Cyber Threat Intelligence

Introducing the Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework

05.23.2022 | 4 min read

To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions

06.02.2022 | 16 min read

Assembling the Russian Nesting Doll: UNC2452 Merged into APT29

04.27.2022 | 9 min read

INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems

04.13.2022 | 13 min read

Webinar

NEW

Ukraine Crisis Resource Center

Follow the latest insights, reports, and news from the Mandiant team regarding the ongoing conflict in Ukraine.

Female with Security Validation and Threat Intelligence Dual Monitor

Iran-Linked UNC3313 APT Employed Two Custom Backdoors Against a Middle East Gov Entity

Mandiant Threat Intelligence has been tracking and providing extensive coverage of UNC3313 activity, assessed with moderate confidence to be associated with TEMP.Zagros, to include the group’s malware development of GramDoor and StarWhale payloads. We believe that UNC3313...

Cyber Threat Actors Announce Threats and Attacks Against Critical Infrastructure in Response to Russia/Ukraine Conflict

In response to the Russia/Ukraine conflict, various cyber threat actor groups have been announcing sides and possible threats of action against various parties. Mandiant Threat Intelligence observed some activity with implications for critical infrastructure and operational…

Open in Advantage (Paid Subscription)

EMOTET Distributes New Payment Card Theft Module and Atera Agent Installers

Mandiant observed UNC3443 EMOTET activity distributing a new payment card stealing module targeting Chrome users.

APT41

APT41 is a Chinese state-sponsored espionage group that also conducts financially motivated activity for personal gain. The group has executed multiple supply chain compromises, gaining access to software companies to inject malicious code into legitimate files before distributing updates.

FIN11

FIN11 is a financially motivated threat group that has conducted some of the largest and longest running malware distribution campaigns observed amongst our FIN groups to date. Mandiant has observed FIN11 attempt to monetize their operations at least once using named point-of-sale (POS) malware and more frequently using CLOP ransomware combined with traditional extortion.

UNC1543

UNC1543 is a financially motivated cluster of activity that distributes FAKEUPDATES, a multi-stage JavaScript dropper that typically masquerades as a browser update. In at least some cases, UNC1543 appears to partner with clients or affiliates who use access obtained by the group to deploy additional malware.

Male with Phone and Threat Intelligence on Monitor

Why Mandiant Threat Intelligence?

Get critical insights into the latest relevant threats as Mandiant blends open-source data with proprietary frontline observations.

Proactive Preparation and Hardening to Prevent Against Destructive Attacks

Includes hardening and detection guidance to protect against a destructive attack or other security incident within your environment.

Distributed Denial of Services (DDoS) Protection Recommendations

This guide outlines the different types of DDoS events and the protection recommendations.

Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks

This paper provides recommendations to protect Linux endpoints from adversarial abuse.

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

In December 2020, Mandiant uncovered and publicly disclosed a widespread campaign conducted by the threat group we track as UNC2452.

Ransomware Protection and Containment Strategies Practical Guidance for Endpoint Protection, Hardening and Containment

Ransomware is a common method of cyber extortion or disruption for financial gain.