{"text": "UNC6692 launched a mass email campaign to create urgency, followed by a phishing message via Microsoft Teams impersonating IT helpdesk staff. Victims were directed to click a link for an \"email spam patch.\" Users downloaded a renamed AutoHotKey binary and script from an AWS S3 bucket. AutoHotKey executed the script, establishing initial reconnaissance. The SNOWBELT malicious browser extension was then installed on victim machines.", "spans": {"THREAT_ACTOR: UNC6692": [[0, 7]], "SYSTEM: Microsoft Teams": [[93, 108]], "TOOL: AutoHotKey": [[234, 244], [286, 296]], "MALWARE: SNOWBELT": [[359, 367]], "SYSTEM: AWS S3": [[271, 277]]}, "info": {"id": "mandiant_00001", "source": "vendor_blogs"}}
{"text": "SNOWBELT is a JavaScript-based Chromium browser extension backdoor that intercepts commands and maintains persistence through Service Worker Alarms. It communicates with command-and-control servers via a time-based domain generation algorithm targeting AWS S3 buckets. The extension hijacks browser sessions and exfiltrates cookies and credentials.", "spans": {"MALWARE: SNOWBELT": [[0, 8]], "SYSTEM: Chromium": [[31, 39]], "SYSTEM: AWS S3": [[253, 259]]}, "info": {"id": "mandiant_00002", "source": "vendor_blogs"}}
{"text": "SNOWGLAZE is a Python tunneler that creates WebSocket connections to command-and-control infrastructure hosted on Heroku, enabling SOCKS proxy operations and masking traffic with JSON and Base64 encoding. The tunneler allows threat actors to route traffic through compromised endpoints.", "spans": {"MALWARE: SNOWGLAZE": [[0, 9]], "SYSTEM: Heroku": [[114, 120]]}, "info": {"id": "mandiant_00003", "source": "vendor_blogs"}}
{"text": "SNOWBASIN is a Python bindshell operating as a local HTTP server on port 8000, providing remote command execution, screenshot capture, and file exfiltration capabilities. After establishing the browser foothold, UNC6692 scanned internal networks for ports 135, 445, and 3389. The attackers used PsExec for lateral movement via the SNOWGLAZE tunnel.", "spans": {"MALWARE: SNOWBASIN": [[0, 9]], "THREAT_ACTOR: UNC6692": [[212, 219]], "TOOL: PsExec": [[295, 301]], "MALWARE: SNOWGLAZE": [[331, 340]]}, "info": {"id": "mandiant_00004", "source": "vendor_blogs"}}
{"text": "UNC6692 extracted LSASS memory for credential harvesting and employed Pass-The-Hash techniques to reach domain controllers. They used FTK Imager to extract the Active Directory database NTDS.dit and registry hives. Data was exfiltrated via LimeWire. The campaign abused legitimate cloud services including AWS S3 and Heroku for command-and-control and payload delivery.", "spans": {"THREAT_ACTOR: UNC6692": [[0, 7]], "TOOL: FTK Imager": [[134, 144]], "FILEPATH: NTDS.dit": [[186, 194]], "TOOL: LimeWire": [[240, 248]], "SYSTEM: AWS S3": [[306, 312]], "SYSTEM: Heroku": [[317, 323]], "SYSTEM: Active Directory": [[160, 176]]}, "info": {"id": "mandiant_00005", "source": "vendor_blogs"}}
{"text": "The BRICKSTORM campaign targets VMware vSphere infrastructure, specifically vCenter Server Appliance and ESXi hypervisors. By establishing persistence at the virtualization layer below guest operating systems, threat actors exploit weak security architecture, identity design gaps, and limited visibility within the virtualization layer. Custom in-memory malware like BRICKSTORM achieves dwell times near 400 days on compromised hosts.", "spans": {"MALWARE: BRICKSTORM": [[4, 14], [368, 378]], "SYSTEM: VMware vSphere": [[32, 46]], "SYSTEM: vCenter Server Appliance": [[76, 100]], "SYSTEM: ESXi": [[105, 109]]}, "info": {"id": "mandiant_00006", "source": "vendor_blogs"}}
{"text": "Mandiant recommends implementing VMware vSphere STIG standards and applying strict patching strategies. Key controls include MFA, role-based access control, and SSH restrictions. Organizations should mandate VM encryption for Tier-0 assets such as domain controllers and credential repositories. The Mandiant vCenter Hardening Script is available at https://github.com/mandiant/vcsa-hardening-tool for automating security configurations.", "spans": {"ORGANIZATION: Mandiant": [[0, 8], [300, 308]], "SYSTEM: VMware vSphere": [[33, 47]], "URL: https://github.com/mandiant/vcsa-hardening-tool": [[350, 397]]}, "info": {"id": "mandiant_00007", "source": "vendor_blogs"}}
{"text": "Defenders should disable shell access for the vpxuser account on ESXi 8.0 hosts using the command esxcli system account set. Implement VLAN segmentation isolating management infrastructure and deploy host-based firewalls on vCenter Server Appliance and ESXi with default-deny policies. Block SSH on port 22 and VAMI on port 5480 from unauthorized sources.", "spans": {"SYSTEM: ESXi": [[65, 69], [253, 257]], "SYSTEM: vCenter Server Appliance": [[224, 248]]}, "info": {"id": "mandiant_00008", "source": "vendor_blogs"}}
{"text": "Google Threat Intelligence Group disclosed a critical supply chain attack where North Korea-nexus threat actor UNC1069 compromised the popular Axios NPM package on March 31, 2026. The attack introduced a malicious dependency called plain-crypto-js into Axios versions 1.14.1 and 0.30.4, which are downloaded over 100 million times weekly.", "spans": {"ORGANIZATION: Google Threat Intelligence Group": [[0, 32]], "THREAT_ACTOR: UNC1069": [[111, 118]], "SYSTEM: Axios": [[143, 148], [253, 258]], "MALWARE: plain-crypto-js": [[232, 247]]}, "info": {"id": "mandiant_00009", "source": "vendor_blogs"}}
