Sarah Yoder (Manager, Mandiant Consulting) and Ashley Pearson (Senior Analyst, Advanced Practices on Google Threat Intelligence Group) join host Luke McNamara to discuss UNC5221 and their operations involving BRICKSTORM backdoor. This highly sophisticated, suspected China-nexus cyber-espionage threat group is known for aggressively targeting internet-facing network appliances (like VPNs and firewalls) to establish long-term, stealthy access for espionage.

Read our blog post for more: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

Stuart Carrera (Senior Consultant, Mandiant Consulting) joins host Luke McNamara to discuss how threat actors are increasingly targeting the VMware vSphere estate, and leveraging in this environment to conduct extortion and data theft. Stuart details why this has become an attractive target, and ways organizations can better engineer detections to respond to this activity. 

https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944

https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks

Michelle Cantos (Senior Analyst, Google Threat Intelligence Group) joins host Luke McNamara to discuss some of the recent trends in underground marketplaces around the selling of illicit AI tools and services. Michelle discusses GTIG's research into this space, how threat actors are seeking to leverage these models, use cases being discussed, and more. 

Host Luke McNamara is joined by members of Mandiant Consulting's Operational Technology team (Chris Sistrunk, Seemant Bisht, and Anthony Candarini) to discuss their latest blog on securing assets in the energy grid.

https://cloud.google.com/blog/topics/threat-intelligence/securing-protection-relays-modern-substations

Dima Lenz (Security Engineer, Google Threat Intelligence Group) joins host Luke McNamara to discuss how threat actors have been using ClickFix to socially engineer users. Dima recounts the growth of this technique in 2024, some of the campaigns and actors that have leveraged it, and where it may be headed next. 

Nick Guttilla and Emily Astranova, from Mandiant Consulting's Offensive Security team, join host Luke McNamara for an episode on voice-based phishing, or "vishing." Nick and Emily cover their respective blogs and experiences, diving into how they employ vishing techniques to social engineer organizations--both organically and using AI-powered voice cloning to mimic specific employees--during red team engagements.  

https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats?e=48754805

https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks?e=48754805.

JP Glab (Mandiant Consulting) joins host Luke to discuss responding to activity from North Korean IT workers. He walks through what initially triggered the investigation at this organization, how it progressed in parallel with an HR investigation, and ultimately what was discovered. For more on the DPRK IT workers and trends in incident response, check out Mandiant's 2025 M-Trends report. 

https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025

Matt Lin (Senior Incident Response Consultant, Mandiant) and Daniel Spicer (Chief Security Officer, Ivanti) dive into the research and response of UNC5221's campaigns against Ivanti. They cover how this threat actor has evolved from earlier campaigns, the continued focus of edge infrastructure by APT actors, and the shared responsibility of security in mitigating threats like this. 

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

https://www.ivanti.com/blog/an-update-on-ivantis-ongoing-commitment-to-enhanced-product-security

https://www.ivanti.com/resources/secure-by-design/2024

https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends?e=48754805

Host Luke McNamara is joined by GTIG Senior Security Researcher Rohit Nambiar to discuss Rohit's recent blog on some interesting usage of RDP by UNC5837. Rohit covers the discovery of the campaign, and the novel functionalities they were using to likely support cyber espionage goals. He delves into these findings and the usage of RemoteApps and victim file mapping via RDP, and closes with some of the mysteries that remain about this activity. 

https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol

Imran Ahmad (Senior Partner, Canadian Head of Technology and Canadian Co-Head of Cybersecurity and Data Privacy at Norton Rose Fulbright) joins host Luke McNamara to discuss how executives are thinking about cyber risk in a changing and evolving landscape. He touches on the importance of training before a breach, how ransomware has changed security conversations with boards, and the promise and risk of emerging technologies like AI play for enterprises.