// latest
Blog
KnowledgeDeliver Zero-Day: When Hard-Coded Keys Break Every Deployment
GTIG and Mandiant detail active exploitation of CVE-2026-5426, an unauthenticated RCE in the KnowledgeDeliver LMS. Identical hard-coded ASP.NET machineKey values let attackers forge ViewState payloads against any internet-facing instance, deploying the BLUEBEAM web shell and Cobalt Strike BEACON.
Inside BlackFile: Vishing, AiTM, and the Cybercrime Brand Game
GTIG's new research on UNC6671, operating under the BlackFile brand, exposes one of the most prolific and underreported vishing extortion crews of 2026. AiTM passkey lures, SSO compromise, and quiet log evasion tactics across Microsoft 365, Okta, Salesforce, and Zendesk.
Adversaries Are Industrializing AI Across the Attack Lifecycle
GTIG's Q2 2026 AI Threat Tracker documents the first observed cybercrime threat actor using a zero-day developed with AI assistance, plus PROMPTSPY, CANFAIL, LONGSTREAM, and supply chain attacks on AI integration libraries.
Open Source Supply Chain Attacks Are Not Slowing Down
A single day of supply chain activity across PyPI, npm, and Docker Hub — Xinference, Namastex.ai, Checkmarx KICS, and BitWarden all hit.
// threat intelligence
Research
Welcome to BlackFile: Inside a Vishing Extortion Operation
UNC6671, operating under the BlackFile brand, runs a high-cadence vishing and SSO compromise campaign using AiTM techniques to bypass MFA and exfiltrate data from Microsoft 365 and Okta environments for extortion.
Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
How defenders should rebuild vulnerability management programs as AI models surface exploitable bugs faster than most organizations can triage them.
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
DPRK-nexus actor UNC1069 compromised the widely used Axios npm package to stage payloads against downstream developers in a targeted supply chain attack.
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Tracking the expansion of ShinyHunters-branded vishing operations targeting SaaS platforms for data theft and downstream extortion.
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Multiple threat clusters rapidly weaponized CVE-2025-55182 in React-based applications for initial access and command execution.
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
CL0P-linked actors exploited an Oracle E-Business Suite zero-day at scale to steal customer data and run a widespread extortion campaign.
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Attackers abused compromised Salesloft Drift OAuth tokens to pivot into hundreds of Salesforce instances and exfiltrate customer data at scale.
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
UNC5537 leveraged stolen credentials to compromise Snowflake customer instances, stealing data from roughly 165 organizations in one of 2024's largest extortion campaigns.
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Post-exploitation case studies from Ivanti Connect Secure intrusions showing how attackers pivoted from the VPN into full domain compromise.
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
Initial access brokers chained CVE-2023-46747 in F5 BIG-IP and ScreenConnect vulnerabilities to establish footholds later handed off to ransomware operators.
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
China-nexus UNC5325 abused Ivanti Connect Secure zero-days to deploy novel malware and maintain persistence through factory resets and upgrades.
Assessed Cyber Structure and Alignments of North Korea in 2023
Assessed reorganization and alignments of North Korean cyber units in 2023, tying operations back to RGB, MSS, and MoD reporting structures.
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
Deep dive into UNC4841 operations following CVE-2023-2868 remediation, including new malware families and attempts to maintain access on patched appliances.
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack
DPRK actor compromised JumpCloud to reach a narrow set of downstream cryptocurrency customers, marking a deliberate and targeted supply chain operation.
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
Suspected China-nexus actor exploited CVE-2023-2868 in Barracuda ESG appliances globally for espionage, with activity dating back months before public disclosure.
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
A threat actor combined SIM swapping with abuse of the Azure Serial Console to gain privileged access to cloud-hosted virtual machines.
// press & coverage
Media
North Korean cyber attacks have become smarter with AI: what are the three things Google warned about?
CyberScoop50 Award
Canadian Man Arrested in Snowflake Data Extortions
How the FBI and Mandiant caught a serial hacker who tried to fake his own death
The Walls Are Closing In on the Snowflake Hacker
2023 Annual Report to Congress
JumpCloud Blames North Korean Hackers for Breach
China hacking claims: Google Mandiant
- BankInfoSecurity, "Flurry of Supply-Chain Software Library Attacks": Investigate for any exposure and rotate any potentially compromised credentials.
- Let's Data Science, "Vercel Got Breached Through an AI Tool. The AI Tool Got Breached Through Roblox Cheats.": Austin Larsen, with Google's Threat Intelligence Group, later assessed the ShinyHunters attribution as likely coming from 'an imposter attempting to use an established name.'
