ciso brief

All news with #google threat intelligence tag

10 articles

Chinese‑language phishing services expand globally

🛡️ Google Threat Intelligence Group analyzed a growing Chinese‑language phishing‑as‑a‑service (PhaaS) ecosystem, finding mature, professional offerings that facilitate real‑time credential and OTP interception and the tokenization of payment data. These services use encrypted channels like RCS and iMessage, provide extensive localization tools and ancillary criminal services, and often operate openly on Telegram. GTIG highlights the shift from simple password harvesting to financial account takeover and recommends stronger technical defenses such as FIDO2/WebAuthn and risk‑based verification.

March 2026 security roundup — Tony Anscombe key takeaways

🔒 In the March 2026 edition Tony Anscombe reviews several high-impact incidents and trends that should shape organizational defenses. He summarizes the reported Stryker intrusion claimed by the Iran-linked Handala group, new research from the Google Threat Intelligence Group showing a rise in data theft tied to ransomware, Instagram's plan to stop encrypting private messages in May, and a Europol-led takedown of the Tycoon 2FA phishing platform. Watch the video for practical lessons and related coverage.

Spyware-grade Coruna iOS exploit kit used in crypto theft

🔒 Google researchers disclosed a previously undocumented iOS exploit kit named Coruna, comprising 23 exploits and five full exploit chains that target iOS 13.0 through 17.2.1. Observed by the Google Threat Intelligence Group in 2025, the framework fingerprints devices, avoids targets in Lockdown Mode or private browsing, and delivers a stager loader called PlasmaLoader that injects into the iOS root daemon. Post-exploitation modules specifically target cryptocurrency wallets to extract BIP39 recovery phrases and other sensitive text, encrypting stolen data and using a DGA seeded with "lazarus" for resilience.

Cyber Threats to the Defense Industrial Base & Supply Chain

🛡️ Google Threat Intelligence Group (GTIG) details persistent, multi-vector cyber threats to the defense industrial base. State-sponsored and hacktivist actors target UAVs and battlefield systems, exploit personnel and hiring processes, and increasingly compromise edge devices and appliances to bypass EDR. The report documents campaigns against messaging apps, Android and Windows malware, and recruitment-themed lures. It also highlights ransomware and supply‑chain risks that can disrupt production and surge capacity.

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.

Saved Searches Now Available in Google GTI and VirusTotal

🔍 The new Saved Searches feature is now live in Google Threat Intelligence (GTI) and VirusTotal, enabling analysts to store complex queries for reuse. Users can save multi-clause, tuned searches and share them with colleagues across their organization to preserve investigative logic and ensure consistency. The release includes public campaign searches from the #monthofgoogletisearch to help teams get started quickly.

New Russian COLDRIVER Malware: NOROBOT and ROBOTs Variants

🤖 Google Threat Intelligence Group (GTIG) attributes a rapid malware retooling to the Russia-aligned COLDRIVER group after the May 2025 LOSTKEYS disclosure. The campaign uses a COLDCOPY “ClickFix” lure that coerces users to run a malicious DLL via rundll32; the DLL family is tracked as NOROBOT. Early NOROBOT variants fetched a noisy Python backdoor named YESROBOT, which was quickly replaced by a lighter, extensible PowerShell backdoor called MAYBEROBOT. GTIG published IOCs, YARA rules, and protective measures including Safe Browsing coverage and targeted alerts.

North Korean Hackers Use EtherHiding to Steal Crypto

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.

Chinese Group Uses BRICKSTORM Backdoor Against US Firms

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

Deception in Depth: UNC6384 Hijacks Web Traffic Globally

🛡️ In March 2025, Google Threat Intelligence Group identified a complex espionage campaign attributed to the PRC‑nexus actor UNC6384 that targeted diplomats in Southeast Asia and other global entities. The attackers hijacked web traffic via a captive‑portal and AitM redirect to deliver a digitally signed downloader tracked as STATICPLUGIN, which retrieved a disguised MSI and staged an in‑memory deployment of the SOGU.SEC backdoor (PlugX). The operation abused valid code‑signing certificates, DLL side‑loading via a novel launcher CANONSTAGER, and indirect execution techniques to evade detection. Google issued alerts, added IOCs to Safe Browsing, and recommends enabling Enhanced Safe Browsing, applying updates, and enforcing 2‑Step Verification.