GRIDTIDE backdoor using Google Sheets API
Malware Activity
Summary
The GRIDTIDE backdoor is using the Google Sheets API for covert command-and-control, giving infected systems a hidden channel for execution, file transfer, and reconnaissance. The activity matters because the implant is designed to blend with normal SaaS traffic while maintaining remote control over compromised hosts. It also collects system details from victims and stages files through spreadsheet cells, expanding the operator’s ability to manage intrusions quietly. The malware was deployed in a recently disrupted espionage operation, indicating active operational use rather than a lab-only proof of concept.
Related Happenings
UNC2814 global cyber-espionage campaign disrupted
Campaign
First: 26.02.2026 14:09
Last: 26.02.2026 14:09
Sources 1
About this happening:
The **UNC2814** cyber-espionage campaign was disrupted, cutting off a long-running operation that had reached **53 victims in 42 nations** and targeted **government** and **teleco...
GridTide Google Sheets C2 backdoor
Malware Activity
First: 26.02.2026 14:09
Last: 26.02.2026 14:09
Sources 1
About this happening:
The **GridTide** backdoor was exposed as a covert **Google Sheets C2** tool for **UNC2814**, allowing operators to run **shell commands** and move files inside targeted environmen...
UNC2814 multi-country cyber espionage campaign
Campaign
First: 25.02.2026 19:46
Last: 25.02.2026 19:46
Sources 1
About this happening:
The **UNC2814** espionage campaign was disrupted after it was tied to breaches at **53 organizations** across **42 countries**, reducing infrastructure used for long-term access a...
VoidLink Linux C2 malware activity
Malware Activity
First: 09.02.2026 17:25
Last: 09.02.2026 17:25
Sources 1
About this happening:
**VoidLink** is an operational **Linux C2 framework** used by **UAT-9921** as a **post-compromise tool** against **technology and financial services** targets. Cisco Talos says th...
AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling
Malware Activity
First: 24.01.2026 17:23
Last: 24.01.2026 17:23
Sources 1
About this happening:
The **AI-generated PowerShell malware** is targeting **blockchain developers and engineers** in the **Asia-Pacific region**, raising the risk of credential and wallet theft on inf...
Timeline
25.02.2026 19:00 · 2 articles
GRIDTIDE uses Google Sheets API for covert C2
Technical Analysis Update
The UNC2814 espionage campaign used the GRIDTIDE backdoor to abuse the Google Sheets API as a covert command-and-control channel against telecom and government networks. GRIDTIDE authenticated with a hardcoded private key, sanitized spreadsheets, polled cell A1 for instructions, and collected host details; Google also confirmed deployment on a system containing sensitive PII. Google, Mandiant, and partners terminated cloud projects controlled by UNC2814, revoked Google Sheets API access, disabled known infrastructure, and sinkholed current and historical domains.
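The one behaviour in this update a defender can hunt for in egress telemetry is the fixed-interval read of a single cell through the Sheets API values endpoint. The script below is an added example written for this page, not code from Google, Mandiant, or the GRIDTIDE sample; the proxy log format, hostnames and spreadsheet ids are constructed, and the jitter threshold is an assumption to tune against your own baseline of legitimate Sheets traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed sample proxy log lines (hypothetical, not from any real capture).
# Format: "<ISO timestamp> <client host> <method> <URL>"
SAMPLE_LOG = """\
2026-02-25T10:00:00 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz/values/Sheet1%21A1
2026-02-25T10:01:01 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz/values/Sheet1%21A1
2026-02-25T10:02:00 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz/values/Sheet1%21A1
2026-02-25T10:03:02 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz/values/Sheet1%21A1
2026-02-25T10:04:00 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz/values/Sheet1%21A1
2026-02-25T10:05:01 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz/values/Sheet1%21A1
2026-02-25T10:00:30 fin-03 GET https://sheets.googleapis.com/v4/spreadsheets/1ZyXwVuTsRqPoNmLkJiHgFeDcBa/values/Q1%21A1%3AF200
2026-02-25T11:42:10 fin-03 GET https://sheets.googleapis.com/v4/spreadsheets/1ZyXwVuTsRqPoNmLkJiHgFeDcBa/values/Q1%21A1%3AF200
2026-02-25T15:03:55 fin-03 GET https://sheets.googleapis.com/v4/spreadsheets/1ZyXwVuTsRqPoNmLkJiHgFeDcBa/values/Q1%21A1%3AF200
"""

# Sheets API v4 "values" endpoint: capture spreadsheet id and the A1-notation range.
VALUES_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/(\S+)")
# A single cell such as "Sheet1!A1" or "A1"; a ":" would make it a multi-cell range.
SINGLE_CELL_RE = re.compile(r"^(?:[^!]+!)?[A-Z]{1,3}\d+$")

def find_cell_polling(log_text, min_polls=5, max_jitter=0.1):
    """Return (host, spreadsheet_id, range, mean_interval_s) for every host that reads one
    cell at least `min_polls` times with near-constant spacing (std/mean <= max_jitter).
    Bulk range reads, as a finance workbook sync would issue, are ignored."""
    reads = defaultdict(list)
    for line in log_text.splitlines():
        m = VALUES_RE.match(line)
        if not m or m.group(3) != "GET":
            continue
        ts, host, _, sheet_id, rng = m.groups()
        rng = unquote(rng)  # proxies usually log "!" and ":" percent-encoded
        if SINGLE_CELL_RE.match(rng):
            reads[(host, sheet_id, rng)].append(datetime.fromisoformat(ts))
    findings = []
    for key, times in reads.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((*key, round(avg, 1)))
    return findings
```

Corroborate any hit with the process that owns the connection and with the OAuth client or service account presented, since a single-cell poll from an unmanaged binary is the signal here, not Sheets usage as such.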
Sources:
- Chinese cyberspies breached dozens of telecom firms, govt agencies — www.bleepingcomputer.com — 25.02.2026 19:00