- CyberScoop, "Vercel's security breach started with malware disguised as Roblox cheats": A group claiming to be ShinyHunters has taken responsibility for the attack. However, it is likely this is an imposter attempting to use an established name to inflate their notoriety. Regardless of the threat actor involved, the exposure risk is real.
- GovInfoSecurity, "Vercel Traces Customer Data Theft to Agentic AI Tool Breach": If your organization relies on their infrastructure, I strongly recommend you start looking into this immediately. A group claiming to be ShinyHunters has taken responsibility for this breach. However, it is likely this is an imposter attempting to use an established name to inflate their notoriety.
- Cyber Magazine, "Axios Breach Fallout: OpenAI's MacOS App Updates Explained": UNC1069 isn't the only threat actor that has launched successful open-source supply chain attacks in recent weeks. Other groups, such as TeamPCP (UNC6780), have recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.
- Hackread, "UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign": This group might be linked to an individual using the name Raccoon.
- SC Magazine, "Actor tied to Raccoon targets 'several dozen' companies by exploiting BPOs and helpdesks": UNC6783 primarily focuses on compromising business process outsourcers...
- The Register, "'Several dozen' orgs targeted by a new extortion crew": UNC6783 primarily focuses on compromising business process outsourcers...
- BleepingComputer, "Google: New UNC6783 hackers steal corporate Zendesk support tickets": The phishing kit deployed in these attacks can steal clipboard contents to bypass multi-factor authentication (MFA) protection, enabling the attacker to register their device with the organization.
- Cybersecurity Dive, "Threat cluster launches extortion campaign using social engineering": The hackers have used a live chat to direct employees to malicious Okta login pages.
- DevOps.com, "North Korean Hackers Suspected in Supply Chain Attack on Popular Axios Project": GTIG attributed the axios npm supply chain attack to UNC1069, a financially motivated North Korean threat actor tracked since 2018.
- Dataconomy, "The Axios Breach Shows How Fragile The Npm Supply Chain Remains": Austin Larsen, principal threat analyst at GTIG, cautioned that users who downloaded axios versions 1.14.1 and 1.30.4 may have inadvertently introduced malicious code into their environments.
- Cyber Magazine, "GTIG: How Did North Korean Hackers Compromise Axios?": The impact of this attack is broad and has significant ripple effects, as countless other popular packages rely on axios as a dependency. 2026 is quickly shaping up to be the year of the supply chain.
- Cybersecurity Dive, "Axios open-source library targeted in sophisticated supply chain attack": Anyone that pulled axios@1.14.1 or axios@1.30.4 could have unwittingly executed a backdoor payload using the malicious dependency.
- Infosecurity Magazine, "Hackers Hijack Axios NPM Package": Austin urged security teams to check lockfiles, hunt for IOCs across developer machines and CI/CD infrastructure, and rotate credentials. GTIG attributed the activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018.
- CyberScoop, "Chinese Hackers Exploited a Dell Zero-Day for 18 Months Before Anyone Noticed": Austin Larsen, principal analyst at GTIG, told CyberScoop about the scope of the long-running intrusion campaign targeting VMware and Dell infrastructure.
- Cybersecurity Dive, "Hackers Exploit Zero-Day Flaw in Dell RecoverPoint for Virtual Machines": Larsen said they are aware of less than a dozen impacted organizations, but warned that the true number of victims is likely far higher.
- Cyber Magazine, "DarkSword Spyware: Is Your iPhone Watching You?": Since November 2025, commercial surveillance vendors and suspected state-sponsored actors have leveraged DarkSword in distinct campaigns. GTIG has uncovered an exploit chain that can exfiltrate data, take screenshots, and record voice from infected devices.
- CyberScoop, "Officials Warn About Expansive, Ongoing China Espionage Threat Riding on Brickstorm Malware": We believe dozens of organizations in the United States are currently compromised and don't know it.
- Cybersecurity Dive, "China-Nexus Actor Targets Multiple US Entities with Brickstorm Malware": The goal of this long-running campaign is to steal sensitive data from high-value targets in the technology and legal sectors.
- The Register, "Gainsight CEO Downplays Breach, Says Only a 'Handful' of Customers Had Data Stolen": GTIG is aware of more than 200 Salesforce instances that were compromised as a result of this campaign.
- CSO Online, "OAuth token compromise hits Salesforce ecosystem again, Gainsight impacted": Austin identified the Gainsight OAuth compromise as likely related to UNC6240 (ShinyHunters), with the earlier Salesloft Drift breach exposing approximately 760 companies.