{"text": "The Axios maintainer account was compromised, with the email changed to ifstap@proton.me. A malicious postinstall hook was added to automatically execute code when the package is installed. The setup.js file uses XOR and Base64 obfuscation to conceal command-and-control URLs. The malware, tracked as SILKBELL, detects the operating system and delivers platform-specific payloads.", "spans": {"EMAIL: ifstap@proton.me": [[72, 88]], "MALWARE: SILKBELL": [[301, 309]], "SYSTEM: Axios": [[4, 9]]}, "info": {"id": "mandiant_00010", "source": "vendor_blogs"}}
{"text": "On Windows, SILKBELL copies powershell.exe to %PROGRAMDATA%\\wt.exe and downloads a PowerShell script via curl to the temp directory. On macOS, it downloads a Mach-O binary to /Library/Caches/com.apple.act.mond and launches via zsh. On Linux, it downloads a Python backdoor to /tmp/ld.py.", "spans": {"MALWARE: SILKBELL": [[12, 20]], "SYSTEM: Windows": [[3, 10]], "FILEPATH: %PROGRAMDATA%\\wt.exe": [[46, 66]], "FILEPATH: /Library/Caches/com.apple.act.mond": [[175, 209]], "FILEPATH: /tmp/ld.py": [[276, 286]], "SYSTEM: macOS": [[136, 141]], "SYSTEM: Linux": [[235, 240]]}, "info": {"id": "mandiant_00011", "source": "vendor_blogs"}}
{"text": "The deployed WAVESHAPER.V2 backdoor supports reconnaissance, command execution, PE injection, shell commands, and file enumeration. It extracts hostname, username, OS version, and running processes. On Windows, it creates hidden batch files and registry entries for persistence. Backdoor commands include kill, rundir, runscript, and peinject.", "spans": {"MALWARE: WAVESHAPER.V2": [[13, 26]], "SYSTEM: Windows": [[202, 209]]}, "info": {"id": "mandiant_00012", "source": "vendor_blogs"}}
{"text": "The command-and-control infrastructure for the Axios compromise uses the domain sfrclak.com, which resolves to 142.11.206.73 on port 8000. The affected packages are plain-crypto-js versions 4.2.0 and 4.2.1. Organizations should pin Axios to known-safe versions in package-lock.json, audit projects for the plain-crypto-js package, and block traffic to the C2 domains and IPs.", "spans": {"DOMAIN: sfrclak.com": [[80, 91]], "IP_ADDRESS: 142.11.206.73": [[111, 124]], "MALWARE: plain-crypto-js": [[165, 180], [306, 321]], "SYSTEM: Axios": [[47, 52], [232, 237]]}, "info": {"id": "mandiant_00013", "source": "vendor_blogs"}}
{"text": "The Mandiant ransomware report documented a record high number of data leak site posts in 2025, representing approximately a 50% increase from 2024. Overall ransomware profitability is declining due to improved security and lower payment rates. Threat actors are shifting from large to smaller organizations. The average ransom demand dropped to $1.34 million from $2 million in 2024.", "spans": {"ORGANIZATION: Mandiant": [[4, 12]]}, "info": {"id": "mandiant_00014", "source": "vendor_blogs"}}
{"text": "Initial access vectors for ransomware in 2025 included exploitation of vulnerabilities at 33%, primarily targeting VPNs and firewalls from Fortinet, SonicWall, Palo Alto, and Citrix. Stolen credentials accounted for 21% of intrusions. REDBIKE ransomware appeared in 30% of analyzed incidents, the highest ever for a single family. 77% of incidents involved suspected data theft, up from 57% in 2024.", "spans": {"SYSTEM: Fortinet": [[139, 147]], "SYSTEM: SonicWall": [[149, 158]], "SYSTEM: Palo Alto": [[160, 169]], "SYSTEM: Citrix": [[175, 181]], "MALWARE: REDBIKE": [[235, 242]]}, "info": {"id": "mandiant_00015", "source": "vendor_blogs"}}
{"text": "Ransomware operators increasingly relied on tunnelers including PYSOXY, CHISEL, and CLOUDFLARED to establish footholds. BEACON usage declined to 2% from 11% in 2024. MIMIKATZ was used in approximately 18% of incidents for credential harvesting. Data exfiltration tools included Rclone in 28% of data theft incidents and FTP clients like FileZilla and WinSCP in 26% of incidents.", "spans": {"TOOL: PYSOXY": [[64, 70]], "TOOL: CHISEL": [[72, 78]], "TOOL: CLOUDFLARED": [[84, 95]], "MALWARE: BEACON": [[120, 126]], "TOOL: MIMIKATZ": [[166, 174]], "TOOL: Rclone": [[278, 284]], "TOOL: FileZilla": [[337, 346]], "TOOL: WinSCP": [[351, 357]]}, "info": {"id": "mandiant_00016", "source": "vendor_blogs"}}
{"text": "Notable ransomware families observed in 2025 included REDBIKE, AGENDA, INC, INTERLOCK, and MEDUSALOCKER.V2. Ransomware was deployed via batch scripts, GPOs, and scheduled tasks. ESXi targeting increased with automation attempts. BitLocker abuse was also observed. Anti-detection tactics included Windows Defender disabling via registry modifications and Set-MpPreference commands.", "spans": {"MALWARE: REDBIKE": [[54, 61]], "MALWARE: AGENDA": [[63, 69]], "MALWARE: INC": [[71, 74]], "MALWARE: INTERLOCK": [[76, 85]], "MALWARE: MEDUSALOCKER.V2": [[91, 106]], "SYSTEM: ESXi": [[178, 182]], "TOOL: BitLocker": [[229, 238]], "SYSTEM: Windows Defender": [[296, 312]]}, "info": {"id": "mandiant_00017", "source": "vendor_blogs"}}
