UNC2814 multi-country cyber espionage campaign
Campaign
Summary
Hide ▲
Show ▼
The UNC2814 espionage campaign was disrupted after it was tied to breaches at 53 organizations across 42 countries, reducing infrastructure used for long-term access and data collection. The group had also been linked to infections in more than 20 additional nations and to operations spanning over 70 countries. Its tradecraft relied on Google Sheets API-based command-and-control, GRIDTIDE backdoors, and covert lateral movement inside victim environments. The disruption matters because the activity focused on governments and telecommunications organizations across Africa, Asia, and the Americas.
Related Happenings
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
CampaignAbout this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
H score28
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical AnalysisAbout this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
TA416 European government espionage campaign
Campaign
H score32
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
TA416 European government espionage campaign
CampaignAbout this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
UNC4899 cryptocurrency cloud compromise campaign
Campaign
H score35
First: 09.03.2026 16:50
Last: 09.03.2026 16:50
Sources 1
About this happening:
The **UNC4899** campaign against a **cryptocurrency organization** in **2025** escalated into a **cloud compromise** that enabled theft of **millions of dollars** in digital asset...
UNC4899 cryptocurrency cloud compromise campaign
CampaignAbout this happening: The **UNC4899** campaign against a **cryptocurrency organization** in **2025** escalated into a **cloud compromise** that enabled theft of **millions of dollars** in digital asset...
Timeline
-
25.02.2026 19:46 2 articles · 4mo ago
UNC2814 infrastructure disruption disclosed
Initial DisclosureGoogle disclosed that it worked with industry partners to disrupt infrastructure used by UNC2814, a suspected China-nexus cyber espionage group tied to breaches at at least 53 organizations across 42 countries. Google said the group used GRIDTIDE backdoors, Google Sheets API-based command-and-control, service-account lateral movement over SSH, living-off-the-land binaries, and SoftEther VPN Bridge, while also noting suspected links to more than 20 additional nations, confirmed or suspected activity in over 70 countries, formal victim notifications, support for verified compromises, and no observed data exfiltration during the campaign.
Show sources
- Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries — thehackernews.com — 25.02.2026 19:46
- Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries — thehackernews.com — 25.02.2026 19:46