{
	"id": "82a710b3-21ce-4968-952c-6d6329e7772c",
	"created_at": "2026-04-06T00:06:44.305698Z",
	"updated_at": "2026-04-10T03:34:28.239939Z",
	"deleted_at": null,
	"sha1_hash": "b38b5e3b11558ba8ce883301d71620a7926cf27a",
	"title": "Disrupting the GRIDTIDE Global Cyber Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 897278,
	"plain_text": "Disrupting the GRIDTIDE Global Cyber Espionage Campaign\r\nBy Google Threat Intelligence Group, Mandiant\r\nPublished: 2026-02-25 · Archived: 2026-04-05 13:59:07 UTC\r\nIntroduction\r\nLast week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage\r\ncampaign targeting telecommunications and government organizations in dozens of nations across four continents. The\r\nthreat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has\r\ntracked since 2017. This prolific, elusive actor has a long history of targeting international governments and global\r\ntelecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when\r\nthe disruption was executed. The attacker was using API calls to communicate with SaaS apps as command-and-control\r\n(C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to\r\nimprove the stealth of their intrusions. Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted\r\nproducts to function correctly and make their malicious traffic seem legitimate. This disruption, led by GTIG in partnership\r\nwith other teams, included the following actions:\r\nTerminating all Google Cloud Projects controlled by the attacker, effectively severing their persistent access to\r\nenvironments compromised by the novel GRIDTIDE backdoor.\r\nIdentifying and disabling all known UNC2814 infrastructure.\r\nDisabling attacker accounts and revoking access to the Google Sheets API calls leveraged by the actor for command-and-control (C2) purposes.\r\nReleasing a set of IOCs linked to UNC2814 infrastructure active since at least 2023.\r\nGTIG’s understanding of this campaign was accelerated by a recent Mandiant Threat Defense investigation into UNC2814\r\nactivity. 
Mandiant discovered that UNC2814 was leveraging a novel backdoor tracked as GRIDTIDE. This activity is not\r\nthe result of a security vulnerability in Google’s products; rather, it abuses legitimate Google Sheets API functionality to\r\ndisguise C2 traffic.\r\nAs of Feb. 18, GTIG's investigation confirmed that UNC2814 has impacted 53 victims in 42 countries across four\r\ncontinents, and identified suspected infections in at least 20 more countries. It is important to highlight that UNC2814 has\r\nno observed overlaps with activity publicly reported as “Salt Typhoon,” and targets different victims globally using distinct\r\ntactics, techniques, and procedures (TTPs). Although the specific initial access vector for this campaign has not been\r\ndetermined, UNC2814 has a history of gaining entry by exploiting and compromising web servers and edge systems.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 1 of 26\n\nFigure 1: GRIDTIDE infection lifecycle\r\nInitial Detection\r\nMandiant leverages Google Security Operations (SecOps) to perform continuous detection, investigation, and response\r\nacross our global customer base. During this investigation, a detection flagged suspicious activity on a CentOS server.\r\nIn this case, Mandiant’s investigation revealed a suspicious process tree: the binary /var/tmp/xapt initiated a shell with\r\nroot privileges. The binary then executed the command sh -c id 2\u003e\u00261 to retrieve the system's user and group identifiers.\r\nThis reconnaissance technique enabled the threat actor to confirm their successful privilege escalation to root. Mandiant\r\nanalysts triaged the alert, confirmed the malicious intent, and reported the activity to the customer. 
This rapid identification\r\nof a sophisticated threat actor’s TTPs demonstrates the value of Google Cloud’s Shared Fate model, which provides\r\norganizations with curated, out-of-the-box (OOB) detection content designed to help organizations better defend against\r\nmodern intrusions.\r\n[Process Tree]\r\n/var/tmp/xapt\r\n └── /bin/sh\r\n  └── sh -c id 2\u003e\u00261\r\n   └── [Output] uid=0(root) gid=0(root) groups=0(root)\r\nThe payload was likely named xapt to masquerade as the legacy tool used in Debian-based systems.\r\nPost-Compromise Activity\r\nThe threat actor used a service account to move laterally within the environment via SSH. Leveraging living-off-the-land\r\n(LotL) binaries, the threat actor performed reconnaissance activities, escalated privileges, and set up persistence for the\r\nGRIDTIDE backdoor.\r\nTo achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once\r\nenabled, a new instance of the malware was spawned from /usr/sbin/xapt.\r\nThe threat actor initially executed GRIDTIDE via the command nohup ./xapt. This allows the backdoor to continue\r\nrunning even after the session is closed.\r\nSubsequently, SoftEther VPN Bridge was deployed to establish an outbound encrypted connection to an external IP address.\r\nVPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018.\r\nThe threat actor dropped GRIDTIDE onto an endpoint containing personally identifiable information (PII), including:\r\nFull name\r\nPhone number\r\nDate of birth\r\nPlace of birth\r\nVoter ID number\r\nNational ID number\r\nWe assess the targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is\r\nprimarily leveraged to identify, track, and monitor persons of interest. 
We expect UNC2814 used this access to exfiltrate a\r\nvariety of data on persons and their communications. Similar campaigns have been used to exfiltrate call data records,\r\nmonitor SMS messages, and even to monitor targeted individuals through the telco’s lawful intercept capabilities.\r\nGTIG did not directly observe UNC2814 exfiltrate sensitive data during this campaign. However, historical PRC-nexus\r\nespionage intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the\r\ncompromise and abuse of lawful intercept systems. This historical focus on sensitive communications is intended to enable\r\nthe targeting of individuals and organizations for surveillance efforts, particularly dissidents and activists, as well as\r\ntraditional espionage targets. The access UNC2814 achieved during this campaign would likely enable clandestine efforts to\r\nsimilarly surveil targets.\r\nGRIDTIDE\r\nGRIDTIDE is a sophisticated C-based backdoor with the ability to execute arbitrary shell commands, upload files, and\r\ndownload files. The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a\r\ndocument, but as a communication channel to facilitate the transfer of raw data and shell commands. GRIDTIDE hides its\r\nmalicious traffic within legitimate cloud API requests, evading standard network detection. While the GRIDTIDE sample\r\nFLARE analyzed as part of this campaign leverages Google Sheets for its C2, the actor could easily make use of other\r\ncloud-based spreadsheet platforms in the same manner.\r\nGoogle Sheets\r\nGRIDTIDE expects a 16-byte cryptographic key to be present in a separate file on the host at the time of execution. 
The\r\nmalware uses this key to decrypt its Google Drive configurations using AES-128 in Cipher Block Chaining (CBC) mode.\r\nThe Google Drive configuration data contains the service account associated with UNC2814’s Google Sheets document, and\r\na private key for the account. It also contains the Google Spreadsheet ID and the private key to access the document.\r\nGRIDTIDE then connects to the malicious Google Spreadsheet using the Google Service Account for API authentication\r\n(the threat actor’s Google Service Account and associated Google Workspace have been disabled).\r\nWhen executed, GRIDTIDE sanitizes its Google Sheet. It does this by deleting the first 1000 rows, across columns A to Z in\r\nthe spreadsheet, by using the Google Sheets API batchClear method. This prevents previous commands or file data stored\r\nin the Sheet from interfering with the threat actor’s current session.\r\nOnce the Sheet is prepared, the backdoor conducts host-based reconnaissance. It fingerprints the endpoint by collecting the\r\nvictim’s username, endpoint name, OS details, local IP address, and environmental data such as the current working\r\ndirectory, language settings, and local time zone. 
This information is then exfiltrated and stored in cell V1 of the attacker-controlled spreadsheet.\r\nCommand Syntax\r\nThe threat actor issues instructions using a four-part command syntax: \u003ctype\u003e-\u003ccommand_id\u003e-\u003carg_1\u003e-\u003carg_2\u003e.\r\n\u003ctype\u003e Commands originating from the threat actor are categorized as type C (Client).\r\n\u003ccommand_id\u003e\r\nC (Command): Executes Base64-encoded Bash shell commands on the endpoint and redirects the output to\r\nthe spreadsheet.\r\nU (Upload): Uploads the data stored in the cells A2:A\u003carg_2\u003e to the target endpoint, reconstructs it, and writes it to\r\nthe encoded file path \u003carg_1\u003e.\r\nD (Download): Reads the data from the encoded local file path \u003carg_1\u003e on the endpoint and transfers the\r\ncontents in 45-KB fragments to the spreadsheet across the A2:An range.\r\nIn response, the malware posts a Server (S) status message to cell A1, confirming the successful completion of the task\r\n(R) or returning an error:\r\n\u003ctype\u003e Responses originating from the malware are categorized as type S (Server).\r\n\u003ccommand_id\u003e Matches the \u003ccommand_id\u003e value sent by the threat actor.\r\n\u003carg_1\u003e Indicates that the command executed successfully (R), or carries an error message.\r\n\u003carg_2\u003e Exfiltrated data is saved within the range A2:A\u003carg_2\u003e; this value is the upper cell number of the\r\ndata.\r\nCell-Based C2\r\nGRIDTIDE’s C2 communication works on a cell-based polling mechanism, assigning specific roles to spreadsheet cells to\r\nfacilitate communication.\r\nA1: The malware polls this cell via the Google Sheets API for attacker commands, and subsequently overwrites it\r\nwith a status response upon completion (e.g., S-C-R, or Server-Command-Success). 
If no command exists in the cell,\r\nthe malware sleeps for one second before trying again. If the number of attempts reaches 120, it changes the sleep time\r\nto a random duration between 5 and 10 minutes, likely to reduce noise when the threat actor is not active. When a\r\ncommand does exist in the cell, GRIDTIDE executes it and resets the wait time to one second.\r\nA2-An: Used for the transfer of data, such as command output, uploading tools, or exfiltrating files.\r\nV1: Stores system data from the victim endpoint. When executed, the malware updates this cell with an encoded\r\nstring containing host-based metadata.\r\nObfuscation and Evasion\r\nTo evade detection and web filtering, GRIDTIDE employs a URL-safe Base64 encoding scheme for all data sent and\r\nreceived. This encoding variant replaces the standard Base64 characters (+ and /) with alternatives (- and _).\r\nCommand Execution Lifecycle\r\nFigure 2: GRIDTIDE execution lifecycle\r\nTargeting\r\nFigure 3: Countries with suspected or confirmed UNC2814 victims\r\nUNC2814 is a suspected PRC-nexus threat actor that has conducted global operations since at least 2017. The group's recent\r\nactivity leveraging GRIDTIDE malware has primarily focused on targeting telecommunications providers on a worldwide\r\nscale, but UNC2814 also targeted government organizations during this campaign.\r\nGTIG confirmed 53 intrusions by UNC2814 in 42 total nations globally, and identified suspected targeting in at least 20\r\nother nations. This prolific scope is likely the result of a decade of concentrated effort.\r\nDisrupting UNC2814\r\nGTIG is committed to actively countering and disrupting malicious operations, ensuring the safety of our customers and\r\nmitigating the global impact of this malicious cyber activity. 
\r\nTo counter UNC2814’s operations, GTIG executed a series of coordinated disruption actions:\r\nElimination of GRIDTIDE Access: We terminated all Cloud Projects controlled by the attacker, effectively severing\r\ntheir persistent access to environments compromised by the GRIDTIDE backdoor.\r\nInfrastructure Takedown: In collaboration with partners, we identified and disabled all known UNC2814\r\ninfrastructure. This included the sinkholing of both current and historical domains used by the group in order to\r\nfurther dismantle UNC2814’s access to compromised environments.\r\nAccount Disruption: GTIG and its partners disabled attacker accounts, revoked access to the Google Sheets, and\r\ndisabled all Google Cloud projects leveraged by the actor for command-and-control (C2) purposes.\r\nVictim Notifications: GTIG has issued formal victim notifications and is actively supporting organizations with\r\nverified compromises resulting from this threat.\r\nDetection Signatures: We have refined and implemented a variety of signatures and signals designed to neutralize\r\nUNC2814 operations and intercept malware linked to GRIDTIDE.\r\nIOC Release: We are publicly releasing a collection of IOCs related to UNC2814 infrastructure that the group has\r\nused since at least 2023 to help organizations identify this activity in their networks and better protect customers and\r\norganizations around the world.\r\nConclusion\r\nThe global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores\r\nthe serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade\r\ndetection by defenders. Prolific intrusions of this scale are generally the result of years of focused effort and will not be\r\neasily re-established. 
We expect that UNC2814 will work hard to re-establish their global footprint.\r\nDetection Through Google Security Operations\r\nGoogle SecOps customers have access to these broad category rules and more under the Mandiant Hunting rule pack. The\r\nactivity discussed in the blog post is detected in Google SecOps under the rule names:\r\nSuspicious Shell Execution From Var Directory\r\nSuspicious Sensitive File Access Via SSH\r\nConfig File Staging in Sensitive Directories\r\nShell Spawning Curl Archive Downloads from IP\r\nNumeric Permission Profiling in System Paths\r\nSudo Shell Spawning Reconnaissance Tools\r\nPotential Google Sheets API Data Exfiltration\r\nSecOps Hunting Queries\r\nThe following UDM queries can be used to identify potential compromises within your environment.\r\nSuspicious Google Sheets API Connections\r\nSearch for a non-browser process initiating outbound HTTPS requests to specific Google Sheets URIs leveraged by\r\nGRIDTIDE.\r\ntarget.url = /sheets\\.googleapis\\.com/\r\n(\r\n target.url = /batchClear/ OR\r\n target.url = /batchUpdate/ OR\r\n target.url = /valueRenderOption=FORMULA/\r\n)\r\nprincipal.process.file.full_path != /chrome|firefox|safari|msedge/\r\nConfig File Creation in Suspicious Directory\r\nIdentify configuration files being created in, modified in, or moved to unexpected locations.\r\n(\r\n metadata.event_type = \"FILE_CREATION\" OR\r\n metadata.event_type = \"FILE_MODIFICATION\" OR\r\n metadata.event_type = \"FILE_MOVE\"\r\n)\r\nAND target.file.full_path = /^(\\/usr\\/sbin|\\/sbin|\\/var\\/tmp)\\/[^\\\\\\/]+\\.cfg$/ nocase\r\nSuspicious Shell Execution from /var/tmp/\r\nDetects executables with short alphanumeric filenames launching from the /var/tmp/ directory and spawning a shell.\r\nprincipal.process.file.full_path = /^\\/var\\/tmp\\/[a-z0-9]{1,10}$/ nocase AND\r\ntarget.process.file.full_path = 
/\\b(ba)?sh$/ nocase\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are available in a free Google Threat Intelligence (GTI) collection for registered users.\r\nHost-Based Artifacts\r\nArtifact Description Hash (SHA256)\r\nxapt GRIDTIDE ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47\r\nxapt.cfg\r\nKey file used by\r\nGRIDTIDE to\r\ndecrypt its Google\r\nDrive configuration.\r\n01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb\r\nxapt.service\r\nMalicious systemd\r\nservice file created\r\nfor GRIDTIDE\r\npersistence.\r\neb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033\r\nhamcore.se2\r\nSoftEtherVPN\r\nBridge component.\r\n4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9\r\nfire SoftEtherVPN\r\nBridge component\r\n(renamed from\r\nvmlog ). Extracted\r\n4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 8 of 26\n\nfrom\r\nupdate.tar.gz .\r\nvpn_bridge.config\r\nSoftEtherVPN\r\nBridge\r\nconfiguration.\r\n669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966\r\napt.tar.gz\r\nArchive downloaded\r\nfrom\r\n130.94.6[.]228 .\r\nContained\r\nGRIDTIDE.\r\nN/A\r\nupdate.tar.gz\r\nAdditional archive\r\ndownloaded.\r\nContained vmlog\r\n(renamed to fire ),\r\na SoftEtherVPN\r\nBridge component.\r\nN/A\r\namp.tar.gz\r\nAdditional archive\r\ndownloaded.\r\nContained\r\nhamcore.se2 , a\r\nSoftEtherVPN\r\nBridge component.\r\nN/A\r\npmp GRIDTIDE variant. 
N/A\r\npmp.cfg\r\nGRIDTIDE variant\r\nkey file.\r\nN/A\r\nNetwork-Based Artifacts\r\nType Description Artifact\r\nIP\r\nC2 server hosting\r\napt.tar.gz,\r\nupdate.tar.gz, and\r\namp.tar.gz.\r\n130[.]94[.]6[.]228\r\nIP\r\nTarget of a curl -ik\r\ncommand to verify\r\nHTTPS access to their\r\ninfrastructure.\r\n38[.]180[.]205[.]14\r\nIP\r\nThreat actor’s\r\nSoftEtherVPN server.\r\n38[.]60[.]194[.]21\r\nIP Attacker IP 38[.]54[.]112[.]184\r\nIP Attacker IP 38[.]60[.]171[.]242\r\nIP Attacker IP 195[.]123[.]211[.]70\r\nIP Attacker IP 202[.]59[.]10[.]122\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n38[.]60[.]252[.]66\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n45[.]76[.]184[.]214\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n45[.]90[.]59[.]129\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n195[.]123[.]226[.]235\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n65[.]20[.]104[.]91\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n5[.]34[.]176[.]6\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n139[.]84[.]236[.]237\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n149[.]28[.]128[.]128\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n38[.]54[.]31[.]146\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n178[.]79[.]188[.]181\r\nIP\r\nHosting malicious C2\r\ndomain.\r\n38[.]54[.]37[.]196\r\nIP SoftEtherVPN server. 207[.]148[.]73[.]18\r\nIP SoftEtherVPN server. 38[.]60[.]224[.]25\r\nIP SoftEtherVPN server. 149[.]28[.]139[.]125\r\nIP SoftEtherVPN server. 38[.]54[.]32[.]244\r\nIP SoftEtherVPN server. 38[.]54[.]82[.]69\r\nIP SoftEtherVPN server. 45[.]76[.]157[.]113\r\nIP SoftEtherVPN server. 45[.]77[.]254[.]168\r\nIP SoftEtherVPN server. 
139[.]180[.]219[.]115\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 11 of 26\n\nUser-Agent\r\nGRIDTIDE User-Agent\r\nstring.\r\nDirectory API Google-API-Java-Client/2.0.0 Google-HTTP-Java-Client/1.42.3 (gzip)\r\nUser-AgentGRIDTIDE User-Agent\r\nstring.\r\nGoogle-HTTP-Java-Client/1.42.3 (gzip)\r\nDomain C2 domain 1cv2f3d5s6a9w[.]ddnsfree[.]com\r\nDomain C2 domain admina[.]freeddns[.]org\r\nDomain C2 domain afsaces[.]accesscam[.]org\r\nDomain C2 domain ancisesic[.]accesscam[.]org\r\nDomain C2 domain applebox[.]camdvr[.]org\r\nDomain C2 domain appler[.]kozow[.]com\r\nDomain C2 domain asdad21ww[.]freeddns[.]org\r\nDomain C2 domain aw2o25forsbc[.]camdvr[.]org\r\nDomain C2 domain awcc001jdaigfwdagdcew[.]giize[.]com\r\nDomain C2 domain bab2o25com[.]accesscam[.]org\r\nDomain C2 domain babaji[.]accesscam[.]org\r\nDomain C2 domain babi5599ss[.]ddnsgeek[.]com\r\nDomain C2 domain balabalabo[.]mywire[.]org\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 12 of 26\n\nDomain C2 domain bggs[.]giize[.]com\r\nDomain C2 domain bibabo[.]freeddns[.]org\r\nDomain C2 domain binmol[.]webredirect[.]org\r\nDomain C2 domain bioth[.]giize[.]com\r\nDomain C2 domain Boemobww[.]ddnsfree[.]com\r\nDomain C2 domain brcallletme[.]theworkpc[.]com\r\nDomain C2 domain btbtutil[.]theworkpc[.]com\r\nDomain C2 domain btltan[.]ooguy[.]com\r\nDomain C2 domain camcampkes[.]ddnsfree[.]com\r\nDomain C2 domain camsqewivo[.]kozow[.]com\r\nDomain C2 domain ccammutom[.]ddnsgeek[.]com\r\nDomain C2 domain cdnvmtools[.]theworkpc[.]com\r\nDomain C2 domain cloacpae[.]ddnsfree[.]com\r\nDomain C2 domain cmwwoods1[.]theworkpc[.]com\r\nDomain C2 domain cnrpaslceas[.]freeddns[.]org\r\nDomain C2 domain codemicros12[.]gleeze[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 13 of 26\n\nDomain C2 domain 
cressmiss[.]ooguy[.]com\r\nDomain C2 domain cvabiasbae[.]ddnsfree[.]com\r\nDomain C2 domain cvnoc01da1cjmnftsd[.]accesscam[.]org\r\nDomain C2 domain cvpc01aenusocirem[.]accesscam[.]org\r\nDomain C2 domain cvpc01cgsdfn53hgd[.]giize[.]com\r\nDomain C2 domain DCLCWPDTSDCC[.]ddnsfree[.]com\r\nDomain C2 domain dlpossie[.]ddnsfree[.]com\r\nDomain C2 domain dnsfreedb[.]ddnsfree[.]com\r\nDomain C2 domain doboudix1024[.]mywire[.]org\r\nDomain C2 domain evilginx2[.]loseyourip[.]com\r\nDomain C2 domain examp1e[.]webredirect[.]org\r\nDomain C2 domain faeelt[.]giize[.]com\r\nDomain C2 domain fakjcsaeyhs[.]ddnsfree[.]com\r\nDomain C2 domain fasceadvcva3[.]gleeze[.]com\r\nDomain C2 domain ffosies2024[.]camdvr[.]org\r\nDomain C2 domain fgdedd1dww[.]gleeze[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 14 of 26\n\nDomain C2 domain filipinet[.]ddnsgeek[.]com\r\nDomain C2 domain freeios[.]theworkpc[.]com\r\nDomain C2 domain ftpuser14[.]gleeze[.]com\r\nDomain C2 domain ftpzpak[.]kozow[.]com\r\nDomain C2 domain globoss[.]kozow[.]com\r\nDomain C2 domain gogo2025up[.]ddnsfree[.]com\r\nDomain C2 domain googlel[.]gleeze[.]com\r\nDomain C2 domain googles[.]accesscam[.]org\r\nDomain C2 domain googles[.]ddnsfree[.]com\r\nDomain C2 domain googlett[.]camdvr[.]org\r\nDomain C2 domain googllabwws[.]gleeze[.]com\r\nDomain C2 domain gtaldps31c[.]ddnsfree[.]com\r\nDomain C2 domain hamkorg[.]kozow[.]com\r\nDomain C2 domain honidoo[.]loseyourip[.]com\r\nDomain C2 domain huygdr12[.]loseyourip[.]com\r\nDomain C2 domain icekancusjhea[.]ddnsgeek[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 15 of 26\n\nDomain C2 domain idstandsuui[.]kozow[.]com\r\nDomain C2 domain indoodchat[.]theworkpc[.]com\r\nDomain C2 domain jarvis001[.]freeddns[.]org\r\nDomain C2 domain Kaushalya[.]freeddns[.]org\r\nDomain C2 domain khyes001ndfpnuewdm[.]kozow[.]com\r\nDomain C2 domain 
kskxoscieontrolanel[.]gleeze[.]com\r\nDomain C2 domain ksv01sokudwongsj[.]theworkpc[.]com\r\nDomain C2 domain lcskiecjj[.]loseyourip[.]com\r\nDomain C2 domain lcskiecs[.]ddnsfree[.]com\r\nDomain C2 domain losiesca[.]ddnsgeek[.]com\r\nDomain C2 domain lps2staging[.]ddnsfree[.]com\r\nDomain C2 domain lsls[.]casacam[.]net\r\nDomain C2 domain ltiuys[.]ddnsgeek[.]com\r\nDomain C2 domain ltiuys[.]kozow[.]com\r\nDomain C2 domain mailsdy[.]gleeze[.]com\r\nDomain C2 domain maliclick1[.]ddnsfree[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 16 of 26\n\nDomain C2 domain mauritasszddb[.]ddnsfree[.]com\r\nDomain C2 domain meetls[.]kozow[.]com\r\nDomain C2 domain Microsoft[.]bumbleshrimp[.]com\r\nDomain C2 domain ml3[.]freeddns[.]org\r\nDomain C2 domain mlksucnayesk[.]kozow[.]com\r\nDomain C2 domain mmmfaco2025[.]mywire[.]org\r\nDomain C2 domain mms[.]bumbleshrimp[.]com\r\nDomain C2 domain mmvmtools[.]giize[.]com\r\nDomain C2 domain modgood[.]gleeze[.]com\r\nDomain C2 domain Mosplosaq[.]accesscam[.]org\r\nDomain C2 domain mysql[.]casacam[.]net\r\nDomain C2 domain nenigncagvawr[.]giize[.]com\r\nDomain C2 domain nenignenigoncqvoo[.]ooguy[.]com\r\nDomain C2 domain nenigoncqnutgo[.]accesscam[.]org\r\nDomain C2 domain nenigoncuopzc[.]giize[.]com\r\nDomain C2 domain nims[.]gleeze[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 17 of 26\n\nDomain C2 domain nisaldwoa[.]theworkpc[.]com\r\nDomain C2 domain nmszablogs[.]ddnsfree[.]com\r\nDomain C2 domain nodekeny11[.]freeddns[.]org\r\nDomain C2 domain nodjs2o25nodjs[.]giize[.]com\r\nDomain C2 domain Npeoples[.]theworkpc[.]com\r\nDomain C2 domain officeshan[.]kozow[.]com\r\nDomain C2 domain okkstt[.]ddnsgeek[.]com\r\nDomain C2 domain oldatain1[.]ddnsgeek[.]com\r\nDomain C2 domain onlyosun[.]ooguy[.]com\r\nDomain C2 domain osix[.]ddnsgeek[.]com\r\nDomain C2 domain ovmmiuy[.]mywire[.]org\r\nDomain 
C2 domain palamolscueajfvc[.]gleeze[.]com\r\nDomain C2 domain pawanp[.]kozow[.]com\r\nDomain C2 domain pcmainecia[.]ddnsfree[.]com\r\nDomain C2 domain pcvmts3[.]kozow[.]com\r\nDomain C2 domain peisuesacae[.]loseyourip[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 18 of 26\n\nDomain C2 domain peowork[.]ddnsgeek[.]com\r\nDomain C2 domain pepesetup[.]ddnsfree[.]com\r\nDomain C2 domain pewsus[.]freeddns[.]org\r\nDomain C2 domain plcoaweniva[.]ddnsgeek[.]com\r\nDomain C2 domain PolicyAgent[.]theworkpc[.]com\r\nDomain C2 domain polokinyea[.]gleeze[.]com\r\nDomain C2 domain pplodsssead222[.]loseyourip[.]com\r\nDomain C2 domain pplosad231[.]kozow[.]com\r\nDomain C2 domain ppsaBedon[.]gleeze[.]com\r\nDomain C2 domain prdanjana01[.]ddnsfree[.]com\r\nDomain C2 domain prepaid127[.]freeddns[.]org\r\nDomain C2 domain PRIFTP[.]kozow[.]com\r\nDomain C2 domain prihxlcs[.]ddnsfree[.]com\r\nDomain C2 domain prihxlcsw[.]theworkpc[.]com\r\nDomain C2 domain pxlaxvvva[.]freeddns[.]org\r\nDomain C2 domain quitgod2023luck[.]giize[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 19 of 26\n\nDomain C2 domain rabbit[.]ooguy[.]com\r\nDomain C2 domain rsm323[.]kozow[.]com\r\nDomain C2 domain saf3asg[.]giize[.]com\r\nDomain C2 domain Scopps[.]ddnsgeek[.]com\r\nDomain C2 domain sdhite43[.]ddnsfree[.]com\r\nDomain C2 domain sdsuytoins63[.]kozow[.]com\r\nDomain C2 domain selfad[.]gleeze[.]com\r\nDomain C2 domain serious[.]kozow[.]com\r\nDomain C2 domain setupcodpr2[.]freeddns[.]org\r\nDomain C2 domain sgsn[.]accesscam[.]org\r\nDomain C2 domain Smartfren[.]giize[.]com\r\nDomain C2 domain sn0son4t31bbsvopou[.]camdvr[.]org\r\nDomain C2 domain sn0son4t31opc[.]freeddns[.]org\r\nDomain C2 domain soovuy[.]gleeze[.]com\r\nDomain C2 domain styuij[.]mywire[.]org\r\nDomain C2 domain 
supceasfg1[.]loseyourip[.]com\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/\r\nPage 20 of 26\r\nDomain C2 domain systemsz[.]kozow[.]com\r\nDomain C2 domain t31c0mjumpcuyerop[.]ooguy[.]com\r\nDomain C2 domain t31c0mopamcuiomx[.]kozow[.]com\r\nDomain C2 domain t31c0mopmiuewklg[.]webredirect[.]org\r\nDomain C2 domain t31c0mopocuveop[.]accesscam[.]org\r\nDomain C2 domain t3lc0mcanyqbfac[.]loseyourip[.]com\r\nDomain C2 domain t3lc0mczmoihwc[.]camdvr[.]org\r\nDomain C2 domain t3lc0mh4udncifw[.]casacam[.]net\r\nDomain C2 domain t3lc0mhasvnctsk[.]giize[.]com\r\nDomain C2 domain t3lm0rtlcagratu[.]kozow[.]com\r\nDomain C2 domain tch[.]giize[.]com\r\nDomain C2 domain telcomn[.]giize[.]com\r\nDomain C2 domain telen[.]bumbleshrimp[.]com\r\nDomain C2 domain telkom[.]ooguy[.]com\r\nDomain C2 domain telkomservices[.]theworkpc[.]com\r\nDomain C2 domain thbio[.]kozow[.]com\r\nDomain C2 domain timpe[.]kozow[.]com\r\nDomain C2 domain timpe[.]webredirect[.]org\r\nDomain C2 domain tlse001hdfuwwgdgpnn[.]theworkpc[.]com\r\nDomain C2 domain tltlsktelko[.]ddnsfree[.]com\r\nDomain C2 domain transport[.]dynuddns[.]net\r\nDomain C2 domain trvcl[.]bumbleshrimp[.]com\r\nDomain C2 domain ttsiou12[.]loseyourip[.]com\r\nDomain C2 domain ua2o25yth[.]ddnsgeek[.]com\r\nDomain C2 domain udieyg[.]gleeze[.]com\r\nDomain C2 domain unnjunnani[.]ddnsfree[.]com\r\nDomain C2 domain updatamail[.]kozow[.]com\r\nDomain C2 domain updatasuccess[.]ddnsgeek[.]com\r\nDomain C2 domain updateservices[.]kozow[.]com\r\nDomain C2 domain updatetools[.]giize[.]com\r\nDomain C2 domain uscplxsecjs[.]ddnsgeek[.]com\r\nDomain C2 domain USOShared1[.]ddnsfree[.]com\r\nDomain C2 domain vals[.]bumbleshrimp[.]com\r\nDomain C2 domain vass[.]ooguy[.]com\r\nDomain C2 domain vass2025[.]casacam[.]net\r\nDomain C2 domain vmtools[.]camdvr[.]org\r\nDomain C2 domain vmtools[.]loseyourip[.]com\r\nDomain C2 domain vosies[.]ddnsfree[.]com\r\nDomain C2 domain vpaspmine[.]freeddns[.]org\r\nDomain C2 domain wdlcamaakc[.]ooguy[.]com\r\nDomain C2 domain winfoss1[.]kozow[.]com\r\nDomain C2 domain ysiohbk[.]camdvr[.]org\r\nDomain C2 domain zammffayhd[.]ddnsfree[.]com\r\nDomain C2 domain zmcmvmbm[.]ddnsfree[.]com\r\nDomain C2 domain zwmn350n3o1fsdf3gs[.]kozow[.]com\r\nDomain C2 domain zwmn350n3o1ugety2xbe[.]camdvr[.]org\r\nDomain C2 domain zwmn350n3o1vsdrggs[.]ddnsfree[.]com\r\nDomain C2 domain zwt310n3o1unety2kab[.]webredirect[.]org\r\nDomain C2 domain zwt310n3o2unety6a3k[.]kozow[.]com\r\nDomain C2 domain zwt31n3t0nidoqmve[.]camdvr[.]org\r\nDomain C2 domain zwt3ln3t1aimckalw[.]theworkpc[.]com\r\nSHA256 Hash Self-signed X.509 SSL certificate d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606\r\nDescription URLs\r\nArchive contained GRIDTIDE. http://130[.]94[.]6[.]228/apt.tar.gz\r\nArchive contained a SoftEtherVPN Bridge component. http://130[.]94[.]6[.]228/update.tar.gz\r\nArchive contained a SoftEtherVPN Bridge component. http://130[.]94[.]6[.]228/amp.tar.gz\r\nGRIDTIDE leverages this API endpoint to monitor cell A1 of the spreadsheet for threat actor commands. https://sheets[.]googleapis[.]com:443/v4/spreadsheets/\u003cGoogleSheetID\u003e/values/A1?valueRenderOption=FORMULA\r\nGRIDTIDE leverages this API endpoint to clear data from the first 1000 rows of the spreadsheet. https://sheets[.]googleapis[.]com:443/v4/spreadsheets/\u003cGoogleSheetID\u003e/values:batchClear\r\nGRIDTIDE leverages this API endpoint to exfiltrate victim host metadata to cell V1, report command execution output and status messages to cell A1, and to transfer data into the A2:An cell range. https://sheets[.]googleapis[.]com:443/v4/spreadsheets/\u003cGoogleSheetID\u003e/values:batchUpdate\r\nGRIDTIDE leverages this API endpoint to transfer data from the A2:An cell range to the victim host. https://sheets[.]googleapis[.]com:443/v4/spreadsheets/\u003cGoogleSheetID\u003e/values/A2:A\u003ccell_number\u003e?valueRenderOption=FORMULA\r\nGRIDTIDE YARA Rule\r\nrule G_APT_Backdoor_GRIDTIDE_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n    strings:\r\n        $s1 = { 7B 22 61 6C 67 22 3A 22 52 53 32 35 36 22 2C 22 6B 69 64 22 3A 22 25 73 22 2C 22 74 79 70 22 3A } // hex string ends here in the archived text\r\n        $s2 = { 2F 70 72 6F 63 2F 73 65 6C 66 2F 65 78 65 00 }\r\n        $s3 = { 7B 22 72 61 6E 67 65 73 22 3A 5B 22 61 31 3A 7A 31 30 30 30 22 5D 7D 00 }\r\n        $s4 = { 53 2D 55 2D 25 73 2D 31 00 }\r\n        $s5 = { 53 2D 55 2D 52 2D 31 00 }\r\n        $s6 = { 53 2D 44 2D 25 73 2D 30 00 }\r\n        $s7 = { 53 2D 44 2D 52 2D 25 64 00 }\r\n    condition:\r\n        (uint32(0) == 0x464c457f) and 6 of ($*)\r\n}\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/"
	],
	"report_names": [
		"disrupting-gridtide-global-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67e374ee-2b92-4fc2-ab8b-f730543840e3",
			"created_at": "2026-03-08T02:00:03.469097Z",
			"updated_at": "2026-04-10T02:00:03.98028Z",
			"deleted_at": null,
			"main_name": "UNC2814",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2814",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b38b5e3b11558ba8ce883301d71620a7926cf27a.pdf",
		"text": "https://archive.orkl.eu/b38b5e3b11558ba8ce883301d71620a7926cf27a.txt",
		"img": "https://archive.orkl.eu/b38b5e3b11558ba8ce883301d71620a7926cf27a.jpg"
	}
}
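The IOC table in the record above describes a four-step C2 loop over the Google Sheets API (poll cell A1 for tasking, batchClear the first 1000 rows, batchUpdate results into V1/A1/A2:An, read A2:An back down), and the YARA rule keys on several NUL-terminated strings given only as hex. The script below is an added example, not code from the GTIG/Mandiant post: it classifies Sheets API requests from a proxy log into those stages, flags a (client host, spreadsheet ID) pair that shows repeated A1 polling plus a batchUpdate, and decodes the rule's hex strings so they can be read. The proxy log format, host names, spreadsheet IDs and stage labels are all constructed for illustration.

```python
"""Triage helpers for the GRIDTIDE Sheets-API C2 pattern in the IOC table above.

Added example, not code from the GTIG/Mandiant post. The proxy log format and
every host name / spreadsheet ID below are constructed for illustration; the
stage labels are this script's own names for the four endpoints the table lists.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Path shape shared by all four Sheets API endpoints in the IOC table.
_SHEET_PATH = re.compile(r"^/v4/spreadsheets/(?P<sheet>[^/]+)/values(?P<rest>[:/].*)$")

def classify_sheets_request(url):
    """Map a URL to (stage, spreadsheet_id) when it matches one of the four
    GRIDTIDE endpoint shapes, or None for anything else (including ordinary
    Sheets API use, which does not poll A1 with valueRenderOption=FORMULA)."""
    parts = urlsplit(url)
    if parts.hostname != "sheets.googleapis.com":
        return None
    m = _SHEET_PATH.match(parts.path)
    if not m:
        return None
    sheet, rest = m.group("sheet"), m.group("rest")
    formula = parse_qs(parts.query).get("valueRenderOption") == ["FORMULA"]
    if rest == "/A1" and formula:
        return ("poll_command", sheet)    # read cell A1 for operator tasking
    if rest == ":batchClear":
        return ("clear_sheet", sheet)     # wipe the first 1000 rows
    if rest == ":batchUpdate":
        return ("write_results", sheet)   # host metadata to V1, output to A1, data to A2:An
    if formula and re.fullmatch(r"/A2:A\d+", rest):
        return ("download_data", sheet)   # pull A2:An down to the victim host
    return None

# Hypothetical proxy export: "<timestamp> <client host> <method> <url>".
_LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def triage(log_lines, min_polls=3):
    """Count stages per (client host, spreadsheet ID) and flag pairs that show
    the C2 loop from the table: repeated A1 polling plus at least one
    batchUpdate from the same host against the same sheet."""
    stages = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue
        hit = classify_sheets_request(m.group("url"))
        if hit:
            stage, sheet = hit
            stages[(m.group("host"), sheet)][stage] += 1
    return [
        (host, sheet, dict(counts))
        for (host, sheet), counts in stages.items()
        if counts["poll_command"] >= min_polls and counts["write_results"] >= 1
    ]

def decode_yara_hex(hex_body):
    """Render a YARA hex string such as '{ 53 2D 55 2D 25 73 2D 31 00 }' as bytes,
    so the strings in the rule above can be read; the trailing 00 is the C NUL."""
    return bytes(int(b, 16) for b in hex_body.strip().strip("{}").split())

# Constructed sample: one beaconing server and one user's normal spreadsheet traffic.
SAMPLE_LOG = """\
2026-02-10T09:00:00Z srv-web01 GET https://sheets.googleapis.com:443/v4/spreadsheets/1AbCdEfSheetId/values/A1?valueRenderOption=FORMULA
2026-02-10T09:00:30Z srv-web01 GET https://sheets.googleapis.com:443/v4/spreadsheets/1AbCdEfSheetId/values/A1?valueRenderOption=FORMULA
2026-02-10T09:01:00Z srv-web01 GET https://sheets.googleapis.com:443/v4/spreadsheets/1AbCdEfSheetId/values/A1?valueRenderOption=FORMULA
2026-02-10T09:01:02Z srv-web01 POST https://sheets.googleapis.com:443/v4/spreadsheets/1AbCdEfSheetId/values:batchClear
2026-02-10T09:01:05Z srv-web01 POST https://sheets.googleapis.com:443/v4/spreadsheets/1AbCdEfSheetId/values:batchUpdate
2026-02-10T09:01:09Z srv-web01 GET https://sheets.googleapis.com:443/v4/spreadsheets/1AbCdEfSheetId/values/A2:A40?valueRenderOption=FORMULA
2026-02-10T09:02:00Z ws-finance07 GET https://sheets.googleapis.com/v4/spreadsheets/1LegitBudgetSheet/values/Sheet1!A1:D20
2026-02-10T09:03:00Z ws-finance07 GET https://docs.google.com/spreadsheets/d/1LegitBudgetSheet/edit
""".splitlines()

if __name__ == "__main__":
    for host, sheet, counts in triage(SAMPLE_LOG):
        print(f"{host} <-> sheet {sheet}: {counts}")
    for name, hx in [("$s3", "7B 22 72 61 6E 67 65 73 22 3A 5B 22 61 31 3A 7A 31 30 30 30 22 5D 7D 00"),
                     ("$s4", "53 2D 55 2D 25 73 2D 31 00")]:
        print(name, decode_yara_hex(hx))
```

Two caveats worth keeping in mind. The classifier needs URL-path visibility (a TLS-intercepting proxy or EDR URL telemetry); at the DNS or SNI layer `sheets.googleapis.com` is indistinguishable from legitimate use, which is exactly why the actor chose it. And the decoded rule strings tie back to the table: `$s3` is `{"ranges":["a1:z1000"]}`, the batchClear body for the first 1000 rows, while `$s1` is the start of a JWT header, `{"alg":"RS256","kid":"%s","typ":`, and `$s2` is `/proc/self/exe`, consistent with the rule's ELF-only condition.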