UNC2814
UNC2814 is a suspected People's Republic of China (PRC)-nexus cyber espionage group that Google Threat Intelligence Group (GTIG) has tracked since 2017. The group has historically targeted international governments and global telecommunications organizations across Africa, Asia, and the Americas. GTIG disclosed and disrupted a global UNC2814 espionage campaign that impacted 53 victims in 42 countries across four continents, with suspected infections in at least 20 additional countries. Reporting states the group has no observed overlap with activity publicly reported as Salt Typhoon.

UNC2814 is associated with a novel C-based backdoor named GRIDTIDE. GRIDTIDE abused legitimate Google Sheets API functionality for command-and-control, allowing malicious traffic to blend in with normal cloud API activity rather than exploiting a vulnerability in Google products. The malware is capable of executing arbitrary shell commands and uploading and downloading files. Reported tradecraft in victim environments included: use of a service account for SSH-based lateral movement; living-off-the-land binaries for reconnaissance, privilege escalation, and persistence; creation of a malicious systemd service for persistence; and deployment of SoftEther VPN Bridge to establish outbound encrypted connectivity. UNC2814 was also reported to target systems containing personally identifiable information, which GTIG assessed as consistent with telecommunications espionage used to identify, track, and monitor persons of interest.

Separate reporting states UNC2814 used persona-driven jailbreaking against AI systems for vulnerability research, including prompts such as "senior security auditor," "network security expert specializing in embedded devices," and "senior C/C++ binary security expert." These prompts were used to push past model safety guardrails while researching TP-Link firmware, remote code execution flaws, and Odette File Transfer Protocol (OFTP) implementations.

One cited source states that UNC2814 is also known as Gallium.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Telecommunication Services
- Government & Administration
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
33 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
227 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
PRC-linked actor using AI personas to bypass model safety guardrails and accelerate vulnerability research against firmware and file transfer software.
Uses AI models to bypass safety guardrails and assist vulnerability research against TP-Link firmware and Odette File Transfer Protocol implementations.
Using AI systems for exploit development and vulnerability research.
Conducting cyberespionage activity and using jailbreak prompts against Gemini to analyze TP-Link firmware.