There is a certain dark elegance to UNC2814's approach. Traditional espionage malware calls home to suspicious servers. It pings hardcoded IP addresses. It reaches out to domains that, with enough effort and coordination, defenders can identify, blocklist, and sinkhole. UNC2814 did none of that. Instead, this suspected People's Republic of China (PRC)-nexus threat group turned the world's most widely used cloud productivity platform into a covert communications channel—and spent years operating undetected across four continents before Google, Mandiant, and unnamed industry partners finally shut them down.
The disruption, announced by the Google Threat Intelligence Group (GTIG) on February 25, 2026, confirmed that UNC2814 had compromised at least 53 organizations across 42 countries, with suspected infections reaching into over 20 additional nations. The targets were telecommunications providers and government entities across Africa, Asia, and the Americas—the kind of organizations that hold the keys to an entire population's communications metadata.
The Discovery: A Binary Named xapt
The trail began during a routine Mandiant Threat Defense investigation into suspicious activity in a customer's environment. Analysts using Google Security Operations (SecOps) flagged an anomalous process tree on a CentOS server: a binary at /var/tmp/xapt had spawned a shell, which immediately ran id to confirm the process was running as root.
# Suspicious process tree identified by Mandiant
/var/tmp/xapt
└── /bin/sh
    └── sh -c id 2>&1
        └── [Output] uid=0(root) gid=0(root) groups=0(root)
The binary's name was deliberate. According to GTIG's report, it was chosen to masquerade as xapt, a legitimate command-line utility found in Debian and Ubuntu-based systems: camouflage by convention, the classic masquerading move of borrowing a plausible name. The disguise is imperfect on this host, though. CentOS is RPM-based and ships no apt-family tooling, so an apt-named binary, let alone one living under /var/tmp, is itself an anomaly worth a detection rule. The naming trick is conventional; what came next was anything but.
From that initial foothold, the attacker leveraged a compromised service account to move laterally via SSH, performed reconnaissance using native system binaries, and then installed a previously undocumented backdoor as a persistent systemd service. GTIG described the persistence mechanism in their report: the threat actor created a service file at /etc/systemd/system/xapt.service and, once enabled, spawned the backdoor from /usr/sbin/xapt. The attackers also deployed SoftEther VPN Bridge to establish encrypted outbound tunnels—with configuration metadata suggesting that particular infrastructure had been in use since as far back as July 2018.
GRIDTIDE: The Spreadsheet as a Spy Tool
The novel backdoor at the center of this campaign is what GTIG and Mandiant have designated GRIDTIDE—and its C2 architecture is what sets this campaign apart from everything else in the current threat landscape.
GRIDTIDE is a compiled C-based backdoor capable of executing arbitrary shell commands, uploading files to compromised hosts, and downloading data from them. Those capabilities are common enough in the world of state-sponsored malware. What is not common is how it communicates with its operators. As GTIG stated in their official report, the backdoor treats Google Sheets not as a document, but as a dedicated communications channel for transferring raw data and shell commands.
"The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands." — Google Threat Intelligence Group (GTIG), February 25, 2026
Here is how the mechanism works in practice. GRIDTIDE expects a 16-byte key to be present in a separate file on the infected host and uses it to decrypt its embedded Google Drive configuration with AES-128 in CBC mode. The decrypted configuration holds the Google service account credentials, the spreadsheet ID of the C2 sheet, and the private key used to authenticate to the API. One practical consequence for responders: a GRIDTIDE binary collected without its companion key file cannot be decrypted to recover the sheet ID or the service account, so the key file must be acquired alongside the sample.

Once authenticated, the malware runs a cell-based polling loop in which specific cells have fixed roles. Cell A1 is polled for operator commands. When a command appears, GRIDTIDE executes it locally, writes the output to cells A2 through An, and then overwrites A1 with a status code such as "S-C-R" (Server-Command-Success) to signal completion. A1 is polled every second, but after 120 consecutive failed attempts the implant switches to randomized delays of 5 to 10 minutes, throttling its own activity to reduce noise. At the start of each session it clears the first 1,000 rows of columns A through Z with the batchClear API method, wiping the traces of prior activity before the next engagement.
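To make the cell protocol concrete, the following is an added emulation written for this article, not GRIDTIDE's own code, and it makes no network calls. The Sheets API is replaced by an in-memory stand-in that logs every call it receives, which is also the view a defender with API audit logs would get. Assumptions beyond the text: the three API methods are modelled as get/update/batch_clear on a dict; an empty poll (nothing new in A1) is what counts as a "failed attempt" toward the 120-poll backoff; commands are resolved from a canned table rather than handed to /bin/sh; and the AES-128-CBC configuration decryption is left out.

```python
"""Emulation of the GRIDTIDE cell-based Sheets C2 protocol described above.
Added example for this article: not GRIDTIDE code, no network access."""
import random
import re

CELL = re.compile(r"^([A-Z])(\d+)$")   # single-letter columns cover A:Z
STATUS_DONE = "S-C-R"                  # completion marker the report describes
FAST_POLL_S = 1.0                      # A1 polled once per second
BACKOFF_AFTER = 120                    # consecutive failed polls before slowing down
BACKOFF_RANGE_S = (300.0, 600.0)       # then random 5-10 minute delays


class FakeSheet:
    """Stand-in for the three Sheets API methods the implant needs."""
    def __init__(self):
        self.cells = {}    # "A1" -> value
        self.calls = []    # (api_method, range) in call order

    def get(self, ref):
        self.calls.append(("values.get", ref))
        return self.cells.get(ref)

    def update(self, ref, value):
        self.calls.append(("values.update", ref))
        self.cells[ref] = value

    def batch_clear(self, a1_range):
        """Clear every cell inside a range such as 'A1:Z1000'."""
        self.calls.append(("values.batchClear", a1_range))
        start, end = a1_range.split(":")
        c1, r1 = CELL.match(start).groups()
        c2, r2 = CELL.match(end).groups()
        for ref in list(self.cells):
            col, row = CELL.match(ref).groups()
            if c1 <= col <= c2 and int(r1) <= int(row) <= int(r2):
                del self.cells[ref]


class Implant:
    """Victim side. `executor` maps a command string to its output text; the
    real backdoor hands the string to /bin/sh instead (assumption: canned table)."""
    def __init__(self, sheet, executor, rng=None):
        self.sheet = sheet
        self.executor = executor
        self.rng = rng or random.Random(0)
        self.empty_polls = 0   # assumption: an empty poll is a 'failed attempt'

    def start_session(self):
        self.sheet.batch_clear("A1:Z1000")      # wipe traces of prior activity

    def poll_once(self):
        cmd = self.sheet.get("A1")
        if cmd in (None, "", STATUS_DONE):
            self.empty_polls += 1
            return False
        self.empty_polls = 0
        output = self.executor(cmd)
        for row, line in enumerate(output.splitlines(), start=2):
            self.sheet.update(f"A{row}", line)   # output lands in A2..An
        self.sheet.update("A1", STATUS_DONE)     # signal completion
        return True

    def next_delay(self):
        if self.empty_polls >= BACKOFF_AFTER:
            return self.rng.uniform(*BACKOFF_RANGE_S)
        return FAST_POLL_S


def operator_task(sheet, command):
    """Operator side: tasking is just a cell write."""
    sheet.update("A1", command)


def operator_collect(sheet):
    """Operator side: read output rows once A1 carries the done marker."""
    if sheet.get("A1") != STATUS_DONE:
        return None
    rows, row = [], 2
    while (line := sheet.get(f"A{row}")) is not None:
        rows.append(line)
        row += 1
    return rows


CANNED = {"id": "uid=0(root) gid=0(root) groups=0(root)"}   # constructed outputs


def demo():
    sheet = FakeSheet()
    sheet.cells["B7"] = "stale output"       # residue from a previous session
    implant = Implant(sheet, lambda c: CANNED.get(c, f"sh: {c}: not found"))
    implant.start_session()
    operator_task(sheet, "id")
    implant.poll_once()
    output = operator_collect(sheet)
    delays = []                               # idle period: nothing new in A1
    for _ in range(BACKOFF_AFTER):
        implant.poll_once()
        delays.append(implant.next_delay())
    return {
        "output": output,
        "cleared_residue": "B7" not in sheet.cells,
        "fast_delays": delays[:-1],
        "backoff_delay": delays[-1],
        "a1_reads": sum(1 for m, r in sheet.calls if m == "values.get" and r == "A1"),
    }
```

Calling demo() plays one tasking round-trip and then an idle period. The returned call log is the useful part for defenders: a single spreadsheet receiving well over a hundred values.get requests for the same cell at one-second spacing, then silence for minutes, is exactly the cadence a per-process egress log or a Workspace API audit trail would expose, even though every request is a valid Sheets API call.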
GRIDTIDE's C2 traffic goes to sheets.googleapis.com, the Sheets API endpoint, which most organizations cannot block outright without breaking legitimate Sheets API integrations. It is TLS-encrypted, and even with inspection the content is ordinary Sheets API calls. There is no attacker-owned infrastructure to seize, no suspicious domain to sinkhole, and no beacon to an unfamiliar destination. Destination-based network detection is blind to this technique; what remains observable is which host and which process are talking to the API, and how regularly. Server segments in particular seldom have a business need to reach the Sheets API, so egress from them to googleapis.com can be denied, or at least logged per source, without touching user traffic.
GTIG explicitly noted that this is not the result of a security vulnerability in any Google product. The attackers are abusing legitimate Google Sheets API functionality exactly as designed. As GTIG put it in their blog post, attackers of this kind rely on cloud-hosted products to function correctly, making their malicious traffic appear indistinguishable from legitimate use. And while the analyzed sample used Google Sheets, GTIG warned that the same approach could easily be adapted to abuse any cloud-based spreadsheet platform.
The Bigger Picture: A Parallel to Salt Typhoon—but Not the Same
When a China-linked threat group is caught targeting global telecommunications providers, the immediate comparison is to Salt Typhoon—the PRC-backed operation that penetrated several major American telecom firms beginning as early as 2019 and, according to FBI officials, compromised data belonging to nearly every American. Google anticipated this comparison and addressed it head-on.
"It is important to highlight that UNC2814 has no observed overlaps with activity publicly reported as 'Salt Typhoon,' and targets different victims globally using distinct tactics, techniques, and procedures (TTPs)." — GTIG, Disrupting the GRIDTIDE Global Cyber Espionage Campaign
The implication of that distinction is significant. It means the PRC is operating at least two entirely independent, large-scale telecom espionage campaigns simultaneously—each with separate teams, separate tools, and separate infrastructure, all pursuing the same strategic objective: access to communications metadata for intelligence collection. GTIG tech lead Dan Perez told The Register that while the specific targeting details could not be shared, previous PRC-nexus telecom intrusions have focused on surveillance of dissidents and activists, alongside more traditional intelligence targets.
The data UNC2814 was positioned to harvest paints a clear picture of its intelligence objectives. GRIDTIDE was deployed on endpoints containing personally identifiable information including full names, phone numbers, dates of birth, places of birth, voter ID numbers, and national ID numbers. While GTIG did not directly observe data being exfiltrated during the campaign, they assessed that this kind of targeting is consistent with telecom-focused espionage designed to identify, track, and monitor persons of interest. As GTIG's official report noted, previous campaigns with similar access have been used to steal call data records, intercept unencrypted SMS messages, and even abuse lawful intercept systems built into telecom infrastructure.
The Disruption and Its Limits
The coordinated takedown was comprehensive. GTIG and its partners terminated all Google Cloud Projects controlled by UNC2814, severing persistent access to compromised environments. They identified and disabled all known UNC2814 infrastructure, sinkholed both current and historical domains, disabled attacker-controlled accounts, and revoked access to the Google Sheets instances used for C2. Victim organizations across all 42 confirmed countries received formal notifications and were offered direct support from Google to remediate their environments. GTIG also published indicators of compromise (IOCs) tied to UNC2814 infrastructure active since at least 2023 and refined detection signatures specifically designed to intercept GRIDTIDE activity.
GTIG cautioned that UNC2814 is expected to rebuild its operations. The report noted that "prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established," but added that UNC2814 will very likely work hard to re-establish its global footprint using new infrastructure.
The initial access vector for this specific campaign was not determined, but GTIG noted that UNC2814 has a documented history of gaining entry by exploiting and compromising web servers and edge systems—the same internet-facing infrastructure that remains one of the most persistently under-patched attack surfaces across the globe. Dan Perez also told The Hacker News that the GTIG team could not confirm whether all 53 confirmed intrusions involved GRIDTIDE specifically, suggesting that UNC2814 may have additional tools and capabilities not yet publicly documented.
The SaaS C2 Problem Is Bigger Than One Campaign
GRIDTIDE is alarming on its own merits, but it also represents the leading edge of a much broader trend that is reshaping how defenders have to think about malicious network traffic. UNC2814 is not the first threat actor to abuse legitimate cloud services for command and control, and it will not be the last.
In 2025, GTIG documented PRC-backed APT41 using Google Calendar as a covert C2 channel via a malware framework called TOUGHPROGRESS, targeting government organizations through phishing campaigns. In a separate campaign assessed by researchers at Hunters as likely Russian in origin, an operation they dubbed "VEILDrive" leveraged Microsoft Teams, SharePoint, Quick Assist, and OneDrive for both malware delivery and command-and-control operations against U.S. critical infrastructure. The Recorded Future Insikt Group's 2025 Cloud Threat Hunting and Defense Landscape report documented how threat actors are increasingly registering their own legitimate cloud resources specifically for use in attack chains—a trend that, taken alongside GRIDTIDE, VEILDrive, and TOUGHPROGRESS, suggests the abuse of SaaS platforms for C2 hosting and payload delivery has become a defining characteristic of the modern threat landscape.
The Darktrace Annual Threat Report for 2026 reinforced this shift, finding that identity-driven compromise through cloud and SaaS accounts has become the dominant path into organizations—with nearly 70% of incidents in the Americas beginning with stolen or misused accounts, and 58% of incidents in Europe starting with compromised cloud accounts and email. As Darktrace VP of Security and AI Strategy Nathaniel Jones put it: “Traditional perimeter defenses were built for a world where attackers had to break in. Today they simply log in.”
MITRE ATT&CK Techniques editorially mapped to UNC2814/GRIDTIDE based on reported TTPs: T1102.002 (Web Service: Bidirectional Communication), T1071.001 (Application Layer Protocol: Web Protocols), T1190 (Exploit Public-Facing Application), T1543.002 (Create or Modify System Process: Systemd Service), T1036.005 (Masquerading: Match Legitimate Name or Location), T1059 (Command and Scripting Interpreter), T1041 (Exfiltration Over C2 Channel), T1021.004 (Remote Services: SSH), T1005 (Data from Local System).
What Defenders Should Do Right Now
The GRIDTIDE campaign exposes a gap in how organizations think about trusted traffic. Cloud API calls to Google, Microsoft, and other major SaaS providers are almost universally allowlisted. GRIDTIDE exploits that trust by design. Addressing this requires a fundamental shift from domain-based filtering to behavior-based anomaly detection. Here is where to start.
Audit Google Sheets API access from your servers. Baseline first: some automation legitimately uses the Sheets API through a service account. Outside that baseline, a non-browser process on a Linux server making Sheets API calls is an immediate red flag, and a system-level process polling the API on a fixed cadence is a strong C2 indicator.
Hunt for unexplained systemd services. UNC2814 persisted through a custom unit file, xapt.service, that launched /usr/sbin/xapt. Any unit whose ExecStart points into /var/tmp/ or another directory that should not hold persistent executables warrants immediate investigation, but path alone is not enough, since this backdoor lived under /usr/sbin. Check whether the ExecStart binary is owned by an installed package (rpm -qf or dpkg -S) and when the unit file was created.
Investigate SoftEther VPN components. SoftEther is legitimate open-source software, but it has been linked to multiple Chinese APT groups and is rarely part of a sanctioned enterprise deployment. Its presence on a server should be treated as suspicious until an owner is identified.
Review SSH authorized_keys and service-account credentials. UNC2814 used a compromised service account for lateral movement via SSH. Regularly auditing authorized keys, especially on service accounts that should not have interactive access, and rotating credentials for any such account are hygiene practices that disrupt this specific TTP.
Monitor SaaS API traffic patterns. Regular, automated polling from server processes to googleapis.com or similar cloud endpoints, particularly outside business hours, is not normal behavior. Invest in cloud access security broker (CASB) capabilities or behavioral analytics that can distinguish legitimate SaaS usage from automated C2 communication.
Review GTIG's published IOCs. Google has released indicators of compromise covering UNC2814 infrastructure active since at least 2023. These IOCs are available via Google's official GTIG blog post and through the Google Threat Intelligence platform. Apply them to your SIEM and EDR immediately.
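Three of the hunts above, as an added example written for this article (not Google's or Mandiant's detection content), run over constructed sample telemetry: process events of the /var/tmp/xapt shape, systemd unit files, and egress log lines in a made-up "timestamp src= proc= host=" format. Assumptions: the log format and the PACKAGE_FILES set are illustrative; on a real host the set would come from rpm -qal (or dpkg -S per path) and the process events from your EDR or auditd feed.

```python
"""Three hunts for the UNC2814 tradecraft described above, run over constructed
sample telemetry. Added example for this article, not vendor detection content."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def temp_dir_shell_spawns(events):
    """Hunt 1: a binary running from a temp directory that spawns a shell
    (the /var/tmp/xapt -> /bin/sh -> `sh -c id` chain). events: dicts with
    pid, ppid, exe, cmdline."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["exe"] not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        while parent and parent["exe"] in SHELLS:   # climb past nested sh -c
            parent = by_pid.get(parent["ppid"])
        if parent and parent["exe"].startswith(TEMP_DIRS):
            hits.append((parent["exe"], e["cmdline"]))
    return hits


EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(\S+)", re.M)


def suspicious_units(units, package_files):
    """Hunt 2: systemd units whose ExecStart binary sits in a temp directory or
    is not owned by any installed package (how a /usr/sbin/xapt-style unit
    stands out). units: name -> unit file text; package_files: set of paths
    built from `rpm -qal` (or dpkg) on the host."""
    findings = {}
    for name, text in units.items():
        m = EXEC_RE.search(text)
        if not m:
            continue
        exe = m.group(1)
        if exe.startswith(TEMP_DIRS):
            findings[name] = f"ExecStart in temp directory: {exe}"
        elif exe not in package_files:
            findings[name] = f"ExecStart binary not owned by a package: {exe}"
    return findings


LOG_RE = re.compile(r"^(\S+) src=(\S+) proc=(\S+) host=(\S+)")


def polling_sources(log_lines, min_requests=10, max_jitter_s=0.2):
    """Hunt 3: per (src, process, host), flag a near-constant request cadence
    toward googleapis.com, the fingerprint of a 1-second A1 poll loop."""
    series = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, proc, host = m.groups()
        series[(src, proc, host)].append(datetime.fromisoformat(ts).timestamp())
    flagged = []
    for key, times in series.items():
        if len(times) < min_requests or not key[2].endswith("googleapis.com"):
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            flagged.append((key, round(statistics.mean(gaps), 2)))
    return flagged


# ---- constructed sample telemetry (not from any real incident) ----
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "exe": "/usr/sbin/sshd", "cmdline": "sshd"},
    {"pid": 2001, "ppid": 100, "exe": "/var/tmp/xapt", "cmdline": "/var/tmp/xapt"},
    {"pid": 2002, "ppid": 2001, "exe": "/bin/sh", "cmdline": "/bin/sh"},
    {"pid": 2003, "ppid": 2002, "exe": "/bin/sh", "cmdline": "sh -c id 2>&1"},
    {"pid": 3001, "ppid": 1, "exe": "/usr/bin/python3", "cmdline": "python3 backup.py"},
    {"pid": 3002, "ppid": 3001, "exe": "/bin/sh", "cmdline": "sh -c tar czf /backup/srv.tgz /srv"},
]
UNITS = {
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "xapt.service": "[Service]\nType=simple\nExecStart=/usr/sbin/xapt\n[Install]\nWantedBy=multi-user.target\n",
    "agent.service": "[Service]\nExecStart=/var/tmp/agent --daemon\n",
}
PACKAGE_FILES = {"/usr/sbin/sshd", "/usr/bin/python3", "/bin/sh"}   # illustrative


def sample_log():
    """30 one-second polls from a server daemon plus irregular browser traffic."""
    base = datetime(2026, 2, 20, 3, 0, 0)
    line = "{} src={} proc={} host=sheets.googleapis.com"
    lines = [line.format((base + timedelta(seconds=i)).isoformat(),
                         "10.0.0.5", "/usr/sbin/xapt") for i in range(30)]
    for off in (2, 9, 31, 200, 215, 600, 640, 1200, 1203, 1900, 2500, 2501):
        lines.append(line.format((base + timedelta(seconds=off)).isoformat(),
                                 "10.0.0.9", "chrome"))
    return lines
```

The third hunt is deliberately destination-agnostic apart from the googleapis.com suffix: it keys on who is talking and how evenly, which is what survives when the destination is a service you cannot block. Tune min_requests and max_jitter_s against your own baseline; a backed-off implant polling every 5 to 10 minutes will not trip this rule and needs a longer window with a looser jitter bound.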
Key Takeaways
- Trusted cloud services are the new attack surface: GRIDTIDE shows that C2 traffic no longer needs to touch attacker-owned infrastructure. When the command channel is a Google spreadsheet, destination-based firewall rules contribute nothing to detection. Organizations must move beyond domain allowlisting and invest in behavioral anomaly detection for SaaS API traffic.
- China is running parallel telecom espionage operations at global scale: GTIG reports no observed overlap between UNC2814 and Salt Typhoon, which use distinct tools and tradecraft against different victims, yet both target telecommunications infrastructure worldwide. The PRC's investment in communications intelligence collection is broader and more redundant than many defenders have assumed.
- Edge systems remain the front door: Despite the sophistication of GRIDTIDE's C2, UNC2814's initial access vector remains consistent with exploiting internet-facing web servers and edge devices. Patching and hardening these systems is still the single most effective way to prevent the initial compromise that makes everything else possible.
- Disruption is not elimination: Google's takedown was thorough, but GTIG expects UNC2814 to rebuild. A group whose infrastructure dates back to at least 2018 and whose confirmed or suspected footprint spans more than 60 countries has the resources, expertise, and strategic mandate to adapt and return. Continuous monitoring, not one-time remediation, is the only appropriate defensive posture.
The GRIDTIDE campaign is a case study in how state-sponsored espionage has adapted to the cloud-first world. The perimeter did not fail because it was weak—it failed because it was never designed for a threat that hides inside the tools organizations cannot afford to block. As cloud adoption accelerates and SaaS APIs become the connective tissue of enterprise operations, the lesson from UNC2814 is clear: trust in your tools must be verified, not assumed. The spreadsheet is no longer just a spreadsheet. In the hands of a patient, well-resourced adversary, it is a weapon.
Sources: Google GTIG Official Blog, The Register, The Hacker News, SecurityWeek, CSO Online, Infosecurity Magazine, Bleeping Computer, Recorded Future, Google GTIG — APT41/TOUGHPROGRESS, Hunters — VEILDrive, Darktrace Annual Threat Report 2026