Threat hunters and security analysts: are you getting the complete picture during your investigations? When correlating events in Google SecOps, inner joins are highly effective for filtering down to specific matches—but they require data to exist on both sides, which can sometimes filter out surrounding context. To maintain a holistic view of your environment, analysts should leverage outer joins. By utilizing left or right joins, you can return all events on one side of your dataset while appending matching entity graph data—such as STIX indicators, MISP, GCTI feeds, or Mandiant Fusion IOCs—only where it exists. For example, you can surface all network connection events in a given timeframe while specifically flagging the connections communicating with TOR exit nodes. Learn more about using outer joins in Google SecOps in this blog post by John Stoner: https://bit.ly/4v3kY3Q
Mandiant (part of Google Cloud)
Computer and Network Security
Mountain View, California 214,771 followers
About us
We’re determined to make organizations secure against cyber threats and confident in their readiness. Experience the same trusted cybersecurity solutions, now from Google Cloud.
- Website: https://cloud.google.com/security
- Industry: Computer and Network Security
- Company size: 10,001+ employees
- Headquarters: Mountain View, California
- Type: Public Company
- Specialties: Network Security, Threat Intelligence, Computer Forensics, and Incident Response
Locations
- Primary: 1600 Amphitheatre Pkwy, Mountain View, California 94043, US
Updates
Expose the underground with Google Threat Intelligence! 🕵️♂️ Scale your visibility into forums, markets, and chat platforms to hunt for leaks and exploits before they hit. 🛡️ Check the guide: https://goo.gle/4uTTihD API documentation: https://goo.gle/4cdNd8m #GoogleTIMondays #ThreatIntel #CyberSecurity #Darkweb
Mandiant (part of Google Cloud) reposted this
Day 1 at #RSAC spotlighted Google Security’s approach to AI. From building AI agents for cybersecurity to preparing for emerging AI-driven threats and redefining the CISO playbook.
Cybercrime is no longer just about individual actors—it’s about highly coordinated, specialized partnerships. The M-Trends 2026 Report details how these shifts have significantly shortened the intervention window for defenders. From the targeting of Tier-0 assets to the rise of high-velocity access handoffs, our latest findings provide a roadmap for navigating today's most complex security challenges. Read the full report for actionable insights from our frontline experts. https://bit.ly/40OHShu
Threat intelligence teams are not struggling with a lack of data—they are struggling with a lack of relevance. To solve this, we are introducing a new dark web intelligence capability in Google Threat Intelligence. Powered by Gemini, this new capability shifts the advantage back to defenders by autonomously building and evolving a specific organizational profile based on your business operations. Instead of relying on manual keyword updates that frequently miss obscured threats, the system uses deep business context to identify risks based on threat actor behavior. If an initial access broker attempts to sell access to your infrastructure on an underground forum—even without naming your brand—our intelligence connects the dots. By cross-referencing details like revenue brackets, geography, and specific portal types, the system alerts you to the compromised entry point before a buyer is ever found. Backed by the deep expertise of our Google Threat Intelligence Group analysts and Google’s vertical integration of compute and foundational models, internal tests show Google Threat Intelligence can analyze millions of daily external events with 98% accuracy. We are filtering the noise so you can transition from reacting to a fire to putting it out before the match is struck. If you are attending the RSA Conference, visit Booth N6062 for a live demonstration to see how we are turning dark web noise into active defense. Learn more: https://bit.ly/4lMk7jL
⏰ Only 48 hours to go! Join Google Cloud Security and AmagisTech for our exclusive webinar on the future of Autonomous Defense. We look forward to seeing you there! ✍️ Register here to reserve your spot: https://bit.ly/3Po1x5u #CyberSecurity #GoogleCloud #AmagisTech #AI #SecOps #GoogleCloudSecurity
Google Threat Intelligence Group has uncovered DarkSword, a new iOS full-chain exploit utilizing multiple zero-day vulnerabilities to fully compromise devices. Since November 2025, our analysts have observed commercial surveillance vendors, such as PARS Defense, and suspected state-sponsored actors, including the Russian espionage group UNC6353 and threat cluster UNC6748, deploying DarkSword in distinct campaigns. These threat actors have actively targeted users across Saudi Arabia, Turkey, Malaysia, and Ukraine through watering hole attacks and tailored decoy websites.

