GridTide Google Sheets C2 backdoor
Malware Activity
Summary
The GridTide backdoor was exposed as a covert Google Sheets C2 tool for UNC2814, allowing operators to run shell commands and move files inside targeted environments. The malware mattered because it hid control traffic inside legitimate-looking cloud API requests, making detection harder. Google and partners later disrupted the infrastructure and cut off attacker-controlled access.
Related Happenings
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Google Cloud environment entry vectors shift from credentials to third-party vulnerabilities in H2 2025
Target Trend
First: 10.03.2026 17:30
Last: 10.03.2026 17:30
Sources 1
About this happening:
Threat actors targeting **Google Cloud environments** shifted in **H2 2025** from credential abuse to **unpatched third-party vulnerabilities**, materially changing initial-access...
Timeline
26.02.2026 14:09 2 articles · 3mo ago
Google details GridTide Google Sheets command-and-control and disrupts UNC2814 infrastructure
Technical Analysis Update
Google and Mandiant described GridTide, a novel backdoor used by UNC2814, as a covert command-and-control tool that leveraged Google Sheets to execute arbitrary shell commands, upload and download files, and hide traffic inside legitimate cloud API requests. Google said the China-linked operation had been active since 2017, targeted governments and global telecommunications organizations across Africa, Asia and the Americas, impacted at least 53 victims across 42 nations, and was disrupted by disabling attacker accounts, revoking Google Sheets API use for C2, and terminating attacker-controlled Google Cloud Projects.
Sources
- Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign — www.infosecurity-magazine.com — 26.02.2026 14:09