{
  "name": "Disrupting the GRIDTIDE Global Cyber Espionage Campaign",
  "slug": "disrupting-the-gridtide-global-cyber-espionage-campaign",
  "description": "A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign utilized a sophisticated backdoor called GRIDTIDE, which leveraged Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, file transfers, and evading detection by disguising traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.",
  "published": "2026-02-26T10:04:20+00:00",
  "created_at": "2026-02-26T10:04:20+00:00",
  "modified_at": "2026-02-26T11:59:42+00:00",
  "created_at_opencti": "2026-02-26T10:04:20+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-26",
    "api abuse",
    "backdoor",
    "china",
    "cyber espionage",
    "google sheets",
    "government",
    "gridtide",
    "telecommunications"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "38.54.82.69"
      },
      {
        "id": "",
        "name": "38.60.224.25"
      },
      {
        "id": "",
        "name": "38.54.32.244"
      },
      {
        "id": "",
        "name": "38.60.194.21"
      },
      {
        "id": "",
        "name": "38.60.171.242"
      },
      {
        "id": "",
        "name": "195.123.211.70"
      },
      {
        "id": "",
        "name": "38.60.252.66"
      },
      {
        "id": "",
        "name": "38.54.112.184"
      },
      {
        "id": "",
        "name": "130.94.6.228"
      },
      {
        "id": "",
        "name": "38.54.37.196"
      },
      {
        "id": "",
        "name": "38.54.31.146"
      },
      {
        "id": "",
        "name": "http://130.94.6.228/update.tar.gz"
      },
      {
        "id": "",
        "name": "4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9"
      },
      {
        "id": "",
        "name": "d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606"
      },
      {
        "id": "",
        "name": "669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966"
      },
      {
        "id": "",
        "name": "01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb"
      },
      {
        "id": "",
        "name": "ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47"
      },
      {
        "id": "",
        "name": "eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:bd9c99bdbd574333",
        "name": "GRIDTIDE",
        "slug": "gridtide"
      }
    ],
    "intrusion_sets": [
      {
        "id": "07f556a3-f91a-478d-bc66-109e09b291b3",
        "name": "UNC2814",
        "slug": "unc2814"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government and administrations"
      },
      {
        "id": "",
        "name": "appler.kozow.com"
      },
      {
        "id": "",
        "name": "officeshan.kozow.com"
      },
      {
        "id": "",
        "name": "prdanjana01.ddnsfree.com"
      },
      {
        "id": "",
        "name": "ksv01sokudwongsj.theworkpc.com"
      },
      {
        "id": "",
        "name": "ccammutom.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "mosplosaq.accesscam.org"
      },
      {
        "id": "",
        "name": "zwmn350n3o1vsdrggs.ddnsfree.com"
      },
      {
        "id": "",
        "name": "zmcmvmbm.ddnsfree.com"
      },
      {
        "id": "",
        "name": "peisuesacae.loseyourip.com"
      },
      {
        "id": "",
        "name": "huygdr12.loseyourip.com"
      },
      {
        "id": "",
        "name": "transport.dynuddns.net"
      },
      {
        "id": "",
        "name": "sgsn.accesscam.org"
      },
      {
        "id": "",
        "name": "meetls.kozow.com"
      },
      {
        "id": "",
        "name": "camsqewivo.kozow.com"
      },
      {
        "id": "",
        "name": "serious.kozow.com"
      },
      {
        "id": "",
        "name": "fasceadvcva3.gleeze.com"
      },
      {
        "id": "",
        "name": "setupcodpr2.freeddns.org"
