Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC2814 multi-country cyber espionage campaign

Campaign
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

The UNC2814 espionage campaign was disrupted after it was tied to breaches at 53 organizations across 42 countries, reducing infrastructure used for long-term access and data collection. The group had also been linked to infections in more than 20 additional nations and to operations spanning over 70 countries. Its tradecraft relied on Google Sheets API-based command-and-control, GRIDTIDE backdoors, and covert lateral movement inside victim environments. The disruption matters because the activity focused on governments and telecommunications organizations across Africa, Asia, and the Americas.

Related Happenings

CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT

Campaign
H score18 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...

UNC6508 China-linked REDCap espionage campaign

Campaign
H score39 First: 15.06.2026 17:00 Last: 15.06.2026 17:00 Sources 1

About this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...

Unit 42 Zealot proves autonomous cloud attack chaining in GCP

Technical Analysis
H score28 First: 23.04.2026 13:00 Last: 23.04.2026 13:00 Sources 1

About this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...

TA416 European government espionage campaign

Campaign
H score32 First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

UNC4899 cryptocurrency cloud compromise campaign

Campaign
H score35 First: 09.03.2026 16:50 Last: 09.03.2026 16:50 Sources 1

About this happening: The **UNC4899** campaign against a **cryptocurrency organization** in **2025** escalated into a **cloud compromise** that enabled theft of **millions of dollars** in digital asset...

Timeline

  1. 25.02.2026 19:46 2 articles · 4mo ago

    UNC2814 infrastructure disruption disclosed

    Initial Disclosure

    Google disclosed that it worked with industry partners to disrupt infrastructure used by UNC2814, a suspected China-nexus cyber espionage group tied to breaches at at least 53 organizations across 42 countries. Google said the group used GRIDTIDE backdoors, Google Sheets API-based command-and-control, service-account lateral movement over SSH, living-off-the-land binaries, and SoftEther VPN Bridge, while also noting suspected links to more than 20 additional nations, confirmed or suspected activity in over 70 countries, formal victim notifications, support for verified compromises, and no observed data exfiltration during the campaign.

    Show sources