Tag: Threat Intelligence
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)
Written by: Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, Choon Kiat Ng In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging sample machine keys that had been exposed in Sitecore deployment…
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Written by: Austin Larsen, Matt Lin, Tyler McLellan, Omar ElAhdan Introduction Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early…
Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats
Written by: Patrick Whitsell In March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the PRC-nexus threat actor UNC6384. The campaign targeted diplomats in Southeast Asia and other entities globally. GTIG assesses this was likely…
A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor
Written by: Marco Galli Welcome to the Frontline Bulletin Series Straight from Mandiant Threat Defense, the “Frontline Bulletin” series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to…
From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944
Introduction In mid-2025, Google Threat Intelligence Group (GTIG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with…
Beyond Convenience: Exposing the Risks of VMware vSphere Active Directory Integration
Written by: Stuart Carrera, Brian Meyer Executive Summary Broadcom’s VMware vSphere product remains a popular choice for private cloud virtualization, underpinning critical infrastructure. Far from fading, organizations continue to rely heavily on vSphere for stability and control. We’re also seeing…
Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience
Written by: Jaysn Rye Executive Summary As adversaries grow faster, stealthier, and more destructive, traditional recovery strategies are increasingly insufficient. Mandiant’s M-Trends 2025 report reinforces this shift, highlighting that ransomware operators now routinely target not just production systems but also…
Protecting the Core: Securing Protection Relays in Modern Substations
Written by: Seemant Bisht, Chris Sistrunk, Shishir Gupta, Anthony Candarini, Glen Chason, Camille Felx Leduc Introduction — Why Securing Protection Relays Matters More Than Ever Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its…
What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
Written by: Gabby Roncone, Wesley Shields In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted…