UNC2814 - Stealth Espionage via GRIDTIDE Backdoor

    Date: 03/23/2026

    Severity: High

    Summary

    UNC2814 is a PRC-aligned cyber espionage group active since at least 2017. It targets the telecom and government sectors to steal communications intelligence and PII. The group has operated in 42 confirmed countries and over 70 suspected ones across multiple regions, including Africa, Asia, and the Americas. It gains initial access via compromised internet-facing systems and moves laterally over SSH using privileged accounts. The attackers deploy the GRIDTIDE backdoor, which uses Google Sheets for covert C2, and rely on LOLBins for persistence and privilege escalation.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    kozow.com

    ddnsgeek.com

    ooguy.com

    accesscam.org

    camdvr.org

    theworkpc.com

    mywire.org

    loseyourip.com

    casacam.net

    webredirect.org

    ddnsfree.com

    bumbleshrimp.com

    IP Addresses:

    5.34.176.6

    207.148.73.18

    38.54.82.69

    38.180.205.14

    38.60.194.21

    38.54.112.184

    65.20.104.91

    38.60.171.242

    130.94.6.228

    45.76.157.113

    38.54.31.146

    45.76.184.214

    38.54.32.244

    149.28.128.128

    38.54.37.196

    139.84.236.237

    38.60.224.25

    149.28.139.125

    38.60.252.66

    178.79.188.181

    45.90.59.129

    195.123.211.70

    202.59.10.122

    139.180.219.115

    45.77.254.168

    195.123.226.235

    Hashes:

    MD5:

    2d261e232233eb8027dc8c1fcc128682

    2d873e91ac1a0423b186bd4fbf8e50d0

    SHA-1:

    be0a15969da42365acc8cbc91c9e8bed9b6362f5

    852c068dca060ab0268a920d52704888abf17e9a

    SHA-256:

    4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9

    ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (domain/URL indicators):

    domainname like "bumbleshrimp.com" or url like "bumbleshrimp.com" or siteurl like "bumbleshrimp.com" or domainname like "ooguy.com" or url like "ooguy.com" or siteurl like "ooguy.com" or domainname like "kozow.com" or url like "kozow.com" or siteurl like "kozow.com" or domainname like "ddnsgeek.com" or url like "ddnsgeek.com" or siteurl like "ddnsgeek.com" or domainname like "accesscam.org" or url like "accesscam.org" or siteurl like "accesscam.org" or domainname like "camdvr.org" or url like "camdvr.org" or siteurl like "camdvr.org" or domainname like "theworkpc.com" or url like "theworkpc.com" or siteurl like "theworkpc.com" or domainname like "mywire.org" or url like "mywire.org" or siteurl like "mywire.org" or domainname like "loseyourip.com" or url like "loseyourip.com" or siteurl like "loseyourip.com" or domainname like "casacam.net" or url like "casacam.net" or siteurl like "casacam.net" or domainname like "webredirect.org" or url like "webredirect.org" or siteurl like "webredirect.org" or domainname like "ddnsfree.com" or url like "ddnsfree.com" or siteurl like "ddnsfree.com"

    Detection Query 2 (IP indicators):

    dstipaddress IN ("202.59.10.122","38.54.37.196","38.54.82.69","45.76.157.113","130.94.6.228","178.79.188.181","139.84.236.237","139.180.219.115","195.123.211.70","149.28.139.125","38.60.171.242","195.123.226.235","45.77.254.168","38.180.205.14","38.60.194.21","38.60.252.66","149.28.128.128","38.60.224.25","5.34.176.6","38.54.112.184","207.148.73.18","38.54.31.146","45.76.184.214","65.20.104.91","38.54.32.244","45.90.59.129") or srcipaddress IN ("202.59.10.122","38.54.37.196","38.54.82.69","45.76.157.113","130.94.6.228","178.79.188.181","139.84.236.237","139.180.219.115","195.123.211.70","149.28.139.125","38.60.171.242","195.123.226.235","45.77.254.168","38.180.205.14","38.60.194.21","38.60.252.66","149.28.128.128","38.60.224.25","5.34.176.6","38.54.112.184","207.148.73.18","38.54.31.146","45.76.184.214","65.20.104.91","38.54.32.244","45.90.59.129")

    Detection Query 3 (MD5):

    md5hash IN ("2d873e91ac1a0423b186bd4fbf8e50d0","2d261e232233eb8027dc8c1fcc128682")

    Detection Query 4 (SHA-1):

    sha1hash IN ("852c068dca060ab0268a920d52704888abf17e9a","be0a15969da42365acc8cbc91c9e8bed9b6362f5")

    Detection Query 5 (SHA-256):

    sha256hash IN ("ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47","4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9")
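    The five queries above are plain indicator matches, and the same logic is easy to reproduce outside the TDIR platform, for example to sweep an exported log set or to unit-test the indicator list. The following Python is an added example, not code from Gurucul or from the referenced KPMG report: it loads the advisory's domains, IPs and hashes into sets and evaluates each log event against the equivalent of Queries 1 to 5. The event field names (domainname, url, siteurl, dstipaddress, srcipaddress, md5hash, sha1hash, sha256hash) are assumed to mirror the query fields, and the sample events at the bottom are constructed, not real telemetry.

```python
"""Hypothetical IOC matcher mirroring the five detection queries above.

Field names are assumptions chosen to resemble the query fields; the
indicators themselves are copied from the advisory's IOC list.
"""
from urllib.parse import urlparse

# Domain indicators (Query 1).
IOC_DOMAINS = {
    "kozow.com", "ddnsgeek.com", "ooguy.com", "accesscam.org", "camdvr.org",
    "theworkpc.com", "mywire.org", "loseyourip.com", "casacam.net",
    "webredirect.org", "ddnsfree.com", "bumbleshrimp.com",
}

# IP indicators (Query 2).
IOC_IPS = {
    "5.34.176.6", "207.148.73.18", "38.54.82.69", "38.180.205.14",
    "38.60.194.21", "38.54.112.184", "65.20.104.91", "38.60.171.242",
    "130.94.6.228", "45.76.157.113", "38.54.31.146", "45.76.184.214",
    "38.54.32.244", "149.28.128.128", "38.54.37.196", "139.84.236.237",
    "38.60.224.25", "149.28.139.125", "38.60.252.66", "178.79.188.181",
    "45.90.59.129", "195.123.211.70", "202.59.10.122", "139.180.219.115",
    "45.77.254.168", "195.123.226.235",
}

# Hash indicators (Queries 3, 4, 5), stored lowercase so comparisons are
# case-insensitive regardless of how the log source formats hashes.
IOC_HASHES = {
    "2d261e232233eb8027dc8c1fcc128682",          # MD5
    "2d873e91ac1a0423b186bd4fbf8e50d0",          # MD5
    "be0a15969da42365acc8cbc91c9e8bed9b6362f5",  # SHA-1
    "852c068dca060ab0268a920d52704888abf17e9a",  # SHA-1
    "4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9",  # SHA-256
    "ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47",  # SHA-256
}


def domain_hit(name):
    """Return the IOC domain that `name` equals or sits beneath, else None.

    Query 1 uses `like`, i.e. a substring match. Matching on the label
    boundary instead catches hosts under the indicator domain while not
    flagging an unrelated name such as 'notkozow.com'.
    """
    name = name.strip().lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def host_from_url(url):
    """Extract the host part of a URL, tolerating scheme-less values."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return parsed.hostname or ""


def check_event(event):
    """Evaluate one event (dict) against Queries 1-5.

    Returns a list of (query_number, field, indicator) tuples; an empty
    list means no indicator matched.
    """
    hits = []
    # Query 1: domain and URL fields.
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if not value:
            continue
        host = value if field == "domainname" else host_from_url(value)
        ioc = domain_hit(host)
        if ioc:
            hits.append((1, field, ioc))
    # Query 2: source and destination IP fields.
    for field in ("dstipaddress", "srcipaddress"):
        value = event.get(field)
        if value in IOC_IPS:
            hits.append((2, field, value))
    # Queries 3-5: one hash field each.
    for query, field in ((3, "md5hash"), (4, "sha1hash"), (5, "sha256hash")):
        value = event.get(field)
        if value and value.lower() in IOC_HASHES:
            hits.append((query, field, value.lower()))
    return hits


def scan(events):
    """Return {event id: hits} for every event with at least one hit."""
    results = {}
    for event in events:
        hits = check_event(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample events; none of these are real observations.
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "update.kozow.com", "srcipaddress": "10.0.0.5",
     "dstipaddress": "203.0.113.9"},
    {"id": 2, "url": "https://docs.example.com/report",
     "dstipaddress": "38.54.82.69"},
    {"id": 3, "sha256hash":
     "4EB994B816A1A24CF97BFD7551D00FE14B810859170DBF15180D39E05CD7C0F9"},
    {"id": 4, "domainname": "notkozow.com", "dstipaddress": "198.51.100.7",
     "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

    Two points for anyone running this against real data. First, several of the listed names (ddnsfree.com, ddnsgeek.com and similar) look like shared dynamic DNS zones, and both the `like` query and this matcher flag any host under them, so a Query 1 hit is a triage trigger to pivot to the IP and hash indicators rather than a confirmed compromise. Second, the matcher deliberately narrows Query 1 from substring to label-boundary matching; if you need exact parity with the TDIR query, replace `domain_hit` with a plain `ioc in name` check.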

    Reference:

    https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2026/03/kpmg-ctip-unc2814-03-mar-2026.pdf.coredownload.inline.pdf


    Tags

    Malware, Threat Actor, Backdoor, Communications, Government Services and Facilities, Cyber Espionage, Africa, Asia, America, LOLBins
