ctipilot.ch

Google Threat Intelligence Group

report · report:gtig-europe-2025 · single-source

Google Threat Intelligence Group — Europe Data Leak Landscape 2025 (Germany dominant, 96% of victims <5,000 employees)

Coverage timeline: 7 entries, first 2026-05-04 → last 2026-06-27
Entries: 7 (6 distinct days)
Sources cited: 39 (11 hosts)
Sections touched: 5 (active-threats, deep-dive, research)
Co-occurring entities: 6

Story timeline

  1. 2026-06-27 · deep-dive · Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection
  2. 2026-06-26 · deep-dive · Cisco Catalyst SD-WAN Manager CVE-2026-20245
  3. 2026-05-26 · research · Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage
  4. 2026-05-26 · trending-vulnerabilities · CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET machineKey enables ViewState deserialization RCE, exploited as a zero-day
  5. 2026-05-16 · active-threats · GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand
  6. 2026-05-12 · deep-dive · GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware
  7. 2026-05-04 · weekly-annual-reports · Google Threat Intelligence Group — Europe data-leak landscape 2025

Where this entity is cited

  • deep-dive: 3
  • weekly-annual-reports: 1
  • active-threats: 1
  • trending-vulnerabilities: 1
  • research: 1

Source distribution

  • attack.mitre.org: 21 (54%)
  • cloud.google.com: 8 (21%)
  • thehackernews.com: 2 (5%)
  • cert.pl: 1 (3%)
  • cert.ssi.gouv.fr: 1 (3%)
  • github.com: 1 (3%)
  • helpnetsecurity.com: 1 (3%)
  • sec.cloudapps.cisco.com: 1 (3%)
  • other: 3 (8%)

Entries about Google Threat Intelligence Group (7)

2026-06-27

Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection

notable · vulnerability · discovered 2026-06-27 05:17 UTC · deep dive

Background. Google Threat Intelligence Group (GTIG, formerly Mandiant) published a full technical analysis of STOCKSTAY on 2026-06-25, a modular .NET backdoor it attributes with high confidence to Turla — also tracked as Secret Blizzard, SUMMIT and FSB Center 16 — with activity dating to December 2022 (Google Cloud / GTIG, 2026-06-25). GTIG ties STOCKSTAY to Turla's long-running Kazuar implant lineage through shared code: the K1MORPHER Squirrel3-based string obfuscator Turla introduced in April 2025, identical environmental-keying logic, and the same component-separation design pattern — placing this tool in the same toolset GTIG and others have tracked across European diplomatic targeting for years (The Record, 2026-06-26). Primary targets are Ukrainian government and military organisations and European entities with Italian foreign-policy interests.

Architecture and mechanics. STOCKSTAY is partitioned into four .NET assemblies that communicate over Windows WM_COPYDATA inter-process messages, deliberately decoupling the network layer from command execution. MARKETMAKER is the downloader/installer that establishes Registry Run-key persistence masquerading as MicrosoftUpdateOneDrive (T1547.001); STOCKMARKET ("cor") is the orchestrator that generates a 4096-bit RSA key pair on first run; STOCKBROKER ("net") is a proxy-aware WebSocket tunneller built on the open-source websocket-sharp library; and STOCKTRADER ("sys") is the backdoor executor supporting 13 commands (directory listing, file get/put, process execution, registry read/write/delete, screenshot capture, WMI-based system reconnaissance, archive unpacking, and self-destruct). Configuration is AES-encrypted using hostname/domain-name environmental keying (T1480) once past the reconnaissance phase, so the payload will not decrypt or execute off-target — a standard Turla anti-analysis measure.

Command-and-control. C2 responses are wrapped in an RSA-4096-encrypted "CryptoContainer" JSON structure and tunnelled over encrypted WebSocket sessions hosted on legitimate PaaS platforms (Render.com, Glitch) (T1071.001). The controller — a Python Tornado WebSocket server storing victim data in a SQLite database — was found in a public GitHub repository, and the use of third-party PaaS prevents the platform operator from introspecting the encrypted traffic. The implant enforces working hours (09:00–18:00, Mon–Fri) to blend with normal activity.

Delivery / kill chain. Initial access is via spearphishing (T1566.001/.002) using diplomatic-themed lures (drone content, military logistics, diplomatic-education platforms), with malicious RDP configuration files and RAR archives exploiting WinRAR path traversal CVE-2025-8088 for code drop, followed by MSI/HTA execution. STOCKSTAY is then installed, keys to its environment, establishes Run-key persistence, and beacons out over PaaS-hosted WebSockets — staging the operator's interactive command set (T1059) for collection (T1005) and exfiltration over the C2 channel (T1041). GTIG notes deployment alongside other confirmed Turla tools (WILDDAY, DIAMONDBACK).

Detection concepts (no IOCs). Alert on outbound WebSocket connections to *.onrender.com / *.glitch.me from non-browser processes; WM_COPYDATA messages between unrelated processes in EDR telemetry (Sysmon EID 8/10 process-injection/access correlation); Registry Run-key creation pointing at user-space paths masquerading as Microsoft/OneDrive updaters (Sysmon EID 13 / Windows EID 4657); LNK or RDP-config writes into staging directories (Sysmon EID 11); and the WinRAR CVE-2025-8088 exploitation pattern (archive extraction writing files outside the target directory). GTIG published YARA and Google SecOps detection rules with the report.
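
The two EDR-side concepts above (PaaS WebSocket egress from non-browser processes, and Run-key persistence pointing into a user profile under Microsoft/OneDrive naming) expressed as checks over Sysmon-style records. This is an added example, not code from GTIG or from the ctipilot brief; the event dictionaries, hostnames, SID and paths are constructed for the demonstration, and the field names follow Sysmon's EID 3 and EID 13 schema as an assumption about how the telemetry is exported.

```python
"""Detection concepts from the STOCKSTAY brief, run over constructed Sysmon-style records.

Check 1 (EID 3): a non-browser image opening a connection to Render/Glitch.
Check 2 (EID 13): a Run-key value whose data lives under a user profile and
whose value name or path borrows Microsoft/OneDrive naming.
Hostnames, SIDs and paths below are constructed, not real IOCs.
"""
import os
import re

# Browsers legitimately hold WebSockets to PaaS hosts; anything else is the signal.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
PAAS_SUFFIXES = (".onrender.com", ".glitch.me")

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r'^"?[A-Za-z]:\\Users\\', re.IGNORECASE)
MASQUERADE_RE = re.compile(r"microsoft|onedrive", re.IGNORECASE)


def check_network(event):
    """Sysmon EID 3: flag non-browser images connecting to Render/Glitch."""
    host = event.get("DestinationHostname", "").lower()
    # Normalise Windows separators so basename works on any analysis host.
    image = os.path.basename(event.get("Image", "").replace("\\", "/")).lower()
    if host.endswith(PAAS_SUFFIXES) and image not in BROWSER_IMAGES:
        return f"paas-egress: {image} -> {host}"
    return None


def check_run_key(event):
    """Sysmon EID 13: flag Run-key values under a user profile with Microsoft/OneDrive naming."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    value_name = target.rsplit("\\", 1)[-1]
    if not RUN_KEY_RE.search(target) or not USER_PROFILE_RE.match(details):
        return None
    if MASQUERADE_RE.search(value_name) or MASQUERADE_RE.search(details):
        return f"run-key-masquerade: {value_name} = {details}"
    return None


def triage(events):
    """Route each record to the check for its event ID; return the alert strings."""
    alerts = []
    for event in events:
        eid = event.get("EventID")
        hit = None
        if eid == 3:
            hit = check_network(event)
        elif eid == 13:
            hit = check_run_key(event)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real IOCs).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\MicrosoftUpdateOneDrive\net.exe",
     "DestinationHostname": "example-tunnel.onrender.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "example-app.glitch.me", "DestinationPort": 443},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdateOneDrive",
     "Details": r"C:\Users\alice\AppData\Roaming\MicrosoftUpdateOneDrive\MARKETMAKER.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The fourth record shows why the user-profile test matters: the genuine OneDrive updater also sits under a Run key with Microsoft naming, but its binary lives under Program Files, so it is not flagged.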

Hardening / mitigation. Patch WinRAR to 7.11+ to close CVE-2025-8088; enable AMSI and ETW for .NET assemblies and block the AppDomainManager-hijack DLL-placement path; apply GPO to restrict RDP-config auto-connection; and where not operationally required, block Render/Glitch WebSocket egress at the perimeter for diplomat and ministry workstations. For Swiss federal and cantonal foreign-affairs, defence and diplomatic environments, the named Italian-foreign-policy targeting puts this squarely in scope.

nation-state espionage russia-nexus europe switzerland global CVE-2025-8088

2026-06-26

Cisco Catalyst SD-WAN Manager CVE-2026-20245

notable · vulnerability · discovered 2026-06-26 04:54 UTC · deep dive

Mandiant's Google Threat Intelligence Group published a forensic reconstruction of an intrusion in which Cisco Catalyst SD-WAN Manager (formerly vManage) was compromised through CVE-2026-20245 as a zero-day — exploited at a communications service provider from late 2025 through March 2026, months before Cisco's advisory (Mandiant/GTIG, 2026-06-24). Mandiant attributes the activity to no named actor. The reason this matters beyond one victim: SD-WAN Manager is the control plane for an entire WAN fabric — root on the controller is push-access to every managed edge device — so it warrants the same monitoring tier as a VPN concentrator or firewall, and it is now one of several Cisco SD-WAN flaws confirmed exploited during 2026.

The vulnerability. CVE-2026-20245 (CVSS 7.8, no workaround) is a command-injection weakness in the SD-WAN Manager CLI tenant-upload handler: the feature that ingests a tenant-list CSV fails to sanitise file content before it reaches a shell context, so an authenticated operator can embed OS commands inside a crafted CSV and have them execute as root on the underlying Linux host (Cisco PSIRT, cisco-sa-sdwan-privesc-4uxFrdzx). The injected commands appended a new UID-0 account (troot) to the host's local account databases, giving the actor a persistent root login independent of the vManage application's own user model.

Kill chain (as Mandiant documents it):

  • Initial access — the actor reached an authenticated position by abusing peering-authentication-bypass flaws CVE-2026-20127 / CVE-2026-20182 to enrol unauthorised peering and obtain SSH as the vmanage-admin account, or alternatively by using certificate material stolen in a previous compromise (T1190, T1078.004).
  • Privilege escalation — exploitation of CVE-2026-20245 via the crafted tenant CSV, executing as root (T1068).
  • Persistence — creation of the troot UID-0 account in the host account databases, reachable via su (T1136.001).
  • Defense evasion / anti-forensics — the actor changed the legitimate admin password and then reverted it to its original value to reduce detection probability, and deleted command history, syslog entries, and the uploaded files after use (T1070.003).

Hunt and detection concepts. The decisive gap is that vManage's own health dashboards do not surface OS-level account creation — detection has to happen on the underlying host. Baseline and monitor /etc/passwd and /etc/shadow for accounts added since a known-good snapshot (a UID-0 account other than root is the high-fidelity signal here). Review SD-WAN Manager audit logs for tenant-upload CLI/API invocations and correlate them with subsequent privileged shell activity; alert on child processes spawned by the tenant-upload service, and on shell-history truncation or gaps on the controller host. Because the actor reverted the admin password, an unexplained password-change-then-revert pair in admin account auditing is itself worth investigating.
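
The two host-level hunts above (a UID-0 account other than root appearing since a known-good snapshot, and a password change that is reverted shortly afterwards) as a small script. This is an added example, not Mandiant's or Cisco's tooling; the passwd(5) content and the password-change audit records are constructed, and the hash values are placeholders rather than real crypt(3) output.

```python
"""Host-level hunt for the persistence pattern described in the SD-WAN Manager brief.

hunt_accounts(): diff current /etc/passwd against a known-good snapshot and flag
new accounts plus any UID-0 account that is not root.
find_change_revert_pairs(): pair an admin password change with a later change that
restores the previous hash, the change-then-revert signal named in the brief.
All inputs below are constructed.
"""
from dataclasses import dataclass

# Constructed known-good baseline taken from a post-install snapshot.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""
# Constructed current state with a second UID-0 login appended.
CURRENT_PASSWD = BASELINE_PASSWD + "troot:x:0:0::/root:/bin/bash\n"


def parse_passwd(text):
    """Return {username: uid} from passwd(5)-formatted text, skipping blanks and comments."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            accounts[fields[0]] = int(fields[2])
    return accounts


def hunt_accounts(baseline_text, current_text):
    """Findings as (kind, username, uid) tuples."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings = []
    for name, uid in cur.items():
        if name not in base:
            findings.append(("new-account", name, uid))
        if uid == 0 and name != "root":
            findings.append(("uid0-non-root", name, uid))
    return findings


@dataclass
class PasswordChange:
    ts: int          # epoch seconds of the change event
    user: str
    old_hash: str    # hash in effect before the change (placeholder values below)
    new_hash: str


def find_change_revert_pairs(changes, window_seconds=3600):
    """Return (user, change_ts, revert_ts) for changes undone within the window."""
    by_user = {}
    for change in sorted(changes, key=lambda c: c.ts):
        by_user.setdefault(change.user, []).append(change)
    pairs = []
    for user, sequence in by_user.items():
        for i, first in enumerate(sequence):
            for later in sequence[i + 1:]:
                if later.ts - first.ts > window_seconds:
                    break
                if later.new_hash == first.old_hash:
                    pairs.append((user, first.ts, later.ts))
    return pairs


# Constructed audit trail: admin changed and restored within 500 s; a normal rotation elsewhere.
SAMPLE_CHANGES = [
    PasswordChange(1000, "admin", "$6$placeholder-h0", "$6$placeholder-h1"),
    PasswordChange(1500, "admin", "$6$placeholder-h1", "$6$placeholder-h0"),
    PasswordChange(9000, "vmanage-admin", "$6$placeholder-a0", "$6$placeholder-a1"),
]

if __name__ == "__main__":
    print(hunt_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print(find_change_revert_pairs(SAMPLE_CHANGES))
```

On a real controller the baseline would be collected at build time and stored off-host, since the actor in this case had root and cleared local history; the comparison is only as trustworthy as the snapshot's provenance.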

Hardening. Upgrade to a fixed train — 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2 — as there is no workaround. Restrict which operators hold privileged CLI roles, place the management/northbound interfaces behind a source-IP ACL rather than exposing them broadly, enforce MFA on all administrator accounts, and rotate SD-WAN admin credentials (including the default vmanage-admin) on any controller that may have been exposed before patching. Cisco's Catalyst SD-WAN Hardening Guide carries the vendor's own configuration baseline.

vulnerabilities actively-exploited priv-esc rce patch-available global CVE-2026-20245

2026-05-26

Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage

high · research · discovered 2026-05-26 05:00 UTC · single-source

Google Threat Intelligence Group published a teardown of around a dozen current Chinese-language phishing-as-a-service (PhaaS) offerings — case-studied through "YY Lai Yu" (YY来鱼) — whose shared headline capability is real-time OTP relay: a live operator admin panel captures the one-time code the victim types into a spoofed page and re-submits it on the genuine portal inside its validity window, completing the login and defeating TOTP- and SMS-based MFA without a classic reverse-proxy AiTM stack (Google Threat Intelligence Group, 2026-05-25). [SINGLE-SOURCE] — GTIG primary research at time of writing. Two delivery and evasion properties make it operationally distinct: lures ride RCS and iMessage, whose end-to-end encryption blocks carrier-level SMS content filtering (T1566.002); and the kits use Puppeteer-driven AI page cloning to emit per-campaign-unique HTML/JS that frustrates signature-based phishing detection. Captured card-plus-OTP material is immediately provisioned into contactless wallet tokens for high-value transactions (T1111 MFA interception). GTIG names Europe among explicitly targeted regions (alongside the Americas, Australia and the Middle East), notes targeting across 119 countries, and links UNC5814 to the Darcula PhaaS component; the infrastructure is rented, so victimology is buyer-driven rather than fixed to the Japan-heavy template library.

Why it matters to us: any CH/EU financial institution, e-government SSO portal or public-service login that relies on TOTP or SMS as its second factor is in scope — OTP relay neutralises both. FIDO2/WebAuthn (hardware keys or synced passkeys) removes the exposure entirely because the cryptographic assertion is bound to the legitimate origin and cannot be relayed; where FIDO2 cannot yet be deployed, bind the MFA validation to the original login session (IP/device) so a relayed OTP from a different ASN fails. Detection concept: correlate the IP/ASN seen at OTP issuance against the IP/ASN that consumes it within the SSO/IdP logs — an AiTM relay shows the victim's address on the phishing page and the operator's address on the real portal; alert on OTPs consumed seconds after issuance from a different ASN, and on contactless-wallet provisioning immediately following a credential submission from an unrecognised device.
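
The detection concept above, pairing each OTP consumption with the most recent issuance for the same user and alerting when the consuming ASN differs within seconds, as an added example that is not part of the GTIG research or the ctipilot brief. It assumes the IdP log has already been enriched with an ASN per address; the events, addresses (documentation ranges) and ASNs (private range) are constructed.

```python
"""OTP-relay detection over IdP events, following the correlation described in the brief.

Pair each OTP consumption with the latest issuance for the same user and alert
when the consuming ASN differs from the issuing ASN inside a short window.
All events, addresses and ASNs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class IdpEvent:
    ts: int        # epoch seconds
    user: str
    kind: str      # "otp_issued" or "otp_consumed"
    ip: str
    asn: int       # ASN the IP resolves to (enrichment assumed done upstream)


def detect_otp_relay(events, max_delta=120):
    """Return one alert dict per OTP consumed from a different ASN within max_delta seconds."""
    alerts = []
    last_issued = {}
    for event in sorted(events, key=lambda e: e.ts):
        if event.kind == "otp_issued":
            last_issued[event.user] = event
        elif event.kind == "otp_consumed":
            # One issuance pairs with one consumption; drop it once matched.
            issued = last_issued.pop(event.user, None)
            if issued is None:
                continue
            delta = event.ts - issued.ts
            if delta <= max_delta and event.asn != issued.asn:
                alerts.append({"user": event.user, "delta_s": delta,
                               "issued_from": (issued.ip, issued.asn),
                               "consumed_from": (event.ip, event.asn)})
    return alerts


# Constructed IdP log: one relayed OTP, one legitimate login, one slow login from a new network.
SAMPLE_EVENTS = [
    IdpEvent(100, "m.mueller", "otp_issued", "198.51.100.10", 64512),
    IdpEvent(118, "m.mueller", "otp_consumed", "203.0.113.77", 64513),  # consumed 18 s later elsewhere
    IdpEvent(200, "a.rossi", "otp_issued", "198.51.100.20", 64512),
    IdpEvent(230, "a.rossi", "otp_consumed", "198.51.100.20", 64512),   # same origin: legitimate
    IdpEvent(300, "l.brun", "otp_issued", "198.51.100.30", 64512),
    IdpEvent(900, "l.brun", "otp_consumed", "203.0.113.5", 64514),      # outside the window: not flagged
]

if __name__ == "__main__":
    for alert in detect_otp_relay(SAMPLE_EVENTS):
        print(alert)
```

The window should track the OTP validity period the IdP actually enforces; a relay that lands inside it from a different network is the signal, whereas a user who switches from office Wi-Fi to mobile data will usually show a longer gap and no prior failed attempt.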

phishing identity organized-crime ai-abuse china-nexus global europe

2026-05-26

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET machineKey enables ViewState deserialization RCE, exploited as a zero-day

notable · vulnerability · discovered 2026-05-26 05:00 UTC

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education environments (Google Threat Intelligence Group, 2026-05-25; Mandiant Vulnerability Disclosures MNDT-2026-0009). The root cause (CVE-2026-5426) is identical pre-shared ASP.NET machineKey values shipped across all customer installations by default: any party who recovers the hardcoded key from one instance can forge a valid signed/encrypted ViewState payload and replay it against any other deployment. Because ASP.NET ViewState is deserialized through ObjectStateFormatter (BinaryFormatter), a forged payload yields arbitrary .NET object-graph deserialization and remote code execution (T1190). Mandiant states the flaw was exploited as a zero-day prior to the 2026-02-24 patch.

Post-exploitation, the actor deployed BLUEBEAM (a variant of the Godzilla web shell) that runs entirely inside the IIS worker process w3wp.exe — no shell file on disk — receiving commands over encrypted HTTP POST (T1505.003, T1071.001), then injected content into the LMS to mount a watering-hole attack against its users (T1189). Targeting is Japan-primary, but the transferable lesson is broad and urgent for CH/EU public-sector .NET estates: audit every ASP.NET application for shared or default machineKey values and rotate to unique, cryptographically strong per-deployment keys — there is no default-config toggle that removes the shared-key risk. Hunt for Windows Application-log Event ID 1316 (ViewState validation failure — Mandiant notes even successful exploitation generated these) on LMS-adjacent web servers, and for w3wp.exe spawning cmd.exe/powershell.exe/cscript.exe or making unexpected outbound connections (Sysmon EID 1 with a parent-image filter on w3wp.exe). Because BLUEBEAM is memory-resident with no on-disk shell file, live-memory collection on the IIS worker is the primary post-exploitation detection path.
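
The machineKey audit recommended above, as an added example rather than anything from Mandiant, Digital Knowledge or the ctipilot brief: read the machineKey element from each deployment's web.config, skip auto-generated keys, and report any key material shared by more than one deployment. The web.config documents and key values are constructed placeholders, not the vendor's shipped key.

```python
"""Audit ASP.NET web.config files for machineKey values shared across deployments.

A static validationKey/decryptionKey pair that appears in more than one
deployment is the condition the brief describes: whoever has one copy can
forge ViewState for every other copy. Inputs below are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET


def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey), or None when absent or auto-generated."""
    root = ET.fromstring(config_xml)
    node = None
    for system_web in root.iter("system.web"):
        node = system_web.find("machineKey")
        if node is not None:
            break
    if node is None:
        return None
    validation = node.get("validationKey", "AutoGenerate")
    decryption = node.get("decryptionKey", "AutoGenerate")
    # "AutoGenerate,IsolateApps" is the framework default and is per-machine, so not shared.
    if validation.startswith("AutoGenerate") or decryption.startswith("AutoGenerate"):
        return None
    return validation, decryption


def key_fingerprint(key_pair):
    """Short digest so reports never echo the key material itself."""
    return hashlib.sha256("|".join(key_pair).encode()).hexdigest()[:16]


def audit_deployments(configs):
    """configs: {deployment name: web.config text}. Returns {fingerprint: [deployments]} for shared keys."""
    by_fingerprint = {}
    for name, xml_text in configs.items():
        pair = extract_machine_key(xml_text)
        if pair is None:
            continue
        by_fingerprint.setdefault(key_fingerprint(pair), []).append(name)
    return {fp: names for fp, names in by_fingerprint.items() if len(names) > 1}


def web_config(validation, decryption):
    """Build a minimal web.config with a static machineKey (constructed)."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation}" decryptionKey="{decryption}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


# Constructed placeholder keys; a vendor-shipped key would be found in the product's own config.
SHARED_KEY = ("AB" * 64, "CD" * 32)
UNIQUE_KEY = ("11" * 64, "22" * 32)
AUTO_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

SAMPLE_CONFIGS = {
    "campus-a": web_config(*SHARED_KEY),
    "campus-b": web_config(*SHARED_KEY),
    "campus-c": web_config(*UNIQUE_KEY),
    "campus-d": AUTO_CONFIG,
}

if __name__ == "__main__":
    for fp, names in audit_deployments(SAMPLE_CONFIGS).items():
        print(f"shared machineKey {fp}: {', '.join(names)}")
```

In a real estate the dictionary would be filled from configuration management or a file-share crawl, and a second pass would compare each fingerprint against keys known to ship with commercial products; the remediation is the same either way, a unique key per deployment.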

CVE Summary Table

CVE           | Product                                            | CVSS           | EPSS | KEV | Exploited                      | Patch              | Source
CVE-2026-9058 | Szafir SDK (KIR) qualified e-signature library     | 9.3 (CVSS 4.0) | n/a  | No  | Not reported                   | v463               | CERT Polska
CVE-2026-5426 | Digital Knowledge KnowledgeDeliver LMS (ASP.NET)   | n/a            | n/a  | No  | Yes (zero-day, pre-2026-02-24) | 2026-02-24 release | Mandiant GTIG

vulnerabilities actively-exploited rce pre-auth zero-day apac global CVE-2026-5426

2026-05-16

GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand

high · incident · discovered 2026-05-16 05:00 UTC · single-source

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially-motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration (Google Threat Intelligence Group, 2026-05-15). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the <org>.enrollms[.]com and <org>.passkeyms[.]com namespaces); the operator captures credentials and TOTP / push approvals live and immediately registers a new attacker-controlled MFA device for persistent post-vishing access, mapping to T1556 Modify Authentication Process. Post-compromise, BlackFile uses Python requests and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's ClientAppId (d3590ed6-52b3-4102-aeff-aad2292ab01c) in the M365 audit log AppAccessContext field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present python-requests/2.28.1 or WindowsPowerShell/5.1 as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the FileAccessed audit event distinguishes the bulk-API extraction pattern from interactive FileDownloaded events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome. 
The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). MITRE ATT&CK additionally: T1566.004 Spearphishing Voice, T1557 Adversary-in-the-Middle, T1528 Steal Application Access Token. Detection priorities: alert on Okta system.multifactor.factor.setup events not preceded by a user-initiated session; flag M365 audit FileAccessed events with AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c AND a user-agent containing python-requests or PowerShell; require Conditional Access compliant-device for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.
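
The M365 audit-log detection priority above (FileAccessed events carrying the Office ClientAppId together with a scripted user-agent, aggregated per user to surface bulk extraction) as an added example; it is not GTIG's rule and not part of the ctipilot brief. The ClientAppId is the value quoted in the entry; the audit records, users, tenant name and counts are constructed, and the flat field layout is an assumption about how the unified audit log has been exported.

```python
"""Flag scripted bulk SharePoint access that hides behind the Office ClientAppId.

Rule from the brief: Operation == FileAccessed, AppAccessContext.ClientAppId equal
to the Office client id, and a user-agent no genuine Office client presents.
Records below are constructed.
"""
import re
from collections import Counter

# ClientAppId quoted in the brief: carried by genuine Office clients and by the scripted tooling alike.
OFFICE_CLIENT_APP_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
# User-agent fragments that Graph/SharePoint should never see from a real Office client.
SCRIPTED_UA_RE = re.compile(r"python-requests|PowerShell", re.IGNORECASE)


def is_scripted_office_access(record):
    """True when a FileAccessed event claims the Office app id but comes from a script."""
    context = record.get("AppAccessContext") or {}
    return (record.get("Operation") == "FileAccessed"
            and context.get("ClientAppId", "").lower() == OFFICE_CLIENT_APP_ID
            and SCRIPTED_UA_RE.search(record.get("UserAgent", "")) is not None)


def bulk_scripted_access(records, threshold=100):
    """Users whose scripted-Office FileAccessed count meets the threshold, with their counts."""
    counts = Counter(r.get("UserId") for r in records if is_scripted_office_access(r))
    return {user: n for user, n in counts.items() if n >= threshold}


def make_record(user, user_agent, operation="FileAccessed", index=0):
    """Constructed unified-audit-log record in a flattened layout (assumption)."""
    return {
        "Operation": operation,
        "UserId": user,
        "UserAgent": user_agent,
        "ObjectId": f"https://tenant-example.sharepoint.com/sites/finance/doc{index}.docx",
        "AppAccessContext": {"ClientAppId": OFFICE_CLIENT_APP_ID},
    }


# Constructed sample: one scripted bulk reader, one real Office user, one interactive download via PowerShell UA.
SAMPLE_RECORDS = (
    [make_record("j.doe@example.ch", "python-requests/2.28.1", index=i) for i in range(150)]
    + [make_record("a.roth@example.ch",
                   "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.17328; Pro)", index=i)
       for i in range(40)]
    + [make_record("s.keller@example.ch", "Mozilla/5.0 WindowsPowerShell/5.1.19041.1",
                   operation="FileDownloaded", index=i) for i in range(3)]
)

if __name__ == "__main__":
    print(bulk_scripted_access(SAMPLE_RECORDS))
```

The third user is deliberately left out of the result: the brief's point is that bulk API extraction shows up as FileAccessed, so a handful of FileDownloaded events with a scripted user-agent is a different (and lower-priority) question.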

organized-crime phishing identity cloud data-breach global

2026-05-12

GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware

high · threat · discovered 2026-05-12 05:00 UTC · deep dive

ANNUAL REPORT — this is the dedicated treatment of the periodic Google Threat Intelligence Group AI Threat Tracker per PD-9: findings cherry-picked for high relevance to a Swiss / EU public-sector SOC, not a re-summary of the daily-coverage items the GTIG report itself revisits.

Background. GTIG (Google's threat-intelligence merger of Mandiant and the historical Google TAG) has been publishing recurring AI-threat-landscape briefings since the original Adversarial Misuse of Generative AI report (January 2025); CERT-FR's CERTFR-2026-ACT-016 agentic-AI advisory (covered in this brief's 2026-05-10 daily) and the NCSC-CH BACS assessment on AI in vulnerability management (covered same day) lay the European policy floor for the same threat surface. Where the predecessors documented LLM abuse as augmentation of existing tradecraft (phishing-content generation, recon, social-engineering scripts), the May 2026 AI Threat Tracker is the first report to publicly attribute an AI-generated functional zero-day exploit observed in active criminal use (Google Cloud Threat Intelligence — AI vulnerability exploitation initial access, 2026-05-11).

The first AI-generated zero-day exploit observed in the wild

GTIG describes a criminal campaign that used an LLM-generated Python exploit script targeting an unnamed widely-deployed open-source web-based systems-administration tool. The underlying flaw is a 2FA-bypass arising from a semantic logic error: developers hardcoded a trust assumption in one code path that contradicts the authentication-enforcement logic in another. GTIG's editorial point is that this bug class is exactly where LLMs outperform classical static analysis and fuzzers — semantic intent mismatch is undetectable to a fuzzer because the program does not crash, and undetectable to a typical SAST rule because both code paths individually are syntactically defensible.

GTIG attributes the script to LLM generation with high confidence based on structural artefacts atypical of human exploit authors: abundant "educational" docstrings explaining each function's purpose to a hypothetical reader; a hallucinated CVSS score embedded in comments; ANSI-colour helper imports and a --help menu scaffold characteristic of LLM training-data formatting; consistent variable-naming patterns that read like a tutorial rather than an exploit. Mapped to T1190 Exploit Public-Facing Application at runtime, and notable as the first publicly attributed instance of an LLM operating as the exploit author rather than as a phishing-content generator. Responsible-disclosure coordination patched the underlying tool before mass exploitation took hold; GTIG explicitly believes the disclosure disrupted the campaign.

AI-augmented malware families: CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE

The same GTIG release documents four malware families that integrate LLM calls into runtime behaviour rather than into development:

  • CANFAIL and LONGSTREAM (Russia-nexus) insert LLM-generated inert decoy code blocks and daylight-saving-time API calls at runtime to inflate benign-looking telemetry, polluting downstream behavioural-sequence detectors. Mapped to T1553 Subvert Trust Controls (as an EDR-evasion variant) and T1027 Obfuscated Files or Information (LLM-generated junk code as obfuscation).
  • PROMPTFLUX uses the Gemini API at runtime to generate just-in-time self-modifying code for EDR evasion — a logical extension of the polymorphism / packer class, but with the unique property that no two execution-instance signatures need ever match because the LLM is the polymorphism engine.
  • HONESTCUE requests VBScript-obfuscation stubs from Gemini at runtime, weaponising the cloud-API surface as the obfuscator's compiler.

State-actor abuse of Gemini: UNC2814 (PRC), APT45 (DPRK), APT27, UNC5673 (TEMP.Hex / PRC)

GTIG documents state-affiliated actor usage of Gemini for: ORB-fleet management (operating relay-network proxies), recursive-prompting validation of CVE / PoC quality at scale, and persona-driven jailbreaking attempts against embedded-device firmware analysis (TP-Link, the OFTP industrial protocol). UNC5673 (TEMP.Hex) is specifically called out for operating Claude-Relay-Service and CLI-Proxy-API tooling to pool illicit LLM access across Southeast Asian government-targeting operations — meaning the operational unit of compromise has shifted to include stolen LLM API keys as a primary objective, not a side-channel. This is the structural reason TeamPCP's SANDCLOCK stealer (§ 4 UPDATE) now explicitly enumerates LLM API keys alongside cloud credentials: there is a developed criminal market for stolen LLM access keys, driven by both volume billing arbitrage and access to higher-rate-limit / less-monitored model tiers.

Defender takeaway for Swiss / EU public-sector estates running AI workloads: treat LLM API keys as Tier-1 secrets equivalent to cloud-administrator credentials. Specifically: rotate at the same cadence; store in the same KMS / HSM-backed secret manager; enable usage-anomaly alerting at the LLM provider (rate-limit baselines per service principal, geographic / ASN anomalies, prompt-content categories outside business profile); audit any embedded-key check-ins to source control with the same gates as cloud-credential leak detection (T1552.001 Credentials In Files). The GTIG attribution that UNC5673 specifically targets government organisations means the threat profile applies directly to government developers and government-procured AI tooling.

Hardening / detection summary

Concrete posture changes a Swiss federal / cantonal / EU public-sector SOC can implement based on this report alone, in priority order:

  1. Egress allowlisting for LLM-API endpoints: only workloads where LLM access is justified should be permitted outbound to *.googleapis.com/v1beta/, api.openai.com/v1/, api.anthropic.com/, etc. — enforce at SWG and at host firewall on production servers. Catches PROMPTFLUX / HONESTCUE / CANFAIL-class runtime LLM calls from workloads that should not be making them.
  2. LLM-API-key secrets management: treat as Tier-1; rotate quarterly minimum; enable provider-side usage alerting on per-key baselines.
  3. Exploit-artefact LLM-output heuristics added to triage pipelines for PoC scripts pulled from public sources — docstring-density / hallucinated-metadata / ANSI-bootstrap pattern, used as a triage prior, not a verdict.
  4. CI/CD secrets hygiene at the runner level — directly applicable both to the AI-key theft trend and to the SANDCLOCK / TeamPCP Jenkins compromise carried as the § 4 UPDATE. OIDC-federated short-lived credentials where the platform supports it; no long-lived PATs in runner environment.
  5. Behavioural-sequence detector cross-validation: where ML-based EDR is in use, validate against API-call-sequence pollution by sampling current detection thresholds against synthetic LLM-generated benign sequences.
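
Item 3 above, the LLM-output triage prior for scripts pulled from public sources, as an added example that is not GTIG's method and not part of the ctipilot brief. It scores the artefacts the entry lists (docstring density, hallucinated CVSS/CVE metadata in comments, ANSI/colorama bootstrap, argparse scaffold) and returns a number meant as a triage prior only. The two input scripts are constructed: a harmless log line-counter written in the tutorial style described, and a terse one-liner for contrast.

```python
"""Heuristic LLM-artefact score for triaging scripts, per the brief's item 3.

The signals mirror the artefacts GTIG lists; the weights are an assumption chosen
for this example and should be tuned against local samples. Output is a prior for
analyst triage, not a verdict.
"""
import ast
import re

ANSI_HINTS = re.compile(r"\\033\[|\\x1b\[|\bcolorama\b")
META_HINTS = re.compile(r"CVSS\s*:?\s*\d|CVE-\d{4}-\d{4,}", re.IGNORECASE)
WEIGHTS = {"docstring_density": 0.40, "hallucinated_metadata": 0.25,
           "ansi_bootstrap": 0.20, "cli_scaffold": 0.15}


def llm_artefact_score(source):
    """Return (score in [0, 1], signal dict) for Python source text."""
    tree = ast.parse(source)
    functions = [n for n in ast.walk(tree)
                 if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    documented = sum(1 for f in functions if ast.get_docstring(f))
    comment_lines = [line for line in source.splitlines() if line.lstrip().startswith("#")]
    signals = {
        "docstring_density": documented / len(functions) if functions else 0.0,
        "hallucinated_metadata": any(META_HINTS.search(c) for c in comment_lines),
        "ansi_bootstrap": ANSI_HINTS.search(source) is not None,
        "cli_scaffold": "argparse" in source or ".add_argument(" in source,
    }
    score = sum(WEIGHTS[name] * float(value) for name, value in signals.items())
    return round(score, 4), signals


# Constructed sample in the tutorial style the brief describes (harmless line counter).
TUTORIAL_STYLE = '''
"""Log Summary Tool - prints a colourful summary of a log file."""
import argparse
from colorama import Fore

# CVSS: 9.8 (Critical)  <- metadata that has no business in a line counter

def count_lines(path):
    """
    Count the lines in the given file.

    This function opens the file and counts every line so that the user
    can understand how large the log is.
    """
    with open(path) as handle:
        return sum(1 for _ in handle)

def main():
    """Parse the command-line arguments and print the summary."""
    parser = argparse.ArgumentParser(description="Summarise a log file")
    parser.add_argument("path", help="Path to the log file")
    args = parser.parse_args()
    print(Fore.GREEN + f"[+] {count_lines(args.path)} lines")
'''

# Constructed contrast sample: same job, no scaffolding.
TERSE_STYLE = '''
import sys
def n(p):
    return sum(1 for _ in open(p))
print(n(sys.argv[1]))
'''

if __name__ == "__main__":
    for label, text in (("tutorial", TUTORIAL_STYLE), ("terse", TERSE_STYLE)):
        print(label, llm_artefact_score(text))
```

Because the signals are stylistic, a careful human author can trigger all of them and a lightly edited LLM script can trigger none; the score belongs in a triage queue ordering, never in a blocking control.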

ai-abuse nation-state espionage supply-chain organized-crime china-nexus russia-nexus north-korea-nexus global

2026-05-04

Google Threat Intelligence Group — Europe data-leak landscape 2025

notable · annual-report · discovered 2026-05-04 05:00 UTC · single-source

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).

ransomware organized-crime data-breach europe dach