Google Threat Intelligence Group (GTIG), Mandiant, and industry partners reported disrupting infrastructure used by the suspected China-nexus cyber-espionage actor UNC2814, assessed to have breached at least 53 organizations across 42 countries, with suspected additional infections in more than 20 other countries. The activity primarily targeted government and telecommunications networks across Africa, Asia, and the Americas, and used SaaS API calls to blend command-and-control (C2) traffic into legitimate cloud application activity. The initial access vector remains under investigation, though the actor has a history of exploiting web servers and edge systems.
The disrupted campaign featured a new C-based backdoor, GRIDTIDE, which abuses the Google Sheets API as an evasive C2 channel to exchange commands and data. Reported capabilities include arbitrary shell command execution and file upload/download; the malware authenticates using a Google service account (including a hardcoded private key), uses spreadsheet cells (e.g., A1 for command/status and A2:An for output/exfiltration), and implements polling logic that shifts to less frequent randomized checks to reduce noise. Post-compromise tradecraft included lateral movement via SSH using a service account, living-off-the-land activity for recon/privilege escalation/persistence, persistence via a systemd service at /etc/systemd/system/xapt.service launching /usr/sbin/xapt, and use of SoftEther VPN Bridge to establish encrypted outbound connectivity.

Timeline: 8 events, from the most recent confirmed update back to the earliest known activity.
Following the disclosure, Google published indicators of compromise, updated detections, and a YARA rule to help defenders identify GRIDTIDE activity and related UNC2814 infrastructure. The guidance included monitoring for suspicious Google Sheets API behavior and Linux artifacts tied to the malware.
Google publicly reported the UNC2814 espionage campaign, attributing it to a suspected PRC-linked actor and detailing the novel GRIDTIDE backdoor's abuse of Google Sheets for command-and-control. The company also said it had not directly observed data exfiltration during the disrupted operation, despite finding malware on at least one system containing sensitive PII.
Google Threat Intelligence Group, Mandiant, and partners disrupted the campaign by terminating attacker-controlled Google Cloud projects and accounts, revoking Google Sheets API access, disabling infrastructure, and sinkholing domains. Affected organizations were notified, though Google warned the actor may rebuild its infrastructure.
Investigators first identified the campaign during a Mandiant investigation after finding suspicious activity on a customer CentOS server, including a root-privileged binary at /var/tmp/xapt. The intrusion also involved privilege escalation, SSH-based lateral movement, systemd persistence, and reconnaissance.
As of February 18, 2026, Google assessed that UNC2814 had impacted 53 organizations across 42 countries, with suspected additional infections in at least 20 more countries. The victims were primarily telecom and government entities.
Google noted that the indicators of compromise and detections it published had been observed in use since 2023, indicating that UNC2814 was already operating the GRIDTIDE malware and its related infrastructure by that time. The malware abused the Google Sheets API for stealthy command-and-control.
Researchers reported that in some cases dating back to at least July 2018, UNC2814 deployed SoftEther VPN Bridge to create encrypted outbound command-and-control tunnels. This formed part of the group's post-compromise tradecraft alongside other living-off-the-land techniques.
Google and partner reporting assessed the China-linked UNC2814 campaign as active since at least 2017, focusing on telecommunications and government organizations across Africa, Asia, and the Americas. The operation ultimately spread across dozens of countries.
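The reporting above names two concrete Linux host artifacts: a systemd unit at /etc/systemd/system/xapt.service that launches /usr/sbin/xapt, and a root-privileged binary staged at /var/tmp/xapt. The script below is an added example written for this page, not code from Google, Mandiant, or the published detection content; it checks systemd unit files for those paths and, as a generalization, for any service launched from a world-writable staging directory such as /var/tmp. The unit-file contents and directory layout it scans are constructed for the demonstration; on a live host you would point `scan_unit_dirs` at the real unit directories and `existing_known_binaries` at `/`.

```python
"""Added example: host-side check for the GRIDTIDE persistence artifacts
described in public reporting (xapt.service, /usr/sbin/xapt, /var/tmp/xapt).
The indicator paths come from the reporting; everything the demo scans is
constructed here for illustration."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Artifacts named in the public reporting on GRIDTIDE / UNC2814.
KNOWN_UNIT_NAMES = {"xapt.service"}
KNOWN_BINARY_PATHS = {"/usr/sbin/xapt", "/var/tmp/xapt"}

# Generic heuristic, an assumption of this example: legitimate services are
# rarely launched from world-writable staging directories.
SUSPICIOUS_EXEC_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")

# Matches ExecStart / ExecStartPre / ExecStartPost and captures the program path
# (systemd allows "-" and "@" prefixes before the path).
EXEC_RE = re.compile(
    r"^\s*Exec(?:StartPre|StartPost|Start)\s*=\s*-?@?(?P<cmd>\S+)", re.M
)


def scan_unit_file(path: Path) -> list[str]:
    """Return findings for one systemd unit file (empty list if nothing matched)."""
    findings: list[str] = []
    text = path.read_text(errors="replace")
    if path.name in KNOWN_UNIT_NAMES:
        findings.append(f"{path}: unit name matches known GRIDTIDE persistence artifact")
    for m in EXEC_RE.finditer(text):
        cmd = m.group("cmd")
        if cmd in KNOWN_BINARY_PATHS:
            findings.append(f"{path}: ExecStart launches known indicator {cmd}")
        elif cmd.startswith(SUSPICIOUS_EXEC_DIRS):
            findings.append(f"{path}: ExecStart launches from staging directory {cmd}")
    return findings


def scan_unit_dirs(dirs) -> list[str]:
    """Scan every *.service file in the given directories."""
    findings: list[str] = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for unit in sorted(d.glob("*.service")):
            findings.extend(scan_unit_file(unit))
    return findings


def existing_known_binaries(root: Path = Path("/")) -> list[str]:
    """Report which known binary paths exist under root (use '/' on a live host)."""
    return sorted(p for p in KNOWN_BINARY_PATHS if (root / p.lstrip("/")).exists())


def demo() -> list[str]:
    """Build a constructed filesystem with one planted unit and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        units = root / "etc" / "systemd" / "system"
        units.mkdir(parents=True)
        # Constructed unit mirroring the persistence described in the reporting.
        (units / "xapt.service").write_text(
            "[Unit]\nDescription=apt helper\n\n[Service]\n"
            "ExecStart=/usr/sbin/xapt\nRestart=always\n\n"
            "[Install]\nWantedBy=multi-user.target\n"
        )
        # Benign control: a normal service should produce no finding.
        (units / "sshd.service").write_text(
            "[Unit]\nDescription=OpenSSH server daemon\n\n[Service]\n"
            "ExecStart=/usr/sbin/sshd -D\n"
        )
        # Constructed unknown service launched from a staging directory.
        (units / "updater.service").write_text(
            "[Service]\nExecStart=/var/tmp/.cache/updater --daemon\n"
        )
        # Constructed staged binary at the path named in the reporting.
        (root / "var" / "tmp").mkdir(parents=True)
        (root / "var" / "tmp" / "xapt").write_bytes(b"\x7fELF")

        findings = scan_unit_dirs([units])
        findings += [f"known binary present: {p}" for p in existing_known_binaries(root)]
        return findings


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The unit-name and binary-path checks are exact indicator matches and will miss a renamed deployment; the staging-directory heuristic is what catches the same technique under a different name, at the cost of occasional benign hits that need triage.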