GridTide Google Sheets C2 backdoor
Malware Activity
Summary
Hide ▲
Show ▼
The GridTide backdoor was exposed as a covert Google Sheets C2 tool for UNC2814, allowing operators to run shell commands and move files inside targeted environments. The malware mattered because it hid control traffic inside legitimate-looking cloud API requests, making detection harder. Google and partners later disrupted the infrastructure and cut off attacker-controlled access.
Related Happenings
Google Dialogflow CX Code Blocks shared-runtime isolation security flaw
Vulnerability
H score32
First: 07.07.2026 19:37
Last: 07.07.2026 19:37
Sources 1
About this happening:
**Google Dialogflow CX Code Blocks** had a shared-runtime isolation flaw that could let one editable agent affect other **Code Block-enabled agents** in the same **Google Cloud pr...
Google Dialogflow CX Code Blocks shared-runtime isolation security flaw
VulnerabilityAbout this happening: **Google Dialogflow CX Code Blocks** had a shared-runtime isolation flaw that could let one editable agent affect other **Code Block-enabled agents** in the same **Google Cloud pr...
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
Vulnerability
H score1
First: 16.06.2026 22:05
Last: 16.06.2026 22:05
Sources 1
About this happening:
**Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
VulnerabilityAbout this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
H score28
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Zealot autonomous AI cloud intrusion proof of concept
Technical AnalysisAbout this happening: **Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
H score28
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical AnalysisAbout this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Timeline
-
26.02.2026 14:09 2 articles · 4mo ago
Google details GridTide Google Sheets command-and-control and disrupts UNC2814 infrastructure
Technical Analysis UpdateGoogle and Mandiant described GridTide, a novel backdoor used by UNC2814, as a covert command-and-control tool that leveraged Google Sheets to execute arbitrary shell commands, upload and download files, and hide traffic inside legitimate cloud API requests. Google said the China-linked operation had been active since 2017, targeted governments and global telecommunications organizations across Africa, Asia and the Americas, impacted at least 53 victims across 42 nations, and was disrupted by disabling attacker accounts, revoking Google Sheets API use for C2, and terminating attacker-controlled Google Cloud Projects.
Show sources
- Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign — www.infosecurity-magazine.com — 26.02.2026 14:09
- Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign — www.infosecurity-magazine.com — 26.02.2026 14:09