Key findings:
- DarkSword supports iOS versions 18.4 through 18.7.
- The exploit chain leverages six different vulnerabilities to break out of Safari's WebContent sandbox, escalate privileges, and execute arbitrary code.
- DarkSword relies entirely on pure JavaScript for all stages of the exploit chain and final payloads.
- Following a successful compromise, attackers deploy one of three distinct malware families designed for extensive data exfiltration: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

The proliferation of a single exploit chain across such disparate threat actors mirrors the previous distribution of the Coruna iOS exploit kit, underscoring the ongoing risk of exploit sharing among actors with varying motivations and geographies. All vulnerabilities leveraged by DarkSword were reported to Apple and have been fully patched. We strongly advise users to update their devices to the latest version of iOS. In situations where an immediate update is not possible, enabling Lockdown Mode is recommended for enhanced security. Read more on how DarkSword operates, and get IOCs and YARA Rules: https://bit.ly/4siDVO5
⏰ Only one week left until our exclusive webinar on Autonomous Security! Join Google Cloud Security and AmagisTech for an exclusive session on the future of Autonomous Defense. Together, we are closing the skills gap by combining Google’s technological infrastructure with the expertise and Agentic SOC of @AmagisTech, our premier security partner. ✍️ Register here to reserve your spot: https://bit.ly/4sKA38j #CyberSecurity #GoogleCloud #AmagisTech #AI #SecOps #GoogleCloudSecurity
Ransomware operations continue to evolve. While improved organizational security and law enforcement disruptions have led to a decline in ransomware profitability and payment rates throughout 2025, threat actors are adapting their tactics, techniques, and procedures to achieve better success. Based on frontline incident response data from Mandiant and the Google Threat Intelligence Group, our latest analysis reveals shifts in attacker behavior and the broader extortion ecosystem.

Key findings from our 2025 investigations:
- Surging Data Theft: 77% of ransomware intrusions included confirmed or suspected data theft, up from 57% in 2024.
- Virtualization Under Attack: Threat actors targeted virtualization infrastructure in 43% of incidents, a notable increase from 29% the previous year.
- Shifting Targets: With enterprise security maturing, operators are increasingly focusing their efforts on smaller organizations with fewer than 200 employees.
- Top Malware: REDBIKE emerged as the dominant ransomware family, accounting for 30% of analyzed incidents.
- Initial Access: A third of all incidents began with vulnerability exploitation, heavily targeting common VPNs and firewalls.

Despite an overall drop in average ransom demands—falling from $2 million in 2024 to $1.34 million in 2025—extortion ecosystems remain highly resilient. The debilitation of prolific groups like LockBit, ALPHV, and RansomHub was quickly offset by the rise of brands like Qilin and Akira, leading to a record number of victims posted to data leak sites. We are also observing threat actors actively incorporating cross-platform capabilities, Web3 technologies for infrastructure resilience, and AI features into their operations. The continuous evolution of attacker techniques requires a proactive defense strategy. Threat actors are changing the rules of multifaceted extortion, and organizations must ensure their containment, recovery, and endpoint protection strategies evolve to meet them.

Get more insights, along with YARA Rules for the threats described in the post: https://bit.ly/4sUTOKK
Ready for Part 2 of our series on Hunting LLM-Enabled Malware? 🛡️ This week, we’re diving into Agentic Vulnerabilities. From poisoned OpenClaw skills to indirect prompt injections in Markdown files and silent OCR-based image exploits, the threat landscape is evolving fast. Learn how to leverage VirusTotal Code Insight and agentic AI to automate your defenses. All advanced searches mentioned in the slides can be found in Saved Searches within GoogleTI. 🔗 Full Technical Breakdown: https://bit.ly/47C2yNn Stay ahead of the curve! 🚀 #GoogleTIMondays #CyberSecurity #ThreatHunting #AI #MalwareAnalysis #GoogleTI