
How a Global Espionage Group Hid Malware Inside Google Sheets
Feb 25, 2026
On February 25, the Google Threat Intelligence Group (GTIG), working with Mandiant, detailed and disrupted a large-scale cyber espionage campaign attributed to a group tracked as UNC2814.
The campaign affected telecommunications providers and government organizations across dozens of countries. What makes it particularly important from a defensive standpoint is not just who was targeted, but how the attackers operated.
This is a case study in modern stealth.
The Bigger Pattern: Abuse, Not Exploitation
There was no reported vulnerability in Google products involved here.
Instead, the attackers relied on legitimate cloud services functioning exactly as designed. Their malware used normal API calls to a cloud-hosted spreadsheet platform to receive instructions and send data back.
From a network monitoring perspective, the traffic blended in with routine SaaS activity. That is the key takeaway.
We are seeing a steady shift in espionage operations toward:
- Living-off-the-land techniques
- Abuse of trusted cloud services
- Encryption by default
- Minimal custom infrastructure
For defenders, this means blocking “known bad” infrastructure is no longer enough.
What the Malware Actually Did
The backdoor deployed in this campaign, tracked as GRIDTIDE, gave attackers full remote control of compromised systems. Based on public reporting, its capabilities included:
- Executing shell commands
- Uploading and downloading files
- Collecting system metadata
- Maintaining persistence through system services
- Communicating through cloud API calls
Rather than connecting to an obvious command server, the malware treated a spreadsheet like a command console. Specific cells acted as an instruction queue, a data transfer channel, and a location to store victim system details.
All communication was encoded and wrapped in legitimate API traffic. From the outside, it looked like automation. Underneath, it was a remote access channel.
How the Intrusion Was Spotted
The investigation began with what appeared to be a small anomaly: a suspicious binary running from a temporary directory and spawning a shell with root privileges.
That kind of activity is subtle but significant. Temporary directories should not typically contain executables that escalate privileges and begin reconnaissance.
From there, analysts uncovered:
- Lateral movement using SSH and service accounts
- Persistence via system service creation
- Deployment of VPN tooling for encrypted outbound connectivity
- Placement of the backdoor on systems containing sensitive data
It’s a reminder that advanced campaigns are often uncovered through behavioral detection, not signature matching.
Why Telecommunications Providers Were a Prime Target
Telecom environments are high-value espionage targets because they sit at the center of communications infrastructure. Access to these systems can potentially enable:
- Visibility into call metadata
- Monitoring of SMS traffic
- Mapping of relationships between individuals
- Identification of high-value persons of interest
Even without direct evidence of data exfiltration in this case, the level of access described would provide significant surveillance capability. For governments and telecom operators, that risk is strategic, not just technical.
Defensive Lessons for Security Teams
1. Monitor Behavior, Not Just Domains
Cloud API calls to trusted services are not automatically safe. Detection should focus on the unusual process behavior behind those calls, especially calls initiated by non-browser processes.
2. Watch Temporary Directories
Executables running from locations like /var/tmp or /tmp deserve scrutiny, especially when they spawn shells or escalate privileges.
3. Limit Service Account Abuse
Service accounts can enable quiet lateral movement. Monitor their SSH usage and privilege levels carefully.
4. Inspect Outbound VPN Activity
Unexpected encrypted tunnels to external IPs from internal servers should trigger investigation.
5. Protect High-Sensitivity Systems
Endpoints containing personally identifiable information or telecom metadata should have enhanced logging and tighter controls.
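To make lessons 1 and 2 concrete, here is a small detection pass over constructed process and network telemetry. This is an added example, not code from GTIG, Mandiant or the report; the event format, file paths and PIDs are invented, and sheets.googleapis.com is assumed as the spreadsheet API host to watch.

```python
import json

# Constructed sample telemetry (one JSON event per line), loosely modelled on
# EDR process and network events. Not taken from the campaign report.
SAMPLE_EVENTS = """\
{"type":"process","pid":4101,"ppid":1,"user":"root","image":"/var/tmp/.cache/upd","parent_image":"/usr/sbin/cron","cmdline":"/var/tmp/.cache/upd"}
{"type":"process","pid":4102,"ppid":4101,"user":"root","image":"/bin/sh","parent_image":"/var/tmp/.cache/upd","cmdline":"/bin/sh -c id"}
{"type":"network","pid":4101,"image":"/var/tmp/.cache/upd","user":"root","dest_host":"sheets.googleapis.com","dest_port":443}
{"type":"network","pid":2200,"image":"/usr/bin/firefox","user":"alice","dest_host":"sheets.googleapis.com","dest_port":443}
{"type":"process","pid":2300,"ppid":2299,"user":"alice","image":"/bin/bash","parent_image":"/usr/bin/gnome-terminal","cmdline":"bash"}
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
BROWSERS = {"/usr/bin/firefox", "/usr/bin/google-chrome", "/usr/bin/chromium"}
CLOUD_API_HOSTS = {"sheets.googleapis.com"}  # assumed host; extend with other SaaS APIs


def evaluate(event):
    """Return a list of (rule, reason) findings for a single event."""
    findings = []
    image = event.get("image", "")
    if event["type"] == "process":
        parent = event.get("parent_image", "")
        # Lesson 2: a binary living in a temp directory spawns a shell as root
        if image in SHELLS and parent.startswith(TEMP_DIRS) and event.get("user") == "root":
            findings.append(("temp_dir_root_shell", f"{parent} spawned {image} as root"))
        elif image.startswith(TEMP_DIRS):
            findings.append(("temp_dir_exec", f"executable launched from {image}"))
    elif event["type"] == "network":
        # Lesson 1: the cloud API is reached by something other than a browser
        if event.get("dest_host") in CLOUD_API_HOSTS and image not in BROWSERS:
            findings.append(("non_browser_cloud_api", f"{image} -> {event['dest_host']}"))
    return findings


def scan(lines):
    """Evaluate every JSON event line; return a list of (pid, rule, reason)."""
    results = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, reason in evaluate(event):
            results.append((event["pid"], rule, reason))
    return results


if __name__ == "__main__":
    for pid, rule, reason in scan(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {reason}")
```

The browser traffic to the same host produces no finding, which is the point: the host alone is not the signal, the process behind the call is.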
The Strategic Takeaway
UNC2814’s campaign shows how mature espionage groups operate today: they use legitimate tools, minimize noise, blend into cloud-native environments, and build access that can last years.