{"text": "Cloud services used for data exfiltration by ransomware actors included Azure, AWS, Google Drive, MEGA, and OneDrive. The ransomware ecosystem saw diversification after major groups were disrupted. Web3 and blockchain integration for resilience emerged, with actors using Internet Computer Protocol and Polygon networks. AI-assisted negotiation systems and cross-platform ransomware saw significant growth.", "spans": {"SYSTEM: Azure": [[72, 77]], "SYSTEM: AWS": [[79, 82]], "SYSTEM: Google Drive": [[84, 96]], "SYSTEM: MEGA": [[98, 102]], "SYSTEM: OneDrive": [[108, 116]]}, "info": {"id": "mandiant_00018", "source": "vendor_blogs"}}
{"text": "Google Threat Intelligence Group published a detailed analysis of DarkSword, a sophisticated iOS exploit chain that leverages six zero-day vulnerabilities to fully compromise iOS devices running versions 18.4 through 18.7. Since November 2025, multiple threat actors including commercial surveillance vendors and suspected state-sponsored groups have adopted this exploit chain.", "spans": {"ORGANIZATION: Google Threat Intelligence Group": [[0, 32]], "MALWARE: DarkSword": [[66, 75]], "SYSTEM: iOS": [[93, 96], [175, 178]]}, "info": {"id": "mandiant_00019", "source": "vendor_blogs"}}
{"text": "UNC6748 targeted Saudi Arabia via a Snapchat-themed phishing site. PARS Defense, a Turkish commercial surveillance vendor, targeted Turkey and Malaysia. UNC6353, a Russian espionage group, targeted Ukraine through watering hole attacks. Three distinct malware families were deployed post-compromise: GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE.", "spans": {"THREAT_ACTOR: UNC6748": [[0, 7]], "THREAT_ACTOR: PARS Defense": [[67, 79]], "THREAT_ACTOR: UNC6353": [[153, 160]], "MALWARE: GHOSTKNIFE": [[300, 310]], "MALWARE: GHOSTSABER": [[312, 322]], "MALWARE: GHOSTBLADE": [[328, 338]], "SYSTEM: Snapchat": [[36, 44]]}, "info": {"id": "mandiant_00020", "source": "vendor_blogs"}}
{"text": "The DarkSword exploit chain uses six vulnerabilities: CVE-2025-31277 and CVE-2025-43529 for JavaScriptCore remote code execution via memory corruption, CVE-2026-20700 for user-mode PAC bypass, CVE-2025-14174 for WebContent sandbox escape via an ANGLE vulnerability, CVE-2025-43510 for GPU process exploitation via XNU memory management, and CVE-2025-43520 for kernel privilege escalation via a VFS race condition.", "spans": {"MALWARE: DarkSword": [[4, 13]], "CVE_ID: CVE-2025-31277": [[54, 68]], "CVE_ID: CVE-2025-43529": [[73, 87]], "CVE_ID: CVE-2026-20700": [[152, 166]], "CVE_ID: CVE-2025-14174": [[193, 207]], "CVE_ID: CVE-2025-43510": [[266, 280]], "CVE_ID: CVE-2025-43520": [[341, 355]]}, "info": {"id": "mandiant_00021", "source": "vendor_blogs"}}
{"text": "GHOSTKNIFE is a JavaScript backdoor with data exfiltration and surveillance capabilities. GHOSTSABER is a JavaScript backdoor supporting commands like device enumeration and file exfiltration. GHOSTBLADE is a JavaScript dataminer that collects personal data including iMessage, WhatsApp, and Telegram messages, location history, WiFi passwords, photos, notes, Safari history, and cryptocurrency wallet data.", "spans": {"MALWARE: GHOSTKNIFE": [[0, 10]], "MALWARE: GHOSTSABER": [[90, 100]], "MALWARE: GHOSTBLADE": [[193, 203]], "SYSTEM: iMessage": [[268, 276]], "SYSTEM: WhatsApp": [[278, 286]], "SYSTEM: Telegram": [[292, 300]], "SYSTEM: Safari": [[360, 366]]}, "info": {"id": "mandiant_00022", "source": "vendor_blogs"}}
{"text": "PARS Defense used ECDH and AES encryption for their DarkSword deployment. Delivery techniques included session storage checks to prevent re-infection, anti-debugging, obfuscation, and redirection to legitimate sites for masquerading. Apple patched all six vulnerabilities in iOS 26.3. Users should enable Apple Lockdown Mode for additional security against sophisticated exploit chains.", "spans": {"THREAT_ACTOR: PARS Defense": [[0, 12]], "MALWARE: DarkSword": [[52, 61]], "ORGANIZATION: Apple": [[234, 239], [305, 310]], "SYSTEM: iOS": [[275, 278]]}, "info": {"id": "mandiant_00023", "source": "vendor_blogs"}}
{"text": "CrowdStrike attributes the Axios npm package compromise to STARDUST CHOLLIMA with moderate confidence, based on deployment of updated ZshBucket malware variants uniquely attributed to this adversary and infrastructure overlaps with known STARDUST CHOLLIMA operations. Some infrastructure also connects to FAMOUS CHOLLIMA, preventing higher confidence attribution.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: STARDUST CHOLLIMA": [[59, 76], [238, 255]], "MALWARE: ZshBucket": [[134, 143]], "THREAT_ACTOR: FAMOUS CHOLLIMA": [[305, 320]]}, "info": {"id": "crowdstrike_00001", "source": "vendor_blogs"}}
{"text": "The ZshBucket variants showed significant enhancements including new cross-platform support for Linux, macOS, and Windows. The malware implemented a JSON-based messaging protocol across all variants with enhanced command capabilities including binary payload injection, script execution, filesystem enumeration, and remote termination. CrowdStrike assesses the adversary's objectives likely involve currency generation.", "spans": {"MALWARE: ZshBucket": [[4, 13]], "SYSTEM: Linux": [[96, 101]], "SYSTEM: macOS": [[103, 108]], "SYSTEM: Windows": [[114, 121]], "ORGANIZATION: CrowdStrike": [[336, 347]]}, "info": {"id": "crowdstrike_00002", "source": "vendor_blogs"}}
