elf.gridtide

GRIDTIDE

Actor(s): UNC2814
According to Google, GRIDTIDE is a sophisticated backdoor written in C and delivered as a Linux ELF binary that provides remote shell command execution, file upload, and file download capabilities. It uses a cloud-based spreadsheet service as its command-and-control channel, interacting via official APIs and encoding all traffic with a URL-safe Base64 scheme to blend into legitimate HTTPS traffic. The malware relies on an external 16-byte key file to decrypt its cloud configuration using AES-128 in CBC mode, then performs detailed host reconnaissance (user, host, OS, network, and locale information) and stores this metadata in designated spreadsheet cells. GRIDTIDE establishes persistence through a system service, uses a cell-based polling mechanism for tasking and responses, and can stage tooling and exfiltrated data in spreadsheet cells to avoid traditional network-based detection.

References
2026-02-25 | Google | Google Threat Intelligence Group, Mandiant
Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign
Tags: GRIDTIDE, UNC2814

There is no Yara-Signature yet.