      },
      {
        "id": "",
        "name": "1cv2f3d5s6a9w.ddnsfree.com"
      },
      {
        "id": "",
        "name": "t31c0mopocuveop.accesscam.org"
      },
      {
        "id": "",
        "name": "indoodchat.theworkpc.com"
      },
      {
        "id": "",
        "name": "lcskiecjj.loseyourip.com"
      },
      {
        "id": "",
        "name": "btbtutil.theworkpc.com"
      },
      {
        "id": "",
        "name": "ancisesic.accesscam.org"
      },
      {
        "id": "",
        "name": "pcvmts3.kozow.com"
      },
      {
        "id": "",
        "name": "camcampkes.ddnsfree.com"
      },
      {
        "id": "",
        "name": "idstandsuui.kozow.com"
      },
      {
        "id": "",
        "name": "asdad21ww.freeddns.org"
      },
      {
        "id": "",
        "name": "ttsiou12.loseyourip.com"
      },
      {
        "id": "",
        "name": "losiesca.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "boemobww.ddnsfree.com"
      },
      {
        "id": "",
        "name": "nims.gleeze.com"
      },
      {
        "id": "",
        "name": "jarvis001.freeddns.org"
      },
      {
        "id": "",
        "name": "hamkorg.kozow.com"
      },
      {
        "id": "",
        "name": "scopps.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "unnjunnani.ddnsfree.com"
      },
      {
        "id": "",
        "name": "zwt310n3o2unety6a3k.kozow.com"
      },
      {
        "id": "",
        "name": "vmtools.loseyourip.com"
      },
      {
        "id": "",
        "name": "codemicros12.gleeze.com"
      },
      {
        "id": "",
        "name": "khyes001ndfpnuewdm.kozow.com"
      },
      {
        "id": "",
        "name": "brcallletme.theworkpc.com"
      },
      {
        "id": "",
        "name": "cvabiasbae.ddnsfree.com"
      },
      {
        "id": "",
        "name": "udieyg.gleeze.com"
      },
      {
        "id": "",
        "name": "modgood.gleeze.com"
      },
      {
        "id": "",
        "name": "tlse001hdfuwwgdgpnn.theworkpc.com"
      },
      {
        "id": "",
        "name": "ml3.freeddns.org"
      },
      {
        "id": "",
        "name": "mms.bumbleshrimp.com"
      },
      {
        "id": "",
        "name": "ppsabedon.gleeze.com"
      },
      {
        "id": "",
        "name": "t3lc0mcanyqbfac.loseyourip.com"
      },
      {
        "id": "",
        "name": "maliclick1.ddnsfree.com"
      },
      {
        "id": "",
        "name": "winfoss1.kozow.com"
      },
      {
        "id": "",
        "name": "timpe.kozow.com"
      },
      {
        "id": "",
        "name": "mailsdy.gleeze.com"
      },
      {
        "id": "",
        "name": "globoss.kozow.com"
      },
      {
        "id": "",
        "name": "googlett.camdvr.org"
      },
      {
        "id": "",
        "name": "zwt31n3t0nidoqmve.camdvr.org"
      },
      {
        "id": "",
        "name": "nodekeny11.freeddns.org"
      },
      {
        "id": "",
        "name": "updatasuccess.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "pplodsssead222.loseyourip.com"
      },
      {
        "id": "",
        "name": "vass.ooguy.com"
      },
      {
        "id": "",
        "name": "pepesetup.ddnsfree.com"
      },
      {
        "id": "",
        "name": "t31c0mopmiuewklg.webredirect.org"
      },
      {
        "id": "",
        "name": "sn0son4t31opc.freeddns.org"
      },
      {
        "id": "",
        "name": "googles.ddnsfree.com"
      },
      {
        "id": "",
        "name": "dnsfreedb.ddnsfree.com"
      },
      {
        "id": "",
        "name": "thbio.kozow.com"
      },
      {
        "id": "",
        "name": "zwt310n3o1unety2kab.webredirect.org"
      },
      {
        "id": "",
        "name": "sdsuytoins63.kozow.com"
      },
      {
        "id": "",
        "name": "wdlcamaakc.ooguy.com"
      },
      {
        "id": "",