{"text": "On March 4, 2026, Europol announced the disruption of Tycoon2FA, a subscription-based phishing platform that enabled criminals to bypass multifactor authentication. Law enforcement from six countries seized 330 domains supporting the operation. CrowdStrike observed that despite the disruption, the platform quickly recovered to pre-disruption activity levels.", "spans": {"ORGANIZATION: Europol": [[18, 25]], "MALWARE: Tycoon2FA": [[54, 63]], "ORGANIZATION: CrowdStrike": [[245, 256]]}, "info": {"id": "crowdstrike_00003", "source": "vendor_blogs"}}
{"text": "The Tycoon2FA threat actors demonstrated adaptive capabilities by registering new domains using AI-generated phishing pages, acquiring additional IPv6 infrastructure from Romania-based ISP M247 Europe SRL, and continuing credential harvesting and session cookie theft at pre-disruption rates. Diverse phishing techniques included business email compromise and thread hijacking.", "spans": {"MALWARE: Tycoon2FA": [[4, 13]], "ORGANIZATION: M247 Europe SRL": [[189, 204]]}, "info": {"id": "crowdstrike_00004", "source": "vendor_blogs"}}
{"text": "CrowdStrike's engineering team discovered that 76 of 77 release tags for aquasecurity/trivy-action, a popular GitHub Action vulnerability scanner, were retroactively poisoned through git tag repointing. The legitimate entry point was replaced with malicious code that steals credentials before running the real scanner, making workflows appear normal.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "TOOL: trivy-action": [[86, 98]], "SYSTEM: GitHub": [[110, 116]]}, "info": {"id": "crowdstrike_00005", "source": "vendor_blogs"}}
{"text": "The malicious entrypoint.sh performed a five-stage credential theft operation. On hosted runners, it scraped process memory for secrets. On self-hosted runners, it collected SSH keys, cloud credentials, Kubernetes configs, Docker registry credentials, database credentials, TLS keys, and wallet keypairs. Data was encrypted using AES-256-CBC with RSA key wrapping.", "spans": {"SYSTEM: Kubernetes": [[203, 213]], "SYSTEM: Docker": [[223, 229]]}, "info": {"id": "crowdstrike_00006", "source": "vendor_blogs"}}
{"text": "The exfiltration used a primary channel to the typosquatted domain scan.aquasecurtiy.org with a fallback using GitHub release assets. Additionally, Trivy scanner version 0.69.4 dropped a stage-1 loader script that contacted a command-and-control server on the Internet Computer blockchain, allowing adversaries to rotate payloads at will.", "spans": {"DOMAIN: scan.aquasecurtiy.org": [[67, 88]], "TOOL: Trivy": [[148, 153]], "SYSTEM: GitHub": [[111, 117]]}, "info": {"id": "crowdstrike_00007", "source": "vendor_blogs"}}
{"text": "SentinelOne's incident response team documented multiple 2026 breaches involving compromised FortiGate firewalls. The attackers exploited critical vulnerabilities CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 to gain admin access and extract encrypted service account credentials from device configurations.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "SYSTEM: FortiGate": [[93, 102]], "CVE_ID: CVE-2025-59718": [[163, 177]], "CVE_ID: CVE-2025-59719": [[179, 193]], "CVE_ID: CVE-2026-24858": [[199, 213]]}, "info": {"id": "sentinelone_00001", "source": "vendor_blogs"}}
{"text": "In the first incident, the attacker created a backdoor admin account named support on the FortiGate device, extracted LDAP credentials, and used them to join rogue workstations to Active Directory. Network scanning triggered security alerts. In the second incident, the attacker created an ssl-admin account and authenticated as Domain Administrator within 10 minutes.", "spans": {"SYSTEM: FortiGate": [[90, 99]], "SYSTEM: Active Directory": [[180, 196]]}, "info": {"id": "sentinelone_00002", "source": "vendor_blogs"}}
{"text": "The attackers deployed legitimate remote management tools including Pulseway and MeshAgent via compromised cloud storage. They extracted the NTDS.dit database from the domain controller via shadow copy. SentinelOne recommends retaining 14 to 90 days of FortiGate logs forwarded to a SIEM and implementing User and Entity Behavior Analytics.", "spans": {"TOOL: Pulseway": [[68, 76]], "TOOL: MeshAgent": [[81, 90]], "FILEPATH: NTDS.dit": [[141, 149]], "ORGANIZATION: SentinelOne": [[203, 214]], "SYSTEM: FortiGate": [[253, 262]]}, "info": {"id": "sentinelone_00003", "source": "vendor_blogs"}}
{"text": "Germany moved to the forefront of European data leak targets in 2025, with German data leaks growing 92%, tripling the European average. The disruption of major ransomware groups like LockBit created a vacuum filled by mid-tier data leak site brands. Groups like SAFEPAY and Qilin gained prominence, with SAFEPAY claiming 76 German breaches representing 25% of all German victims in 2025.", "spans": {"MALWARE: LockBit": [[184, 191]], "THREAT_ACTOR: SAFEPAY": [[263, 270], [305, 312]], "THREAT_ACTOR: Qilin": [[275, 280]]}, "info": {"id": "mandiant_00024", "source": "vendor_blogs"}}
