Category: Threat Intelligence

From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944

Introduction In mid-2025, Google Threat Intelligence Group (GTIG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has…

Beyond Convenience: Exposing the Risks of VMware vSphere Active Directory Integration

Written by: Stuart Carrera, Brian Meyer Executive Summary Broadcom’s VMware vSphere product remains a popular choice for private cloud virtualization, underpinning critical infrastructure. Far from fading, organizations continue to rely heavily on vSphere for stability and control.…

Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience

Written by: Jaysn Rye Executive Summary As adversaries grow faster, stealthier, and more destructive, traditional recovery strategies are increasingly insufficient. Mandiant’s M-Trends 2025 report reinforces this shift, highlighting that ransomware operators now routinely target not just production systems but also…

Protecting the Core: Securing Protection Relays in Modern Substations

Written by: Seemant Bisht, Chris Sistrunk, Shishir Gupta, Anthony Candarini, Glen Chason, Camille Felx Leduc Introduction — Why Securing Protection Relays Matters More Than Ever Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its…

What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

Written by: Gabby Roncone, Wesley Shields In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted…

The Cost of a Call: From Voice Phishing to Data Extortion

Introduction Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations’ Salesforce instances for large-scale data theft and subsequent extortion. Over the…

Hello, Operator? A Technical Analysis of Vishing Threats

Written by: Nick Guttilla Introduction Organizations are increasingly relying on diverse digital communication channels for essential business operations. The way employees interact with colleagues, access corporate resources, and especially, receive information technology (IT) support is often conducted through calls, chat…

Mark Your Calendar: APT41 Innovative Tactics

Written by: Patrick Whitsell Google Threat Intelligence Group’s (GTIG) mission is to protect Google’s billions of users and Google’s multitude of products and services. In late October 2024, GTIG discovered an exploited government website hosting malware being used…

Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites

Written by: Diana Ion, Rommel Joven, Yash Gupta Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos…

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Written by: Wesley Shields Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files…

Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

Background UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to…

Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis

Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98…

M-Trends 2025: Data, Insights, and Recommendations From the Frontlines

One of the ways threat actors keep up with the constantly evolving cyber defense landscape is by raising the level of sophistication of their attacks. This trend can be seen across many of our engagements, particularly when…

Windows Remote Desktop Protocol: Remote to Rogue

Written by: Rohit Nambiar Executive Summary In October 2024, Google Threat Intelligence Group (GTIG) observed a novel phishing campaign targeting European government and military organizations that was attributed to a suspected Russia-nexus espionage actor we track as UNC5837. The campaign…

Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow…

DPRK IT Workers Expanding in Scope and Scale

Written by: Jamie Collier Since our September 2024 report outlining the Democratic People’s Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations have continued to expand. These individuals pose as legitimate remote workers to infiltrate…

BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique

Written by: Truman Brown, Emily Astranova, Steven Karschnia, Jacob Paullus, Nick McClendon, Chris Higgins Executive Summary The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across…

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

Written by: Lukasz Lamparski, Punsaen Boonyakarn, Shawn Chew, Frank Tse, Jakub Jozwiak, Mathew Potaczek, Logeswaran Nadarajan, Nick Harbour, Mustafa Nasser Introduction In mid-2024, Mandiant discovered that threat actors had deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these…

Unraveling Time: A Deep Dive into TTD Instruction Emulation Bugs

Written by: Dhanesh Kizhakkinan, Nino Isakovic Executive Summary This blog post presents an in-depth exploration of Microsoft’s Time Travel Debugging (TTD) framework, a powerful record-and-replay debugging framework for Windows user-mode applications. TTD relies heavily on accurate CPU instruction emulation to…

GoStringUngarbler: Deobfuscating Strings in Garbled Binaries

Written by: Chuong Dong Overview In our day-to-day work, the FLARE team often encounters malware written in Go that is protected using garble. While recent advancements in Go analysis from tools like IDA Pro have simplified the analysis process, garble…

Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions

Written by: Joshua Goddard Executive Summary Rosetta 2 is Apple’s translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems. Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts. Mandiant…

Phishing Campaigns Targeting Higher Education Institutions

Written by: Ashley Pearson, Ryan Rath, Gabriel Simches, Brian Timberlake, Ryan Magaw, Jessica Wilbur Overview Beginning in August 2024, Mandiant observed a notable increase in phishing attacks targeting the education industry, specifically U.S.-based universities. A separate investigation conducted…

