Austin Larsen

@austinlarsen.me.bsky.social

Principal Threat Analyst - Google Threat Intelligence Group

1,101 Followers  |  308 Following  |  19 Posts  |  Joined: 01.07.2023  |  1.6944

Latest posts by austinlarsen.me on Bluesky

APT folks... is UNC3886 becoming a top-tier actor?

www.trendmicro.com/en_us/resear...

www.sygnia.co/blog/fire-an...

supportportal.juniper.net/s/article/20...

cloud.google.com/blog/topics/...

29.07.2025 10:06 — 👍 15    🔁 3    💬 2    📌 0
Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog Cybercriminals are using fake AI-themed ads and websites to deliver malware such as infostealers and backdoors.

This campaign deploys malware like STARKVEIL, XWORM & FROSTRIFT. Our report covers their TTPs including the use of Unicode Braille patterns to obfuscate executable file names and their continuous rotation of domains to evade detection.

cloud.google.com/blog/topics/...

28.05.2025 20:40 — 👍 1    🔁 0    💬 0    📌 0

New @mandiant.com research: UNC6032 (Vietnam-nexus actor 🇻🇳) is exploiting interest in AI tools, using fake AI video generator sites & malicious ads to spread malware.

The campaign, active since mid-2024, aims to steal credentials, cookies & financial data.

28.05.2025 20:40 — 👍 6    🔁 0    💬 1    📌 0

🚨 Heads up! 🚨 APT41 is using Google Calendar 🗓️ as their latest C2 trick. GTIG just pulled back the curtain 🎭 on the TOUGHPROGRESS malware campaign and how we shut it down 💪. Dive into the details here: 🚀https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

28.05.2025 14:11 — 👍 8    🔁 4    💬 1    📌 3
Original post on cyberplace.social

Google’s M-Trends 2025 report is out - data from Mandiant’s incident response engagements. Direct PDF link to avoid the sales pitch wall:

https://services.google.com/fh/files/misc/m-trends-2025-en.pdf

Thread about my main observations:

- Firstly, no mention of generative AI or GenAI again […]

24.04.2025 06:07 — 👍 32    🔁 31    💬 1    📌 0

Confirming that CISA has stopped using VirusTotal and Censys.

"Makes their jobs a lot harder," a person familiar with the matter told me, adding, "There's a possibility that more services might be limited or cut due to budget."

18.04.2025 17:39 — 👍 52    🔁 26    💬 3    📌 1
Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.

Excellent breakdown of the “Rogue RDP” TTP we’ve seen suspected Russian APT UNC5837 using in their campaigns, written by my colleague Rohit (@IzySec over on X)

07.04.2025 15:06 — 👍 16    🔁 8    💬 0    📌 0
The Trump Administration Accidentally Texted Me Its War Plans U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.

In 25 years of covering national security, I’ve never seen a story like this: Senior Trump officials discussed planning for the U.S. attack on Yemen in a Signal group--and inadvertently added the editor-in-chief of The Atlantic. www.theatlantic.com/politics/arc...

24.03.2025 16:11 — 👍 16823    🔁 6584    💬 800    📌 2642
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers.

🚨 Following a months-long investigation stemming back to mid-2024, Mandiant just published details on a campaign by China-nexus actor UNC3886 targeting Juniper routers. Our investigation uncovered a custom malware ecosystem on end-of-life Juniper MX devices.
cloud.google.com/blog/topics/...

12.03.2025 19:36 — 👍 4    🔁 0    💬 0    📌 1

Hundreds protested at the national labs today in Boulder, Colorado. #SaveOurServices #resist #NOAA #NIST #NCAR #ScienceSavesLives

03.03.2025 20:34 — 👍 843    🔁 214    💬 12    📌 17
It Was an Ambush Today marked one of the grimmest days in the history of American diplomacy.

Today was a grim, terrible day for the United States and the cause of democracy. Putin, along with other dictators around the world, can finally look at Trump with confidence and think: one of us.

www.theatlantic.com/ideas/archiv...

01.03.2025 00:56 — 👍 5361    🔁 1474    💬 285    📌 113
Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies Federal prosecutors accuse Cameron Wagenius of searching how to defect to Russia days after he tried to sell stolen data to a foreign intelligence service.

A 21-year-old U.S. Army soldier linked to last year's Snowflake attack spree allegedly tried to sell stolen data to a foreign intelligence service after searching for information about how to defect to Russia. Hat tip to @nixonnixoff.bsky.social @austinlarsen.me cyberscoop.com/army-soldier...

27.02.2025 23:03 — 👍 28    🔁 12    💬 2    📌 1

The no-opsec Army guy who was part of the group that leaked Trump's call logs (and worse, threatened me) google searched how to defect to Russia and "can hacking be treason" 💀💀💀💀

He was never going to get away.