- TechCrunch, "Google says hackers stole data from 200 companies following Gainsight breach": GTIG is aware of more than 200 potentially affected Salesforce instances following the Gainsight breach, with Scattered Lapsus$ / ShinyHunters claiming responsibility.
- TechRadar, "Google security experts say Gainsight hacks may have left hundreds of companies affected": Austin's team at GTIG identified more than 200 potentially affected Salesforce instances following the Gainsight breach, attributing the activity to UNC6240 (ShinyHunters).
- CyberScoop, "Hundreds of Salesforce customers hit by yet another third-party vendor breach": Austin's team at GTIG tracked the expanding Salesforce ecosystem breaches from Salesloft Drift through Gainsight, attributing the campaign to UNC6240.
- Help Net Security, "Salesforce investigates new incident echoing Salesloft Drift compromise": Salesforce and Mandiant actively notified potentially affected organizations regarding the Gainsight OAuth token compromise echoing the earlier Salesloft Drift breach.
- The Register, "Salesforce flags another third-party security incident": Austin told The Register the Gainsight activity is 'likely related to UNC6240 (aka ShinyHunters),' connecting it to the broader Salesforce ecosystem targeting campaign.
- Cybersecurity Dive, "Hackers claiming ties to Clop launch wide extortion campaign targeting corporate executives": Austin's investigation revealed a widespread extortion campaign exploiting an Oracle E-Business Suite zero-day, with hackers claiming ties to Clop targeting over 100 organizations.
- Krebs on Security, "ShinyHunters Wage Broad Corporate Extortion Spree": Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using an encrypted channel.
- IT Pro, "Google warns executives are being targeted for extortion with leaked Oracle data": Austin warned that threat actors were using stolen Oracle E-Business Suite data to target corporate executives in extortion campaigns.
- Reuters, "Google says dozens of organizations affected by Oracle-linked hacking campaign": Austin's team at GTIG tracked the Oracle E-Business Suite zero-day exploitation campaign, identifying dozens of victim organizations across multiple sectors and attributing the extortion operation to a financially motivated threat actor.
- U.S. News, "Google Says 'Dozens of Organizations' Affected by Oracle-Linked Hacking Campaign": Austin told Reuters that Google was 'aware of dozens of victims, but we expect there are many more. Based on the scale of previous CLOP campaigns, it is likely there are over a hundred.'
- Bloomberg, "'Most Prevalent' Chinese Hacking Group Targets Tech, Law Firms": We believe many organizations are compromised right now and don't know it.
- CyberScoop, "Brickstorm malware powering 'next-level' Chinese cyberespionage campaign": Austin said 'We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims.'
- BankInfoSecurity, "Salesloft Drift Attacks Exposed Zscaler Customer Data": Austin's GTIG analysis revealed the Salesloft Drift supply chain attack exposed data from major enterprises including Zscaler through compromised OAuth tokens.
- The Record, "Salesloft: Hacker Broke into Systems in March Through GitHub Account": They are aware of at least 700 victims, with that number expected to grow significantly as the investigation continues.
- SC Media, "Cyber Group Demands Google Fire Two Staff": The ultimatum specifically named Austin Larsen and Mandiant CTO Charles Carmakal, demanding Google terminate both or face a major data leak.
- Krebs on Security, "The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft": Austin Larsen, a principal threat analyst at Google's Threat Intelligence Group, detailed the scope of downstream customer exposure from the Salesloft breach.
- Newsweek, "Hackers Issue Ultimatum in Data Breach": Hackers threatened to leak Google databases unless the company fired two employees and suspended Google Threat Intelligence Group investigations.
- CyberScoop, "Salesloft Drift Compromised en Masse, Impacting All Third-Party Integrations": This just really blows wide open the scope here.
- The Hacker News, "Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data": In these attacks, the threat actors have been observed exporting large volumes of data from Salesforce instances belonging to Salesloft customers.
- BleepingComputer, "Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks": Austin's GTIG research revealed threat actors stole OAuth tokens from Salesloft's Drift AI chat integration, gaining direct API access to customers' Salesforce data across hundreds of organizations.
- The Register, "Here's what we know about the Snowflake data theft suspects": Austin told The Register that whoever was behind the Snowflake thefts 'has proven to be one of the most consequential threat actors of 2024.'
- Infosecurity Magazine, "Snowflake Hacking Suspect Arrested in Canada": Mandiant's investigation led by Austin tracked UNC5537's campaign that systematically compromised over 100 Snowflake customer instances for data theft and extortion.
- SecurityWeek, "Canadian Authorities Arrest Suspected Snowflake Hacker": Austin told SecurityWeek the Snowflake operation 'highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools.'
