables and review scheduled tasks for misleading or unexpected entries. Strong endpoint visibility through tools such as Sysmon and AMSI can also help detect in-process PowerShell activity tied to this malware.

Response

If unusual HTTPS traffic to Google API services is observed from non-browser processes, the affected system should be isolated immediately. Security teams should inspect scheduled tasks for unauthorized items such as WindowsVaultSyncService. A forensic review of %LOCALAPPDATA%\Microsoft\Vault should also be performed to identify hidden or system-attributed binaries associated with the intrusion.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef initial_access fill:#f96,stroke:#333,stroke-width:2px
        classDef execution fill:#3498db,stroke:#333,stroke-width:2px
        classDef persistence fill:#2ecc71,stroke:#333,stroke-width:2px
        classDef evasion fill:#9b59b6,stroke:#333,stroke-width:2px
        classDef command_control fill:#e74c3c,stroke:#333,stroke-width:2px
        classDef malware fill:#ecf0f1,stroke:#333,stroke-width:2px

        %% Initial Access Nodes
        node_iso["<b>File</b>: UAE-India_Strategic_Partnership_Week.iso<br/><b>Action</b>: Mounting ISO<br/><b>Context</b>: Diplomatic theme used for social engineering"]
        class node_iso initial_access
        node_lnk["<b>File</b>: Malicious LNK Shortcut<br/><b>Technique</b>: T1027.012 – Obfuscated Files or Information: LNK Icon Smuggling<br/><b>Description</b>: LNK file masquerading as a PDF icon to deceive the user"]
        class node_lnk initial_access

        %% Execution and Dropper Nodes
        node_user_exec["<b>Action</b>: T1204.002 – User Execution: Malicious File<br/><b>Description</b>: Victim interacts with the malicious LNK file"]
        class node_user_exec execution
        node_dropper["<b>Malware</b>: C# Dropper<br/><b>File</b>: Document_11052026-03578240540350-93.exe<br/><b>Function</b>: Extracts decoy PDF and drops RAT payload"]
        class node_dropper execution

        %% Persistence and Evasion Nodes
        node_rat["<b>Malware</b>: SHEETCREEP RAT<br/><b>Process</b>: vaultsvc.exe<br/><b>Location</b>: %LOCALAPPDATA%\Microsoft\Vault\vaultsvc.exe"]
        class node_rat malware
        node_attr_evasion["<b>Action</b>: T1027.008 – Obfuscated Files or Information: Stripped Payloads<br/><b>Description</b>: Setting RAT file attributes to Hidden and System"]
        class node_attr_evasion evasion
        node_persistence["<b>Action</b>: T1137 – Office Application Startup<br/><b>Method</b>: Scheduled Task via COM API<br/><b>Task Name</b>: WindowsVaultSyncService"]
        class node_persistence persistence
        node_melt["<b>Action</b>: T1070.004 – Indicator Removal: File Deletion<br/><b>Description</b>: Melt routine deletes the dropper and replaces it with a benign PDF"]
        class node_melt evasion

        %% C2 and Advanced Evasion Nodes
        node_c2_api["<b>Technique</b>: T1102.002 – Web Service: Bidirectional Communication<br/><b>Channel</b>: Google Sheets API<br/><b>Authentication</b>: GCP Service Account and RSA-2048 key"]
        class node_c2_api command_control
        node_xor_cfg["<b>Technique</b>: T1573.002 – Encrypted Channel<br/><b>Description</b>: XOR-encrypted configuration using key 'discrete' for Spreadsheet ID"]
        class node_xor_cfg command_control
        node_powershell_evasion["<b>Technique</b>: T1036.011 – Masquerading: Overwrite Process Arguments<br/><b>Description</b>: Executes commands via in-process PowerShell runspace to evade EDR"]
        class node_powershell_evasion evasion

        %% Connection Flow
        %% Flow starts with ISO
        node_iso -->|contains| node_lnk
        %% LNK leads to user interaction
        node_lnk -->|triggers| node_user_exec
        %% User interaction triggers dropper
        node_user_exec -->|executes| node_dropper
        %% Dropper performs multiple actions
        node_dropper -->|drops| node_rat
        node_dropper -->|applies attributes| node_attr_evasion
        node_dropper -->|establishes persistence| node_persistence
        node_dropper -->|performs| node_melt
        %% RAT operations
        node_rat -->|communicates via| node_c2_api
        node_rat -->|uses| node_xor_cfg
        node_rat -->|executes commands via| node_powershell_evasion

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish persistence and execute a remote access trojan (RAT) using the SHEETCREEP technique. First, they simulate the initial execution via a malicious LNK file that calls cmd.exe to start a specific suspicious executable. Next, they establish persistence by creating a scheduled task named WindowsVaultSyncService with a deceptive description to blend in with system updates. Finally, they deploy the payload vaultsvc.exe into the C:\Users\<User>\AppData\Local\Microsoft\Vault directory and execute it to trigger the final part of the detection logic.

  • Regression Test Script:

    # SHEETCREEP Simulation Script
    # Note: This script must be run with Administrative privileges to create scheduled tasks.

    $targetDir = "$env:LOCALAPPDATA\Microsoft\Vault"
    $payloadName = "vaultsvc.exe"
    $payloadPath = "$targetDir\$payloadName"
    $taskName = "WindowsVaultSyncService"
    $taskDesc = "Windows Edge Core Update Task Machine Discord Update"

    Write-Host "[+] Starting SHEETCREEP Simulation..." -ForegroundColor Cyan

    # 1. Simulate Selection 1: CMD execution with specific string
    # The executable does not exist; only the cmd.exe command line is needed to generate the telemetry.
    Write-Host "[+] Simulating Selection 1: CMD command pattern..." -ForegroundColor Yellow
    Start-Process cmd.exe -ArgumentList '/c start "" "Document_11052026-03578240540350-93.exe"' -WindowStyle Hidden

    # 2. Simulate Selection 2: Scheduled Task Creation
    Write-Host "[+] Simulating Selection 2: Scheduled Task creation..." -ForegroundColor Yellow
    $action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c echo Persistence Established"
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskName -Description $taskDesc -Force

    # 3. Simulate Selection 3: Payload placement and execution
    Write-Host "[+] Simulating Selection 3: Payload deployment and execution..." -ForegroundColor Yellow
    if (!(Test-Path $targetDir)) {
        New-Item -Path $targetDir -ItemType Directory -Force | Out-Null
    }

    # Create a dummy (empty) file to mimic the RAT; it only needs to exist at the monitored path
    New-Item -Path $payloadPath -ItemType File -Force | Out-Null

    # Execute the dummy payload (it is not a valid PE, so the launch fails; the process-start attempt is the telemetry)
    Start-Process -FilePath $payloadPath -WindowStyle Hidden -ErrorAction SilentlyContinue

    Write-Host "[+] Simulation commands sent. Check SIEM for alerts." -ForegroundColor Green
  • Cleanup Commands:

    # Cleanup SHEETCREEP Simulation
    $targetDir = "$env:LOCALAPPDATA\Microsoft\Vault"
    $payloadPath = "$targetDir\vaultsvc.exe"
    $taskName = "WindowsVaultSyncService"

    Write-Host "[+] Cleaning up simulation artifacts..." -ForegroundColor Cyan

    # Remove Scheduled Task
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue

    # Remove Payload and Directory
    if (Test-Path $payloadPath) { Remove-Item $payloadPath -Force }
    if (Test-Path $targetDir) { Remove-Item $targetDir -Recurse -Force }

    Write-Host "[+] Cleanup complete." -ForegroundColor Green
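The simulation above targets three selections (the cmd.exe start pattern, the WindowsVaultSyncService task, and vaultsvc.exe under %LOCALAPPDATA%\Microsoft\Vault), and the Response section adds a fourth signal: HTTPS to Google API hosts from a non-browser process. The following is an added example of that detection logic run over constructed Windows telemetry; it is not SOC Prime's rule, and the field names assume Sysmon events (EventID 1 process create, 3 network connect, 11 file create) plus Security event 4698 for task creation. Every sample event, user name and path below is made up.

```python
r"""
Detection checks for the SHEETCREEP tradecraft described on this page.
Added example, not SOC Prime's rule. Selections 1-3 mirror the simulation
script; check 4 implements the Response guidance on non-browser Google API
traffic. Sample events are CONSTRUCTED Sysmon/Security records.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
GOOGLE_API_HOST_RE = re.compile(r"(^|\.)googleapis\.com$", re.IGNORECASE)
VAULT_PAYLOAD_RE = re.compile(r"\\appdata\\local\\microsoft\\vault\\vaultsvc\.exe$", re.IGNORECASE)
# cmd.exe /c start "" "<name>.exe": the launch pattern the LNK stage uses
CMD_START_RE = re.compile(r'/c\s+start\s+""\s+"[^"]+\.exe"', re.IGNORECASE)
TASK_NAME = "WindowsVaultSyncService"


@dataclass
class Alert:
    selection: str
    reason: str
    event: Dict


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_cmd_start(ev: Dict) -> Optional[Alert]:
    """Selection 1: cmd.exe launching an executable through start "" "...exe"."""
    if (ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "cmd.exe"
            and CMD_START_RE.search(ev.get("CommandLine", ""))):
        return Alert("sel1_cmd_start", "cmd.exe start-pattern launching an .exe", ev)
    return None


def check_scheduled_task(ev: Dict) -> Optional[Alert]:
    """Selection 2: the deceptive task name. Security 4698 is needed because the
    RAT registers the task via the COM API, which leaves no schtasks.exe command line."""
    if ev.get("EventID") == 4698 and ev.get("TaskName", "").lstrip("\\").lower() == TASK_NAME.lower():
        return Alert("sel2_task", f"task {TASK_NAME} registered", ev)
    if ev.get("EventID") == 1 and TASK_NAME.lower() in ev.get("CommandLine", "").lower():
        return Alert("sel2_task", f"command line references task {TASK_NAME}", ev)
    return None


def check_vault_payload(ev: Dict) -> Optional[Alert]:
    """Selection 3: vaultsvc.exe written to, or started from, the Vault directory."""
    if ev.get("EventID") == 11 and VAULT_PAYLOAD_RE.search(ev.get("TargetFilename", "")):
        return Alert("sel3_vault_payload", "payload dropped under Microsoft\\Vault", ev)
    if ev.get("EventID") == 1 and VAULT_PAYLOAD_RE.search(ev.get("Image", "")):
        return Alert("sel3_vault_payload", "payload executed from Microsoft\\Vault", ev)
    return None


def check_nonbrowser_google_api(ev: Dict) -> Optional[Alert]:
    """Response guidance: port-443 connections to *.googleapis.com from a non-browser.
    Sysmon only fills DestinationHostname when it can resolve the address, so in
    production pair this with DNS (Sysmon 22) or proxy logs."""
    if ev.get("EventID") != 3 or ev.get("DestinationPort") != 443:
        return None
    host = ev.get("DestinationHostname", "")
    image = _basename(ev.get("Image", ""))
    if GOOGLE_API_HOST_RE.search(host) and image not in BROWSERS:
        return Alert("sel4_nonbrowser_googleapis", f"{image} -> {host}", ev)
    return None


CHECKS = (check_cmd_start, check_scheduled_task, check_vault_payload, check_nonbrowser_google_api)


def run_detections(events: List[Dict]) -> List[Alert]:
    return [a for ev in events for chk in CHECKS if (a := chk(ev)) is not None]


def triggered_selections(events: List[Dict]) -> List[str]:
    return sorted({a.selection for a in run_detections(events)})


# Constructed sample telemetry: four events that should alert, two benign ones that should not.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "Document_11052026-03578240540350-93.exe"'},
    {"EventID": 4698, "TaskName": r"\WindowsVaultSyncService", "SubjectUserName": "alice"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\Document_11052026-03578240540350-93.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Vault\vaultsvc.exe",
     "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},  # benign: browser
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # benign
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.selection}] {alert.reason}")
```

Running the simulation script on an instrumented host should produce events shaped like the first three samples; the fourth only appears with a live implant, which is why the Response section treats it as the isolation trigger rather than a simulation target.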