GRIDTIDE
GRIDTIDE is a previously undocumented C-based backdoor used by the threat actor UNC2814, which Google Threat Intelligence Group and Mandiant assess as a suspected PRC-nexus cyber-espionage group active since at least 2017. It was used in a global espionage campaign targeting telecommunications and government organizations, with confirmed victims in 42 countries and suspected additional infections in at least 20 more countries. Reporting states UNC2814 historically targeted international governments and global telecommunications organizations across Africa, Asia, and the Americas, and that the activity does not overlap with Salt Typhoon.
The malware abuses legitimate Google Sheets API functionality for command-and-control rather than exploiting a vulnerability in Google products, so its C2 traffic is ordinary HTTPS to a Google API endpoint and blends into normal cloud API activity. GRIDTIDE authenticates with Google service account credentials, including the account's private key, that are stored in an encrypted configuration; a 16-byte key file on the host is used to decrypt that configuration with AES-128-CBC. The decrypted configuration holds the service account, its private key material, and the spreadsheet ID used for C2, so an analyst who recovers the sample together with its key file also recovers the C2 identifiers worth reporting. On startup, GRIDTIDE wipes the sheet by calling the Google Sheets API batchClear method on the range A:Z, writes victim host metadata into cell V1, uses cell A1 for command polling and status responses, and uses cells A2 through An for data transfer. Reported capabilities are execution of arbitrary shell commands, file upload, and file download.
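To make the cell protocol concrete, the following is an added simulation of the channel as described above (editor-written example code, not GRIDTIDE's own code). One spreadsheet tab is modelled as an in-memory dictionary, so nothing touches the network. The startup batchClear on A:Z, host metadata in V1, command and status in A1, data in A2:An, and the U (Upload) command that writes A2:A<arg_2> to the encoded path <arg_1> follow the reporting; the "OP|arg1|arg2" command syntax, base64 row encoding, 1024-byte chunk size and "status:..." reply strings are assumptions made for the example.

```python
import base64
import json

CHUNK = 1024  # assumed chunk size; a Sheets cell holds at most 50,000 characters


class FakeSheet:
    """Constructed in-memory stand-in for one spreadsheet tab (no network).
    Cells are addressed the way the Sheets API addresses them: "A1", "V1", ..."""

    def __init__(self):
        self.cells = {}

    def batch_clear(self, ranges):
        """Loose model of values:batchClear; only the A:Z column range is modelled."""
        for rng in ranges:
            if rng == "A:Z":
                self.cells.clear()

    def get(self, addr):
        return self.cells.get(addr, "")

    def put(self, addr, value):
        self.cells[addr] = value


def _to_rows(data):
    """Split bytes into base64 rows destined for A2, A3, ... (encoding is assumed)."""
    return [base64.b64encode(data[i:i + CHUNK]).decode() for i in range(0, len(data), CHUNK)]


def _from_rows(sheet, last_row):
    """Reassemble A2:A<last_row> into bytes."""
    return b"".join(base64.b64decode(sheet.get(f"A{i}")) for i in range(2, last_row + 1))


class Implant:
    """Victim side. Startup behaviour and cell roles follow public reporting;
    the "OP|arg1|arg2" command syntax and "status:..." replies are assumptions."""

    def __init__(self, sheet, host_meta, fs):
        self.sheet = sheet
        self.fs = fs                             # constructed dict standing in for the victim's disk
        sheet.batch_clear(["A:Z"])               # reported startup behaviour
        sheet.put("V1", json.dumps(host_meta))   # reported: host fingerprint lives in V1

    def poll(self):
        """One polling cycle: read A1, act on it, and leave a status in A1."""
        cmd = self.sheet.get("A1")
        if not cmd or cmd.startswith("status:"):
            return None                          # nothing new from the operator
        op, *args = cmd.split("|")
        if op == "U":                            # reported: write A2:A<arg_2> to encoded path <arg_1>
            path = base64.b64decode(args[0]).decode()
            blob = _from_rows(self.sheet, int(args[1]))
            self.fs[path] = blob
            self.sheet.put("A1", f"status:U:{len(blob)}")
            return ("U", path, len(blob))
        self.sheet.put("A1", "status:unknown")
        return ("?", cmd)

    def send(self, data):
        """Implant-to-operator direction (command output or a downloaded file):
        spill the bytes into A2:An and announce the last row in A1."""
        rows = _to_rows(data)
        for i, row in enumerate(rows, start=2):
            self.sheet.put(f"A{i}", row)
        self.sheet.put("A1", f"status:D:{len(rows) + 1}")


class Operator:
    """Attacker side, acting on the same sheet through the same two cell roles."""

    def upload(self, sheet, remote_path, data):
        rows = _to_rows(data)
        for i, row in enumerate(rows, start=2):
            sheet.put(f"A{i}", row)
        enc_path = base64.b64encode(remote_path.encode()).decode()
        sheet.put("A1", f"U|{enc_path}|{len(rows) + 1}")

    def collect(self, sheet):
        """Read back whatever the implant announced in A1 as status:D:<last_row>."""
        status = sheet.get("A1")
        if not status.startswith("status:D:"):
            return None
        return _from_rows(sheet, int(status.rsplit(":", 1)[1]))


if __name__ == "__main__":
    sheet, disk = FakeSheet(), {}
    implant = Implant(sheet, {"user": "root", "host": "db01", "os": "CentOS"}, disk)
    Operator().upload(sheet, "/var/tmp/xapt", b"\x7fELF" + bytes(3000))
    print(implant.poll(), sorted(disk))   # ('U', '/var/tmp/xapt', 3004) ['/var/tmp/xapt']
    implant.send(b"uid=0(root) gid=0(root)\n")
    print(Operator().collect(sheet))
```

The detail worth noticing is that both directions share A2:An and A1 holds exactly one command or status at a time, so the operator must drain output before issuing the next command. On the wire that appears as tight read and write cycles against a single spreadsheet ID from one source host, which is the behavioural signal a network hunt can key on.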
Observed victim-side behavior included deployment on CentOS systems: a binary at /var/tmp/xapt spawned /bin/sh and ran sh -c id 2>&1 to confirm it was running as root. The filename xapt was assessed as likely chosen to masquerade as a legacy Debian-related tool. UNC2814 launched GRIDTIDE with nohup ./xapt, established persistence through a malicious systemd unit at /etc/systemd/system/xapt.service, and, once that unit was enabled, a new instance ran from /usr/sbin/xapt. Associated post-compromise activity included lateral movement over SSH using a service account, use of living-off-the-land binaries for reconnaissance, privilege escalation, and persistence, and deployment of SoftEther VPN Bridge as a secondary channel providing encrypted outbound connectivity to external infrastructure. For hunting, the combination the reporting supports is a systemd unit named xapt, executables with that name under /var/tmp and /usr/sbin, a root check via sh -c id spawned by one of them, and Sheets API traffic originating from a CentOS server.
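As an added hunting example (editor-written, not taken from the reporting), the following runs that host and network signature over constructed log lines. The key=value proxy and process-event formats, the server address list, the hostnames, timestamps and the EXAMPLE-SHEET-ID value are all made up for the example; the file and unit paths come from the reporting above, and sheets.googleapis.com with /v4/spreadsheets/<id>/values:batchClear and /values/<range> is the real shape of the Sheets API calls the page describes.

```python
import re

# Host artifacts named in public reporting on GRIDTIDE (paths only; no hashes are invented here).
GRIDTIDE_PATHS = {"/var/tmp/xapt", "/usr/sbin/xapt", "/etc/systemd/system/xapt.service"}

# Real Sheets API shape: /v4/spreadsheets/<id>/values:batchClear (the startup wipe of A:Z)
# and /v4/spreadsheets/<id>/values/<range> (reads and writes of A1, V1, A2:An).
SHEETS_URL = re.compile(r"/v4/spreadsheets/([^/\s]+)/values(?::batchClear|/([^\s?]+))")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn 'k=v k2="v 2"' records (the constructed format used below) into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def hunt_proxy(lines, server_ips):
    """Flag Sheets API traffic from hosts that have no business calling Google APIs.
    batchClear is weighted highest because the reporting ties it to implant startup."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("dst") != "sheets.googleapis.com" or rec.get("src") not in server_ips:
            continue
        m = SHEETS_URL.search(rec.get("url", ""))
        if not m:
            continue
        sheet_id, rng = m.group(1), m.group(2)
        tail = rng.split("!")[-1] if rng else ""       # drop a "Sheet1!" prefix if present
        if rng is None:
            findings.append(("high", rec["src"], f"values:batchClear on sheet {sheet_id}"))
        elif tail in {"A1", "V1"} or re.fullmatch(r"A2:A\d+", tail):
            findings.append(("medium", rec["src"], f"cell-protocol access to {rng} on sheet {sheet_id}"))
        else:
            findings.append(("low", rec["src"], f"Sheets API call to sheet {sheet_id}"))
    return findings


def hunt_exec(lines):
    """Flag executions from the reported paths and the 'sh -c id' root check they spawn."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        exe, argv, host = rec.get("exe", ""), rec.get("argv", ""), rec.get("host", "?")
        if exe in GRIDTIDE_PATHS or rec.get("unit") == "xapt.service":
            findings.append(("high", host, f"execution from {exe or rec.get('unit')}"))
        if argv == "sh -c id 2>&1" and rec.get("pexe", "") in GRIDTIDE_PATHS:
            findings.append(("high", host, f"root check 'sh -c id' spawned by {rec['pexe']}"))
    return findings


def hunt_units(units):
    """units: mapping of unit-file path -> file text. Flag the reported unit name
    or any ExecStart that points at a reported binary."""
    findings = []
    for path, text in units.items():
        exec_start = ""
        for l in text.splitlines():
            if l.startswith("ExecStart="):
                exec_start = l.split("=", 1)[1].strip()
        binary = exec_start.split()[0] if exec_start else ""
        if path in GRIDTIDE_PATHS or binary in GRIDTIDE_PATHS:
            findings.append(("high", path, f"systemd unit starts {binary or '?'}"))
    return findings


# Constructed sample telemetry for a CentOS server at 10.20.30.40 and a workstation at 10.20.30.41.
SERVER_IPS = {"10.20.30.40"}
PROXY_SAMPLE = [
    "ts=2026-01-01T00:00:01Z src=10.20.30.40 dst=sheets.googleapis.com method=POST url=/v4/spreadsheets/EXAMPLE-SHEET-ID/values:batchClear",
    "ts=2026-01-01T00:00:02Z src=10.20.30.40 dst=sheets.googleapis.com method=PUT url=/v4/spreadsheets/EXAMPLE-SHEET-ID/values/V1?valueInputOption=RAW",
    "ts=2026-01-01T00:00:07Z src=10.20.30.40 dst=sheets.googleapis.com method=GET url=/v4/spreadsheets/EXAMPLE-SHEET-ID/values/A1",
    "ts=2026-01-01T00:00:08Z src=10.20.30.40 dst=sheets.googleapis.com method=GET url=/v4/spreadsheets/EXAMPLE-SHEET-ID/values/Sheet1!B2:C9",
    "ts=2026-01-01T00:00:09Z src=10.20.30.41 dst=sheets.googleapis.com method=GET url=/v4/spreadsheets/EXAMPLE-SHEET-ID/values/A1",
    "ts=2026-01-01T00:00:10Z src=10.20.30.40 dst=www.google.com method=GET url=/",
]
EXEC_SAMPLE = [
    'host=db01 pid=4101 ppid=3990 exe=/var/tmp/xapt pexe=/usr/bin/nohup argv="./xapt"',
    'host=db01 pid=4102 ppid=4101 exe=/bin/sh pexe=/var/tmp/xapt argv="sh -c id 2>&1"',
    'host=db01 pid=512 ppid=1 exe=/usr/sbin/xapt pexe=/usr/lib/systemd/systemd unit=xapt.service argv="/usr/sbin/xapt"',
    'host=db01 pid=800 ppid=1 exe=/usr/sbin/sshd pexe=/usr/lib/systemd/systemd unit=sshd.service argv="/usr/sbin/sshd -D"',
]
UNIT_SAMPLE = {
    "/etc/systemd/system/xapt.service": "[Service]\nExecStart=/usr/sbin/xapt\nRestart=always\n",
    "/etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
}

if __name__ == "__main__":
    for f in hunt_proxy(PROXY_SAMPLE, SERVER_IPS) + hunt_exec(EXEC_SAMPLE) + hunt_units(UNIT_SAMPLE):
        print(*f)
```

The proxy rule deliberately scopes on source population rather than on the API alone: workstations legitimately hit the Sheets API all day, a CentOS database or telecom server normally does not, and a batchClear on a whole sheet from such a host is the single most specific event the reporting gives.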
The campaign targeted systems containing sensitive personally identifiable information, including full name, phone number, date of birth, place of birth, voter ID number, and national ID number. GTIG assessed this targeting as consistent with telecommunications espionage intended to identify, track, and monitor persons of interest. Although direct data exfiltration was not observed in the described campaign, reporting notes GRIDTIDE was capable of transferring raw data and shell commands through Google Sheets and was deployed on endpoints containing sensitive PII. Public reporting also states Google and partners terminated attacker-controlled Google Cloud projects, disabled attacker accounts and Google Sheets API access, sinkholed infrastructure, notified victims, and released indicators of compromise and detections related to UNC2814 and GRIDTIDE.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Mandiant discovered that UNC2814 was leveraging a novel backdoor tracked as GRIDTIDE.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
1 technique
Persistence
3 techniques
“GRIDTIDE authenticates to a Google Service Account using a hardcoded private key...”
"As a secondary communication channel, the group deployed SoftEther VPN Bridge, opening an encrypted outbound tunnel to external infrastructure"
To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt.
Privilege Escalation
2 techniques
“GRIDTIDE authenticates to a Google Service Account using a hardcoded private key...”
To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt.
Stealth
3 techniques
Discovery
4 techniques
The binary then executed the command sh -c id 2>&1 to retrieve the system's user and group identifiers. This reconnaissance technique enabled the threat actor to confirm their successful privilege escalation to root.
It fingerprints the endpoint by collecting the victim’s username, endpoint name, OS details, local IP address, and environmental data such as the current working directory, language settings, and local time zone.
Collection
3 techniques
The threat actor dropped GRIDTIDE on to an endpoint containing personally identifiable information (PII)... We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications.
Command and Control
7 techniques
This activity is not the result of a security vulnerability in Google’s products; rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic. | The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign... GRIDTIDE leverages Google Sheets as a high-availability C2 platform.
“...deployed a new C-based backdoor named ‘GRIDTIDE,’ which abuses the Google Sheets API for evasive command-and-control (C2) operations.”
The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands.
"The malware is designed to use Google Sheets... for command-and-control. Hackers used the spreadsheet API to convert the service into a communication channel relaying shell commands and the transfer of stolen data."
U (Upload): Upload the data stored in the cells A2:A<arg_2> to the target endpoint, reconstruct and write to the encoded file path <arg_1>.
IOCs tracked for this family
227 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Described as malware that abuses the Google Sheets API as a C2 channel, collects host information from the victim endpoint, and receives commands and returns execution results through the spreadsheet. The text presents it as exchanging commands, output, and host information through cells in a Google Sheet and treats it as an example of SaaS C2 / LoTS (living off trusted sites).
Backdoor that uses Google Sheets API as a command-and-control channel to blend in with trusted cloud traffic and enable data transfer and remote command execution.
Backdoor used for cyber-espionage that leverages Google Sheets API as a covert command-and-control channel to blend in with trusted Google service traffic and enable data transfer and remote command execution.
Backdoor used in a China-linked cyberespionage campaign; noted for cloud-based API abuse for covert command-and-control and surveillance.