{"text": "AI-driven localization is eroding language barriers, enabling threat actors to shift from English-speaking nations to non-English markets. Manufacturing accounted for 23% of ransomware leaks, legal and professional services for 14%, construction and engineering for 11%, and retail for 10%. 96% of ransomware leaks affected organizations with fewer than 5,000 employees, making the German Mittelstand particularly attractive.", "spans": {}, "info": {"id": "mandiant_00025", "source": "vendor_blogs"}}
{"text": "Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025, compared to 78 in 2024 and 100 in 2023. Enterprise exploitation accounted for 48% of the total, with security and networking appliances targeted by 21 zero-days. Edge devices remain high-value targets due to limited endpoint detection and response coverage.", "spans": {"ORGANIZATION: Google Threat Intelligence Group": [[0, 32]]}, "info": {"id": "mandiant_00026", "source": "vendor_blogs"}}
{"text": "Commercial Surveillance Vendors now account for more zero-day exploits than traditional state-sponsored groups. PRC-nexus groups remain the most prolific with more than 10 zero-days in 2025. North Korean actors had zero attributed zero-days compared to 5 in 2024. Financially motivated groups exploited 9 zero-days, near the 2023 high. Common vulnerability types include memory corruption at 35%, particularly use-after-free.", "spans": {}, "info": {"id": "mandiant_00027", "source": "vendor_blogs"}}
{"text": "The CrowdStrike 2026 Global Threat Report identifies 2025 as the year of the evasive adversary. Average breakout time decreased to 29 minutes, 65% faster than 2024, with the fastest observed breakout at 27 seconds. There was an 89% increase in attacks by AI-enabled threat actors. 82% of detections involved no malware, with attackers using valid credentials and trusted identity flows.", "spans": {"ORGANIZATION: CrowdStrike": [[4, 15]]}, "info": {"id": "crowdstrike_00008", "source": "vendor_blogs"}}
{"text": "The report documented a 38% increase in China-nexus intrusions and a 130% increase in North Korea-nexus incidents. Cloud-conscious intrusions rose 37% overall and 266% among state actors. Fake CAPTCHA lure incidents surged 563%. CrowdStrike named 24 new adversaries, bringing the total tracked to over 281. One notable case involved $1.46 billion in cryptocurrency theft through trojanized software.", "spans": {"ORGANIZATION: CrowdStrike": [[229, 240]]}, "info": {"id": "crowdstrike_00009", "source": "vendor_blogs"}}
{"text": "The Google Threat Intelligence Group report documents how threat actors are integrating AI into their operations. Over 100,000 prompts were identified attempting to extract Gemini's reasoning capabilities through distillation attacks. Notable actors include APT42 from Iran, UNC2970 from North Korea, APT31 and UNC795 from China, and APT41, all using Gemini for reconnaissance, phishing, coding, and information operations.", "spans": {"ORGANIZATION: Google Threat Intelligence Group": [[4, 36]], "SYSTEM: Gemini": [[173, 179], [351, 357]], "THREAT_ACTOR: APT42": [[258, 263]], "THREAT_ACTOR: UNC2970": [[275, 282]], "THREAT_ACTOR: APT31": [[301, 306]], "THREAT_ACTOR: UNC795": [[311, 317]], "THREAT_ACTOR: APT41": [[334, 339]]}, "info": {"id": "mandiant_00028", "source": "vendor_blogs"}}
{"text": "HONESTCUE is a downloader that calls Gemini's API to generate C# code for executing second-stage malware. It uses .NET's CSharpCodeProvider to compile and execute payloads in memory, leaving no disk artifacts. COINBAIT is a phishing kit built using the Lovable AI platform, disguised as a cryptocurrency exchange, featuring complex React architecture.", "spans": {"MALWARE: HONESTCUE": [[0, 9]], "SYSTEM: Gemini": [[37, 43]], "MALWARE: COINBAIT": [[210, 218]]}, "info": {"id": "mandiant_00029", "source": "vendor_blogs"}}
{"text": "Xanthorox is marketed as a custom self-hosted AI for malware generation, but actually relies on jailbroken commercial APIs and open-source MCP servers. There is a growing black market for stolen AI API keys from vulnerable platforms. Tools like One API and New API are exploited for unauthorized API resale by threat actors.", "spans": {"TOOL: Xanthorox": [[0, 9]]}, "info": {"id": "mandiant_00030", "source": "vendor_blogs"}}
{"text": "Threat actors abuse AI sharing features to host malicious instructions on Gemini, ChatGPT, DeepSeek, CoPilot, and Grok. They create shareable links to infected chat transcripts in ClickFix campaigns. The campaigns distribute ATOMIC malware targeting macOS and Windows users, leveraging social engineering to trick users into executing terminal commands.", "spans": {"SYSTEM: Gemini": [[74, 80]], "SYSTEM: ChatGPT": [[82, 89]], "SYSTEM: DeepSeek": [[91, 99]], "SYSTEM: CoPilot": [[101, 108]], "SYSTEM: Grok": [[114, 118]], "MALWARE: ATOMIC": [[225, 231]], "SYSTEM: macOS": [[250, 255]], "SYSTEM: Windows": [[260, 267]]}, "info": {"id": "mandiant_00031", "source": "vendor_blogs"}}
