AlienVault OTX has detected a sophisticated APT campaign, designated Operation ShadowRecruit, actively targeting the Indian government, education, and technology sectors. Orchestrated by the threat actor Operation C-Major, this campaign leverages a highly socialized recruitment theme, specifically impersonating the Cabinet Secretariat to lure job seekers applying for Senior Field Officer positions.
The attack chain initiates via a malicious ZIP archive containing a disguised LNK file. Upon execution, it triggers a PowerShell downloader that deploys a .NET executable. Notably, the campaign abuses the legitimate ControlR remote management tool for persistent access and utilizes SheetAgent, a malware family that weaponizes Google Sheets as a Command & Control (C2) infrastructure to evade detection. The campaign exhibits anti-virtualization techniques to hinder sandbox analysis.
Threat Actor / Malware Profile
Adversary: Operation C-Major
- Objective: Intelligence gathering and persistent access within government and educational networks.
- TTPs: Highly targeted spear-phishing with job recruitment lures, abuse of legitimate administrative tools (LOLBins), and living-off-the-land techniques.
Malware Family: SheetAgent
- Behavior: A Remote Access Trojan (RAT) that uses Google Sheets documents for C2 communication. This allows the attacker to blend in with legitimate corporate traffic, bypassing standard firewall egress rules that block unknown domains.
- Capabilities: Command execution, data exfiltration, and system reconnaissance.
Tool: ControlR (PrivateRat)
- Abuse: Legitimate remote management software is modified or used directly to maintain persistent access to the victim's machine without raising red flags associated with custom malware.
- Persistence: Established via Scheduled Tasks to ensure survival across reboots.
IOC Analysis
The provided indicators primarily consist of file hashes (MD5, SHA1, SHA256) associated with the malicious payloads, including the initial downloader, the .NET executables, and the ControlR components.
- Operationalization: SOC teams should immediately ingest these hashes into EDR alerting rules and SIEM correlation engines.
- Tooling: EDR solutions (CrowdStrike, SentinelOne, Elastic) can automatically block execution of these hashes. Network detection is more challenging due to the use of Google Sheets as C2; therefore, defenders must hunt for anomalous process-to-Google-Docs traffic originating from non-browser processes.
Detection Engineering
title: Potential Operation ShadowRecruit LNK PowerShell Execution
date: 2026/07/15
author: Security Arsenal
status: experimental
description: Detects execution of PowerShell scripts initiated by LNK files, a common pattern in Operation ShadowRecruit phishing emails.
references:
- https://otx.alienvault.com/pulse/operation-shadowrecruit/
tags:
- attack.execution
- attack.t1059.001
- attack.initial_access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'DownloadString'
- 'Invoke-Expression'
- 'IEX'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: high
---
title: ControlR Remote Tool Suspicious Execution
date: 2026/07/15
author: Security Arsenal
status: experimental
description: Detects the execution of ControlR or PrivateRat binaries often abused by Operation C-Major for persistence.
references:
- https://otx.alienvault.com/pulse/operation-shadowrecruit/
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|contains:
- 'ControlR'
- 'PrivateRat'
selection_cli:
CommandLine|contains:
- '-connect'
- '-host'
condition: all of selection_*
falsepositives:
- Authorized administrative remote management
level: medium
---
title: SheetAgent Google Sheets C2 Traffic Pattern
date: 2026/07/15
author: Security Arsenal
status: experimental
description: Detects non-browser processes connecting to Google Sheets (docs.google.com) potentially indicating SheetAgent RAT activity.
references:
- https://otx.alienvault.com/pulse/operation-shadowrecruit/
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains: 'docs.google.com'
Initiated: 'true'
filter_legit_browsers:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
- '\opera.exe'
filter_legit_updaters:
Image|contains:
- '\Google\Update\'
- '\Microsoft\EdgeUpdate\'
condition: selection and not 1 of filter_*
falsepositives:
- Office applications syncing files
- legitimate scripts utilizing Google APIs
level: high
kql
// Hunt for File Hash Indicators of Compromise (IOCs)
// Search for specific SHA256 and MD5 hashes found in Operation ShadowRecruit
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
"2b33b5185e93e1655eb27dbaa025d7ee088627db3d640fe4709be705646b189c",
"434243e615b93a1b948c26ad55902bd78f9fa18e42375c15790634375c1ad3f4"
)
or MD5 in (
"6bcf91af52b9577ba81cbae9368f91f8",
"6f2fd5cb3901d6818316423ac72da5e8",
"90682a7c53132750b1517f80cab2281c"
)
| project Timestamp, DeviceName, AccountName, FolderPath, SHA256, MD5, InitiatingProcessFileName
| extend IoCMatch = "Operation ShadowRecruit Hash"
powershell
# Operation ShadowRecruit - Local IOC Hunter
# Scans for specific file hashes and suspicious scheduled tasks
$TargetHashes = @(
"6bcf91af52b9577ba81cbae9368f91f8",
"6f2fd5cb3901d6818316423ac72da5e8",
"90682a7c53132750b1517f80cab2281c"
)
Write-Host "[*] Starting Hunt for Operation ShadowRecruit Artifacts..." -ForegroundColor Cyan
# 1. Scan for Malicious Files in User Directories
Write-Host "[*] Scanning user profiles for known malicious hashes..." -ForegroundColor Yellow
$UserProfiles = Get-ChildItem "C:\Users" -Directory
foreach ($User in $UserProfiles) {
$Paths = @(
"$($User.FullName)\Downloads",
"$($User.FullName)\Desktop",
"$($User.FullName)\AppData\Local\Temp"
)
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
if ($Hash -in $TargetHashes) {
Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
Write-Host " Hash: $Hash" -ForegroundColor DarkGray
}
}
}
}
}
# 2. Check for Suspicious Scheduled Tasks (Persistence)
Write-Host "[*] Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
$Tasks = Get-ScheduledTask -TaskPath "\" | Where-Object { $_.State -eq "Ready" -or $_.State -eq "Running" }
foreach ($Task in $Tasks) {
$Action = $Task.Actions.Execute
if ($Action -like "*powershell*" -or $Action -like "*ControlR*" -or $Action -like "*.exe*") {
# Check for tasks running from user directories or unusual locations
$Arg = $Task.Actions.Arguments
if ($Arg -like "*DownloadString*" -or $Arg -like "*sheets.google.com*" -or $Arg -like "*docs.google.com*") {
Write-Host "[!] SUSPICIOUS TASK FOUND: $($Task.TaskName)" -ForegroundColor Red
Write-Host " Action: $Action $Arg" -ForegroundColor DarkGray
}
}
}
Write-Host "[*] Hunt complete." -ForegroundColor Green
Response Priorities
Immediate Actions:
- Block Hashes: Upload all provided MD5 and SHA256 hashes to EDR blocklists and AV signatures.
- Isolate Victims: If execution is detected, isolate the host immediately to prevent lateral movement via ControlR.
- Suspend Macro/Scripting: Temporarily restrict PowerShell execution policies for non-admin users if the threat is widespread.
Within 24 Hours:
- Credential Audit: Given the RAT capabilities, assume credentials are compromised. Reset passwords for accounts accessed from infected endpoints.
- Email Review: Quarantine emails containing "Senior Field Officer" or "Cabinet Secretariat" recruitment lures.
Within 1 Week:
- Application Control: Implement allow-listing for remote administration tools like ControlR to prevent abuse.
- Network Segmentation: Restrict access to Google Workspace APIs to only approved applications/browsers to disrupt SheetAgent C2 channels.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.