Written by: Wesley Shields Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files…
Category: Threat Intelligence
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
Background UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to…
Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98…
M-Trends 2025: Data, Insights, and Recommendations From the Frontlines
One of the ways threat actors keep up with the constantly evolving cyber defense landscape is by raising the level of sophistication of their attacks. This trend can be seen across many of our engagements, particularly when…
Windows Remote Desktop Protocol: Remote to Rogue
Written by: Rohit Nambiar Executive Summary In October 2024, Google Threat Intelligence Group (GTIG) observed a novel phishing campaign targeting European government and military organizations that was attributed to a suspected Russia-nexus espionage actor we track as UNC5837. The campaign…
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow…
DPRK IT Workers Expanding in Scope and Scale
Written by: Jamie Collier Since our September 2024 report outlining the Democratic People’s Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations has continued to expand. These individuals pose as legitimate remote workers to infiltrate…