Writing

Thoughts on threat intelligence, incident response, and cybersecurity.

2026

KnowledgeDeliver Zero-Day: When Hard-Coded Keys Break Every Deployment

GTIG and Mandiant detail active exploitation of CVE-2026-5426, an unauthenticated RCE in the KnowledgeDeliver LMS. Identical hard-coded ASP.NET machineKey values let attackers forge ViewState payloads against any internet-facing instance, deploying the BLUEBEAM web shell and Cobalt Strike BEACON.

Inside BlackFile: Vishing, AiTM, and the Cybercrime Brand Game

GTIG's new research on UNC6671, operating under the BlackFile brand, exposes one of the most prolific and underreported vishing extortion crews of 2026. The report covers AiTM passkey lures, SSO compromise, and quiet log evasion tactics across Microsoft 365, Okta, Salesforce, and Zendesk.

Adversaries Are Industrializing AI Across the Attack Lifecycle

GTIG's Q2 2026 AI Threat Tracker documents the first observed cybercrime threat actor using a zero-day developed with AI assistance, plus PROMPTSPY, CANFAIL, LONGSTREAM, and supply chain attacks on AI integration libraries.

Open Source Supply Chain Attacks Are Not Slowing Down

A single day of supply chain activity across PyPI, npm, and Docker Hub — Xinference, Namastex.ai, Checkmarx KICS, and BitWarden all hit.

Vercel Discloses Security Incident: Immediate Steps for Users

Vercel disclosed unauthorized access to certain internal systems. Here are immediate steps to secure your environments if your organization relies on their infrastructure.

AI Models Are Accelerating Vulnerability Exploitation. Here's How to Respond.

General-purpose AI is lowering the barrier for threat actors to find and exploit vulnerabilities, shrinking the window between disclosure and mass exploitation.

Tracking the Raccoon: UNC6783 Targeting Dozens of Enterprises

GTIG is tracking UNC6783, a financially motivated threat cluster potentially tied to the 'Raccoon' persona, targeting BPOs and helpdesk staff via spoofed Okta login pages and fake software updates.

The Axios Maintainer Post-Mortem Confirms UNC1069's Playbook

The axios maintainer's post-mortem confirms a compromise strikingly consistent with what we documented on UNC1069 months ago. The target has changed. The tradecraft hasn't.

Hardening VMware vSphere Against BRICKSTORM: A Defender's Guide

Mandiant published a comprehensive defender's guide on securing VMware vSphere environments against BRICKSTORM, including a new hardening script and scanner tool that enforces security configurations directly at the Photon Linux layer.

New Site

Launching my new personal site, built with Astro and deployed on Cloudflare Pages.

UNC1069 and the Axios Supply Chain Attack

Our team at GTIG is releasing more details on the recent supply chain campaign targeting the popular NPM package axios, now attributed to North Korea-nexus UNC1069.

DarkSword: How a Six-Zero-Day iOS Exploit Chain Spread Across Multiple Threat Actors

GTIG uncovered DarkSword, a sophisticated iOS exploit chain that strings together six zero-day vulnerabilities to fully compromise devices running iOS 18.4 through 18.7, leveraged by both commercial surveillance vendors and suspected state-sponsored actors in distinct campaigns.

It Is Time to Stop Using NTLMv1

GTIG and Mandiant are publicly releasing a comprehensive Net-NTLMv1 rainbow table dataset, lowering the bar for defenders to demonstrate that NTLMv1 credentials can be cracked in under 12 hours with less than $600 in hardware.

AuraInspector: Detecting Salesforce Aura Misconfigurations Attackers Are Already Exploiting

Mandiant released AuraInspector, an open-source tool for identifying access control misconfigurations in the Salesforce Aura framework, after GTIG observed active exploitation of GraphQL-based data export bypasses in the wild.

CISA Confirms BRICKSTORM: PRC Actors Targeting VMware Environments

CISA, NSA, and the Canadian Centre for Cyber Security released a joint Malware Analysis Report on BRICKSTORM, aligning with our earlier GTIG findings on this PRC-linked backdoor.

2025

Google Sues Darcula: 900,000 Stolen Cards, 80% of Phishing Texts

Google filed civil litigation against Darcula, the phishing-as-a-service provider behind 80 percent of all phishing texts during peak activity, responsible for stealing nearly 900,000 credit card numbers globally including 40,000 from US victims.