27.02.2025 01:17 — 👍 143    🔁 33    💬 8    📌 5
US joins Russia to vote against UN resolution condemning Russia’s war against Ukraine | CNN Politics The United States joined Russia to vote against a UN General Assembly resolution condemning Russia’s war against Ukraine Monday in a stunning shift from years of US policy.

For the US to side with Russia and North Korea to oppose a UN resolution condemning the illegal invasion of Ukraine defies all common sense and adds insult to the countless injuries suffered by the brave Ukrainian people. edition.cnn.com/2025/02/24/p...

25.02.2025 09:29 — 👍 63151    🔁 14327    💬 3683    📌 1372
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.

Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...

19.02.2025 11:05 — 👍 171    🔁 119    💬 3    📌 17

DHS has terminated the memberships of everyone on its advisory committees.

This includes several cyber committees, like CISA's advisory panel and the Cyber Safety Review Board, which was investigating Salt Typhoon.

That review is "dead," person familiar says.

www.documentcloud.org/documents/25...

21.01.2025 20:43 — 👍 1084    🔁 614    💬 54    📌 186
Cloudflare Issue Can Leak Chat App Users' Broad Location A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user mi...

A bug in Cloudflare (and just the nature of how CDNs work) let an attacker learn the broad location of Discord, Signal, Twitter users by just sending them an image, according to a security researcher. It works by checking which data center cached the image www.404media.co/cloudflare-i...

21.01.2025 14:40 — 👍 2450    🔁 666    💬 101    📌 39
FBI Has Warned Agents It Believes Hackers Stole Their Call Logs FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the ...

"FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants."
www.bloomberg.com/news/article...

16.01.2025 19:19 — 👍 6    🔁 2    💬 0    📌 0
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.

🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337.

cloud.google.com/blog/topics/...

09.01.2025 00:42 — 👍 34    🔁 23    💬 0    📌 4
Ivanti Community

Patch immediately, run the Ivanti external ICT checker, read our latest research for a detailed breakdown of the threat, and check out Ivanti's advisory for the latest guidance:
forums.ivanti.com/s/article/Se...

09.01.2025 00:42 — 👍 0    🔁 0    💬 1    📌 0

πŸ›‘οΈ Persistence: Threat actors are installing persistent backdoors on compromised appliances that can survive across system reboots and upgrades. Mandiant identified the actors using backdoors including SPAWN, SPAWNANT, SPAWNMOLE, SPAWNSNAIL, SPAWNSLOTH, DRYHOOK, and PHASEJAM.

09.01.2025 00:42 — 👍 0    🔁 0    💬 1    📌 0

πŸ›‘οΈ ICT Evasion: Threat actors are manipulating the Ivanti Integrity Checker Tool (ICT) manifest to include their own malicious files, effectively bypassing this detection mechanism.

09.01.2025 00:42 — 👍 0    🔁 0    💬 1    📌 0

πŸ›‘οΈ Fake Upgrade: Threat actors are deploying PHASEJAM malware to block legitimate system upgrades while simultaneously displaying a fake upgrade progress bar. This creates a convincing facade of a successful update, when in reality, the malware silently prevents the actual upgrade from taking place.

09.01.2025 00:42 — 👍 0    🔁 0    💬 1    📌 0

This threat showcases how China-nexus cyber espionage actors continue to evolve, becoming more agile, stealthy, and difficult for defenders to detect. They employed several interesting techniques to maintain access to compromised Ivanti appliances and evade defenders. Here's what you need to know:

09.01.2025 00:42 — 👍 0    🔁 0    💬 1    📌 0
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.

🚨 New: Zero-day vulnerability #CVE-2025-0282 in Ivanti Connect Secure VPN is being actively exploited, including by suspected China-nexus cyber espionage groups. Our team at Mandiant in partnership with Ivanti just published our initial findings. 🧡
cloud.google.com/blog/topics/...

09.01.2025 00:42 — 👍 7    🔁 1    💬 1    📌 0
How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons Massive “Typhoon” cyberattacks on U.S. infrastructure and telecoms sought to lay the groundwork for potential conflict with Beijing, as intruders gathered data and got in position to impede response a...

Probably the most comprehensive narrative to date about the Volt and Salt Typhoon campaigns.

05.01.2025 19:49 — 👍 50    🔁 12    💬 3    📌 1

>IQ levels when you are a cybercriminal that tries to extort the president, but you are government property and Krebs is calling your mom :(

31.12.2024 04:06 — 👍 80    🔁 14    💬 1    📌 2

Something completely underappreciated in how Google Chrome revolutionized the web and security and software in general — was the silent background auto-update and non-admin user-level installs. It set a bar that changed everything on ability to make progress & address threats. Broke IT paradigms.

20.12.2024 03:39 — 👍 732    🔁 71    💬 16    📌 5

Who wants to be next?

(Waifu arrest footage released by WSJ)

www.wsj.com/tech/cyberse...

08.12.2024 02:39 — 👍 124    🔁 23    💬 12    📌 3