APT / THREAT GROUP

GRIDTIDE

2 aliases
Last seen: May 13, 2026

Intelligence Profile

According to Google, GRIDTIDE is a sophisticated backdoor written in C and delivered as a Linux ELF binary that provides remote shell command execution, file upload, and file download capabilities. It uses a cloud-based spreadsheet service as its command-and-control channel, interacting via official APIs and encoding all traffic with a URL-safe Base64 scheme to blend into legitimate HTTPS traffic. The malware relies on an external 16-byte key file to decrypt its cloud configuration using AES-128 in CBC mode, then performs detailed host reconnaissance (user, host, OS, network, and locale information) and stores this metadata in designated spreadsheet cells. GRIDTIDE establishes persistence through a system service, uses a cell-based polling mechanism for tasking and responses, and can stage tooling and exfiltrated data in spreadsheet cells to avoid traditional network-based detection.

Threat Analysis

GRIDTIDE's national origin is undetermined, and its primary motivation and activity patterns are unknown in the available intelligence.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

GRIDTIDE, elf.gridtide

External Intelligence

Malpedia: elf.gridtide

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.