Mandiant (part of Google Cloud)

Computer and Network Security

Mountain View, California 216,250 followers

About us

We’re determined to make organizations secure against cyber threats and confident in their readiness. Experience the same trusted cybersecurity solutions, now from Google Cloud.

Website
https://cloud.google.com/security
Industry
Computer and Network Security
Company size
10,001+ employees
Headquarters
Mountain View, California
Type
Public Company
Specialties
Network Security, Threat Intelligence, Computer Forensics, and Incident Response

Locations

  • Primary

    1600 Amphitheatre Pkwy

    Mountain View, California 94043, US

Updates

  • What does it take to disrupt cyber adversaries at scale? In the latest episode of The Defender’s Advantage Podcast, Luke McNamara is joined by Charley Snyder to unpack how Google is building a coordinated approach to disrupting cyber adversaries. Learn about this new effort, how it’s executed across various teams, and details on recent operations such as IPIDEA and GRIDTIDE. Listen to the full episode: https://goo.gle/4n2LMxE

  • A newly tracked threat group, UNC6692, is bypassing defenses by impersonating IT on Microsoft Teams to deploy the custom SNOW malware ecosystem.

    Google Threat Intelligence Group has identified a highly coordinated intrusion campaign. UNC6692 initiates contact by overwhelming a target's email with messages to create a sense of distraction. They then offer assistance via a Teams message, posing as helpdesk personnel providing a local patch.

    Victims are directed to a malicious "Mailbox Repair Utility" landing page that pushes them into a specific Microsoft Edge environment. Once there, UNC6692 employs a psychological "double-entry" credential harvesting trick. The prompt intentionally rejects the first two password attempts. This serves to reinforce the user's belief that the system is legitimately validating their login, while ensuring the attacker captures typo-free credentials. The data is then uploaded directly to an attacker-controlled Amazon S3 bucket.

    This initial access enables the deployment of their modular malware pipeline:

    🔹 SNOWBELT: A malicious Chromium browser extension that acts as the initial foothold and persistent backdoor, relaying commands without requiring constant re-authentication.
    🔹 SNOWGLAZE: A Python-based tunneler that establishes a secure WebSocket connection to command-and-control infrastructure, masking malicious activity as encrypted web traffic.
    🔹 SNOWBASIN: A Python bindshell that operates as a local HTTP server, providing the functional interactive control for remote command execution, screenshot capture, and data staging.

    Armed with elevated access, UNC6692 moves laterally to domain controllers using Pass-The-Hash techniques. They systematically extract LSASS process memory, the Active Directory database, and registry hives, eventually exfiltrating the data out of the network via LimeWire.

    This campaign highlights a dangerous "living off the cloud" strategy. By hosting malicious components on trusted cloud platforms, attackers can bypass traditional network reputation filters and blend into a high volume of legitimate traffic. To detect these modern methodologies, defenders must expand visibility beyond traditional process monitoring and focus on correlating disparate events across browser activity and unauthorized cloud egress points.

    Read the full analysis and get indicators of compromise. ➡️ https://goo.gle/425HxYm

  • 🕵️ Script-based malware like PowerShell and VBS often slip past legacy signatures through heavy obfuscation. In this week's #GoogleTIMondays, we dive into how Google Threat Intelligence helps you unmask hidden scripts using:

    ✅ Advanced modifiers (behavior, tag, sigma_rule)
    ✅ Code Insights for intent-based searching
    ✅ Custom YARA rule detections

    🚀 Learn how to automate your deobfuscation and scale your hunting. All featured queries can be located within saved searches using the modifier: tag:GoogleTIMondays

