Trending Topics
GRIDTIDE Disruption: PRC-Linked UNC2814 Abused Google Sheets API for Global Espionage
Google Threat Intelligence Group (GTIG), alongside Mandiant and other partners, disrupted a large-scale espionage campaign attributed to UNC2814, a suspected PRC-nexus threat actor active since at least 2017. The operation leveraged a novel C-based backdoor, GRIDTIDE, which used the legitimate Google Sheets API as command-and-control infrastructure, disguising malicious activity as routine SaaS traffic rather than exploiting a product vulnerability. Confirmed intrusions impacted 53 organizations across 42 countries, primarily targeting telecommunications providers and government entities, with suspected infections in at least 20 additional nations, including Russia, Chile, and Brazil. Once deployed, GRIDTIDE authenticated to attacker-controlled Google service accounts, sanitized spreadsheets to remove prior artifacts, fingerprinted compromised hosts, and used specific spreadsheet cells to execute commands, transfer files, and exfiltrate data in 45-KB fragments via URL-safe Base64 encoding. In at least one case, the malware was deployed on systems containing highly sensitive PII, including national ID data and voter information, aligning with historic PRC-linked telecom espionage aimed at tracking persons of interest. GTIG emphasized there is no security flaw in Google products; the actor abused legitimate cloud functionality to blend into expected network behavior.
Post-compromise activity included privilege escalation, lateral movement via SSH using service accounts, deployment of SoftEther VPN for encrypted outbound connectivity, and persistence through systemd services masquerading as legitimate binaries such as xapt. The disruption effort involved terminating attacker-controlled Google Cloud projects, disabling malicious service accounts, revoking Google Sheets API access, sinkholing infrastructure, and notifying impacted victims.
Detection guidance highlights suspicious non-browser processes accessing sheets[.]googleapis[.]com endpoints, anomalous file creation in directories such as /var/tmp or /usr/sbin, and shell execution from temporary paths with short alphanumeric filenames. While the infrastructure takedown significantly degraded UNC2814’s access, GTIG assesses the actor will likely attempt to reconstitute operations using new cloud accounts and alternate SaaS platforms. Organizations should enforce strict monitoring and anomaly detection of SaaS API usage, restrict service account key exposure, implement least-privilege access controls, and deploy behavioral analytics to flag non-browser processes communicating with cloud APIs, such as Google Sheets, to prevent similar API-abuse–based command-and-control activity.
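As an added illustration of the detection guidance above (this is example code written for this briefing, not tooling from GTIG, Mandiant, or the original report), the following Python applies the three described heuristics to a constructed JSON-lines telemetry feed: non-browser processes reaching the Google Sheets API endpoint, file creation in /var/tmp or /usr/sbin, and a shell launching a short alphanumeric-named binary from a temporary path. The event schema, the browser and package-manager allowlists, and the eight-character filename threshold are assumptions; a real auditd or EDR pipeline would need a mapping step into these fields.

```python
import json
import re

# Constructed, simplified JSON-lines telemetry (assumption: a real auditd/EDR
# feed would first be normalised into these field names). Event 2, 3, 5 and 6
# mirror the behaviours in the detection guidance; the rest are benign noise.
SAMPLE_LOG = "\n".join([
    '{"id": 1, "type": "network", "process": "firefox", "dest_host": "sheets.googleapis.com"}',
    '{"id": 2, "type": "network", "process": "xapt", "dest_host": "sheets.googleapis.com"}',
    '{"id": 3, "type": "file_create", "process": "bash", "path": "/var/tmp/a1b2"}',
    '{"id": 4, "type": "file_create", "process": "dpkg", "path": "/usr/sbin/sshd"}',
    '{"id": 5, "type": "file_create", "process": "cp", "path": "/usr/sbin/xapt"}',
    '{"id": 6, "type": "process_exec", "parent": "bash", "path": "/var/tmp/a1b2"}',
    '{"id": 7, "type": "process_exec", "parent": "bash", "path": "/usr/bin/python3"}',
    '{"id": 8, "type": "process_exec", "parent": "systemd", "path": "/tmp/longer-installer-name"}',
])

# Allowlists and thresholds below are assumptions chosen for the example.
BROWSERS = {"chrome", "chromium", "firefox", "msedge", "brave", "safari"}
PACKAGE_MANAGERS = {"dpkg", "apt", "apt-get", "rpm", "yum", "dnf"}
STAGING_DIRS = ("/var/tmp/", "/usr/sbin/")
TEMP_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"sh", "bash", "dash", "zsh"}
SHORT_ALNUM = re.compile(r"^[A-Za-z0-9]{1,8}$")


def rule_sheets_api(ev):
    """A process other than a known browser contacted the Sheets API endpoint."""
    if ev.get("type") != "network":
        return None
    host = ev.get("dest_host", "")
    if host != "sheets.googleapis.com" and not host.endswith(".sheets.googleapis.com"):
        return None
    proc = ev.get("process", "")
    if proc.lower() in BROWSERS:
        return None
    return f"non-browser process {proc!r} contacted {host}"


def rule_staging_write(ev):
    """File created under /var/tmp or /usr/sbin by something other than a package manager."""
    if ev.get("type") != "file_create":
        return None
    path = ev.get("path", "")
    if not path.startswith(STAGING_DIRS):
        return None
    proc = ev.get("process", "")
    if proc in PACKAGE_MANAGERS:
        return None
    return f"{proc!r} created {path}"


def rule_temp_shell_exec(ev):
    """A shell executed a short alphanumeric-named file from a temporary directory."""
    if ev.get("type") != "process_exec":
        return None
    path = ev.get("path", "")
    if not path.startswith(TEMP_EXEC_DIRS):
        return None
    name = path.rsplit("/", 1)[-1]
    if not SHORT_ALNUM.match(name) or ev.get("parent", "") not in SHELLS:
        return None
    return f"shell {ev['parent']!r} executed {path}"


RULES = {
    "gridtide_sheets_api": rule_sheets_api,
    "gridtide_staging_write": rule_staging_write,
    "gridtide_temp_shell_exec": rule_temp_shell_exec,
}


def scan(log_text):
    """Run every rule over each JSON event and return the alerts in event order."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"event_id": ev.get("id"), "rule": name, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["event_id"], alert["rule"], alert["detail"])
```

The rules are deliberately independent so each can be tuned on its own: the Sheets API rule is the highest-signal one because legitimate server-side use of that endpoint is rare on telecom and government hosts, while the staging-directory rule will need an environment-specific allowlist of build and deployment tooling before it is quiet enough to page on.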
Industrialized Malvertising: 1Campaign Cloaking Platform Enables Scalable Google Ads Abuse
Varonis has identified 1Campaign, a purpose-built cloaking platform designed to help threat actors systematically abuse Google Ads by evading platform screening, security scanners, and brand protection services. Operated by an individual using the alias DuppyMeister, the service has reportedly been active for more than three years and offers Telegram-based support alongside a centralized dashboard for managing campaigns. At its core, 1Campaign enables malvertising at scale by presenting benign “white” pages to Google reviewers and automated detection systems, while routing real users to phishing pages or cryptocurrency drainer infrastructure. The platform integrates real-time visitor profiling, fraud scoring, IP and ASN-based filtering, and device/geographic targeting to ensure that over 99% of security-related traffic is blocked before it can observe malicious content. By filtering traffic from major cloud providers, VPNs, and known security vendors such as Microsoft, Google, OVH, and Tencent, attackers significantly extend the lifespan of fraudulent ad campaigns. This operational model transforms cloaking from a niche evasion tactic into a fully commercialized infrastructure layer supporting large-scale ad fraud and credential theft.
Beyond simple traffic filtering, 1Campaign includes tooling specifically tailored to Google Ads abuse, including modules that help operators launch both “white” (benign) and “black” (malicious) campaigns while bypassing ad policy enforcement. Campaign analytics reveal highly selective victim routing, with granular geographic and device-based filtering that enables attackers to focus on monetizable regions while excluding areas commonly associated with researchers. Fraud scores (0–100) are assigned based on IP reputation, ISP ownership, and behavioral signals, allowing the system to automatically block suspected automated analysis environments.
Defenders must increasingly rely on behavioral analysis, realistic browser emulation, and diversified infrastructure visibility to expose cloaked content that static scanners will never observe. Organizations should implement advanced behavioral URL analysis that emulates real user interactions, continuously monitor paid search results for brand impersonation, and collaborate directly with advertising platforms to rapidly report and disrupt cloaked malvertising campaigns before large-scale victim exposure.
OpenAI Discloses Chinese Law Enforcement–Linked Covert Influence Operations Leveraging AI and Cross-Platform Harassment Campaigns
OpenAI disclosed the disruption of a ChatGPT account linked to an individual associated with Chinese law enforcement who attempted to use the model to support what they described as “cyber special operations”. The user sought assistance in planning a covert influence campaign targeting Japanese Prime Minister Sanae Takaichi, alongside requests to edit and refine internal status reports detailing broader operations against dissidents and foreign political figures. While the model refused to assist with operational planning, the user later returned with polished reporting on activities that appeared to have proceeded independently. An open-source investigation linked aspects of the described activity to previously exposed influence operations, including the China-origin network known as Spamouflage, which platforms and researchers have publicly attributed to actors tied to Chinese public security services.
The reported operations reflect a blended online and offline harassment model that includes large-scale fake account creation, hashtag campaigns, impersonation of officials, forged documentation, abusive reporting to trigger platform enforcement, doxxing websites, and coordinated smear efforts against critics of the Chinese Communist Party. Targets spanned domestic dissidents, overseas activists, foreign policymakers, and human rights organizations, with tactics designed to suppress speech, erode credibility, and induce psychological pressure. The user’s reports referenced the use of locally deployed open-weight AI models such as DeepSeek and Qwen for content generation, monitoring, translation, and internal documentation, suggesting a structured integration of AI into influence workflows.
Although much of the observed social media activity showed limited authentic engagement, the scope, staffing levels, and sustained nature of the described operations indicate a resource-backed strategy aimed at shaping narratives, intimidating critics, and extending state influence across global digital platforms. Organizations and platforms should strengthen coordinated inauthentic behavior detection, enhance cross-platform intelligence sharing, implement robust identity verification and abuse-report monitoring controls, and provide targeted support and incident response pathways for individuals facing state-linked harassment or influence operations.
Steaelite RAT Consolidates Data Theft and Ransomware into a Single Double-Extortion Platform
Steaelite is a newly marketed remote access trojan first observed on underground forums in November 2025 that consolidates credential harvesting, surveillance, and ransomware deployment into a single browser-based control panel. Advertised as fully undetectable and compatible with Windows 10 and 11, the tool provides operators with remote code execution, file system access, live screen streaming, webcam and microphone control, hidden RDP, UAC bypass, and built-in ransomware deployment. Notably, Steaelite automatically exfiltrates browser-stored passwords, session cookies, and application tokens immediately upon establishing a connection with the victim, reducing the attacker's effort and accelerating monetization. Advanced modules include Windows Defender tampering, persistence installation, clipboard-based cryptocurrency address replacement, and a developer panel capable of keylogging, USB spreading, and removing competing malware. The seller has also announced an Android ransomware module in development, signaling expansion beyond traditional Windows environments.
For enterprise defenders, this convergence of surveillance tooling, credential harvesting, and ransomware within one dashboard compresses the attack lifecycle and reduces opportunities for detection before impact. Because data exfiltration occurs prior to manual operator interaction, organizations face exposure risk even if encryption is never triggered. The integrated use of HVNC monitoring, administrative-level command execution, and Defender tampering complicates traditional signature-based detection and emphasizes the need for behavioral controls. Additionally, clipboard manipulation for cryptocurrency redirection introduces financial fraud risk alongside classic ransomware exposure.
Organizations should implement robust endpoint detection and response with behavioral monitoring to detect UAC bypass, Defender modification, and anomalous outbound data transfers; enforce strict egress filtering and application control policies; restrict unnecessary RDP access; and deploy phishing-resistant multi-factor authentication to limit credential abuse and disrupt double-extortion execution paths.
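The clipboard-based cryptocurrency address replacement described above leaves a recognisable behavioural trace: an address-like string is copied, and moments later the clipboard holds a different address of the same format that the user never copied. The Python below, written for this briefing as an added example and not derived from Steaelite or any vendor tooling, applies that heuristic to a constructed sequence of clipboard snapshots. The two-second swap window, the three address families covered (Bitcoin legacy, Bitcoin bech32, Ethereum), and the sample addresses are all assumptions; an endpoint agent would feed it real clipboard-change events.

```python
import re
from datetime import datetime, timedelta

# Address-format patterns for three common families (assumption: enough for a
# demo; production detection would cover more chains and validate checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A user does not normally copy two different addresses of the same family
# within this interval; a swapper does it almost instantly (assumed threshold).
SWAP_WINDOW = timedelta(seconds=2)


def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_clipboard_swaps(events):
    """events: iterable of (timestamp, clipboard_text) in time order.

    Flags a replacement when an address is followed, within SWAP_WINDOW, by a
    different address of the same family. Copying non-address text in between
    resets the state, since a swapper acts on the address copy itself.
    """
    findings = []
    prev = None  # (timestamp, text, family) of the last address-like clipboard content
    for ts, text in events:
        family = classify(text)
        if family is None:
            prev = None
            continue
        if prev is not None:
            prev_ts, prev_text, prev_family = prev
            if prev_family == family and prev_text != text and ts - prev_ts <= SWAP_WINDOW:
                findings.append({
                    "time": ts,
                    "family": family,
                    "original": prev_text,
                    "replacement": text,
                    "delay_s": (ts - prev_ts).total_seconds(),
                })
        prev = (ts, text, family)
    return findings


# Constructed clipboard history: sample addresses are syntactically valid but
# invented for this example. Only the third event is a suspicious swap; the
# later Ethereum addresses are ten minutes apart, consistent with user activity.
T0 = datetime(2025, 11, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "meeting notes for Tuesday"),
    (T0 + timedelta(seconds=1), "1AbCdEfGhJkLmNpQrStUvWxYz23456789"),
    (T0 + timedelta(seconds=1, milliseconds=300), "3DemoSwapAddrXyzAbc123456789"),
    (T0 + timedelta(seconds=60), "0x" + "ab12" * 10),
    (T0 + timedelta(seconds=600), "0x" + "cd34" * 10),
    (T0 + timedelta(seconds=601), "0x" + "cd34" * 10),
]


if __name__ == "__main__":
    for finding in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['family']}: {finding['original']} -> "
              f"{finding['replacement']} after {finding['delay_s']:.1f}s")
```

The heuristic is intentionally narrow: it only fires on same-family replacements inside a short window, so a user who legitimately copies two addresses in a row, or copies something else between them, is not flagged. Pairing a hit with the process that last wrote to the clipboard (available from endpoint telemetry but not modelled here) is what turns it from a warning into an attributable detection.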