- 404 Media, "Suspected Snowflake Hacker Arrested in Canada": Austin's investigation into UNC5537's sprawling Snowflake breach campaign helped build the evidence trail that culminated in the arrest of the suspected hacker in Canada.
- CyberScoop, "Hacker behind Snowflake customer data breaches remains active": Austin said during his LABScon presentation that the Snowflake hacker 'continues to target software-as-a-service providers and other entities as recently as today.'
- The Register, "Over 165 Snowflake customers didn't use MFA, says Mandiant": Austin investigated the possibility that UNC5537 collaborated with UNC3944 on at least one past intrusion, highlighting the expanding scope of the Snowflake campaign.
- The Record, "CISA adds Chrome, open-source bugs": Austin's Mandiant research into active exploitation of Ivanti and open-source vulnerabilities was cited as intelligence underpinning CISA's urgent advisory, which added the bugs to the Known Exploited Vulnerabilities catalog.
- Computer Weekly, "China's UNC4841 pivots to new Barracuda ESG zero-day": Austin identified UNC4841 deploying new variants of SEASPY and SALTWATER backdoor malware on impacted Barracuda ESG devices as part of ongoing espionage operations.
- Cybersecurity Dive, "Barracuda patch bypassed by novel malware from China-linked threat group": Austin's team found UNC4841 deployed novel malware to bypass Barracuda's patches, with nearly a third of compromised appliances belonging to government agencies.
- SC Magazine, "Barracuda ESG hacks focused on China's high-priority targets": Austin's investigation into UNC4841 revealed the campaign was laser-focused on China's highest-priority espionage targets, with intrusions at government and defense organizations across more than a dozen countries.
- The Register, "Almost a third of compromised Barracuda ESGs were government owned": Austin's investigation revealed that nearly a third of organizations compromised via the Barracuda ESG zero-day were government agencies, underscoring the espionage focus of UNC4841's campaign.
- Computer Weekly, "Zero-day that forced Barracuda users to bin kit was exploited by China": Austin's investigation attributed UNC4841's Barracuda ESG zero-day campaign to a China-nexus espionage actor conducting the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021.
- The Register, "FBI fingers China for attacks on Barracuda email appliances": Austin's Mandiant research on UNC4841 underpinned the FBI's public attribution of the Barracuda ESG campaign to Chinese state-sponsored hackers.
- Dark Reading, "North Korean Attackers Targeted Crypto Companies in JumpCloud Breach": Austin's investigation revealed the JumpCloud attackers were a cryptocurrency-focused element within North Korea's RGB, targeting companies with crypto verticals for credential theft and reconnaissance.
- BleepingComputer, "JumpCloud breach traced back to North Korean state hackers": Austin assessed with high confidence that the JumpCloud intrusion was the work of a cryptocurrency-focused element within North Korea's Reconnaissance General Bureau, targeting companies with crypto verticals to steal credentials and conduct reconnaissance.
- SC Media, "North Korean-linked Lazarus Group tied to supply chain attack on JumpCloud": Mandiant tracked the JumpCloud breach to UNC4899, a cryptocurrency-focused element within DPRK's Reconnaissance General Bureau.
- TechCrunch, "North Korea-backed hackers breached JumpCloud to target cryptocurrency clients": Austin's team at Mandiant linked the JumpCloud supply chain attack to North Korean state hackers targeting downstream cryptocurrency companies.
- SecurityWeek, "JumpCloud Cyberattack Linked to North Korean Hackers": Austin attributed the JumpCloud breach to a cryptocurrency-focused element within North Korea's Reconnaissance General Bureau targeting companies with crypto verticals.
- Cybersecurity Dive, "Barracuda ESG zero-day exploit still under way after patches fail": Mandiant's investigation revealed the Barracuda ESG zero-day exploit was ongoing even after patches, with UNC4841 adapting malware specifically for the ESG appliance campaign.
- Dark Reading, "Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT": Mandiant's investigation led by Austin attributed the Barracuda ESG zero-day to UNC4841, a novel Chinese APT conducting government-directed espionage targeting high-priority organizations globally.
- InformationWeek, "Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors": Austin's team at Mandiant attributed the Barracuda ESG zero-day exploitation to a suspected China-nexus actor conducting espionage in support of the People's Republic of China.
- TechTarget, "Chinese nation-state actor behind Barracuda ESG attacks": Austin's research established UNC4841 as a China-nexus actor conducting government-directed espionage through the Barracuda ESG zero-day, one of the most aggressive email appliance campaigns Mandiant had ever tracked.