    #ThreatIntelligence #CyberSecurity #GoogleCloud #InfoSec #MalwareAnalysis

  • For years, the FLARE team has been committed to "open-sourcing" the specialized knowledge required to defend against the world's most sophisticated threats. Today, we’re taking that a step further. There has long been a gap in cybersecurity education. We have plenty of courses that teach you how to navigate a disassembler or interpret decompiler output, but almost none that teach you to master the compiler-level primitives required to both build and break modern obfuscation. We’re debuting a first-of-its-kind training at @BlackHatEvents: "Syntactical Supremacy: Defeating and Designing Nation-State Obfuscation." This is an immersive deep dive into LLVM, Intermediate Representations (IRs) and creating transformation passes. We’re moving past the "black box" of the decompiler to show you how to: - Day 1 (Defense): Use the ScatterBrain obfuscating-compiler to learn how to recover scattered control flow logic and opaque predicates, and programmatically rewrite binaries. - Day 2 (Offense): Write custom C++ LLVM passes to architect the very same transformations used by ScatterBrain to truly understand them inside and out. In an age where LLMs are scaling code complexity, understanding the "source of truth" in the compiler pipeline is the ultimate advantage. Join us in Las Vegas to turn the "black box" of compiler-based obfuscation into a tool in your own arsenal. 🔗 Register by May 22: https://bit.ly/3P2L8U5 #BHUSA #ReverseEngineering #Mandiant #FLARE #GoogleCloudSecurity #LLVM

  • Take learnings from last year's breaches and build stronger defenses today. In the latest episode of The Defender’s Advantage Podcast, host Luke McNamara sits down with Chris Linklater, Practice Leader at Mandiant, to break down the 2026 M-Trends report. They'll cover key patterns from 2025 breaches and what they mean for today's threat landscape. Tune in for expert insights on where to focus next and how to apply them: https://bit.ly/4sTyiFF

  • Stop guessing who the next target is. 🎯 The new Hacktivist DDoS Activity Dashboard (https://bit.ly/4mGh4Kd) in #GoogleThreatIntelligence is live! We’re combining botnet C2 telemetry with corroborated Telegram claims to give you a clear view of the threat landscape. 🛡️ ✅ Track industry-specific targeting ✅ Corroborate claims via check-host links ✅ Monitor active hacktivist infrastructure Access it via Dashboards > Hacktivist DDoS Activity in Google TI. #GoogleTIMondays #CyberSecurity #DDoS #ThreatIntel #GoogleCloud

  • AI unlocks unprecedented innovation, but it also creates a complex new attack surface. To provide security teams and architects with a technical approach to securing AI systems, we’ve synthesized findings from our recent Mandiant AI Red Team engagements into a practical roadmap. Our latest whitepaper, Secure development of generative AI applications: A proactive approach, moves past the theory to provide specific guidance on hardening AI systems. Inside the report, we break down how to: • Map the AI Attack Surface: Identify and mitigate vulnerabilities specific to LLMs, including prompt injection, data poisoning, and insecure output handling. • Apply Multi-Layer Controls: Implement a defense-in-depth strategy across the model, application, and infrastructure layers. • Incorporate Red Team Findings: Use observations from real-world Mandiant AI Red Team assessments to inform your threat modeling and security architecture. 📖 Equip your team to harness the power of AI, securely. Read the full whitepaper here: https://bit.ly/492ndLa

  • Join technology and security leader Richard Crowther from Google Cloud & leading expert speakers for the ‘Engineering Resilience Panel’ at CyberUK 2026! Explore to what extent it is possible to architect systems to be more resilient in the event of compromise. The NCSC will share its latest thinking on best practice and the panel will discuss where they have seen this done well, the extent to which the chosen technical patterns matter, and how generalisable approaches are. 📅 23 April 📍Alsh Room, SEC Glasgow ⏰ 11:00 🚀 Richard Crowther, UK Sovereign Operations, Google Cloud 🚀 Carolyn Ainsworth, Deputy Director Engineering, NCSC 🚀 David I, Security Architect, NCSC 🚀 David Brown, Principal Security Consultant, NCC Group 🚀 Harry G, Deputy Director, NCSC #GoogleCloud #CyberUK26
