Full Report
Contents Introduction Key Targets Industries Affected Geographical focus Infection Chain Initial Findings Looking into the Decoy Document Technical Analysis Stage 1 – Initial Infection through LNK file Stage 2 – PowerShell Downloader Analysis Stage 3 – The .NET Dropper – Document.exe Analysis Stage 4 – Decoy Delivery and SheetAgent RAT Analysis Infrastructure & Attribution Conclusion […] The post Operation ShadowRecruit: A Recruitment-Themed Malware Campaign Leveraging ControlR and Google Sheets to Target Indian Job Seekers appeared first on Seqrite Labs.
Analysis Summary
# Incident Report: Operation ShadowRecruit
## Executive Summary
Operation ShadowRecruit is a sophisticated cyber-espionage campaign targeting Indian government job seekers through a recruitment-themed lure. The attack employs a multi-stage infection chain involving malicious LNK files, PowerShell scripts, and the "SheetAgent" RAT, while abusing legitimate tools like ControlR RMM and Google Sheets for command and control (C2). The campaign has been attributed with moderate confidence to the threat actor **APT36**.
## Incident Details
- **Discovery Date:** July 2026 (Reported)
- **Incident Date:** June - July 2026
- **Affected Organization:** Indian Government Job Seekers / Cabinet Secretariat applicants
- **Sector:** Government, Public Sector, Education, Technology
- **Geography:** India
## Timeline of Events
### Initial Access
- **Date/Time:** June 2026
- **Vector:** Spearphishing / Malicious Archive
- **Details:** Victims download a ZIP archive named `Approved Documents 2026.pdf.zip`. It contains a hidden .NET dropper (`Document.exe`), a hidden PowerShell script (`JT-agenda.ps1`), and a visible LNK file disguised with a Microsoft Edge icon.
### Lateral Movement
- **Details:** The campaign utilizes **ControlR**, a legitimate Remote Monitoring and Management (RMM) tool, to gain persistent remote access to compromised endpoints, facilitating potential movement within the victim's network.
### Data Exfiltration/Impact
- **Details:** The final payload, **SheetAgent RAT**, uses Google Sheets as a C2 interface to receive commands and Google Drive to exfiltrate stolen data. The impact includes full system compromise and unauthorized access to sensitive applicant information.
### Detection & Response
- **Discovery:** Identified by Seqrite APT Research Team during proactive threat hunting.
- **Response:** Analysis of the infection chain, extraction of C2 infrastructure (IPs and management panels), and release of protection signatures.
## Attack Methodology
- **Initial Access:** Phishing via spearphishing attachments (ZIP containing malicious LNK).
- **Persistence:** Use of legitimate RMM tool (ControlR) and Scheduled Tasks.
- **Privilege Escalation:** Abuse of Elevation Control Mechanisms (UAC bypass techniques).
- **Defense Evasion:** Use of hidden file attributes, masquerading files as PDFs/Edge shortcuts, and sandbox/virtualization evasion checks.
- **Discovery:** System information and location discovery (T1082, T1614.001).
- **Lateral Movement:** Remote access capabilities via RMM and RAT.
- **Collection:** Gathering system data and specific documents related to government recruitment.
- **Exfiltration:** Exfiltration over C2 channel using Google Drive API.
- **Impact:** Intelligence gathering and long-term surveillance.
## Impact Assessment
- **Financial:** Not disclosed; costs associated with incident response and remediation.
- **Data Breach:** Exposure of personal data of job seekers applying for Senior Field Officer positions.
- **Operational:** Disruption of government recruitment processes; unauthorized RMM presence on systems.
- **Reputational:** Impersonation of the Cabinet Secretariat and Employment News can erode trust in official digital communications.
## Indicators of Compromise
- **Network Indicators:**
- hxxp://38[.]242[.]157[.]89/file.pdf
- 38[.]242[.]157[.]89:9000 (SecureMonitor Panel)
- 38[.]242[.]157[.]89:7000 (PrivateRat Panel)
- **File Indicators (SHA-256):**
- `2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c` (Archive)
- `ee9dd2a180aea75af5c0eda16b83681c0a5fed451bfad6d5b3af85c3b62fa210` (Document.exe)
- `434243e615b93a1b948c26ad55902bd78f9fa18e42375c15790634375c1ad3f4` (LNK file)
- **Behavioral Indicators:**
- LNK file executing PowerShell scripts to launch hidden executables.
- Unauthorized installation of ControlR RMM software.
- Systematic communication with Google Sheets/Drive APIs from non-browser processes.
## Response Actions
- **Containment:** Blocking of identified C2 IP addresses and suspicious domains.
- **Eradication:** Deployment of security signatures (e.g., `Lnk.Trojan.Loader.50884.GC`) to remove malicious components.
- **Recovery:** Restoration of compromised systems and monitoring for re-infection via RMM persistence.
## Lessons Learned
- **Key Takeaways:** Threat actors are increasingly "living off trusted services" (Google Sheets/Drive) to bypass traditional firewall rules.
- **Improvements:** There is a need for better visibility into hidden file execution and PowerShell logging (Script Block Logging) to catch obfuscated loaders early.
## Recommendations
- **Prevention:**
- Disable or restrict the execution of LNK files from untrusted zones.
- Implement application whitelisting to prevent unauthorized RMM tools (like ControlR) from running.
- Educate users to verify the file extension of downloaded documents, specifically looking for double extensions or hidden attributes.
- Monitor for unusual API traffic to Google Cloud services from endpoint applications.