What is the GRIDTIDE backdoor?

GRIDTIDE's a novel implant from UNC2814, persisting via systemd, using SoftEther VPN, and C2'ing over Google Sheets API to blend in.

Who is behind GRIDTIDE cyber espionage?

UNC2814, China-linked since 2017, targeting telcos and govs in 42+ countries—no Salt Typhoon ties.

Terminated Cloud projects, disabled infrastructure/accounts/APIs, released IOCs—done with Mandiant.

🌐 Nation-State Threats

Google slammed the door on UNC2814's GRIDTIDE campaign. China's spies hid in plain sight—using legit cloud tools. Pathetic, yet brilliant.

theAIcatchup Apr 08, 2026 3 min read

Google and Mandiant disrupted UNC2814's GRIDTIDE, hitting 53 victims in 42 countries. 𝕏
Attackers abused Google Sheets API for stealthy C2—no vulnerabilities exploited. 𝕏
Expect copycats; cloud abuse is the new state-spy normal. 𝕏

Published by

Threat intelligence. Zero noise.

#China cyber espionage #GRIDTIDE #Google Mandiant disruption #UNC2814

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Mandiant Blog