Matt Lin (@mahlerware) 's Twitter Profile
Matt Lin

@mahlerware

incident response @google @mandiant

ID: 1132113667724599296

Joined 25-05-2019 02:38:26

368 Tweets

235 Followers

687 Following

Mark Karayan (@mgkarayan):

In 2014, John Hultquist named a Russian hacking group "Sandworm".

Today, Mandiant graduates it to APT44 & reveals the online persona they created, CyberArmyofRussia, disrupted U.S. and Polish water utilities, as well as a dam in France.

Full report: services.google.com/fh/files/misc/…

Andrew Morris (afk) (@andrew___morris):

Great report from our brothers and sisters in arms at Mandiant (part of Google Cloud). I can deeply, DEEPLY corroborate the opening line. Attackers are investing in evasion and we're seeing that (and, sometimes, NOT seeing it) in GreyNoise.

780th Military Intelligence Brigade (Cyber) (@780thc):

Uncharmed: Untangling Iran's APT42 Operations | APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. cloud.google.com/blog/topics/th… Mandiant (part of Google Cloud)

Mark Karayan (@mgkarayan):

Iranian hackers from APT42 are impersonating journalists in social engineering campaign. Build rapport -> steal credentials -> bypass MFA -> access the victims’ cloud environments and steal data from OneDrive and Outlook emails.

Sandra Joyce (@jumpforjoyce):

I’m so proud we got here. Google Threat Intelligence is a powerful combo of Google tech and scale, Mandiant Intelligence, VirusTotal and so much more. There’s nothing else like it…enjoy. Google Cloud Mandiant (part of Google Cloud) VirusTotal cloud.google.com/blog/products/…

Google Cloud Security (@googlecloudsec):

Ryan Naraine This is a particular offering. Note that TAG is very much an important part of Google, as is its mission to counter threats to Alphabet and its billions of users.

VirusTotal (@virustotal):

Hunt APTs by their images & artifacts! New blog on tracking adversaries using delivery-stage intel by Joseliyo: blog.virustotal.com/2024/05/tracki…

Austin Larsen (@austinlarsen_):

Great progress from the Chrome team imposing cost on infostealers. With the recent #UNC5537 campaign targeting Snowflake customers, this is a timely addition to Chrome. Enhanced protection and detection will likely force infostealer devs to rewrite their malware.

Nick Carr (@itsreallynick):

Security Advisory: Ivanti Connect Secure, Policy Secure & ZTA Gateways
1️⃣ CVE-2025-0282
CVSS 9.0 (Critical)
⚠️ Exploited in-the-wild
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons

CISA Cyber (@cisacyber):

#Ivanti released security updates to address CVE-2025-0282—being actively exploited—and CVE-2025-0283, affecting Connect Secure, Policy Secure, and ZTA Gateways. See our Alert for mitigation guidance to help reduce your exposure: bit.ly/4fYrMqQ

Austin Larsen (@austinlarsen_):

🚨 New: Zero-day vulnerability CVE-2025-0282 in Ivanti Connect Secure VPN is being actively exploited, including by suspected 🇨🇳 China-nexus cyber espionage groups. Our team at Mandiant (part of Google Cloud) in partnership with Ivanti just published our initial findings. 🧵 cloud.google.com/blog/topics/th…

John (@big_bad_w0lf_):

🔥new blog detailing 0day exploitation of Ivanti appliances as well as newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN malware ecosystem tied to China nexus cluster UNC5337. cloud.google.com/blog/topics/th…

Thomas Roccia 🤘 (@fr0gger_):

We have great candidates for the #UnprotectProject Linux edition Jean-Pierre LESUEUR 🧐

Great writeup on the latest Ivanti zero-day 👇

cloud.google.com/blog/topics/th…

Elijah Woodward (@elijahwoodward9):

The Mandiant blog for CVE-2025-0282 (Ivanti Connect Secure, aka pulse vpn) has some pretty spicy tidbits. The anti forensics are 🔥🔥🔥

Mandiant (part of Google Cloud) (@mandiant):

🚨 #IvantiConnectSecure VPN Zero-Day (CVE-2025-0282) actively exploited since Dec. 2024!

Learn about our initial investigations: bit.ly/4gOYzja

#Cybersecurity #ZeroDay #ThreatIntel

koeppelmann.eth 🦉💳 (@koeppelmann):

For the benefit of the whole industry we are sharing this report: Summary: Only very few machines had access. Initial compromise happened through a supply chain attack via a privileged docker image doing "yaml load" from disguised but malicious sources. From there privileges were

Austin Larsen (@austinlarsen_):

🚨 Following a months-long investigation stemming back to mid-2024, Mandiant (part of Google Cloud) just published details on a campaign by China-nexus actor UNC3886 targeting Juniper routers. Our investigation uncovered a custom malware ecosystem on end-of-life Juniper MX devices.

Mandiant (part of Google Cloud) (@mandiant):

🚨 Ivanti Vulnerability (CVE-2025-22457) Actively Exploited

Mandiant & Ivanti discovered active exploitation of a critical buffer overflow vulnerability in Ivanti Connect Secure VPN, leading to remote code execution.

Patch now to secure your systems: bit.ly/4iTpKdD

Austin Larsen (@austinlarsen_):

Our team at Mandiant (part of Google Cloud) just published urgent research on an espionage campaign by China-nexus actors using the BRICKSTORM backdoor. They’ve been in victim networks undetected for over a year, targeting tech & legal sectors for IP theft and intel on US trade and national security.
