This is Part 2 of our two-part technical analysis on the Gopher Strike and Sheet Attack campaigns. For details on the Gopher Strike campaign, go to Part 1.IntroductionIn September 2025, Zscaler ThreatLabz uncovered three additional backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, used to power the Sheet Attack campaign. In Part 2 of this series, ThreatLabz will delve into these backdoors and analyze how threat actors are leveraging generative AI in their malware development processes.The Sheet Attack campaign stands out for its use of Google Sheets as a command-and-control (C2) channel, an uncommon tactic in this region. Between November 2025 and January 2026, ThreatLabz observed the deployment of new tools, including SHEETCREEP and FIREPOWER, along with MAILCREEP, which is used to manipulate emails, and a PowerShell-based document stealer to exfiltrate files. Furthermore, the activity contained indicators suggesting that the threat actors have adopted AI as part of their malware development workflow, mirroring a global trend of AI adoption by malicious actors.Key TakeawaysThe Sheet Attack campaign leveraged PDFs to deploy lightweight backdoors that utilized multiple C2 channels that abused legitimate cloud services, such as Google and Microsoft, enabling the network traffic to blend in and evade security controls.ThreatLabz identified SHEETCREEP, FIREPOWER, and MAILCREEP as backdoors employed in the Sheet Attack campaign.SHEETCREEP is a lightweight backdoor written in C# that uses Google Sheets for C2 communication.FIREPOWER is a PowerShell-based backdoor that exploits Google’s Firebase Realtime Database for its C2 channel.MAILCREEP is a Golang-based backdoor leveraging the Microsoft Graph API for its C2 communications.ThreatLabz identified several high-confidence fingerprints within the malware of the Sheet Attack and Gopher Strike campaigns that strongly suggest the use of generative AI.ThreatLabz assesses with medium confidence that these campaigns likely originate from a new subgroup or a parallel Pakistan-linked group, despite sharing similarities with the APT36 threat group.Technical AnalysisIn the following sections, ThreatLabz provides a technical analysis of the Sheet Attack campaign, detailing the backdoors it leverages and examining the evidence that suggests AI was used to generate parts of the code.Initial infection vectorsSimilar to the Gopher Strike campaign, some of the initial Sheet Attack campaigns began with the delivery of a PDF
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: