Austin Larsen
Threat Intelligence
Leading rapid response and investigations into major global cyber events. Previously Mandiant incident response. Nation-state threats, zero-days, and data extortion campaigns.
Upcoming: ShinyHunters SaaS Data Theft (Apr 16)
// latest
Recent Posts
The Axios Maintainer Post-Mortem Confirms UNC1069's Playbook
The axios maintainer's post-mortem confirms a compromise strikingly consistent with what we documented on UNC1069 months ago. The target has changed. The tradecraft hasn't.
Hardening VMware vSphere Against BRICKSTORM: A Defender's Guide
Mandiant published a comprehensive defender's guide on securing VMware vSphere environments against BRICKSTORM, including a new hardening script and scanner tool that enforces security configurations directly at the Photon Linux layer.
New Site, Who Dis
Launching my new personal site, built with Astro and deployed on Cloudflare Pages.
UNC1069 and the Axios Supply Chain Attack
Our team at GTIG is releasing more details on the recent supply chain campaign targeting the popular NPM package axios, now attributed to North Korea-nexus UNC1069.
// publications
Research & Publications
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
Assessed Cyber Structure and Alignments of North Korea in 2023
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
// press & coverage
Media
- Dataconomy, "The Axios Breach Shows How Fragile The Npm Supply Chain Remains": Austin Larsen, principal threat analyst at GTIG, cautioned that users who downloaded axios versions 1.14.1 and 1.30.4 may have inadvertently introduced malicious code into their environments.
- Cyber Magazine, "GTIG: How Did North Korean Hackers Compromise Axios?": The impact of this attack is broad and has significant ripple effects, as countless other popular packages rely on axios as a dependency. 2026 is quickly shaping up to be the year of the supply chain.
- Cybersecurity Dive, "Axios open-source library targeted in sophisticated supply chain attack": Anyone that pulled axios@1.14.1 or axios@1.30.4 could have unwittingly executed a backdoor payload using the malicious dependency.
- Infosecurity Magazine, "Hackers Hijack Axios NPM Package": Austin urged security teams to check lockfiles, hunt for IOCs across developer machines and CI/CD infrastructure, and rotate credentials. GTIG attributed the activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018.
- CyberScoop, "Chinese Hackers Exploited a Dell Zero-Day for 18 Months Before Anyone Noticed": Austin Larsen, principal analyst at GTIG, told CyberScoop about the scope of the long-running intrusion campaign targeting VMware and Dell infrastructure.
- Cybersecurity Dive, "Hackers Exploit Zero-Day Flaw in Dell RecoverPoint for Virtual Machines": Larsen said they are aware of less than a dozen impacted organizations, but warned that the true number of victims is likely far higher.
- Cyber Magazine, "DarkSword Spyware: Is Your iPhone Watching You?": Since November 2025, commercial surveillance vendors and suspected state-sponsored actors have leveraged DarkSword in distinct campaigns. GTIG has uncovered an exploit chain that can exfiltrate data, take screenshots, and record voice from infected devices.
- CyberScoop, "Officials Warn About Expansive, Ongoing China Espionage Threat Riding on Brickstorm Malware": We believe dozens of organizations in the United States are currently compromised and don't know it.
- Cybersecurity Dive, "China-Nexus Actor Targets Multiple US Entities with Brickstorm Malware": The goal of this long-running campaign is to steal sensitive data from high-value targets in the technology and legal sectors.
- The Register, "Gainsight CEO Downplays Breach, Says Only a 'Handful' of Customers Had Data Stolen": GTIG is aware of more than 200 Salesforce instances that were compromised as a result of this campaign.
- TechCrunch, "Google says hackers stole data from 200 companies following Gainsight breach": GTIG is aware of more than 200 potentially affected Salesforce instances following the Gainsight breach, with Scattered Lapsus$ / ShinyHunters claiming responsibility.
- Krebs on Security, "ShinyHunters Wage Broad Corporate Extortion Spree": Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using an encrypted channel.
- Reuters, "Google says dozens of organizations affected by Oracle-linked hacking campaign": Austin's team at GTIG tracked the Oracle E-Business Suite zero-day exploitation campaign, identifying dozens of victim organizations across multiple sectors and attributing the extortion operation to a financially motivated threat actor.
- Bloomberg, "'Most Prevalent' Chinese Hacking Group Targets Tech, Law Firms": We believe many organizations are compromised right now and don't know it.
- The Record, "Salesloft: Hacker Broke into Systems in March Through GitHub Account": They are aware of at least 700 victims, with that number expected to grow significantly as the investigation continues.
- SC Media, "Cyber Group Demands Google Fire Two Staff": The ultimatum specifically named Austin Larsen and Mandiant CTO Charles Carmakal, demanding Google terminate both or face a major data leak.
- Krebs on Security, "The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft": Austin Larsen, a principal threat analyst at Google's Threat Intelligence Group, detailed the scope of downstream customer exposure from the Salesloft breach.
- CyberScoop, "Salesloft Drift Compromised en Masse, Impacting All Third-Party Integrations": This just really blows wide open the scope here.
- The Hacker News, "Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data": In these attacks, the threat actors have been observed exporting large volumes of data from Salesforce instances belonging to Salesloft customers.
- 404 Media, "Suspected Snowflake Hacker Arrested in Canada": Austin's investigation into UNC5537's sprawling Snowflake breach campaign helped build the evidence trail that culminated in the arrest of the suspected hacker in Canada.
- The Record, "CISA adds Chrome, open-source bugs": Austin's Mandiant research into active exploitation of Ivanti and open-source vulnerabilities was cited as intelligence underpinning CISA's urgent advisory, which added the bugs to the Known Exploited Vulnerabilities catalog.
- SC Magazine, "Barracuda ESG hacks focused on China's high-priority targets": Austin's investigation into UNC4841 revealed the campaign was laser-focused on China's highest-priority espionage targets, with intrusions at government and defense organizations across more than a dozen countries.
- BleepingComputer, "JumpCloud breach traced back to North Korean state hackers": Austin assessed with high confidence that the JumpCloud intrusion was the work of a cryptocurrency-focused element within North Korea's Reconnaissance General Bureau, targeting companies with crypto verticals to steal credentials and conduct reconnaissance.
- TechTarget, "Chinese nation-state actor behind Barracuda ESG attacks": Austin's research established UNC4841 as a China-nexus actor conducting government-directed espionage through the Barracuda ESG zero-day, one of the most aggressive email appliance campaigns Mandiant had ever tracked.
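The axios coverage above names 1.14.1 and 1.30.4 as the compromised versions and recommends checking lockfiles. As an added example (not code from this page, from GTIG, or from the axios project), the following Node.js script walks a package-lock.json in either the lockfileVersion 1 layout (nested "dependencies" tree) or the lockfileVersion 2/3 layout ("packages" map keyed by install path) and reports every install path pinned to one of those versions, including transitive copies nested under another dependency. The two sample lockfile objects are constructed for illustration; the version set is the only thing taken from the page.

```javascript
// Added example: scan an npm lockfile for the axios versions named in the
// coverage above. Handles lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 ("packages" keyed by install path).
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "1.30.4"]); // from the page

// Derive the package name from a v2/v3 "packages" key such as
// "node_modules/some-lib/node_modules/@scope/name".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Recursive walk of the lockfileVersion 1 tree; nested copies live under
// each entry's own "dependencies" object.
function walkV1(deps, prefix, hits, targetVersions) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === "axios" && targetVersions.has(meta.version)) {
      hits.push({ path, version: meta.version, resolved: meta.resolved || null });
    }
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, hits, targetVersions);
  }
}

// Returns [{ path, version, resolved }] for every axios install that matches.
function findCompromisedAxios(lock, targetVersions = COMPROMISED_AXIOS_VERSIONS) {
  const hits = [];
  if (lock.packages && typeof lock.packages === "object") {
    // v2/v3: one entry per install path; "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = meta.name || nameFromPath(path);
      if (name === "axios" && targetVersions.has(meta.version)) {
        hits.push({ path, version: meta.version, resolved: meta.resolved || null });
      }
    }
  } else if (lock.dependencies) {
    // v1 only (v2 also carries a legacy "dependencies" block; skipping it
    // here avoids double-counting the same install).
    walkV1(lock.dependencies, "node_modules", hits, targetVersions);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { axios: "^1.14.0", "some-lib": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "1.30.4" } },
    "node_modules/some-lib/node_modules/axios": { version: "1.30.4" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.6.8" },
    "some-lib": {
      version: "2.0.0",
      requires: { axios: "1.30.4" },
      dependencies: { axios: { version: "1.30.4" } },
    },
  },
};

// Stand-alone usage: `node scan.js [path/to/package-lock.json]`.
// With no argument the constructed samples are scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK_V3;
  for (const hit of findCompromisedAxios(lock)) {
    console.log(`compromised axios ${hit.version} at ${hit.path}`);
  }
}
```

A clean lockfile does not clear a developer machine or CI runner that ran an install while those versions were live; the quoted guidance to hunt for IOCs on developer machines and CI/CD infrastructure and to rotate credentials still applies. Yarn and pnpm lockfiles use different layouts and are not parsed here.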