EvilBit Threat Digest - Sheets, Shellcode, and SeaFlowers

Cloud-first malware roundup: GRIDTIDE uses Google Sheets as C2, PlugX evolutions, React RCE, SeaFlower wallet clones, fixes.

Sunday morning. Coffee in one hand, packet captures in the other.

This week had a little of everything: a suspected PRC-nexus Linux backdoor hiding in Google Sheets, PlugX wearing new clothes (twice), wallet-cloning malware siphoning seed phrases, Cisco quietly patching the plumbing, and Europol kicking in doors on a decentralized crime scene.

Let's get into it.


Living off the Cloud: GRIDTIDE and the Google Sheets C2

If you had "Google Sheets as C2" on your 2026 bingo card, congratulations, you win a free existential crisis.

Google's Threat Intelligence Group and Mandiant detailed GRIDTIDE, a Linux backdoor used by UNC2814. Attributed to a suspected PRC-nexus actor, it targets telecoms and government orgs across 42 countries (53 confirmed victims, with suspected operations in 70+ more) in a campaign now disrupted by Google (Google Cloud Blog; coverage at SecurityWeek).

The trick: Google Sheets as a bidirectional message bus

GRIDTIDE is a C-based Linux backdoor that:

  • Authenticates to Google APIs using service account credentials
  • Communicates with sheets.googleapis.com
  • Uses batchClear (confirmed) and likely batchUpdate to exchange commands and results
  • Encodes tasking inside spreadsheet cells

This isn't "paste C2 into a cell and poll it." It's structured API abuse. The malware blends into legitimate HTTPS traffic to Google infrastructure. From a network perspective, it looks like a host doing what developers do every day.

That's the point.

Post-exploitation tradecraft

Once in, operators:

  • Dropped payloads under /var/tmp with short alphanumeric names
  • Created rogue systemd units with package-manager-style names (e.g., one masquerading as xapt.service)
  • Leveraged SSH and tunneling for lateral movement
  • Used SoftEther VPN components (hamcore.se2) in some cases

The elegance here isn't in 0-days. It's in cloud trust transitivity. "Allow Google" is effectively the new "Allow 443."

Blue Team implications

You can't just block Google APIs. But you can:

  • Hunt for non-browser processes talking to sheets.googleapis.com
  • Flag unusual API parameters (batchClear from a headless Linux server?)
  • Monitor service account use and Cloud project sprawl
  • Watch for config files dropped in /usr/sbin, /sbin, /var/tmp

This is living-off-the-cloud C2 done right. Expect copycats.


PlugX: Two Campaigns, Same Old Ghost

PlugX is like that villain who never stays dead. This week saw two distinct delivery evolutions.

1. STATICPLUGIN variant (government targeting)

IIJ documented a new PlugX variant dubbed STATICPLUGIN. Attributed to UNC6384, it targets government entities (IIJ blog).

Tradecraft highlights:

  • Obfuscated loaders
  • Discovery routines across processes, network, and registry
  • Encrypted C2 channels
  • Registry Run key persistence

PlugX's staying power comes from modularity. The core loader adapts; the playbook stays familiar.

2. Meeting invite via MSBuild + G DATA sideloading

LAB52 detailed a campaign delivering PlugX through phishing lures themed as meeting invitations (LAB52).

What's clever here:

  • MSBuild is abused as an execution proxy
  • DLL sideloading via legitimate G DATA Avk.exe
  • Registry persistence under benign-looking keys
  • C2 domains like decoraat[.]net

This is classic LOLBin theater. You trust your AV vendor's executable? So does the attacker.

Red take: DLL sideloading remains undefeated when orgs allow-list by signer but not by path integrity.

Blue take: If Avk.exe is loading a DLL from a user-writable directory, that's not "endpoint protection." That's cosplay.
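To turn that blue take into a rule, here is an added example (my code, not LAB52's or G DATA's) that walks Sysmon Event ID 7 (ImageLoaded) records exported as JSON and flags a DLL loaded from a user-writable path when it is unsigned, carries a different signer than the host process, or is loaded by an executable on a sideload watchlist. The events are constructed; the `ProcessSignature` field is an assumed enrichment (stock Event 7 only carries the loaded image's signature), and the watchlist is seeded with Avk.exe from the write-up only. The MSBuild sample shows the other half of the LAB52 chain: the execution proxy compiling an inline task into a DLL under the user's Temp.

```python
"""Flag DLL sideloading from user-writable paths in Sysmon-style ImageLoaded events.

Added example. Events are constructed to look like Sysmon Event ID 7 fields
(Image, ImageLoaded, Signed, Signature, SignatureStatus) plus an assumed
'ProcessSignature' enrichment giving the host process's own signer.
"""
import ntpath
import re

# Paths an unprivileged user can write to (assumed; extend for your estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\|windows\\tasks\\)", re.I)

# Executables known to host sideloads. Avk.exe is from the LAB52 write-up;
# seed the rest from your own intel.
WATCHLIST = {"avk.exe"}


def sideload_reasons(ev: dict) -> list[str]:
    """Return reasons to alert on this image load, or [] if it looks normal."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.splitext(dll)[1].lower() != ".dll" or not USER_WRITABLE.match(dll):
        return []
    concerns = []
    signed_ok = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    if not signed_ok:
        concerns.append("loaded DLL is unsigned or its signature is invalid")
    elif ev.get("Signature") != ev.get("ProcessSignature"):
        concerns.append(f"signer mismatch: process={ev.get('ProcessSignature')!r} "
                        f"dll={ev.get('Signature')!r}")
    if ntpath.basename(exe).lower() in WATCHLIST:
        concerns.append(f"host executable on sideload watchlist: {ntpath.basename(exe)}")
    if not concerns:
        return []          # signed, same vendor, not on the watchlist: per-user installs do this
    reasons = [f"DLL loaded from user-writable path: {dll}"] + concerns
    if USER_WRITABLE.match(exe):
        reasons.append("host executable itself runs from a user-writable path (dropped alongside the DLL)")
    return reasons


# --- constructed sample events ----------------------------------------------
EVENTS = [
    {   # vendor-signed AV binary copied next to an unsigned DLL: the sideload
        "Image": r"C:\Users\jdoe\AppData\Roaming\GData\Avk.exe",
        "ProcessSignature": "G DATA CyberDefense AG",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\GData\sideload.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # ordinary system DLL load from System32: ignored
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ProcessSignature": "Google LLC",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # per-user install loading its own vendor-signed DLL: benign
        "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "ProcessSignature": "Microsoft Corporation",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\ffmpeg.dll",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid",
    },
    {   # MSBuild compiling an inline task to Temp and loading it: execution proxy
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ProcessSignature": "Microsoft Corporation",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\tmp1A2B.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]


def scan(events=EVENTS) -> list[tuple[str, list[str]]]:
    """Return (host executable name, reasons) for every flagged event."""
    out = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            out.append((ntpath.basename(ev["Image"]), reasons))
    return out


if __name__ == "__main__":
    for name, reasons in scan():
        print(name, "\n  " + "\n  ".join(reasons))
```

Allow-listing by signer alone passes the first event, because Avk.exe really is signed by G DATA; the rule fires on where the DLL came from and who signed it, which is the path-integrity check the red take is complaining about.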


React RCE (CVE-2025-55182) in the Wild

CVE-2025-55182 is a pre-auth RCE in React Server Components caused by insecure deserialization of the RSC Flight protocol payload. CVSS 10.0. Patches were released in December 2025 (react.dev advisory).

Multiple threat clusters have since picked it up. Kaspersky's Securelist documented active exploitation campaigns (Securelist), and Unit 42 published additional analysis of exploitation chains targeting exposed Next.js deployments (Unit 42).

CVE-2025-55182

  • Impact: Pre-auth remote code execution via RSC Flight protocol deserialization
  • Affected: React Server Components / Next.js deployments
  • CVSS: 10.0 (Critical)
  • Status: Patches available since December 2025

Observed post-exploitation tradecraft includes:

  • PowerShell stagers
  • Scheduled task persistence
  • SSH-based tunneling
  • Cryptominer deployment and custom backdoors

The big picture: frontend framework bugs now have a backend blast radius. React isn't "just UI" anymore. Server components changed the threat model, and attackers noticed.

If you run exposed Next.js apps and didn't aggressively patch in December, now would be an excellent time to revisit that decision. Tenable has plugins for this CVE; if your scan policy covers web application infrastructure, verify it's picking these up.


Web3 Wallet Clones: SeaFlower's Seed Harvest

The SeaFlower campaign, first documented by Confiant in 2022, continues distributing trojanized clones of Coinbase Wallet, MetaMask, TokenPocket, and imToken. A recent CyberSecurityNews report indicates the campaign remains active (CyberSecurityNews; original Confiant research from 2022).

Key elements:

  • Lookalike domains
  • Provisioning profile abuse on iOS
  • Inline hooking and injected libraries
  • Seed phrase harvesting and exfiltration

This isn't a smart contract exploit. It's supply chain and social engineering. Clone the wallet. Add a backdoor. Wait for the 12 magic words.

The uncomfortable truth: seed phrases are bearer bonds. If exfiltrated once, game over. No SOC, no clawback.


Cisco: Quietly Fixing the Management Plane

Two Cisco advisories worth noting:

CVE-2026-20091: Stored XSS in FXOS / UCS Manager

(Advisory)

  • Impact: Stored XSS in the web management interface
  • Access required: Admin or AAA Admin
  • CVSS: 4.8 (Medium)
  • Fix: Upgrade to patched releases (check advisory for version matrix)

This is post-compromise candy. If an attacker gets admin creds, they can persist a malicious script in the management UI and hijack other admin sessions.

CVE-2026-20107: APIC DoS

(Advisory)

  • Impact: An authenticated CLI user can crash APIC 6.1
  • CVSS: 5.5 (Medium)
  • Fix: Upgrade to patched 6.1 release (check advisory for fixed version)

Not sexy, but an insider or a compromised low-privilege CLI account can force a controller reload. In ACI environments, that's not a great afternoon.


Email, DNSBLs, and April Deadlines

Spamhaus announced that users querying its free DNSBL public mirrors via Oracle's network must migrate to the free Data Query Service (DQS) by 8 April 2026 (enforcement begins 9 April), or risk deliverability issues (Spamhaus).

Operational takeaway:

  • If you're querying Spamhaus via Oracle infra, switch to DQS.
  • Ensure MTAs treat the 127.255.255.254 return code as a query error, not as a listing; a filter that rejects on any 127.0.0.0/8 answer will bounce legitimate mail once that code starts coming back.
  • Don't wait until your outbound mail starts bouncing.

This is policy, not vulnerability. But mail flow outages tend to become executive-level incidents very quickly.
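The return-code point deserves a concrete check, so here is an added example (my code, not Spamhaus's) of a DNSBL lookup that builds the reversed query name for the public zone or a DQS zone, and then classifies the answer so that Spamhaus error codes (127.255.255.252, .254, .255) and non-127/8 wildcard answers are logged as errors rather than treated as listings. The resolver is a stub over constructed answers so the block runs offline; the DQS key and the sample IPs are placeholders, and for a live check you would swap in dnspython or `socket.gethostbyname`.

```python
"""Interpret Spamhaus-style DNSBL answers without misreading error codes as listings.

Added example. The resolver is stubbed with constructed answers so this runs
offline; the DQS key below is a placeholder, not a real credential.
"""
import ipaddress

LISTING_CODES = {                      # zen.spamhaus.org return codes
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "CSS (snowshoe / compromised)",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.5": "XBL (exploited host)",
    "127.0.0.6": "XBL (exploited host)",
    "127.0.0.7": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP policy)",
    "127.0.0.11": "PBL (Spamhaus policy)",
}
ERROR_CODES = {                        # never a listing: log and fail open
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query via a public/open resolver or a disallowed path (move to DQS)",
    "127.255.255.255": "excessive query volume",
}


def dqs_zone(key: str, dataset: str = "zen") -> str:
    """DQS zones embed the account key: <key>.<dataset>.dq.spamhaus.net."""
    return f"{key}.{dataset}.dq.spamhaus.net"


def query_name(ip: str, zone: str) -> str:
    """Reverse the address (octets for v4, nibbles for v6) and append the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    rev = rev.removesuffix(".in-addr.arpa").removesuffix(".ip6.arpa")
    return f"{rev}.{zone}"


def check(ip: str, zone: str, resolve) -> tuple[str, list[str]]:
    """resolve(qname) -> list of A-record strings, [] for NXDOMAIN.

    Verdicts: 'clean', 'listed', 'error' (Spamhaus signalling a problem with the
    query itself) or 'unknown' (an answer outside 127/8, e.g. a wildcarding resolver).
    """
    answers = resolve(query_name(ip, zone))
    if not answers:
        return "clean", []
    errors = [a for a in answers if a in ERROR_CODES]
    if errors:
        return "error", [ERROR_CODES[a] for a in errors]
    listings = [a for a in answers if a.startswith("127.0.0.")]
    if listings:
        return "listed", [LISTING_CODES.get(a, f"unrecognised code {a}") for a in listings]
    return "unknown", answers


def should_reject(verdict: tuple[str, list[str]]) -> bool:
    """Only a genuine listing rejects; errors fail open and should page someone."""
    return verdict[0] == "listed"


# --- constructed answers standing in for DNS --------------------------------
ZONE = "zen.spamhaus.org"
FAKE_ANSWERS = {
    query_name("192.0.2.10", ZONE): ["127.0.0.4", "127.0.0.10"],  # XBL + PBL listing
    query_name("192.0.2.11", ZONE): ["127.255.255.254"],          # blocked query path
    query_name("198.51.100.5", ZONE): ["198.51.100.99"],          # wildcard hijack
}


def fake_resolve(qname: str) -> list[str]:
    return FAKE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"):
        v = check(ip, ZONE, fake_resolve)
        print(ip, v, "REJECT" if should_reject(v) else "accept")
    print(query_name("192.0.2.10", dqs_zone("yourdqskey")))
```

The design choice that matters is the fail-open branch: an MTA that maps "got any answer" to "reject" turns a Spamhaus-side policy change into a self-inflicted outage, which is exactly the April scenario described above.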


Law Enforcement: The Com Disrupted

Europol-led action resulted in 30 arrests tied to the decentralized cybercrime collective "The Com," with 179 suspects identified (BleepingComputer).

The group has been linked to extortion, grooming, and ransomware activity targeting minors.

The structural insight: decentralization doesn't mean invulnerability. Discord-era crime crews leave artifacts: accounts, payments, cross-border chatter. Enough breadcrumbs, and coordination wins.


Briefly Noted

  • Dohdoor: Talos detailed a backdoor using DNS-over-HTTPS for C2 targeting US education and healthcare, with DLL sideloading and PowerShell staging (Talos). DoH remains the stealth tax you pay for encrypted DNS.
  • HijackLoader via "Free Games": Pirated game downloads delivering HijackLoader and ACRStealer, featuring module stomping and process hollowing (G Data). The warez scene is still an access broker.
  • European Parliament blocks AI features on lawmaker devices over data security concerns (TechCrunch). When legislators start threat-modeling copilots, you know the conversation has shifted.
  • Infosec job market anecdote: A Reddit thread notes increased recruiter activity over the last two months (Reddit). Anecdotal, but if your inbox is warming up, you're not alone. I haven't seen it yet in my area, but I'm optimistic this could be a good sign.

The Pattern This Week

Cloud trust abuse. Legitimate binaries as launchpads. Framework bugs as server footholds. Wallet clones instead of wallet exploits.

Nothing here screams "new physics." What's evolving is placement. Attackers are embedding themselves in the default-allow paths: Google APIs, signed AV binaries, developer frameworks, and encrypted DNS.

The perimeter didn't disappear. It just moved into places we reflexively trust.

See you midweek. Bring logs.