Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

    Date: 03/02/2026

    Severity: High

    Summary

    UNC2814, a suspected PRC-linked cyber espionage group active since 2017, conducted a large-scale global campaign targeting telecommunications and government organizations across 42 countries, with at least 53 confirmed victims. The group deployed a novel backdoor named GRIDTIDE that abuses legitimate Google Sheets API functionality as command-and-control (C2) infrastructure, so that its traffic blends in with normal cloud activity; the campaign relied on this abuse rather than on exploiting product vulnerabilities. The disruption effort terminated attacker-controlled cloud projects, dismantled known infrastructure, revoked abused API access, and released the associated IOCs, severing persistent access and limiting further compromise. The activity was confirmed to be distinct from the publicly reported “Salt Typhoon” operations.

    Indicators of Compromise (IOC) List

    URLs/Domain


    https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA

    https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear

    https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate

    https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A2:A<cell_number>?valueRenderOption=FORMULA

    IP Address


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "doboudix1024.mywire.org" or siteurl like "doboudix1024.mywire.org" or url like "doboudix1024.mywire.org" or domainname like "mlksucnayesk.kozow.com" or siteurl like "mlksucnayesk.kozow.com" or url like "mlksucnayesk.kozow.com" or domainname like "zwt31n3t0nidoqmve.camdvr.org" or siteurl like "zwt31n3t0nidoqmve.camdvr.org" or url like "zwt31n3t0nidoqmve.camdvr.org" or domainname like "examp1e.webredirect.org" or siteurl like "examp1e.webredirect.org" or url like "examp1e.webredirect.org" or domainname like "ysiohbk.camdvr.org" or siteurl like "ysiohbk.camdvr.org" or url like "ysiohbk.camdvr.org" or domainname like "pawanp.kozow.com" or siteurl like "pawanp.kozow.com" or url like "pawanp.kozow.com" or domainname like "pplodsssead222.loseyourip.com" or siteurl like "pplodsssead222.loseyourip.com" or url like "pplodsssead222.loseyourip.com" or domainname like "wdlcamaakc.ooguy.com" or siteurl like "wdlcamaakc.ooguy.com" or url like "wdlcamaakc.ooguy.com" or domainname like "nenigncagvawr.giize.com" or siteurl like "nenigncagvawr.giize.com" or url like "nenigncagvawr.giize.com" or domainname like "gogo2025up.ddnsfree.com" or siteurl like "gogo2025up.ddnsfree.com" or url like "gogo2025up.ddnsfree.com" or domainname like "ancisesic.accesscam.org" or siteurl like "ancisesic.accesscam.org" or url like "ancisesic.accesscam.org" or domainname like "losiesca.ddnsgeek.com" or siteurl like "losiesca.ddnsgeek.com" or url like "losiesca.ddnsgeek.com" or domainname like "ccammutom.ddnsgeek.com" or siteurl like "ccammutom.ddnsgeek.com" or url like "ccammutom.ddnsgeek.com" or domainname like "telkom.ooguy.com" or siteurl like "telkom.ooguy.com" or url like "telkom.ooguy.com" or domainname like "fgdedd1dww.gleeze.com" or siteurl like "fgdedd1dww.gleeze.com" or url like "fgdedd1dww.gleeze.com" or domainname like "nisaldwoa.theworkpc.com" or siteurl like "nisaldwoa.theworkpc.com" or url like "nisaldwoa.theworkpc.com" or domainname like "vmtools.loseyourip.com" or 
siteurl like "vmtools.loseyourip.com" or url like "vmtools.loseyourip.com" or domainname like "cloacpae.ddnsfree.com" or siteurl like "cloacpae.ddnsfree.com" or url like "cloacpae.ddnsfree.com" or domainname like "vass2025.casacam.net" or siteurl like "vass2025.casacam.net" or url like "vass2025.casacam.net" or domainname like "bioth.giize.com" or siteurl like "bioth.giize.com" or url like "bioth.giize.com" or domainname like "lcskiecjj.loseyourip.com" or siteurl like "lcskiecjj.loseyourip.com" or url like "lcskiecjj.loseyourip.com" or domainname like "prepaid127.freeddns.org" or siteurl like "prepaid127.freeddns.org" or url like "prepaid127.freeddns.org" or domainname like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear" or siteurl like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear" or domainname like "transport.dynuddns.net" or siteurl like "transport.dynuddns.net" or url like "transport.dynuddns.net" or domainname like "vass.ooguy.com" or siteurl like "vass.ooguy.com" or url like "vass.ooguy.com" or domainname like "t31c0mjumpcuyerop.ooguy.com" or siteurl like "t31c0mjumpcuyerop.ooguy.com" or url like "t31c0mjumpcuyerop.ooguy.com" or domainname like "bggs.giize.com" or siteurl like "bggs.giize.com" or url like "bggs.giize.com" or domainname like "pepesetup.ddnsfree.com" or siteurl like "pepesetup.ddnsfree.com" or url like "pepesetup.ddnsfree.com" or domainname like "sgsn.accesscam.org" or siteurl like "sgsn.accesscam.org" or url like "sgsn.accesscam.org" or domainname like "timpe.kozow.com" or siteurl like "timpe.kozow.com" or url like "timpe.kozow.com" or domainname like "sn0son4t31bbsvopou.camdvr.org" or siteurl like "sn0son4t31bbsvopou.camdvr.org" or url like "sn0son4t31bbsvopou.camdvr.org" or domainname like "telkomservices.theworkpc.com" or siteurl like "telkomservices.theworkpc.com" or 
url like "telkomservices.theworkpc.com" or domainname like "pewsus.freeddns.org" or siteurl like "pewsus.freeddns.org" or url like "pewsus.freeddns.org" or domainname like "evilginx2.loseyourip.com" or siteurl like "evilginx2.loseyourip.com" or url like "evilginx2.loseyourip.com" or domainname like "zwt310n3o2unety6a3k.kozow.com" or siteurl like "zwt310n3o2unety6a3k.kozow.com" or url like "zwt310n3o2unety6a3k.kozow.com" or domainname like "zwt3ln3t1aimckalw.theworkpc.com" or siteurl like "zwt3ln3t1aimckalw.theworkpc.com" or url like "zwt3ln3t1aimckalw.theworkpc.com" or domainname like "onlyosun.ooguy.com" or siteurl like "onlyosun.ooguy.com" or url like "onlyosun.ooguy.com" or domainname like "rsm323.kozow.com" or siteurl like "rsm323.kozow.com" or url like "rsm323.kozow.com" or domainname like "googlel.gleeze.com" or siteurl like "googlel.gleeze.com" or url like "googlel.gleeze.com" or domainname like "btbtutil.theworkpc.com" or siteurl like "btbtutil.theworkpc.com" or url like "btbtutil.theworkpc.com" or domainname like "updateservices.kozow.com" or siteurl like "updateservices.kozow.com" or url like "updateservices.kozow.com" or domainname like "http://130.94.6.228/apt.tar.gz" or siteurl like "http://130.94.6.228/apt.tar.gz" or url like "http://130.94.6.228/apt.tar.gz" or domainname like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate" or siteurl like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate" or domainname like "ftpuser14.gleeze.com" or siteurl like "ftpuser14.gleeze.com" or url like "ftpuser14.gleeze.com" or domainname like "supceasfg1.loseyourip.com" or siteurl like "supceasfg1.loseyourip.com" or url like "supceasfg1.loseyourip.com"

    Detection Query 2:

    domainname like "tltlsktelko.ddnsfree.com" or siteurl like "tltlsktelko.ddnsfree.com" or url like "tltlsktelko.ddnsfree.com" or domainname like "dlpossie.ddnsfree.com" or siteurl like "dlpossie.ddnsfree.com" or url like "dlpossie.ddnsfree.com" or domainname like "googllabwws.gleeze.com" or siteurl like "googllabwws.gleeze.com" or url like "googllabwws.gleeze.com" or domainname like "Mosplosaq.accesscam.org" or siteurl like "Mosplosaq.accesscam.org" or url like "Mosplosaq.accesscam.org" or domainname like "peowork.ddnsgeek.com" or siteurl like "peowork.ddnsgeek.com" or url like "peowork.ddnsgeek.com" or domainname like "nenigoncuopzc.giize.com" or siteurl like "nenigoncuopzc.giize.com" or url like "nenigoncuopzc.giize.com" or domainname like "nims.gleeze.com" or siteurl like "nims.gleeze.com" or url like "nims.gleeze.com" or domainname like "brcallletme.theworkpc.com" or siteurl like "brcallletme.theworkpc.com" or url like "brcallletme.theworkpc.com" or domainname like "nmszablogs.ddnsfree.com" or siteurl like "nmszablogs.ddnsfree.com" or url like "nmszablogs.ddnsfree.com" or domainname like "Smartfren.giize.com" or siteurl like "Smartfren.giize.com" or url like "Smartfren.giize.com" or domainname like "ltiuys.ddnsgeek.com" or siteurl like "ltiuys.ddnsgeek.com" or url like "ltiuys.ddnsgeek.com" or domainname like "t3lm0rtlcagratu.kozow.com" or siteurl like "t3lm0rtlcagratu.kozow.com" or url like "t3lm0rtlcagratu.kozow.com" or domainname like "pcmainecia.ddnsfree.com" or siteurl like "pcmainecia.ddnsfree.com" or url like "pcmainecia.ddnsfree.com" or domainname like "unnjunnani.ddnsfree.com" or siteurl like "unnjunnani.ddnsfree.com" or url like "unnjunnani.ddnsfree.com" or domainname like "Scopps.ddnsgeek.com" or siteurl like "Scopps.ddnsgeek.com" or url like "Scopps.ddnsgeek.com" or domainname like "babi5599ss.ddnsgeek.com" or siteurl like "babi5599ss.ddnsgeek.com" or url like "babi5599ss.ddnsgeek.com" or domainname like "officeshan.kozow.com" or siteurl like 
"officeshan.kozow.com" or url like "officeshan.kozow.com" or domainname like "t3lc0mhasvnctsk.giize.com" or siteurl like "t3lc0mhasvnctsk.giize.com" or url like "t3lc0mhasvnctsk.giize.com" or domainname like "kskxoscieontrolanel.gleeze.com" or siteurl like "kskxoscieontrolanel.gleeze.com" or url like "kskxoscieontrolanel.gleeze.com" or domainname like "selfad.gleeze.com" or siteurl like "selfad.gleeze.com" or url like "selfad.gleeze.com" or domainname like "prdanjana01.ddnsfree.com" or siteurl like "prdanjana01.ddnsfree.com" or url like "prdanjana01.ddnsfree.com" or domainname like "cmwwoods1.theworkpc.com" or siteurl like "cmwwoods1.theworkpc.com" or url like "cmwwoods1.theworkpc.com" or domainname like "trvcl.bumbleshrimp.com" or siteurl like "trvcl.bumbleshrimp.com" or url like "trvcl.bumbleshrimp.com" or domainname like "binmol.webredirect.org" or siteurl like "binmol.webredirect.org" or url like "binmol.webredirect.org" or domainname like "pplosad231.kozow.com" or siteurl like "pplosad231.kozow.com" or url like "pplosad231.kozow.com" or domainname like "camcampkes.ddnsfree.com" or siteurl like "camcampkes.ddnsfree.com" or url like "camcampkes.ddnsfree.com" or domainname like "prihxlcs.ddnsfree.com" or siteurl like "prihxlcs.ddnsfree.com" or url like "prihxlcs.ddnsfree.com" or domainname like "zwmn350n3o1vsdrggs.ddnsfree.com" or siteurl like "zwmn350n3o1vsdrggs.ddnsfree.com" or url like "zwmn350n3o1vsdrggs.ddnsfree.com" or domainname like "jarvis001.freeddns.org" or siteurl like "jarvis001.freeddns.org" or url like "jarvis001.freeddns.org" or domainname like "googles.ddnsfree.com" or siteurl like "googles.ddnsfree.com" or url like "googles.ddnsfree.com" or domainname like "nenigoncqnutgo.accesscam.org" or siteurl like "nenigoncqnutgo.accesscam.org" or url like "nenigoncqnutgo.accesscam.org" or domainname like "palamolscueajfvc.gleeze.com" or siteurl like "palamolscueajfvc.gleeze.com" or url like "palamolscueajfvc.gleeze.com" or domainname like 
"idstandsuui.kozow.com" or siteurl like "idstandsuui.kozow.com" or url like "idstandsuui.kozow.com" or domainname like "fasceadvcva3.gleeze.com" or siteurl like "fasceadvcva3.gleeze.com" or url like "fasceadvcva3.gleeze.com" or domainname like "PolicyAgent.theworkpc.com" or siteurl like "PolicyAgent.theworkpc.com" or url like "PolicyAgent.theworkpc.com" or domainname like "dnsfreedb.ddnsfree.com" or siteurl like "dnsfreedb.ddnsfree.com" or url like "dnsfreedb.ddnsfree.com" or domainname like "http://130.94.6.228/update.tar.gz" or siteurl like "http://130.94.6.228/update.tar.gz" or url like "http://130.94.6.228/update.tar.gz" or domainname like "okkstt.ddnsgeek.com" or siteurl like "okkstt.ddnsgeek.com" or url like "okkstt.ddnsgeek.com" or domainname like "lcskiecs.ddnsfree.com" or siteurl like "lcskiecs.ddnsfree.com" or url like "lcskiecs.ddnsfree.com" or domainname like "saf3asg.giize.com" or siteurl like "saf3asg.giize.com" or url like "saf3asg.giize.com" or domainname like "zwmn350n3o1fsdf3gs.kozow.com" or siteurl like "zwmn350n3o1fsdf3gs.kozow.com" or url like "zwmn350n3o1fsdf3gs.kozow.com" or domainname like "updatetools.giize.com" or siteurl like "updatetools.giize.com" or url like "updatetools.giize.com" or domainname like "applebox.camdvr.org" or siteurl like "applebox.camdvr.org" or url like "applebox.camdvr.org" or domainname like "btltan.ooguy.com" or siteurl like "btltan.ooguy.com" or url like "btltan.ooguy.com" or domainname like "sdhite43.ddnsfree.com" or siteurl like "sdhite43.ddnsfree.com" or url like "sdhite43.ddnsfree.com" or domainname like "faeelt.giize.com" or siteurl like "faeelt.giize.com" or url like "faeelt.giize.com" or domainname like "osix.ddnsgeek.com" or siteurl like "osix.ddnsgeek.com" or url like "osix.ddnsgeek.com" or domainname like "udieyg.gleeze.com" or siteurl like "udieyg.gleeze.com" or url like "udieyg.gleeze.com"

    Detection Query 3:

    domainname like "lsls.casacam.net" or siteurl like "lsls.casacam.net" or url like "lsls.casacam.net" or domainname like "sdsuytoins63.kozow.com" or siteurl like "sdsuytoins63.kozow.com" or url like "sdsuytoins63.kozow.com" or domainname like "telen.bumbleshrimp.com" or siteurl like "telen.bumbleshrimp.com" or url like "telen.bumbleshrimp.com" or domainname like "icekancusjhea.ddnsgeek.com" or siteurl like "icekancusjhea.ddnsgeek.com" or url like "icekancusjhea.ddnsgeek.com" or domainname like "afsaces.accesscam.org" or siteurl like "afsaces.accesscam.org" or url like "afsaces.accesscam.org" or domainname like "setupcodpr2.freeddns.org" or siteurl like "setupcodpr2.freeddns.org" or url like "setupcodpr2.freeddns.org" or domainname like "telcomn.giize.com" or siteurl like "telcomn.giize.com" or url like "telcomn.giize.com" or domainname like "zwmn350n3o1ugety2xbe.camdvr.org" or siteurl like "zwmn350n3o1ugety2xbe.camdvr.org" or url like "zwmn350n3o1ugety2xbe.camdvr.org" or domainname like "USOShared1.ddnsfree.com" or siteurl like "USOShared1.ddnsfree.com" or url like "USOShared1.ddnsfree.com" or domainname like "awcc001jdaigfwdagdcew.giize.com" or siteurl like "awcc001jdaigfwdagdcew.giize.com" or url like "awcc001jdaigfwdagdcew.giize.com" or domainname like "bibabo.freeddns.org" or siteurl like "bibabo.freeddns.org" or url like "bibabo.freeddns.org" or domainname like "Boemobww.ddnsfree.com" or siteurl like "Boemobww.ddnsfree.com" or url like "Boemobww.ddnsfree.com" or domainname like "ovmmiuy.mywire.org" or siteurl like "ovmmiuy.mywire.org" or url like "ovmmiuy.mywire.org" or domainname like "fakjcsaeyhs.ddnsfree.com" or siteurl like "fakjcsaeyhs.ddnsfree.com" or url like "fakjcsaeyhs.ddnsfree.com" or domainname like "honidoo.loseyourip.com" or siteurl like "honidoo.loseyourip.com" or url like "honidoo.loseyourip.com" or domainname like "mailsdy.gleeze.com" or siteurl like "mailsdy.gleeze.com" or url like "mailsdy.gleeze.com" or domainname like 
"indoodchat.theworkpc.com" or siteurl like "indoodchat.theworkpc.com" or url like "indoodchat.theworkpc.com" or domainname like "ppsaBedon.gleeze.com" or siteurl like "ppsaBedon.gleeze.com" or url like "ppsaBedon.gleeze.com" or domainname like "prihxlcsw.theworkpc.com" or siteurl like "prihxlcsw.theworkpc.com" or url like "prihxlcsw.theworkpc.com" or domainname like "babaji.accesscam.org" or siteurl like "babaji.accesscam.org" or url like "babaji.accesscam.org" or domainname like "polokinyea.gleeze.com" or siteurl like "polokinyea.gleeze.com" or url like "polokinyea.gleeze.com" or domainname like "winfoss1.kozow.com" or siteurl like "winfoss1.kozow.com" or url like "winfoss1.kozow.com" or domainname like "uscplxsecjs.ddnsgeek.com" or siteurl like "uscplxsecjs.ddnsgeek.com" or url like "uscplxsecjs.ddnsgeek.com" or domainname like "gtaldps31c.ddnsfree.com" or siteurl like "gtaldps31c.ddnsfree.com" or url like "gtaldps31c.ddnsfree.com" or domainname like "timpe.webredirect.org" or siteurl like "timpe.webredirect.org" or url like "timpe.webredirect.org" or domainname like "cvpc01aenusocirem.accesscam.org" or siteurl like "cvpc01aenusocirem.accesscam.org" or url like "cvpc01aenusocirem.accesscam.org" or domainname like "vmtools.camdvr.org" or siteurl like "vmtools.camdvr.org" or url like "vmtools.camdvr.org" or domainname like "sn0son4t31opc.freeddns.org" or siteurl like "sn0son4t31opc.freeddns.org" or url like "sn0son4t31opc.freeddns.org" or domainname like "googles.accesscam.org" or siteurl like "googles.accesscam.org" or url like "googles.accesscam.org" or domainname like "plcoaweniva.ddnsgeek.com" or siteurl like "plcoaweniva.ddnsgeek.com" or url like "plcoaweniva.ddnsgeek.com" or domainname like "nenignenigoncqvoo.ooguy.com" or siteurl like "nenignenigoncqvoo.ooguy.com" or url like "nenignenigoncqvoo.ooguy.com" or domainname like "rabbit.ooguy.com" or siteurl like "rabbit.ooguy.com" or url like "rabbit.ooguy.com" or domainname like "http://130.94.6.228/amp.tar.gz" 
or siteurl like "http://130.94.6.228/amp.tar.gz" or url like "http://130.94.6.228/amp.tar.gz" or domainname like "thbio.kozow.com" or siteurl like "thbio.kozow.com" or url like "thbio.kozow.com" or domainname like "cdnvmtools.theworkpc.com" or siteurl like "cdnvmtools.theworkpc.com" or url like "cdnvmtools.theworkpc.com" or domainname like "cnrpaslceas.freeddns.org" or siteurl like "cnrpaslceas.freeddns.org" or url like "cnrpaslceas.freeddns.org" or domainname like "bab2o25com.accesscam.org" or siteurl like "bab2o25com.accesscam.org" or url like "bab2o25com.accesscam.org" or domainname like "peisuesacae.loseyourip.com" or siteurl like "peisuesacae.loseyourip.com" or url like "peisuesacae.loseyourip.com" or domainname like "mmmfaco2025.mywire.org" or siteurl like "mmmfaco2025.mywire.org" or url like "mmmfaco2025.mywire.org" or domainname like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A2:A<cell_number>?valueRenderOption=FORMULA" or siteurl like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A2:A<cell_number>?valueRenderOption=FORMULA" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A2:A<cell_number>?valueRenderOption=FORMULA" or domainname like "cressmiss.ooguy.com" or siteurl like "cressmiss.ooguy.com" or url like "cressmiss.ooguy.com" or domainname like "updatasuccess.ddnsgeek.com" or siteurl like "updatasuccess.ddnsgeek.com" or url like "updatasuccess.ddnsgeek.com"

    Detection Query 4:

    domainname like "codemicros12.gleeze.com" or siteurl like "codemicros12.gleeze.com" or url like "codemicros12.gleeze.com" or domainname like "mms.bumbleshrimp.com" or siteurl like "mms.bumbleshrimp.com" or url like "mms.bumbleshrimp.com" or domainname like "serious.kozow.com" or siteurl like "serious.kozow.com" or url like "serious.kozow.com" or domainname like "ua2o25yth.ddnsgeek.com" or siteurl like "ua2o25yth.ddnsgeek.com" or url like "ua2o25yth.ddnsgeek.com" or domainname like "t31c0mopmiuewklg.webredirect.org" or siteurl like "t31c0mopmiuewklg.webredirect.org" or url like "t31c0mopmiuewklg.webredirect.org" or domainname like "modgood.gleeze.com" or siteurl like "modgood.gleeze.com" or url like "modgood.gleeze.com" or domainname like "aw2o25forsbc.camdvr.org" or siteurl like "aw2o25forsbc.camdvr.org" or url like "aw2o25forsbc.camdvr.org" or domainname like "zwt310n3o1unety2kab.webredirect.org" or siteurl like "zwt310n3o1unety2kab.webredirect.org" or url like "zwt310n3o1unety2kab.webredirect.org" or domainname like "asdad21ww.freeddns.org" or siteurl like "asdad21ww.freeddns.org" or url like "asdad21ww.freeddns.org" or domainname like "pcvmts3.kozow.com" or siteurl like "pcvmts3.kozow.com" or url like "pcvmts3.kozow.com" or domainname like "mauritasszddb.ddnsfree.com" or siteurl like "mauritasszddb.ddnsfree.com" or url like "mauritasszddb.ddnsfree.com" or domainname like "mysql.casacam.net" or siteurl like "mysql.casacam.net" or url like "mysql.casacam.net" or domainname like "nodjs2o25nodjs.giize.com" or siteurl like "nodjs2o25nodjs.giize.com" or url like "nodjs2o25nodjs.giize.com" or domainname like "quitgod2023luck.giize.com" or siteurl like "quitgod2023luck.giize.com" or url like "quitgod2023luck.giize.com" or domainname like "hamkorg.kozow.com" or siteurl like "hamkorg.kozow.com" or url like "hamkorg.kozow.com" or domainname like "nodekeny11.freeddns.org" or siteurl like "nodekeny11.freeddns.org" or url like "nodekeny11.freeddns.org" or domainname like 
"soovuy.gleeze.com" or siteurl like "soovuy.gleeze.com" or url like "soovuy.gleeze.com" or domainname like "t31c0mopamcuiomx.kozow.com" or siteurl like "t31c0mopamcuiomx.kozow.com" or url like "t31c0mopamcuiomx.kozow.com" or domainname like "huygdr12.loseyourip.com" or siteurl like "huygdr12.loseyourip.com" or url like "huygdr12.loseyourip.com" or domainname like "t3lc0mczmoihwc.camdvr.org" or siteurl like "t3lc0mczmoihwc.camdvr.org" or url like "t3lc0mczmoihwc.camdvr.org" or domainname like "PRIFTP.kozow.com" or siteurl like "PRIFTP.kozow.com" or url like "PRIFTP.kozow.com" or domainname like "tlse001hdfuwwgdgpnn.theworkpc.com" or siteurl like "tlse001hdfuwwgdgpnn.theworkpc.com" or url like "tlse001hdfuwwgdgpnn.theworkpc.com" or domainname like "systemsz.kozow.com" or siteurl like "systemsz.kozow.com" or url like "systemsz.kozow.com" or domainname like "freeios.theworkpc.com" or siteurl like "freeios.theworkpc.com" or url like "freeios.theworkpc.com" or domainname like "tch.giize.com" or siteurl like "tch.giize.com" or url like "tch.giize.com" or domainname like "cvpc01cgsdfn53hgd.giize.com" or siteurl like "cvpc01cgsdfn53hgd.giize.com" or url like "cvpc01cgsdfn53hgd.giize.com" or domainname like "ksv01sokudwongsj.theworkpc.com" or siteurl like "ksv01sokudwongsj.theworkpc.com" or url like "ksv01sokudwongsj.theworkpc.com" or domainname like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA" or siteurl like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA" or domainname like "balabalabo.mywire.org" or siteurl like "balabalabo.mywire.org" or url like "balabalabo.mywire.org" or domainname like "t31c0mopocuveop.accesscam.org" or siteurl like "t31c0mopocuveop.accesscam.org" or url like "t31c0mopocuveop.accesscam.org" or domainname like 
"updatamail.kozow.com" or siteurl like "updatamail.kozow.com" or url like "updatamail.kozow.com" or domainname like "zmcmvmbm.ddnsfree.com" or siteurl like "zmcmvmbm.ddnsfree.com" or url like "zmcmvmbm.ddnsfree.com" or domainname like "Microsoft.bumbleshrimp.com" or siteurl like "Microsoft.bumbleshrimp.com" or url like "Microsoft.bumbleshrimp.com" or domainname like "khyes001ndfpnuewdm.kozow.com" or siteurl like "khyes001ndfpnuewdm.kozow.com" or url like "khyes001ndfpnuewdm.kozow.com" or domainname like "zammffayhd.ddnsfree.com" or siteurl like "zammffayhd.ddnsfree.com" or url like "zammffayhd.ddnsfree.com" or domainname like "mmvmtools.giize.com" or siteurl like "mmvmtools.giize.com" or url like "mmvmtools.giize.com" or domainname like "DCLCWPDTSDCC.ddnsfree.com" or siteurl like "DCLCWPDTSDCC.ddnsfree.com" or url like "DCLCWPDTSDCC.ddnsfree.com" or domainname like "styuij.mywire.org" or siteurl like "styuij.mywire.org" or url like "styuij.mywire.org" or domainname like "cvnoc01da1cjmnftsd.accesscam.org" or siteurl like "cvnoc01da1cjmnftsd.accesscam.org" or url like "cvnoc01da1cjmnftsd.accesscam.org" or domainname like "vosies.ddnsfree.com" or siteurl like "vosies.ddnsfree.com" or url like "vosies.ddnsfree.com" or domainname like "Npeoples.theworkpc.com" or siteurl like "Npeoples.theworkpc.com" or url like "Npeoples.theworkpc.com" or domainname like "ftpzpak.kozow.com" or siteurl like "ftpzpak.kozow.com" or url like "ftpzpak.kozow.com" or domainname like "1cv2f3d5s6a9w.ddnsfree.com" or siteurl like "1cv2f3d5s6a9w.ddnsfree.com" or url like "1cv2f3d5s6a9w.ddnsfree.com"

    Detection Query 5:

    domainname like "camsqewivo.kozow.com" or siteurl like "camsqewivo.kozow.com" or url like "camsqewivo.kozow.com" or domainname like "maliclick1.ddnsfree.com" or siteurl like "maliclick1.ddnsfree.com" or url like "maliclick1.ddnsfree.com" or domainname like "appler.kozow.com" or siteurl like "appler.kozow.com" or url like "appler.kozow.com" or domainname like "ttsiou12.loseyourip.com" or siteurl like "ttsiou12.loseyourip.com" or url like "ttsiou12.loseyourip.com" or domainname like "googlett.camdvr.org" or siteurl like "googlett.camdvr.org" or url like "googlett.camdvr.org" or domainname like "admina.freeddns.org" or siteurl like "admina.freeddns.org" or url like "admina.freeddns.org" or domainname like "meetls.kozow.com" or siteurl like "meetls.kozow.com" or url like "meetls.kozow.com" or domainname like "vals.bumbleshrimp.com" or siteurl like "vals.bumbleshrimp.com" or url like "vals.bumbleshrimp.com" or domainname like "cvabiasbae.ddnsfree.com" or siteurl like "cvabiasbae.ddnsfree.com" or url like "cvabiasbae.ddnsfree.com" or domainname like "Kaushalya.freeddns.org" or siteurl like "Kaushalya.freeddns.org" or url like "Kaushalya.freeddns.org" or domainname like "t3lc0mcanyqbfac.loseyourip.com" or siteurl like "t3lc0mcanyqbfac.loseyourip.com" or url like "t3lc0mcanyqbfac.loseyourip.com" or domainname like "vpaspmine.freeddns.org" or siteurl like "vpaspmine.freeddns.org" or url like "vpaspmine.freeddns.org" or domainname like "filipinet.ddnsgeek.com" or siteurl like "filipinet.ddnsgeek.com" or url like "filipinet.ddnsgeek.com" or domainname like "ffosies2024.camdvr.org" or siteurl like "ffosies2024.camdvr.org" or url like "ffosies2024.camdvr.org" or domainname like "globoss.kozow.com" or siteurl like "globoss.kozow.com" or url like "globoss.kozow.com" or domainname like "oldatain1.ddnsgeek.com" or siteurl like "oldatain1.ddnsgeek.com" or url like "oldatain1.ddnsgeek.com" or domainname like "t3lc0mh4udncifw.casacam.net" or siteurl like 
"t3lc0mh4udncifw.casacam.net" or url like "t3lc0mh4udncifw.casacam.net" or domainname like "ltiuys.kozow.com" or siteurl like "ltiuys.kozow.com" or url like "ltiuys.kozow.com" or domainname like "pxlaxvvva.freeddns.org" or siteurl like "pxlaxvvva.freeddns.org" or url like "pxlaxvvva.freeddns.org" or domainname like "ml3.freeddns.org" or siteurl like "ml3.freeddns.org" or url like "ml3.freeddns.org" or domainname like "lps2staging.ddnsfree.com" or siteurl like "lps2staging.ddnsfree.com" or url like "lps2staging.ddnsfree.com"

    Detection Query 6:

    dstipaddress IN ("38.54.32.244","195.123.226.235","178.79.188.181","139.180.219.115","149.28.128.128","38.180.205.14","38.54.112.184","38.60.252.66","38.60.224.25","195.123.211.70","202.59.10.122","139.84.236.237","45.90.59.129","45.76.184.214","38.60.194.21","207.148.73.18","45.76.157.113","5.34.176.6","38.54.31.146","149.28.139.125","38.60.171.242","38.54.37.196","65.20.104.91","130.94.6.228","45.77.254.168","38.54.82.69") or srcipaddress IN ("38.54.32.244","195.123.226.235","178.79.188.181","139.180.219.115","149.28.128.128","38.180.205.14","38.54.112.184","38.60.252.66","38.60.224.25","195.123.211.70","202.59.10.122","139.84.236.237","45.90.59.129","45.76.184.214","38.60.194.21","207.148.73.18","45.76.157.113","5.34.176.6","38.54.31.146","149.28.139.125","38.60.171.242","38.54.37.196","65.20.104.91","130.94.6.228","45.77.254.168","38.54.82.69")

    Detection Query 7:

    sha256hash IN ("01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb","4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9","669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966","ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47","eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033","d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606")
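The Google Sheets API entries among the IOCs are templates with placeholders (<GoogleSheetID>, <cell_number>), so a literal comparison such as the `like` clauses above will not match real proxy traffic. The following Python example is added here and is not code from Gurucul or from the Google report; it converts the four templates into anchored regular expressions and runs them over constructed proxy log lines, grouping hits by source address. The key=value log format, the sample addresses and the spreadsheet IDs are all constructed for the example.

```python
import re
from collections import defaultdict

# GRIDTIDE Google Sheets API C2 URL templates, copied from the IOC list above.
SHEETS_C2_TEMPLATES = [
    "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA",
    "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear",
    "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate",
    "https://sheets.googleapis.com:443/v4/spreadsheets/<GoogleSheetID>/values/A2:A<cell_number>?valueRenderOption=FORMULA",
]

# What each placeholder may match in a real URL (assumption: spreadsheet IDs are
# URL-safe tokens of letters, digits, '-' and '_'; cell numbers are decimal integers).
PLACEHOLDERS = {
    "<GoogleSheetID>": r"[A-Za-z0-9_-]+",
    "<cell_number>": r"[0-9]+",
}


def template_to_regex(template):
    """Turn one templated IOC into an anchored regex.

    The template is escaped literally first, then each placeholder is swapped for
    its character class. The explicit ':443' is made optional because proxies log
    HTTPS URLs both with and without the default port.
    """
    pattern = re.escape(template)
    for placeholder, char_class in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(placeholder), char_class)
    pattern = pattern.replace(re.escape(":443"), r"(?::443)?")
    return re.compile(r"^" + pattern + r"$")


SHEETS_C2_REGEXES = [(t, template_to_regex(t)) for t in SHEETS_C2_TEMPLATES]


def match_sheets_c2(url):
    """Return the IOC template a URL matches, or None for other Sheets API traffic."""
    for template, regex in SHEETS_C2_REGEXES:
        if regex.match(url):
            return template
    return None


def parse_proxy_line(line):
    """Parse a constructed 'key=value' proxy log line; the URL may itself contain '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_sheets_c2_hosts(log_lines):
    """Group matched IOC templates by source address.

    Returns {src: sorted list of distinct templates hit}. A host that touches
    several templates (poll, update, clear) is a stronger signal than one hit,
    so callers can rank hosts by the length of the list.
    """
    hits = defaultdict(set)
    for line in log_lines:
        fields = parse_proxy_line(line)
        url, src = fields.get("url"), fields.get("src")
        if not url or not src:
            continue
        template = match_sheets_c2(url)
        if template:
            hits[src].add(template)
    return {src: sorted(templates) for src, templates in hits.items()}


# Constructed sample proxy log lines (not real telemetry); sheet IDs are made up.
SAMPLE_LOG = [
    "2026-02-03T10:15:02Z src=10.20.30.40 method=GET url=https://sheets.googleapis.com/v4/spreadsheets/1AbC_dEf-GhIjK/values/A1?valueRenderOption=FORMULA status=200",
    "2026-02-03T10:15:09Z src=10.20.30.40 method=POST url=https://sheets.googleapis.com:443/v4/spreadsheets/1AbC_dEf-GhIjK/values:batchUpdate status=200",
    "2026-02-03T10:15:11Z src=10.20.30.40 method=POST url=https://sheets.googleapis.com:443/v4/spreadsheets/1AbC_dEf-GhIjK/values:batchClear status=200",
    "2026-02-03T10:16:40Z src=10.20.30.41 method=GET url=https://sheets.googleapis.com/v4/spreadsheets/1AbC_dEf-GhIjK/values/A2:A17?valueRenderOption=FORMULA status=200",
    # Ordinary Sheets API use: a range read without the FORMULA render option.
    "2026-02-03T10:17:00Z src=10.20.30.99 method=GET url=https://sheets.googleapis.com/v4/spreadsheets/9ZyX-wVu_TsRq/values/Sheet1!A1:D10 status=200",
    # Browser access to the Sheets UI, not the API.
    "2026-02-03T10:17:05Z src=10.20.30.99 method=GET url=https://docs.google.com/spreadsheets/d/9ZyX-wVu_TsRq/edit status=200",
]

if __name__ == "__main__":
    for src, templates in find_sheets_c2_hosts(SAMPLE_LOG).items():
        print(src, "->", len(templates), "GRIDTIDE Sheets C2 pattern(s)")
        for t in templates:
            print("   ", t)
```

The two 10.20.30.99 lines are left unmatched on purpose: ordinary Sheets API reads and browser access to the Sheets UI should not trip the rule, which is the false-positive check a practitioner would want before deploying the regexes.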

    Reference:  

    https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/


    Tags: Malware, Threat Actor, Cyber Espionage, PRC state, Communications, Government Services and Facilities, Salt Typhoon