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger

Written by: Dan Black Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia’s intelligence services. While this emerging operational interest…

Cybercrime: A Multifaceted National Security Threat

Executive Summary Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders’ resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed…

Using capa Rules for Android Malware Detection

Mobile devices have become the go-to for daily tasks like online banking, healthcare management, and personal photo storage, making them prime targets for malicious actors seeking to exploit valuable information. Bad actors often turn to publishing and…

CVE-2023-6080: A Case Study on Third-Party Installer Abuse

Written by: Jacob Paullus, Daniel McNamara, Jake Rawlins, Steven Karschnia Executive Summary Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Software’s SysTrack installer to obtain arbitrary code execution. An attacker with low-privilege…

Adversarial Misuse of Generative AI

Rapid advancements in artificial intelligence (AI) are unlocking new possibilities for the way we work and accelerating innovation in science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our…

ScatterBrain: Unmasking the Shadow of PoisonPlug’s Obfuscator

Written by: Nino Isakovic Introduction Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as “ScatterBrain,” facilitating attacks…

Securing Cryptocurrency Organizations

Written by: Joshua Goddard The Rise of Crypto Heists and the Challenges in Preventing Them Cryptocurrency crime encompasses a wide range of illegal activities, from theft and hacking to fraud, money laundering, and even terrorist financing, all…

Your Single-Page Applications Are Vulnerable: Here’s How to Fix Them

Written by: Steven Karschnia, Truman Brown, Jacob Paullus, Daniel McNamara Executive Summary Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilities. By implementing a robust access control policy on supporting APIs, the…

Backscatter: Automated Configuration Extraction

Written by: Josh Triplett Executive Summary Backscatter is a tool developed by the Mandiant FLARE team that aims to automatically extract malware configurations. It relies on static signatures and emulation to extract this information without dynamic execution,…

Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation

Written by: John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators,…

Bridging the Gap: Elevating Red Team Assessments with Application Security Testing

Written by: Ilyass El Hadi, Louis Dion-Marcil, Charles Prevost Executive Summary Whether through a comprehensive Red Team engagement or a targeted external assessment, incorporating application security (AppSec) expertise enables organizations to better simulate the tactics and techniques of modern adversaries. This…

(QR) Coding My Way Out of Here: C2 in Browser Isolation Environments

Written by: Thibault Van Geluwe de Berlaere Executive Summary Browser isolation is a security technology where web browsing activity is separated from the user’s local device by running the browser in a secure environment, such as a cloud server or…

Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations

Written by: Vanessa Molter Special thanks to Mandiant’s Ryan Serabian for his contributions to this analysis. This blog post details GLASSBRIDGE—an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services tracked by the…

Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence

One of Google Cloud’s major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation. In…

Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation

Written by: Matthijs Gielen, Jay Christiansen Background New solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us—the attackers and…

Emerging Threats: Cybersecurity Forecast 2025

Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission.…

(In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments

Written by: Thibault Van Geluwe de Berlaere, Karl Madden, Corné de Jong The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved…

Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives

In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named “Civil Defense”. “Civil Defense”…

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)

Written by: Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, Jared Wilson Summary In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in…

How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends

Written by: Casey Charrier, Robert Weiner Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days…

capa Explorer Web: A Web-Based Tool for Program Capability Analysis

Written by: Soufiane Fariss, Willi Ballenthin, Mike Hunhoff, Genwei Jiang, Tina Johnson, Moritz Raabe capa, developed by Mandiant’s FLARE team, is a reverse engineering tool that automates the identification of program capabilities. In this blog post we introduce capa Explorer…

LummaC2: Obfuscation Through Indirect Control Flow

Written by: Nino Isakovic, Chuong Dong Overview This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the…

Staying a Step Ahead: Mitigating the DPRK IT Worker Threat

Written by: Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, Alice Revelli Strategic Overview of IT Workers Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People’s Republic of North Korea…

UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

Written by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik Executive Summary UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature…

An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader

Written by: Marco Galli, Diana Ion, Yash Gupta, Adrian Hernandez, Ana Martinez Gomez, Jon Daniels, Christopher Gardner Introduction In June 2024, Mandiant Managed Defense identified a cyber espionage group suspected to have a North Korea nexus, tracked…