        "name": "dclcwpdtsdcc.ddnsfree.com"
      },
      {
        "id": "",
        "name": "updatamail.kozow.com"
      },
      {
        "id": "",
        "name": "ftpzpak.kozow.com"
      },
      {
        "id": "",
        "name": "mysql.casacam.net"
      },
      {
        "id": "",
        "name": "lps2staging.ddnsfree.com"
      },
      {
        "id": "",
        "name": "ltiuys.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "fgdedd1dww.gleeze.com"
      },
      {
        "id": "",
        "name": "vosies.ddnsfree.com"
      },
      {
        "id": "",
        "name": "mauritasszddb.ddnsfree.com"
      },
      {
        "id": "",
        "name": "t31c0mopamcuiomx.kozow.com"
      },
      {
        "id": "",
        "name": "cloacpae.ddnsfree.com"
      },
      {
        "id": "",
        "name": "tltlsktelko.ddnsfree.com"
      },
      {
        "id": "",
        "name": "systemsz.kozow.com"
      },
      {
        "id": "",
        "name": "onlyosun.ooguy.com"
      },
      {
        "id": "",
        "name": "ffosies2024.camdvr.org"
      },
      {
        "id": "",
        "name": "babaji.accesscam.org"
      },
      {
        "id": "",
        "name": "trvcl.bumbleshrimp.com"
      },
      {
        "id": "",
        "name": "ltiuys.kozow.com"
      },
      {
        "id": "",
        "name": "cdnvmtools.theworkpc.com"
      },
      {
        "id": "",
        "name": "aw2o25forsbc.camdvr.org"
      },
      {
        "id": "",
        "name": "telkom.ooguy.com"
      },
      {
        "id": "",
        "name": "nenignenigoncqvoo.ooguy.com"
      },
      {
        "id": "",
        "name": "osix.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "okkstt.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "fakjcsaeyhs.ddnsfree.com"
      },
      {
        "id": "",
        "name": "mlksucnayesk.kozow.com"
      },
      {
        "id": "",
        "name": "prihxlcs.ddnsfree.com"
      },
      {
        "id": "",
        "name": "prepaid127.freeddns.org"
      },
      {
        "id": "",
        "name": "priftp.kozow.com"
      },
      {
        "id": "",
        "name": "bibabo.freeddns.org"
      },
      {
        "id": "",
        "name": "vals.bumbleshrimp.com"
      },
      {
        "id": "",
        "name": "telkomservices.theworkpc.com"
      },
      {
        "id": "",
        "name": "vass2025.casacam.net"
      },
      {
        "id": "",
        "name": "sdhite43.ddnsfree.com"
      },
      {
        "id": "",
        "name": "soovuy.gleeze.com"
      },
      {
        "id": "",
        "name": "sn0son4t31bbsvopou.camdvr.org"
      },
      {
        "id": "",
        "name": "examp1e.webredirect.org"
      },
      {
        "id": "",
        "name": "pcmainecia.ddnsfree.com"
      },
      {
        "id": "",
        "name": "t3lm0rtlcagratu.kozow.com"
      },
      {
        "id": "",
        "name": "afsaces.accesscam.org"
      },
      {
        "id": "",
        "name": "oldatain1.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "uscplxsecjs.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "ysiohbk.camdvr.org"
      },
      {
        "id": "",
        "name": "ftpuser14.gleeze.com"
      },
      {
        "id": "",
        "name": "t31c0mjumpcuyerop.ooguy.com"
      },
      {
        "id": "",
        "name": "lcskiecs.ddnsfree.com"
      },
      {
        "id": "",
        "name": "filipinet.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "googlel.gleeze.com"
      },
      {
        "id": "",
        "name": "nmszablogs.ddnsfree.com"
      },
      {
        "id": "",
        "name": "pplosad231.kozow.com"
      },
      {
        "id": "",
        "name": "zwmn350n3o1fsdf3gs.kozow.com"
      },
      {
        "id": "",
        "name": "lsls.casacam.net"
      },
      {
        "id": "",
        "name": "binmol.webredirect.org"
      },
      {
        "id": "",
