Mandiant
-
CISA details BRICKSTORM backdoor used by PRC-linked hackers against vSphere and Windows environments
CISA has published technical details of BRICKSTORM, a Golang backdoor used by PRC-linked threat actors to maintain stealthy, long-term access to VMware vSphere and Windows environments; CrowdStrike and other firms link the tool to UNC5221 and Warp Panda, while the Chinese embassy has denied the allegations.
-
Mandiant ties UNC1549 to long-running campaign using TWOSTROKE and DEEPROOT against aerospace and defence
Google-owned Mandiant linked a cluster it tracks as UNC1549 to a campaign from late 2023 through 2025 in which suspected Iranian espionage actors used backdoors including TWOSTROKE and DEEPROOT to target aerospace, aviation and defence organisations by exploiting third-party credentials, VDI breakouts and targeted phishing.
-
Researchers: Actors abused Triofox antivirus feature to execute code as SYSTEM
Researchers say the UNC6485 cluster exploited CVE-2025-12480 in Gladinet Triofox by spoofing a localhost host header to bypass authentication, then abused the product’s antivirus configuration to run a malicious payload as SYSTEM; vendors have released patches and investigators provided indicators of compromise.
-
Google and Mandiant: Zero-day in Oracle E-Business Suite likely impacted dozens of organisations
Google Threat Intelligence Group and Mandiant reported that the exploitation of a zero-day in Oracle E-Business Suite likely affected dozens of organisations, using multiple vulnerabilities and post-exploitation tooling linked to Cl0p-styled extortion campaigns; investigators said Oracle has released patches and some investigative details remain unclear.
-
Oracle issues emergency patch for critical E-Business Suite flaw tied to Cl0p attacks
Oracle issued an emergency update for a critical E-Business Suite vulnerability, CVE-2025-61882 (CVSS 9.8), which the article said has been exploited in recent Cl0p data thefts; Oracle and Mandiant have urged organisations to apply fixes and investigate possible prior compromise.
-
China-linked BRICKSTORM attackers conduct long-running espionage campaign against U.S. tech firms, Mandiant says
Mandiant identifies BRICKSTORM, a China-linked threat group running a long-running espionage campaign against U.S. tech firms, using a Go-based malware to target Linux and BSD systems, with a focus on SaaS providers and other high-value targets, and urges vendors to adopt zero-trust architectures.