{"text": "The M-Trends 2026 report from Mandiant is based on over 500,000 hours of frontline incident investigations conducted globally in 2025. Global median dwell time increased from 11 to 14 days. Cyber espionage and North Korean IT worker incidents averaged 122 days. Exploits remain the dominant initial infection vector at 32%, while voice phishing surged to 11% as the second most common vector.", "spans": {"ORGANIZATION: Mandiant": [[30, 38]]}, "info": {"id": "mandiant_00032", "source": "vendor_blogs"}}
{"text": "The time between initial access and secondary group handoff collapsed from over 8 hours in 2022 to just 22 seconds in 2025. Initial access partners now pre-stage malware for immediate operations. Email phishing dropped to 6% as organizations improved defenses. Voice phishing targets IT help desks to bypass MFA, compromising SaaS environments through stolen OAuth tokens and session cookies.", "spans": {}, "info": {"id": "mandiant_00033", "source": "vendor_blogs"}}
{"text": "Modern ransomware actively destroys recovery capabilities by targeting backup infrastructure, identity services, and virtualization management planes. Espionage groups target unmonitored edge devices including VPNs and routers with zero-day exploits. Custom in-memory malware like BRICKSTORM achieves dwell times near 400 days on compromised systems. Mandiant recommends treating low-impact alerts as critical indicators of imminent secondary intrusions.", "spans": {"MALWARE: BRICKSTORM": [[281, 291]], "ORGANIZATION: Mandiant": [[351, 359]]}, "info": {"id": "mandiant_00034", "source": "vendor_blogs"}}
{"text": "SentinelOne issued a threat assessment following United States and Israeli military strikes against Iranian targets. The organization evaluated potential cyber response patterns based on Iran's historical operations. At the time of publication, SentinelOne had not attributed significant malicious cyber activity directly to these recent events.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11], [245, 256]]}, "info": {"id": "sentinelone_00004", "source": "vendor_blogs"}}
{"text": "SentinelOne identified four primary Iranian cyber response vectors: espionage operations targeting defense, government, and intelligence networks through spearphishing and credential harvesting; disruptive tactics including deployment of wiper malware and DDoS attacks against critical infrastructure; disinformation campaigns across social platforms; and probing attacks against industrial control systems in the United States and Israel.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]]}, "info": {"id": "sentinelone_00005", "source": "vendor_blogs"}}
{"text": "Mandiant observed APT29, also known as Cozy Bear, conducting phishing campaigns using Microsoft 365 tokens stolen from compromised organizations. The group deployed a new variant of SUNSHUTTLE malware communicating over HTTPS with domains hosted on Cloudflare infrastructure. Indicators included connections to the domain solartrackingsystem.net and IP address 185.220.101.34.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT29": [[18, 23]], "THREAT_ACTOR: Cozy Bear": [[39, 48]], "SYSTEM: Microsoft 365": [[86, 99]], "MALWARE: SUNSHUTTLE": [[182, 192]], "SYSTEM: Cloudflare": [[249, 259]], "DOMAIN: solartrackingsystem.net": [[322, 345]], "IP_ADDRESS: 185.220.101.34": [[361, 375]]}, "info": {"id": "mandiant_00035", "source": "vendor_blogs"}}
{"text": "CrowdStrike tracks the financially motivated threat actor SCATTERED SPIDER, known for targeting Okta single sign-on environments and deploying ALPHV ransomware, also known as BlackCat. The group has been observed using social engineering to bypass MFA, gaining access to Citrix and VMware Horizon environments. Lateral movement relies on Cobalt Strike and Brute Ratel.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: SCATTERED SPIDER": [[58, 74]], "SYSTEM: Okta": [[96, 100]], "MALWARE: ALPHV": [[143, 148]], "MALWARE: BlackCat": [[175, 183]], "SYSTEM: Citrix": [[271, 277]], "SYSTEM: VMware Horizon": [[282, 296]], "TOOL: Cobalt Strike": [[338, 351]], "TOOL: Brute Ratel": [[356, 367]]}, "info": {"id": "crowdstrike_00010", "source": "vendor_blogs"}}
{"text": "The Lazarus Group, tracked by CrowdStrike as LABYRINTH CHOLLIMA, deployed a trojanized version of PuTTY containing the AIRDRY.V2 backdoor. The malware was distributed via fake job interviews on LinkedIn. Once executed, AIRDRY.V2 contacted the domain amazonhealthcarejobs.com on port 443 and established a reverse shell using the Windows API function CreateProcessW.", "spans": {"THREAT_ACTOR: Lazarus Group": [[4, 17]], "ORGANIZATION: CrowdStrike": [[30, 41]], "THREAT_ACTOR: LABYRINTH CHOLLIMA": [[45, 63]], "TOOL: PuTTY": [[98, 103]], "MALWARE: AIRDRY.V2": [[119, 128], [219, 228]], "SYSTEM: LinkedIn": [[194, 202]], "DOMAIN: amazonhealthcarejobs.com": [[250, 274]], "SYSTEM: Windows": [[329, 336]]}, "info": {"id": "crowdstrike_00011", "source": "vendor_blogs"}}