        "name": "supceasfg1.loseyourip.com"
      },
      {
        "id": "",
        "name": "t3lc0mczmoihwc.camdvr.org"
      },
      {
        "id": "",
        "name": "cvpc01aenusocirem.accesscam.org"
      },
      {
        "id": "",
        "name": "nisaldwoa.theworkpc.com"
      },
      {
        "id": "",
        "name": "telen.bumbleshrimp.com"
      },
      {
        "id": "",
        "name": "t3lc0mh4udncifw.casacam.net"
      },
      {
        "id": "",
        "name": "selfad.gleeze.com"
      },
      {
        "id": "",
        "name": "honidoo.loseyourip.com"
      },
      {
        "id": "",
        "name": "cnrpaslceas.freeddns.org"
      },
      {
        "id": "",
        "name": "vpaspmine.freeddns.org"
      },
      {
        "id": "",
        "name": "gtaldps31c.ddnsfree.com"
      },
      {
        "id": "",
        "name": "microsoft.bumbleshrimp.com"
      },
      {
        "id": "",
        "name": "pxlaxvvva.freeddns.org"
      },
      {
        "id": "",
        "name": "freeios.theworkpc.com"
      },
      {
        "id": "",
        "name": "cmwwoods1.theworkpc.com"
      },
      {
        "id": "",
        "name": "rsm323.kozow.com"
      },
      {
        "id": "",
        "name": "evilginx2.loseyourip.com"
      },
      {
        "id": "",
        "name": "polokinyea.gleeze.com"
      },
      {
        "id": "",
        "name": "plcoaweniva.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "pewsus.freeddns.org"
      },
      {
        "id": "",
        "name": "admina.freeddns.org"
      },
      {
        "id": "",
        "name": "zwmn350n3o1ugety2xbe.camdvr.org"
      },
      {
        "id": "",
        "name": "icekancusjhea.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "updateservices.kozow.com"
      },
      {
        "id": "",
        "name": "palamolscueajfvc.gleeze.com"
      },
      {
        "id": "",
        "name": "prihxlcsw.theworkpc.com"
      },
      {
        "id": "",
        "name": "zwt3ln3t1aimckalw.theworkpc.com"
      },
      {
        "id": "",
        "name": "usoshared1.ddnsfree.com"
      },
      {
        "id": "",
        "name": "timpe.webredirect.org"
      },
      {
        "id": "",
        "name": "vmtools.camdvr.org"
      },
      {
        "id": "",
        "name": "npeoples.theworkpc.com"
      },
      {
        "id": "",
        "name": "btltan.ooguy.com"
      },
      {
        "id": "",
        "name": "gogo2025up.ddnsfree.com"
      },
      {
        "id": "",
        "name": "dlpossie.ddnsfree.com"
      },
      {
        "id": "",
        "name": "zammffayhd.ddnsfree.com"
      },
      {
        "id": "",
        "name": "cressmiss.ooguy.com"
      },
      {
        "id": "",
        "name": "cvnoc01da1cjmnftsd.accesscam.org"
      },
      {
        "id": "",
        "name": "bab2o25com.accesscam.org"
      },
      {
        "id": "",
        "name": "applebox.camdvr.org"
      },
      {
        "id": "",
        "name": "kaushalya.freeddns.org"
      },
      {
        "id": "",
        "name": "babi5599ss.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "googles.accesscam.org"
      },
      {
        "id": "",
        "name": "nenigoncqnutgo.accesscam.org"
      },
      {
        "id": "",
        "name": "policyagent.theworkpc.com"
      },
      {
        "id": "",
        "name": "pawanp.kozow.com"
      },
      {
        "id": "",
        "name": "kskxoscieontrolanel.gleeze.com"
      },
      {
        "id": "",
        "name": "googllabwws.gleeze.com"
      },
      {
        "id": "",
        "name": "ua2o25yth.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "peowork.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "rabbit.ooguy.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69a028b4c9477a7b9420328f",
    "https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign"
  ]
}