PulseRAT - Google Sheets-based RAT Using UAE-India Partnership Lure
On May 19, 2026, I came across an interesting ISO uploaded from the UAE. The ISO is named UAE-India_Strategic_Partnership_Week.iso, and it is likely related to the defense partnership between India and the UAE announced in May 2026. The ISO contains a payload that leads to a RAT I had not seen before. I will temporarily call this RAT 'PulseRAT', but if the reader recognizes it as a known or previously reported malware family, I will be happy to update the name and reference the previous research.
The ISO contains 2 files:
- Document_11052026-03578240540350-93.exe
- UAE-India_Strategic_Partnership-Week.lnk
The LNK file does just one thing: it runs the accompanying executable file:
```text
[Link Info]
Location flags: 0x00000001 (VolumeIDAndLocalBasePath)
Drive type: 3 (DRIVE_FIXED)
Drive serial number: 58b8-3afb
Volume label (ASCII):
Local path (ASCII): C:\Windows\System32\cmd.exe
[String Data]
Relative path (UNICODE): ..\..\..\..\Windows\System32\cmd.exe
Arguments (UNICODE): /c start "" "Document_11052026-03578240540350-93.exe"
Icon location (UNICODE): shell32.dll
```
The LNK metadata shows that it was created on May 11, 2026 on a machine named desktop-526nitv (more on that later).
```text
[Distributed Link Tracker Properties]
Version: 0
NetBIOS name: desktop-526nitv
Droid volume identifier: abd093c6-5b6c-46bf-b353-a42862fd2a91
Droid file identifier: 6e548727-4cfb-11f1-8b05-005056c00008
Birth droid volume identifier: abd093c6-5b6c-46bf-b353-a42862fd2a91
Birth droid file identifier: 6e548727-4cfb-11f1-8b05-005056c00008
MAC address: 00:50:56:c0:00:08
UUID timestamp: 05/11/2026 (05:36:59.673) [UTC]
UUID sequence number: 2821
```
Document_11052026-03578240540350-93.exe is a .NET executable. Its original file name is FinalTool.exe and it was compiled on May 11, 2026, 8 days before I found it. This executable is a simple dropper for a RAT. When executed, it checks if the directory %LOCALAPPDATA%\Microsoft\Vault exists. If not, it creates it. Then, it extracts 2 embedded resources:
- InternalExe is the final payload. This executable is saved as %LOCALAPPDATA%\Microsoft\Vault\vaultsvc.exe and is executed with a Scheduled Task that has 2 triggers.
- InternalBait is saved to disk and opened. This "decoy PDF" is a 0 byte resource, so it does not render as a PDF.
The Scheduled Task is implemented via the CreatePersistence method using the Windows Task Scheduler COM interface. The Task created for initial execution and persistence is called WindowsVaultSyncService and has the following description: Windows Edge Core Update Task Machine Discord Update. Two triggers are set for the execution of vaultsvc.exe: 3 minutes after the Scheduled Task creation and when the current user logs on.
After setting up the Scheduled Task, the dropper runs the Melt method to:
- Implement a 2 second delay via choice.exe.
- Self-delete.
- Move the InternalBait "PDF" to the dropper's directory.
PulseRAT - Google Sheets-based RAT
The final payload in this infection chain is the .NET RAT dropped by Document_11052026-03578240540350-93.exe as vaultsvc.exe. This RAT uses Google Sheets as a C2 channel. The RAT has the following metadata:
- Original File Name: Syn.exe
- Compilation date: May 8, 2026
- Description: Windows System Synchronization Service
The first thing the RAT does is generate a UID for each victim. The UID is generated by computing a SHA-256 hash of the concatenated username + machine name.
The UID is subsequently used to generate and check the presence of the following mutex: Global\\WinSync_ + UID. If the mutex does not exist, it continues execution and:
- Hides the console.
- Sets connection properties via the ServicePointManager class.
- Calls the Pulse method. This method implements the RAT functionality.
The Pulse method uses a string decoding/decryption method named JIT to base64-decode and XOR decrypt the strings for the Spreadsheet ID and the Service Account used by the RAT. The XOR key passed to the decryption function is discrete.
The decoded/decrypted Spreadsheet ID is: 1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8.
After decoding the Spreadsheet ID, the RAT authenticates to Google Spreadsheets via the RefreshAuth function. The Service Account for authentication is decoded/decrypted with the JIT function (using the same discrete key).
The decoded/decrypted Service Account is: sheet5@sheet5-495707.iam.gserviceaccount.com.
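To illustrate the JIT scheme described above (base64 decode, then XOR), here is an added Python helper that is not part of the RAT or the original post. The XOR key 0x5A and the encoded blobs are constructed here from the decoded values in the text, since the sample's real key is not reproduced above; the helper also goes slightly beyond the text by brute-forcing a single-byte key when a fragment of the expected plaintext (such as the service-account domain) is known.

```python
import base64
from typing import List, Tuple

def jit_decode(encoded: str, key: bytes) -> bytes:
    """Replicates the JIT routine as described: base64-decode the string,
    then XOR every byte with a repeating key (a 1-byte key is the simplest case)."""
    raw = base64.b64decode(encoded)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))

def jit_encode(plain: bytes, key: bytes) -> str:
    """Inverse of jit_decode; used here only to build constructed sample blobs."""
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))
    return base64.b64encode(xored).decode("ascii")

def is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)

def brute_force_single_byte_key(encoded: str, known_fragment: bytes) -> List[Tuple[int, bytes]]:
    """Recover a 1-byte XOR key when part of the plaintext is predictable, e.g.
    b'.iam.gserviceaccount.com' for a service-account string. Returns every key
    whose output is printable ASCII and contains the fragment."""
    hits = []
    for k in range(256):
        candidate = jit_decode(encoded, bytes([k]))
        if is_printable_ascii(candidate) and known_fragment in candidate:
            hits.append((k, candidate))
    return hits

# Constructed demo data: the page's decoded values, re-encoded here with a
# made-up key 0x5A (the real key used by the sample is not reproduced above).
DEMO_KEY = bytes([0x5A])
SPREADSHEET_ID = "1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8"
SERVICE_ACCOUNT = "sheet5@sheet5-495707.iam.gserviceaccount.com"
DEMO_ID_BLOB = jit_encode(SPREADSHEET_ID.encode(), DEMO_KEY)
DEMO_ACCOUNT_BLOB = jit_encode(SERVICE_ACCOUNT.encode(), DEMO_KEY)

if __name__ == "__main__":
    print(jit_decode(DEMO_ID_BLOB, DEMO_KEY).decode())
    for key, text in brute_force_single_byte_key(DEMO_ACCOUNT_BLOB, b".iam.gserviceaccount.com"):
        print(f"key=0x{key:02x} -> {text.decode()}")
```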
RefreshAuth creates a JWT, signs it with an embedded RSA private key, and exchanges it with Google’s OAuth2 token endpoint to obtain an access token for the Google Sheets API.
When the RAT connects to the attacker-controlled Google Spreadsheet, it checks if a sheet exists for the previously generated victim UID. If it does not exist, it creates a new sheet for the victim UID.
The RAT then writes the following to the spreadsheet cells:
| Cell | Content | Purpose |
|---|---|---|
| A1 | `First: <timestamp>` | Timestamp of first connection |
| B1:C1 | `Pulse: <timestamp>` | Heartbeat, updated with every beacon |
| A2, B2, C2 | `I`, `O`, `T` | Input / Output / Timestamp column headers for command execution logging |
| A3, B3, C3 | `c3lzdGVtaW5mbw==` (base64 of `systeminfo`), `<systeminfo output>`, `<timestamp>` | System info data |
The systeminfo command is run once via an in-process PowerShell execution, and its output is logged to the attacker-controlled spreadsheet. The attacker can also write base64-encoded PowerShell commands starting at cell A4. The RAT reads the commands from cell A4 onwards, base64-decodes them, executes them, and base64-encodes the output, which is written back to the spreadsheet together with a timestamp of the command execution. For this, it uses the I(nput), O(utput), and T(imestamp) columns created earlier.
In my attempts to connect to the Google Spreadsheet using the authentication material embedded in the RAT, I noticed that the account may have been deleted. However, based on the way the RAT interacts with the spreadsheet, we can reconstruct what a victim sheet looks like.
The base64 decoding of commands, in-process PowerShell execution, and base64 encoding of outputs are implemented in the RunPS method. This method creates a PowerShell runspace to avoid spawning a PowerShell process, which is typically suspicious.
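As an added example (not from the original post), this Python reconstructs the command timeline from a victim sheet exported as a grid of rows, following the cell layout described above; the sheet contents are constructed sample data, not recovered from the real spreadsheet, and cells that are queued but unanswered or not valid base64 are handled rather than aborting the parse.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class CommandRecord:
    row: int                  # sheet row number (row 3 = systeminfo, row 4+ = operator commands)
    command: str              # base64-decoded column A (I)
    output: Optional[str]     # base64-decoded column B (O); None if the RAT has not answered yet
    timestamp: Optional[str]  # column C (T), written by the RAT at execution time

def decode_cell(cell: str) -> str:
    """Decode one base64 cell; malformed cells stay visible instead of raising."""
    try:
        return base64.b64decode(cell, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return f"<undecodable: {cell!r}>"

def parse_victim_sheet(rows: List[List[str]]) -> Dict[str, object]:
    """rows[i] is sheet row i+1 with columns A..C, as exported from one victim's sheet."""
    header = (list(rows[0]) + ["", "", ""])[:3] if rows else ["", "", ""]
    first_seen = header[0][len("First: "):] if header[0].startswith("First: ") else header[0]
    last_pulse = header[1][len("Pulse: "):] if header[1].startswith("Pulse: ") else header[1]
    records: List[CommandRecord] = []
    for row_no, row in enumerate(rows[2:], start=3):   # row 2 is the I / O / T header
        a, b, c = (list(row) + ["", "", ""])[:3]
        if not a.strip():
            continue                                    # empty A cell: nothing queued here
        records.append(CommandRecord(row=row_no, command=decode_cell(a),
                                     output=decode_cell(b) if b else None,
                                     timestamp=c or None))
    return {"first_seen": first_seen, "last_pulse": last_pulse, "records": records}

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample sheet following the layout in the text (not recovered from the real C2).
SAMPLE_SHEET = [
    ["First: 2026-05-19 10:00:00", "Pulse: 2026-05-19 10:15:00", ""],
    ["I", "O", "T"],
    ["c3lzdGVtaW5mbw==", _b64("Host Name: DESKTOP-SAMPLE\r\nOS Name: Microsoft Windows"), "2026-05-19 10:00:05"],
    [_b64("whoami"), _b64("desktop-sample\\user"), "2026-05-19 10:10:00"],
    [_b64("hostname"), "", ""],                          # queued by the operator, not executed yet
    ["not*base64", _b64("?"), "2026-05-19 10:12:00"],    # damaged cell, must not abort parsing
]

if __name__ == "__main__":
    for rec in parse_victim_sheet(SAMPLE_SHEET)["records"]:
        print(rec.row, rec.timestamp, repr(rec.command), "->", repr(rec.output))
```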
Possible Connection with an XLS
While hunting for additional artifacts associated with the host used to create the LNK file (desktop-526nitv), I came across a benign Excel file uploaded on April 1, 2026 from Afghanistan: Compliance_Checklist.xlsx (9c713a33fd9a3f6327faa3eae256732dedf7e19399d55a2ca8d395263f26c2d7). This XLS was originally created by user atra.gov.af (associated with the Afghanistan Telecom Regulatory Authority), but it was modified by a ‘Default User’ using a machine named desktop-526nitv, the same machine name that we saw in the LNK. The associated path is Desktop\CAMP\31-03, potentially referencing a campaign date.
The link between the XLSX and the LNK is relatively weak, and I could not find any specific threats associated with the Excel file. However, given the time proximity and the overlap in machine names, I will continue looking for artifacts that may prove or refute a meaningful link between the two.
IOCs
- UAE-India_Strategic_Partnership_Week.iso: 1ba67bb1cfad42446880cca53cbd05fe66d7514b2bb139b48e5c63adff14be7b
- Document_11052026-03578240540350-93.exe: 2cc7c2d8653c98e5bac32fcaf5e45b861efb4bb87df3b3f96285edb475e75bba
- UAE-India_Strategic_Partnership-Week.lnk: 3b16f1a2d74578beed77d870350d75202b54bd5b0460c8cf79316bc9ba812907
- vaultsvc.exe: 62d62950ff7a0e43550a5d0ba55d32d5083b9de5538e0f012e406b6d951e16aa
- Google Spreadsheet ID: 1Lb5BEIsehbCGe8p1jkfWf5Mw1dBAcw5RHWFdga5gFq8