SheetRAT Has Nothing to Do With Sheets: Inside a 32-Plugin RAT Builder Using Pinggy Tunnels as Unblockable C2
First public analysis — monoalphabetic cipher cracked, 1,043 strings decoded, PDB path C:\Users\Malware\
The name says "SheetRAT." Every instinct says Google Sheets command and control -- the technique popularized by a dozen different malware families over the last five years, abusing a ubiquitous cloud service to hide C2 traffic in plain sight. We expected to find API keys, spreadsheet IDs, and Base64 payloads tucked into cells.
Instead, we found Pinggy TCP tunnels, a monoalphabetic substitution cipher we broke in under an hour, a developer who literally named their Windows account "Malware," and a 32-plugin modular RAT framework with zero prior public reporting -- deployed against targets in Chile five times in three days.
This is the first public analysis of SheetRAT.
Five Samples, Three Days, One Country
On March 31, 2026, a sample called my.exe appeared on MalwareBazaar, submitted from Chile. Pulling the imphash -- f34d5f2d4577ed6d9ceec516c1f5a744 -- and pivoting across the database revealed four more samples submitted in the preceding 48 hours. All five shared the same imphash, confirming they were stamped from the same builder. All carried a Chile origin tag. All were .NET Framework 4.0 binaries.
| Sample | File | Size | First Seen |
|---|---|---|---|
| e98a790e... | my.exe | 498 KB | 2026-03-31 17:19 |
| 4c192817... | Clint.exe | 374 KB | 2026-03-30 17:01 |
| b1586fa7... | Client.exe | 365 KB | 2026-03-30 16:24 |
| ef036cd4... | Client.exe | 615 KB | 2026-03-30 07:00 |
| 285eeaf4... | Client.exe | 561 KB | 2026-03-29 14:11 |
Five builds in 72 hours. The filenames tell their own story -- the operator didn't even bother renaming most of them beyond the default Client.exe. One got renamed to Clint.exe, possibly a typo. One became my.exe. The varying file sizes (365 KB to 615 KB) reflect different plugin configurations and the builder's "PUMPER" option, which inflates file size to evade sandbox thresholds.
We checked ThreatFox. Zero results. URLhaus. Nothing. VirusTotal community comments. Silent. No public analysis, no YARA rules, no vendor write-ups. SheetRAT had been operating in a complete intelligence vacuum.
The Pinggy Problem
Here is where the name becomes a lie.
SheetRAT does not use Google Sheets for command and control. The actual C2 mechanism is Pinggy -- a legitimate TCP/HTTP tunnel service at pinggy.io that lets anyone expose a local port to the internet through a tunnel endpoint. The operator runs the SheetRAT server on their own machine, creates a Pinggy tunnel, and every infected victim beacons out to a Pinggy-assigned subdomain:
[random-subdomain].a.free.pinggy.link:[port]
From a network defender's perspective, this is a nightmare. The victim's machine makes what appears to be a standard HTTPS connection to a subdomain of pinggy.link. The traffic is encrypted. The destination resolves to Pinggy's infrastructure at 185.199.108-111.153 -- legitimate IP space. There is no malicious IP to blocklist, no sketchy domain to flag, no unusual port to trigger an alert. The C2 traffic is indistinguishable from a developer using Pinggy to demo a local web app.
You cannot block the C2 IP without blocking all of Pinggy. You cannot block the domain pattern without breaking every legitimate Pinggy tunnel in your environment. And because the operator is using Pinggy's free tier, there is no payment trail, no identity verification, no account to subpoena.
The free tier does have one limitation: tunnel URLs rotate periodically. This means the C2 address is ephemeral -- the operator needs to update the tunnel URL and push new builds or rely on a reconnection mechanism. But for a spray-and-pray RAT campaign with builds going out every few hours, this barely matters. By the time a tunnel URL expires, the next batch of victims is already connecting to a fresh one.
This is not the first time we have seen tunnel services abused for C2 -- ngrok and Cloudflare Tunnels have both appeared in malware campaigns. But Pinggy is newer, less monitored, and absent from most threat intelligence feeds. It represents an expanding category of infrastructure that defenders need to watch: legitimate tunnel-as-a-service platforms being weaponized for C2 relay.
Cracking the Cipher
Every string in SheetRAT's .NET binary is obfuscated. The C2 URL, the registry paths, the WMI queries, the process names to kill, the masquerade filenames -- all of it is stored as ciphertext in the .NET User Strings heap. The binary contains 1,043 obfuscated strings totaling 27,244 bytes.
The obfuscation scheme is a monoalphabetic substitution cipher. Each character in the plaintext is replaced with a different character according to a fixed substitution alphabet. The alphabet is randomized at build time, meaning every compiled sample gets a unique cipher. Simple string-matching signatures will never work across samples -- the same string produces different ciphertext in every build.
But monoalphabetic substitution is a solved problem. It has been since the 9th century, when Arab mathematician Al-Kindi published the first known description of frequency analysis. SheetRAT's developer chose an obfuscation technique that was breakable before the printing press existed.
We started with a known-plaintext attack. String index [1] in the binary was short enough to be a configuration path and appeared in a context suggesting Windows Defender interaction. We hypothesized the plaintext was root/microsoft/windows/Defender -- a 31-character string that, if correct, would immediately give us mappings for 22 unique characters.
It matched. From those 22 character mappings, we expanded outward using contextual analysis:
- WMI class names (MSFT_MpPreference, ExclusionPath) gave us more uppercase letters
- Known API endpoints (api64.ipify.org) filled in digits
- Registry paths (CurrentVersion\Run) confirmed slash and backslash mappings
- File extensions (.exe, .dll) locked in the period and remaining lowercase letters
Within the hour, we had recovered 55 of the approximately 95 character mappings used in this sample's alphabet. That was enough to decode every operationally significant string in the binary. The C2 URL emerged. The persistence mechanisms became readable. The full capability set was laid bare.
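The known-plaintext walk described above, as an added example (not the SheetRAT builder's code and not the analysts' tooling): the substitution alphabet, its seed and the four-entry string table are constructed so it runs offline, while the anchor string root/microsoft/windows/Defender and the expansion strings come from the analysis. Guessing only strings 1 and 2 already decodes the other two far enough to recognize them, and a wrong guess is rejected by a length or mapping conflict.

```python
import random
import string

# Character set the constructed cipher permutes. SheetRAT randomizes its
# substitution alphabet per build; the seed below is a constructed stand-in.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def build_cipher(seed: int) -> dict:
    """Constructed per-build alphabet: a random permutation of ALPHABET."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def encode(text: str, cipher: dict) -> str:
    return "".join(cipher[c] for c in text)


def learn_mapping(ciphertext: str, plaintext: str, mapping: dict) -> dict:
    """Extend a ciphertext->plaintext table from one known-plaintext pair.
    A length mismatch or a contradiction with an earlier mapping rejects the guess."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("length mismatch: guess cannot be correct")
    new = dict(mapping)
    for c, p in zip(ciphertext, plaintext):
        if new.get(c, p) != p:
            raise ValueError(f"conflict on {c!r}: {new[c]!r} vs {p!r}")
        new[c] = p
    return new


def decode(ciphertext: str, mapping: dict, unknown: str = "?") -> str:
    """Decode with a partial table; unresolved characters show as '?'."""
    return "".join(mapping.get(c, unknown) for c in ciphertext)


def recover(strings: dict, guesses: list) -> tuple:
    """Apply (index, plaintext guess) pairs in order, then decode everything."""
    mapping = {}
    for idx, guess in guesses:
        mapping = learn_mapping(strings[idx], guess, mapping)
    return mapping, {i: decode(ct, mapping) for i, ct in strings.items()}


# Constructed stand-in for the obfuscated User Strings heap: index -> ciphertext.
CIPHER = build_cipher(seed=1337)
PLAIN = {
    1: "root/microsoft/windows/Defender",  # the anchor guess from the analysis
    2: "MSFT_MpPreference",
    3: "api64.ipify.org",
    4: "taskmgr.exe",
}
STRINGS = {i: encode(p, CIPHER) for i, p in PLAIN.items()}

if __name__ == "__main__":
    # Only strings 1 and 2 are guessed; 3 and 4 decode partially.
    _, decoded = recover(STRINGS, [(1, PLAIN[1]), (2, PLAIN[2])])
    for i, s in decoded.items():
        print(i, s)
```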
Here is a selection of what we extracted:
- C2 URL: [subdomain].a.free.pinggy.link:[port]
- Version string: 2.6.4
- IP discovery: hxxps://api64.ipify.org/
- Dropped DLL: xdwd.dll
- Masquerade names: Google SketchUp Update.exe, OBS Studio.exe, RuntimeBroker.exe
- Sandbox detection DLLs: SbieDll.dll, snxhk.dll, cmdvrt32.dll, Sf2.dll
- Process kill targets: taskmgr.exe, ProcessHacker.exe, procexp.exe
Every one of those 1,043 strings was hiding in plain sight, protected by a cipher technique that a determined analyst with a pencil and paper could break. Per-build randomization makes automated detection harder, but once you understand the scheme, any individual sample falls in minutes.
C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2
The PDB path is the single best artifact in the entire binary. PDB paths are embedded at compile time and point to the debug symbol file on the developer's machine. Most malware authors either strip PDB paths or don't notice they are there. SheetRAT's developer falls into the second category:
C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2\Src\Client\obj\Release\Client.pdb
Let that path sink in. The Windows username is Malware. Not a handle, not an alias -- the actual Windows user account on the development machine is named "Malware." The project lives in a folder called hack tool\Backdoor\. The directory structure reads like a filing system for someone who maintains a portfolio of malicious tools and felt no need to obscure it.
The version in the PDB path is 2.2, but the deployed samples are version 2.6.4. This tells us the PDB path was set early in development and never updated as the project evolved through at least four major versions. The development history stretches back months -- the earliest GitHub repository hosting SheetRAT code dates to December 2025.
The Builder Kit
SheetRAT is distributed as a complete builder kit on GitHub. Not a compiled binary with a configuration panel -- the full source code, compilation toolchain, and all 32 plugin DLLs. We identified at least seven GitHub accounts hosting variants between December 2025 and March 2026:
| Date | Repository | Notes |
|---|---|---|
| 2025-12-19 | artem33xd-star/Sheet-rat | Earliest known repo |
| 2026-01-23 | ratertelephon1-sys/... | Russian-language description |
| 2026-02-06 | brawlervenia2-oss/SheetRatHelper | Helper tool |
| 2026-02-14 | vvv002462-beep/... | Mirror |
| 2026-02-19 | percohack/sheetrat | Full builder + all 32 plugin DLLs |
| 2026-03-11 | gamersergiusddd-blip/... | Another mirror |
| 2026-03-16 | TheOralCigaretts-1/SheetRat-2.6.4. | v2.6.4 ZIP |
The Russian-language repository is particularly telling. Its description translates roughly to: "SheetRat Builder autoload, no RCE, new version, can build on a VM!" -- a sales pitch emphasizing that the builder itself won't backdoor you (a common concern in the malware community, where builders are frequently trojaned) and can be safely run in a virtual machine. The language, the tone, the reassurance about builder safety -- this is marketing for a Russian-speaking audience of aspiring cybercriminals.
The percohack/sheetrat repository contains the complete arsenal: the builder application, configuration templates, and all 32 compiled plugin DLLs ready for deployment.
32 Plugins: A Modular Arsenal
SheetRAT's plugin system is where the framework's ambition becomes clear. The builder lets the operator select which capabilities to include in each compiled client. Thirty-two plugin DLLs cover nearly every offensive capability a RAT operator could want:
Surveillance: RemoteDesktop (1.3 MB, full desktop control), RemoteCamera (webcam), MicroPhone (audio recording), Keylogger, Images (screenshot capture), Clipboard monitoring
Data Theft: Stealer (602 KB, browser credentials and stored data), FileManager (browse/upload/download)
Persistence & Control: Shell (command execution), Regedit (registry manipulation), Service (Windows service manipulation), Scheduler, AutoTask, AutoRun
Lateral Movement: WormSMB (SMB network worm), WormJoiner (file binding for propagation)
Monetization: MinerXmr (Monero mining), MinerEtc (Ethereum Classic mining), DDos (DDoS-for-hire)
Network: ReverseProxy (SOCKS proxy through victim), Netstat (connection enumeration), Map (geolocation)
Miscellaneous: Uac (UAC bypass), SystemDisable (disable system functions), SendFile (push files to victim), Chat (operator-to-victim messaging), Fun (harassment/prank functions), SpeakBot (text-to-speech on victim), Message (display messages), FreendConnect (peer connection), TaskMgr (task manager manipulation)
The presence of both XMR and ETC miners alongside a DDoS module and credential stealer paints a clear picture of the intended operator: someone who wants to extract maximum value from every compromised machine. Mine crypto when idle, steal credentials at first access, rent out DDoS capacity, and proxy traffic through victims for additional revenue. SheetRAT is designed for operators who treat their botnet as a diversified portfolio.
Defense Evasion
SheetRAT layers multiple evasion techniques, all configurable through the builder:
AMSI Bypass: Disables the Antimalware Scan Interface to prevent runtime .NET inspection.
Windows Defender Exclusion: Uses WMI to add itself to Defender's exclusion paths via MSFT_MpPreference, so even if Defender is running, it will ignore the RAT's files.
Sandbox Detection: Checks for the presence of known sandbox DLLs (SbieDll.dll for Sandboxie, snxhk.dll for Avast, cmdvrt32.dll for Comodo, Sf2.dll for Avast sandbox). If any are found, the malware alters its behavior.
Process Killer: Actively monitors for and terminates analysis tools -- Task Manager, Process Hacker, Process Explorer.
Masquerading: Copies itself using legitimate-sounding filenames: Google SketchUp Update.exe, OBS Studio.exe, RuntimeBroker.exe.
Multi-Layer Persistence: The builder can enable any combination of five persistence mechanisms simultaneously:
- Registry Run keys (HKCU and HKLM)
- Scheduled tasks (OnLogon trigger + recurring interval)
- Startup folder placement
- Userinit registry hijack (Winlogon)
- AppInit_DLLs registry injection
Code Obfuscation: Beyond the monoalphabetic cipher for strings, the builder applies ConfuserEx-style protections: control flow flattening, junk code injection (configurable, default 300 iterations), symbol renaming, proxy method calls, and arithmetic obfuscation.
Timestamp Forgery: The PE compilation timestamp is set to 2100-10-13 -- a date so far in the future that it is obviously forged, which paradoxically makes it harder to use for timeline analysis than a realistic fake date would be.
Who Built This
Attribution confidence is low-to-medium, but the evidence points toward a Russian-speaking developer or development community:
The Russian-language GitHub description is the strongest linguistic indicator. The PDB path username "Malware" is English but generic -- it could belong to anyone. The distribution pattern across multiple GitHub accounts with seemingly random usernames (artem33xd-star, ratertelephon1-sys, percohack, brawlervenia2-oss) suggests either a single developer using throwaway accounts or a small community sharing and re-uploading the builder.
The version progression from 2.2 in the PDB path through 2.6 on GitHub to 2.6.4 in the latest samples shows active, sustained development over at least four months. This is not abandoned code being re-shared -- someone is actively maintaining and improving the framework.
The Chilean deployment is interesting. All five MalwareBazaar samples carry a Chile origin, suggesting either a Chilean operator using the Russian-developed builder or a campaign specifically targeting Chilean organizations. The reporter BastianHein_ submitted four of the five samples, indicating they may be tracking this campaign from the receiving end.
What This Means
SheetRAT is not sophisticated. The cipher is trivial. The code is .NET 4.0 with standard ConfuserEx protections. The builder is literally on GitHub for anyone to download. The developer named their user account "Malware."
But sophistication is not the point. SheetRAT is dangerous for two reasons:
The Pinggy C2 technique is genuinely difficult to defend against. Tunnel-as-a-service platforms create a class of C2 infrastructure that cannot be IP-blocked, domain-blocked, or certificate-blocked without collateral damage to legitimate services. As more malware families discover Pinggy, Cloudflare Tunnels, and similar services, network-layer detection becomes increasingly inadequate. Defenders need to focus on endpoint behavior: the persistence mechanisms, the Defender exclusion via WMI, the sandbox DLL checks, the process kills. The network indicators are designed to be invisible.
Open-source RAT builders lower the barrier to zero. SheetRAT does not require a subscription to a C2 framework, a license key for a cracked tool, or even technical skill beyond clicking a GUI. Download from GitHub, configure options, click build. The 32-plugin architecture means an operator can customize their payload for their specific operation without writing a line of code. When the builder is free and the C2 infrastructure costs nothing (Pinggy free tier), the only barrier to entry is finding victims -- and that has never been hard.
Indicators of Compromise
File Hashes (SHA256)
Additional File Indicators
| Type | Value |
|---|---|
| Imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| MD5 (primary) | 8eff9a21c933ad469ac5cd4df8f44380 |
| SHA1 (primary) | 7778a64305a6b2c71ead6cdde9fad488719d7f3d |
| ssdeep | 6144:ujySA4Amr3/lZTKSP473r209jzwtetZpXbvtNp6Xn/ENxjguHrXMsSTQZR15Codf:ujxAmr3Pu2a3vHU3/ENXrXMqdf |
| Assembly GUID | a7805e28-c8db-482c-8b04-06c0ca884f7d |
| Module GUID | b7cbb3ce-ee82-4780-bc40-1b616c83adc2 |
Network Indicators
| Indicator | Value |
|---|---|
| C2 Domain Pattern | *[.]a[.]free[.]pinggy[.]link (any port) |
| IP Discovery | hxxps://api64[.]ipify[.]org/ |
| Pinggy Infrastructure | 185[.]199[.]108-111[.]153 |
Host Indicators
| Indicator | Value |
|---|---|
| PDB Path | C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2\Src\Client\obj\Release\Client.pdb |
| Obfuscated Namespace | vnrelhhbkamt |
| Dropped DLL | xdwd.dll |
| Masquerade | Google SketchUp Update.exe |
| Masquerade | OBS Studio.exe |
| Masquerade | RuntimeBroker.exe |
| Registry | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Registry | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Registry | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit |
| Registry | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs |
| WMI | MSFT_MpPreference ExclusionPath modification |
| Process Kill | taskmgr.exe, ProcessHacker.exe, procexp.exe |
| Sandbox DLLs | SbieDll.dll, snxhk.dll, cmdvrt32.dll, Sf2.dll |
MITRE ATT&CK Coverage
| Tactic | Technique | ID |
|---|---|---|
| Execution | User Execution | T1204.002 |
| Persistence | Registry Run Keys | T1547.001 |
| Persistence | Scheduled Task | T1053.005 |
| Persistence | Winlogon Helper | T1547.004 |
| Persistence | AppInit DLLs | T1546.010 |
| Privilege Escalation | UAC Bypass | T1548.002 |
| Defense Evasion | Disable Defenses | T1562.001 |
| Defense Evasion | Masquerading | T1036.005 |
| Defense Evasion | Obfuscated Files | T1027 |
| Defense Evasion | Virtualization Evasion | T1497.001 |
| Credential Access | Credentials from Stores | T1555 |
| Collection | Keylogging | T1056.001 |
| Collection | Screen Capture | T1113 |
| Collection | Audio Capture | T1123 |
| Collection | Video Capture | T1125 |
| Collection | Clipboard Data | T1115 |
| C2 | Application Layer Protocol | T1071.001 |
| C2 | Protocol Tunneling | T1572 |
| Lateral Movement | SMB/Windows Admin Shares | T1021.002 |
| Impact | Resource Hijacking | T1496 |
| Impact | Network DoS | T1498 |
| Exfiltration | Over C2 Channel | T1041 |
GitHub Repositories (Report to Trust & Safety)
github.com/percohack/sheetrat
github.com/TheOralCigaretts-1/SheetRat-2.6.4.
github.com/brawlervenia2-oss/SheetRat
github.com/brawlervenia2-oss/SheetRatHelper
Detection Guidance
DNS/Proxy: Block *.a.free.pinggy.link if Pinggy tunnels are not used in your environment. If they are, monitor for connections from non-browser processes.
Endpoint: Hunt for the imphash f34d5f2d4577ed6d9ceec516c1f5a744 across your fleet. Search for xdwd.dll drops. Monitor for MSFT_MpPreference WMI modifications adding exclusion paths -- this is a high-fidelity signal regardless of the malware family. Alert on api64.ipify.org connections from non-browser processes.
Registry: Monitor the five persistence locations listed above, particularly the Userinit and AppInit_DLLs keys, which are less commonly used by legitimate software and therefore higher signal.
Process: Alert on process termination targeting ProcessHacker.exe, procexp.exe, or taskmgr.exe -- these are classic RAT self-defense behaviors.
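Endpoint detection logic for the guidance above and for the five persistence locations listed under Defense Evasion, as an added example (not from the report's authors or any vendor): the event schema (dicts with a type key), the browser allowlist and the telemetry lines are constructed assumptions standing in for whatever Sysmon or EDR pipeline you run; the domain pattern, registry keys, WMI class, process names and masquerade filenames are the report's own indicators.

```python
import fnmatch

# Constructed allowlist of processes for which a Pinggy tunnel or an ipify
# lookup is plausibly benign; tune to your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
C2_PATTERN = "*.a.free.pinggy.link"
IP_DISCOVERY = "api64.ipify.org"
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe"}
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
HIGH_SIGNAL_KEYS = (  # rarely touched by legitimate software
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
)


def check_event(ev: dict) -> list:
    """Return the alert names one telemetry event triggers (empty if none)."""
    alerts = []
    proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    kind = ev["type"]
    if kind == "dns" and proc not in BROWSERS:
        query = ev["query"].lower()
        if fnmatch.fnmatch(query, C2_PATTERN):
            alerts.append("pinggy_tunnel_non_browser")
        if query == IP_DISCOVERY:
            alerts.append("ip_discovery_non_browser")
    if (kind == "wmi" and ev.get("class") == "MSFT_MpPreference"
            and "ExclusionPath" in ev.get("properties", ())):
        alerts.append("defender_exclusion_via_wmi")
    if kind == "registry_set":
        key = ev["key"].lower()
        if key.startswith(HIGH_SIGNAL_KEYS):
            alerts.append("persistence_high_signal")
        elif key.startswith(RUN_KEYS):
            alerts.append("persistence_run_key")
    if kind == "process_terminate" and ev["target"].lower() in ANALYSIS_TOOLS:
        alerts.append("analysis_tool_killed")
    return alerts


def scan(events: list) -> list:
    """Run every rule over a list of events; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed telemetry: a SheetRAT-style infection plus one benign tunnel use.
RAT = r"C:\Users\victim\AppData\Roaming\OBS Studio.exe"  # masquerade filename
EVENTS = [
    {"type": "dns", "query": "xyz123.a.free.pinggy.link", "image": RAT},
    {"type": "dns", "query": "demo.a.free.pinggy.link", "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"type": "dns", "query": "api64.ipify.org", "image": RAT},
    {"type": "wmi", "class": "MSFT_MpPreference", "properties": ["ExclusionPath"]},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OBS Studio"},
    {"type": "process_terminate", "target": "ProcessHacker.exe", "image": RAT},
]

if __name__ == "__main__":
    for idx, alert in scan(EVENTS):
        print(idx, alert)
```

The browser-originated Pinggy lookup (event 1) is deliberately left silent, which is the trade-off the guidance describes for environments where Pinggy is legitimately used.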
This investigation was conducted by Breakglass Intelligence's autonomous GHOST investigation system. SheetRAT samples were identified through MalwareBazaar monitoring. Builder analysis was performed through open-source intelligence collection. All cipher-cracking was accomplished through known-plaintext analysis against the obfuscated .NET User Strings heap. No samples were executed during this investigation.
Breakglass Intelligence | March 31, 2026