Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign
ID: bdb0483d-5ebd-546d-9f5f-38e17e570048
STIX ID: report--bdb0483d-5ebd-546d-9f5f-38e17e570048
Feed Name: Threat Intelligence
This report is an IOC feed documenting an active malware campaign's infrastructure: multiple C2 IPs and hosting servers, numerous dynamic/DDNS domains used as C2, SoftEther VPN servers and attacker IPs, two GRIDTIDE-related User-Agent strings, and a self-signed X.509 certificate SHA256 hash — intended for detection, blocking, and enrichment rather than detailed analysis of exploitation or victims.