Multiple Threat Actors Race to Exploit React2Shell Across Espionage and Criminal Operations

Since exploitation of CVE-2025-55182 began, GTIG has tracked China-nexus espionage actors, Iran-linked clusters, and financially motivated actors deploying distinct tooling against unpatched React and Next.js workloads globally.

Google Takes Legal Action Against Lighthouse, a Phishing-as-a-Service Operation Across 120 Countries

Google filed litigation under RICO, the Lanham Act, and the CFAA to dismantle Lighthouse, a PhaaS platform responsible for over 1 million victims and between 12.7 and 115 million stolen credit cards in the US alone.

AI-Enabled Malware Is No Longer Theoretical

GTIG's AI Threat Tracker report documents the first observed use of large language models mid-execution in live malware operations, including APT28's PROMPTSTEAL and experimental malware using the Gemini API for self-modification.

COLDRIVER Re-Tools in Four Days: Introducing the ROBOT Malware Suite

Just four days after GTIG publicly detailed COLDRIVER's LOSTKEYS malware, the Russian state-backed actor deployed an entirely new malware framework, demonstrating the resilience and high operational tempo of a well-resourced adversary.

Tracking a High-Volume Extortion Campaign Linked to CLOP

GTIG is tracking a new extortion campaign from an actor claiming affiliation with CLOP, targeting executives with claims of Oracle E-Business Suite breaches.

China-Nexus Actor Deploys Firmware Bootkit on Cisco ASA Devices

GTIG is tracking active exploitation of two Cisco zero-days by a suspected China-nexus actor using a firmware-level bootkit with advanced anti-forensic capabilities on ASA and Firepower devices.

BRICKSTORM: China-Nexus Actors Hiding in VMware Infrastructure for Over a Year

GTIG published research on BRICKSTORM, a backdoor used by PRC-linked UNC5221 to maintain persistent access in VMware environments with an average dwell time of 393 days.

UNC6395: Data Theft Targeting Salesforce via Salesloft Drift

Our team at GTIG published new research on UNC6395, behind a widespread data theft campaign targeting Salesforce customer instances via compromised Salesloft Drift OAuth tokens.

SharePoint Zero-Day: Why Patching Is Not Enough

GTIG tracked active exploitation of CVE-2025-53770, a critical SharePoint zero-day used to steal MachineKey secrets that grant persistent access surviving future patches. A subsequent update confirmed China-nexus attribution and public PoC availability driving expanded exploitation.

How Project Shield Stopped a 6.3 Tbps DDoS Attack Against KrebsOnSecurity

When KrebsOnSecurity was hit with one of the largest DDoS attacks ever recorded, Google's Project Shield kept it online without interruption.

APT41 Uses Google Calendar for Command and Control

GTIG discovered APT41 exploiting a government website to deliver TOUGHPROGRESS, a novel malware family that uses Google Calendar events for command and control and data exfiltration, demonstrating the group's continued evolution in cloud service abuse.

COLDRIVER Deploys LOSTKEYS to Steal Documents from Western Government Advisors

GTIG published new findings on COLDRIVER, a Russian government-backed group that evolved beyond credential phishing to deploy LOSTKEYS malware for direct document exfiltration from advisors to Western governments, military personnel, journalists, and NGOs.

UNC5221 Exploits Ivanti Connect Secure Zero-Day to Deploy TRAILBLAZE and BRUSHFIRE

Mandiant identified China-nexus UNC5221 exploiting a critical Ivanti Connect Secure buffer overflow (CVE-2025-22457) dating back to mid-March, deploying two new malware families alongside their existing SPAWN ecosystem.

UNC3886 Targets End-of-Life Juniper Routers with Six TINYSHELL Backdoor Variants

Mandiant published details on UNC3886, a China-nexus espionage actor that deployed a custom malware ecosystem with six distinct TINYSHELL variants on end-of-life Juniper MX devices, using novel process injection and logging suppression techniques.

When Cybercrime Becomes a National Security Problem: The Wagenius Case

Newly released court documents in the Cameron Wagenius case reveal a 20-year-old US Army communications specialist's alleged involvement in Snowflake-related extortion, web searches for 'can hacking be treason,' and inquiries about defecting to Russia.