{"text": "Mandiant investigated an intrusion by APT28, also known as Fancy Bear and FOREST BLIZZARD, exploiting CVE-2025-23397 in Microsoft Exchange Server. The attackers deployed a web shell at C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\update.aspx and used Impacket for lateral movement. The hash 3b4a6f7c8d2e1a9b5c0d7e8f2a4b6c9d was associated with the deployed backdoor.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT28": [[38, 43]], "THREAT_ACTOR: Fancy Bear": [[59, 69]], "THREAT_ACTOR: FOREST BLIZZARD": [[74, 89]], "CVE_ID: CVE-2025-23397": [[102, 116]], "SYSTEM: Microsoft Exchange Server": [[120, 145]], "FILEPATH: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\update.aspx": [[185, 240]], "TOOL: Impacket": [[250, 258]], "HASH: 3b4a6f7c8d2e1a9b5c0d7e8f2a4b6c9d": [[290, 322]]}, "info": {"id": "crowdstrike_00012", "source": "vendor_blogs"}}
{"text": "SentinelOne researchers analyzed the FIN7 threat group's latest campaign deploying Carbanak malware through malicious Google Ads impersonating legitimate software downloads. The group used PowerShell scripts to disable Windows Defender and installed AnyDesk for persistent remote access. Exfiltrated data was uploaded to a Mega.nz account via the MEGAcmd command-line tool.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: FIN7": [[37, 41]], "MALWARE: Carbanak": [[83, 91]], "SYSTEM: Windows Defender": [[219, 235]], "TOOL: AnyDesk": [[250, 257]], "TOOL: MEGAcmd": [[347, 354]], "SYSTEM: PowerShell": [[189, 199]]}, "info": {"id": "sentinelone_00006", "source": "vendor_blogs"}}
{"text": "The Volt Typhoon threat actor, attributed to the People's Republic of China, maintained persistent access to United States critical infrastructure by living off the land. The group used built-in Windows tools including netsh, wmic, and ntdsutil to avoid detection. They exploited CVE-2024-21887 in Ivanti Connect Secure VPN appliances to gain initial access.", "spans": {"THREAT_ACTOR: Volt Typhoon": [[4, 16]], "SYSTEM: Windows": [[195, 202]], "TOOL: netsh": [[219, 224]], "TOOL: wmic": [[226, 230]], "TOOL: ntdsutil": [[236, 244]], "CVE_ID: CVE-2024-21887": [[280, 294]], "SYSTEM: Ivanti Connect Secure": [[298, 319]]}, "info": {"id": "mandiant_00036", "source": "vendor_blogs"}}
{"text": "Trend Micro researchers discovered that the Akira ransomware group exploited CVE-2025-40711 in SonicWall SMA 100 devices for initial access. After establishing a foothold, the attackers disabled endpoint protection and deployed Akira ransomware using a batch script that invoked wmic to propagate across the network. The ransom note directed victims to a Tor-based payment portal.", "spans": {"MALWARE: Akira": [[44, 49], [228, 233]], "ORGANIZATION: Trend Micro": [[0, 11]], "CVE_ID: CVE-2025-40711": [[77, 91]], "SYSTEM: SonicWall SMA 100": [[95, 112]], "TOOL: wmic": [[279, 283]]}, "info": {"id": "trendmicro_00001", "source": "vendor_blogs"}}
{"text": "CrowdStrike identified AQUATIC PANDA conducting espionage operations against telecommunications providers in Southeast Asia. The group exploited vulnerable Apache Log4j instances using CVE-2021-44228 to deploy ShadowPad malware. Post-exploitation activities included dumping credentials with Mimikatz, establishing persistence through scheduled tasks, and exfiltrating data via DNS tunneling using the tool dnscat2.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: AQUATIC PANDA": [[23, 36]], "SYSTEM: Apache Log4j": [[156, 168]], "CVE_ID: CVE-2021-44228": [[185, 199]], "MALWARE: ShadowPad": [[210, 219]], "TOOL: Mimikatz": [[292, 300]], "TOOL: dnscat2": [[407, 414]]}, "info": {"id": "crowdstrike_00013", "source": "vendor_blogs"}}
{"text": "Google TAG observed the Sandworm group, also tracked as FROZENBARENTS, deploying CaddyWiper against Ukrainian energy infrastructure. The group exploited compromised VPN credentials to access industrial control systems running Siemens SIMATIC S7 PLCs. The attackers used SSH tunnels through compromised Linux servers and deployed custom scripts targeting OPC UA protocol endpoints.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Sandworm": [[24, 32]], "THREAT_ACTOR: FROZENBARENTS": [[56, 69]], "MALWARE: CaddyWiper": [[81, 91]], "SYSTEM: Siemens SIMATIC S7": [[226, 244]], "SYSTEM: Linux": [[302, 307]]}, "info": {"id": "mandiant_00037", "source": "vendor_blogs"}}
{"text": "The Cl0p ransomware group exploited a zero-day vulnerability CVE-2025-34362 in MOVEit Transfer to steal data from hundreds of organizations. Affected organizations included Shell, British Airways, the BBC, and Ernst & Young. The stolen data was posted on the Cl0p leak site accessible via Tor. Mandiant attributed the activity to FIN11, a financially motivated group with ties to the TA505 threat cluster.", "spans": {"MALWARE: Cl0p": [[4, 8], [259, 263]], "CVE_ID: CVE-2025-34362": [[61, 75]], "SYSTEM: MOVEit Transfer": [[79, 94]], "ORGANIZATION: Shell": [[173, 178]], "ORGANIZATION: British Airways": [[180, 195]], "ORGANIZATION: BBC": [[201, 204]], "ORGANIZATION: Ernst & Young": [[210, 223]], "ORGANIZATION: Mandiant": [[294, 302]], "THREAT_ACTOR: FIN11": [[330, 335]], "THREAT_ACTOR: TA505": [[384, 389]]}, "info": {"id": "mandiant_00038", "source": "vendor_blogs"}}
{"text": "Recorded Future's Insikt Group reported that the Kimsuky threat actor, also known as VELVET CHOLLIMA, used spearphishing emails with weaponized HWP documents targeting South Korean government officials. The malware dropper connected to the domain login.daum-protect.pe.hu and downloaded a second-stage payload to C:\\Users\\Public\\Documents\\update.exe. 
