PulseRAT Malware: Malicious ISOs Disguised as UAE-India Partnership Files

by Anika Shah - Technology

PulseRAT Campaign Targets Strategic UAE-India Partnerships

A sophisticated cyber campaign is currently using a malicious ISO image, disguised as a strategic partnership document between the United Arab Emirates and India, to deliver a .NET-based Remote Access Trojan (RAT) known as PulseRAT. The image carries a hidden dropper that establishes persistence on the compromised system, and the RAT uses Google Sheets as its command-and-control (C2) channel for tasking and data exfiltration.

How PulseRAT Establishes Persistence

Once the malicious ISO is mounted and the embedded LNK file is executed, the dropper starts a multi-stage infection chain. To survive reboots, the malware registers a scheduled task named WindowsVaultSyncService and stages its components in a dedicated working directory under %LOCALAPPDATA%\Microsoft\Vault. It also creates a named mutex so that only one instance runs on a given host. That is routine malware engineering rather than an evasion technique, and once the mutex name is known it is itself a useful host-based indicator.

The Role of Google Sheets in C2 Operations

PulseRAT distinguishes itself by eschewing traditional attacker-hosted C2 servers in favor of a legitimate cloud service. By using Google Sheets as its C2 channel, the operators hide their traffic inside ordinary TLS connections to Google API endpoints, which most network controls allow and few inspect. Commands are executed as PowerShell in memory rather than written to disk as scripts, which sidesteps file-based signature detection. Security analysts have documented the specific spreadsheet identifiers and communication patterns associated with this campaign to help defenders identify and block the traffic.


Defensive Measures and Incident Response

Organizations must adopt a proactive stance to mitigate the risk posed by PulseRAT. Security teams should prioritize the following actions:

  • Block External Binaries: Restrict the execution of unknown binary files originating from removable or mounted media.
  • Monitor Task Scheduling: Set alerts for the creation of any scheduled tasks labeled WindowsVaultSyncService.
  • Control Application Execution: Enforce strict application control policies so that binaries cannot run from the %LOCALAPPDATA%\Microsoft\Vault path.
  • Analyze API Traffic: Inspect connections to the Google Sheets API for processes that have no business using it, and for spreadsheet activity that does not match any known business workflow.
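The persistence artifacts above (the WindowsVaultSyncService task, the %LOCALAPPDATA%\Microsoft\Vault directory, PowerShell launched by the implant) and the Sheets API check in this list can be turned into a single hunt. The following is an added example written for this article, not code from the original post or from any vendor report. It assumes endpoint telemetry exported as Sysmon-like JSON records (the field names `event`, `image`, `parent_image`, `task_name`, `query` are an assumed shape, not a real product schema), and the list of processes allowed to talk to the Sheets API is a placeholder to adapt to your environment.

```python
import re
from collections import defaultdict

# Indicators taken from the article. Task name compared case-insensitively.
TASK_NAME = "windowsvaultsyncservice"
VAULT_DIR_RE = re.compile(r"\\AppData\\Local\\Microsoft\\Vault\\", re.IGNORECASE)
SHEETS_HOST = "sheets.googleapis.com"
# Assumption: binaries that legitimately use the Sheets API in this environment.
KNOWN_SHEETS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe"}


def _basename(path):
    """Lower-cased file name from a Windows (or mixed) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (indicator, detail) tuples matched by one telemetry record."""
    hits = []
    kind = ev.get("event")
    if kind == "task_created" and ev.get("task_name", "").lower() == TASK_NAME:
        hits.append(("scheduled_task", ev["task_name"]))
    elif kind == "process_create":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        if VAULT_DIR_RE.search(image):
            hits.append(("vault_dir_exec", image))
        # PowerShell spawned by something living in the Vault directory. If the
        # RAT hosts the PowerShell engine in-process instead, no child process
        # appears and this branch stays silent; script block logging covers that.
        if _basename(image) in ("powershell.exe", "pwsh.exe") and VAULT_DIR_RE.search(parent):
            hits.append(("powershell_from_vault", parent))
    elif kind in ("dns_query", "network_connect"):
        host = (ev.get("query") or ev.get("dest_host") or "").lower()
        proc = _basename(ev.get("image", ""))
        if host == SHEETS_HOST and proc not in KNOWN_SHEETS_CLIENTS:
            hits.append(("sheets_c2", f"{proc} -> {host}"))
    return hits


def hunt(events):
    """Group hits by hostname: {host: [(indicator, detail), ...]}. Clean hosts are omitted."""
    findings = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            findings[ev.get("host", "?")].append(hit)
    return dict(findings)


# Constructed sample telemetry (not real logs): one infected host, one clean host.
SAMPLE_EVENTS = [
    {"host": "WS-17", "event": "process_create",
     "image": r"C:\Users\a.k\AppData\Local\Microsoft\Vault\vaultsvc.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "WS-17", "event": "task_created", "task_name": "WindowsVaultSyncService"},
    {"host": "WS-17", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\a.k\AppData\Local\Microsoft\Vault\vaultsvc.exe"},
    {"host": "WS-17", "event": "dns_query", "query": "sheets.googleapis.com",
     "image": r"C:\Users\a.k\AppData\Local\Microsoft\Vault\vaultsvc.exe"},
    {"host": "WS-22", "event": "dns_query", "query": "sheets.googleapis.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-22", "event": "task_created", "task_name": "OneDrive Standalone Update Task"},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for indicator, detail in hits:
            print(f"{host}: {indicator}: {detail}")
```

The Sheets check is the one that needs tuning: a browser reaching sheets.googleapis.com is normal, an unknown executable under a user profile doing so is not, so the allow-list of client processes, not the hostname, carries the signal.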

If an infection is identified, isolate the affected endpoint immediately. Responders should capture volatile memory and a disk image for forensic analysis before removing the WindowsVaultSyncService scheduled task and deleting vaultsvc.exe; collecting first matters here because the RAT's commands run in memory and will not be recoverable from disk afterwards. Any Google account credentials or API tokens that may have been exposed on the host should be revoked and reset, and a wider forensic review is recommended to identify lateral movement within the network. Relevant stakeholders in the UAE and India should be notified if sensitive diplomatic or partnership data is suspected to have been accessed.

Key Takeaways

  • Campaign Vector: The attack uses a fake “strategic partnership” document between the UAE and India as a social engineering lure.
  • Persistence Mechanism: The malware creates a scheduled task named WindowsVaultSyncService to survive reboots.
  • C2 Strategy: It leverages Google Sheets to mask its command-and-control communications.
  • Detection: Analysts recommend focusing on PowerShell memory execution and unauthorized scheduled task creation.

As threat actors increasingly abuse trusted cloud platforms to facilitate their operations, organizations must transition toward behavioral-based detection rather than relying solely on file-based signatures. Maintaining visibility into API traffic and enforcing strict execution policies remains the most effective defense against evolving threats like PulseRAT.