Protecting Multi-Cloud Resources in the Era of Modern Cloud-Based Cyberattacks

Written by: Rupa Mukherjee, Jon Sabberton In the era of multi-cloud adoption, where organizations leverage diverse cloud platforms to optimize their operations, a new wave of security challenges has emerged. The expansion of attack surfaces beyond traditional on-premises environments, coupled…

Insights on Cyber Threats Targeting Users and Enterprises in Mexico

Written by: Aurora Blum, Kelli Vanderlee Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of…

DeFied Expectations — Examining Web3 Heists

Written by: Robert Wallace, Blas Kojusner, Joseph Dobson Where money goes, crime follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything…

A Measure of Motive: How Attackers Weaponize Digital Analytics Tools

Written by: Adrian McCabe, Ryan Tomcik, Stephen Clement Introduction Digital analytics tools are vital components of the vast domain that is modern cyberspace. From system administrators managing traffic load balancers to marketers and advertisers working to deliver relevant content…

I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation

Written by: Ofir Rozmann, Asli Koksal, Sarah Bock Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in…

PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

Written by: Aaron Lee, Praveeth DSouza TL;DR Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Overview Mandiant Managed Defense…

“WireServing” Up Credentials: Escalating Privileges in Azure Kubernetes Services

Written by: Nick McClendon, Daniel McNamara, Jacob Paullus Executive Summary Mandiant disclosed this vulnerability to Microsoft via the Microsoft Security Response Center (MSRC) vulnerability disclosure program, and Microsoft has fixed the underlying issue. An attacker with…

Hacking Beyond .com — Enumerating Private TLDs

Written by: Idan Ron Background My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates…

UNC4393 Goes Gently into the SILENTNIGHT

Written by: Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko, Raymond Leong Overview In mid-2022, Mandiant’s Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant’s…

APT45: North Korea’s Digital Military Machine

Written by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into…

Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks

Written by: Emily Astranova, Pascal Issa Executive Summary AI-powered voice cloning can now mimic human speech with uncanny precision, creating more realistic phishing schemes. According to news reports, scammers have leveraged voice cloning and deepfakes…

APT41 Has Arisen From the DUST

Written by: Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore Executive Summary In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent…

AI-Powered Learning: Your NIST NICE Prompt Library (Built with Google Gemini)

Written by: Jake Liefer In the ever-evolving landscape of cybersecurity, staying ahead of threats demands continuous learning and skill development. The NIST NICE framework provides a roadmap, but mastering its extensive tasks, knowledge, and skills (TKSs)…

Scaling Up Malware Analysis with Gemini 1.5 Flash

Written by: Bernardo Quintero, Founder of VirusTotal and Security Director, Google Cloud Security; Alex Berry, Security Manager of the Mandiant FLARE Team, Google Cloud Security; Ilfak Guilfanov, author of IDA Pro and CTO, Hex-Rays; Vijay Bolina, Chief Information Security Officer & Head of Cybersecurity Research,…

Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO

Written by: John Hultquist As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges—the cyber threat. The Alliance faces…

Global Revival of Hacktivism Requires Increased Vigilance from Defenders

Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after…

Cloaked and Covert: Uncovering UNC3886 Espionage Operations

Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected…

UNC3944 Targets SaaS Applications

Introduction UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of “0ktapus,” “Octo Tempest,” “Scatter Swine,” and “Scattered Spider,” and has been observed adapting its tactics to include data theft from software-as-a-service…

Insights on Cyber Threats Targeting Users and Enterprises in Brazil

Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals,…

UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

Introduction Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used…

Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics

Written by: Michelle Cantos, Jamie Collier Executive Summary Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and…

Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools

Written by: Bavi Sadayappan, Zach Riddle, Jordan Nuce, Joshua Shilko, Jeremy Kennelly A version of this blog post was published to the Mandiant Advantage portal on April 18, 2024. Executive Summary In 2023, Mandiant observed an…

IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders

Written by: Michael Raggi Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting…

Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets

Written by: Mark Swindle While investigating recent exposures of Amazon Web Services (AWS) secrets, Mandiant identified a scenario in which client-specific secrets have been leaked from Atlassian’s code repository tool, Bitbucket, and leveraged by threat actors…