Persistence was achieved via a registry run key.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Kimsuky": [[49, 56]], "THREAT_ACTOR: VELVET CHOLLIMA": [[85, 100]], "DOMAIN: login.daum-protect.pe.hu": [[247, 271]], "FILEPATH: C:\\Users\\Public\\Documents\\update.exe": [[313, 349]]}, "info": {"id": "recordedfuture_00001", "source": "vendor_blogs"}} {"text": "Trend Micro documented a campaign by the Mustang Panda threat group deploying PlugX malware via USB propagation. The malware used DLL side-loading through a legitimate Adobe Reader executable to load a malicious DLL from the path %APPDATA%\\Adobe\\AcroRd32.dll. Command-and-control communications were sent to the domain update.microsoftdata.net over port 443.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Mustang Panda": [[41, 54]], "MALWARE: PlugX": [[78, 83]], "SYSTEM: Adobe Reader": [[168, 180]], "FILEPATH: %APPDATA%\\Adobe\\AcroRd32.dll": [[230, 258]], "DOMAIN: update.microsoftdata.net": [[319, 343]]}, "info": {"id": "trendmicro_00002", "source": "vendor_blogs"}} {"text": "SentinelOne's SentinelLabs team analyzed a new variant of the BPFDoor backdoor targeting Linux servers in the telecommunications and financial sectors across the Middle East and Asia. The malware uses Berkeley Packet Filters to intercept network traffic at the kernel level, evading traditional detection. Indicators included the hash a4b3c2d1e0f9876543210fedcba98765 and connections to IP address 103.56.53.120.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "MALWARE: BPFDoor": [[62, 69]], "SYSTEM: Linux": [[89, 94]], "HASH: a4b3c2d1e0f9876543210fedcba98765": [[335, 367]], "IP_ADDRESS: 103.56.53.120": [[398, 411]]}, "info": {"id": "sentinelone_00007", "source": "vendor_blogs"}} {"text": "The MuddyWater threat group, attributed to Iran's Ministry of Intelligence and Security, deployed a new backdoor called PhonyC2 against Israeli organizations. 
The malware was delivered via phishing emails containing malicious Excel macros. PhonyC2 communicates with the domain connect.civilstream.com using HTTPS POST requests. The backdoor supports file upload, download, and arbitrary command execution on compromised Windows hosts.", "spans": {"THREAT_ACTOR: MuddyWater": [[4, 14]], "MALWARE: PhonyC2": [[120, 127], [240, 247]], "DOMAIN: connect.civilstream.com": [[277, 300]], "SYSTEM: Windows": [[420, 427]]}, "info": {"id": "mandiant_00039", "source": "vendor_blogs"}} {"text": "CrowdStrike's Falcon OverWatch team observed WICKED PANDA deploying the KEYPLUG backdoor on compromised Linux servers running VMware vCenter. The malware used the WebSocket protocol for command-and-control communication with infrastructure hosted on Alibaba Cloud. The group also deployed a custom rootkit to hide network connections and process listings from system administrators.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: WICKED PANDA": [[45, 57]], "MALWARE: KEYPLUG": [[72, 79]], "SYSTEM: Linux": [[104, 109]], "SYSTEM: VMware vCenter": [[126, 140]], "SYSTEM: Alibaba Cloud": [[250, 263]]}, "info": {"id": "crowdstrike_00014", "source": "vendor_blogs"}} {"text": "Mandiant investigated a supply chain compromise attributed to UNC4736, a North Korean threat actor. The attackers trojanized the 3CX Desktop App installer, embedding the TAXHAUL malware loader and COLDCAT backdoor. The compromised application was signed with a valid 3CX certificate. 
Downstream payload was fetched from the domain raw.githubusercontent.com masquerading as legitimate GitHub content delivery.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: UNC4736": [[62, 69]], "SYSTEM: 3CX Desktop App": [[129, 144]], "MALWARE: TAXHAUL": [[170, 177]], "MALWARE: COLDCAT": [[197, 204]], "DOMAIN: raw.githubusercontent.com": [[331, 356]], "SYSTEM: GitHub": [[384, 390]]}, "info": {"id": "mandiant_00040", "source": "vendor_blogs"}} {"text": "Trend Micro identified a new campaign by the Earth Lusca threat group targeting government entities in Asia using the SprySOCKS Linux backdoor. Initial access was achieved through exploitation of CVE-2024-36401 in GeoServer. The malware communicates with command-and-control servers using a custom protocol over TLS, with connections observed to 45.32.101.191 on port 8443.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Earth Lusca": [[45, 56]], "MALWARE: SprySOCKS": [[118, 127]], "SYSTEM: Linux": [[128, 133]], "CVE_ID: CVE-2024-36401": [[196, 210]], "SYSTEM: GeoServer": [[214, 223]], "IP_ADDRESS: 45.32.101.191": [[346, 359]]}, "info": {"id": "trendmicro_00003", "source": "vendor_blogs"}} {"text": "Recorded Future observed Turla, the Russian cyber espionage group also tracked as VENOMOUS BEAR, using compromised Starlink terminals as command-and-control relay points in Ukraine. The group deployed an updated version of the Snake implant that uses named pipes for inter-process communication and encrypts all traffic with ChaCha20. 
Network indicators included the domain cdn-analytics.cloud-delivery.net.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Turla": [[25, 30]], "THREAT_ACTOR: VENOMOUS BEAR": [[82, 95]], "SYSTEM: Starlink": [[115, 123]], "MALWARE: Snake": [[227, 232]], "DOMAIN: cdn-analytics.cloud-delivery.net": [[374, 406]]}, "info": {"id": "recordedfuture_00002", "source": "vendor_blogs"}} {"text": "Google Threat Analysis Group disrupted a campaign by COLDRIVER, a Russian threat actor also known as Star Blizzard, that targeted NGOs and former intelligence officials with credential phishing. The group used Proton Mail accounts to deliver PDF lures containing encrypted content, directing victims to a phishing domain mimicking Proton Drive at proton-docs.services to capture credentials.", "spans": {"ORGANIZATION: Google Threat Analysis Group": [[0, 28]], "THREAT_ACTOR: COLDRIVER": [[53, 62]], "THREAT_ACTOR: Star Blizzard": [[101, 114]], "SYSTEM: Proton Mail": [[210, 221]], "DOMAIN: proton-docs.services": [[347, 367]]}, "info": {"id": "mandiant_00041", "source": "vendor_blogs"}}