
Mandiant
Google Cloud threat intelligence and IR firm; authors M-Trends; tracks state-sponsored APTs.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How did Mandiant track an attack that hid for 393 days inside enterprise servers?
Timeline for Mandiant
Mentioned in: One operator ran both ransomware brands
Cybersecurity: Threats and DefencesMentioned in: Splunk lands its first-ever KEV entry
Cybersecurity: Threats and DefencesMentioned in: 200 fixes, six zero-days, late Exchange
Cybersecurity: Threats and DefencesPublished attribution naming UNC6780 as the Cisco repository breach operator
Cybersecurity: Threats and Defences: UNC6780 takes Cisco AI Defense source codeConfirmed @shadanai/openclaw and @qqbrowser/openclaw-qbot as additional WAVESHAPER.V2 distribution vectors
Cybersecurity: Threats and Defences: UNC1069 expands the npm WAVESHAPER supply chainWho is UNC1069 and what did they do to Axios?
What did Mandiant find in its 2026 security report?
How does Mandiant attribute cyberattacks to nation states?
Background
Mandiant is one of the most-cited threat intelligence and Incident Response firms globally, with a reputation built on attribution of advanced persistent threat groups and large-scale breach investigations. Its M-Trends annual report is the largest single synthesis of real-world incident-response data in the public domain, drawing on hundreds of thousands of IR engagement hours. Google acquired Mandiant in 2022 for $5.4 billion, integrating it into Google Cloud's Chronicle security platform. Mandiant continues to publish independent threat intelligence under its own brand within the Google Threat Intelligence Group (GTIG).
Mandiant's M-Trends 2026, based on over 500,000 Incident Response hours, documented the BRICKSTORM campaign by UNC5221: a 393-day average dwell time in UK and US legal services, BPOs and tech firms, achieved through ESXi and vCenter implants relayed via legitimate cloud platforms. Mandiant's original CitrixBleed 2023 investigation is also the authoritative technical account of the exploit PATH that CitrixBleed 3 reproduces.
In May 2026, Google Threat Intelligence Group and Mandiant jointly disclosed that North Korea-nexus actor UNC1069 phished an Axios npm package maintainer to introduce malicious dependency plain-crypto-js into two widely-distributed Axios versions, each with 80–100 million weekly downloads. The backdoor, WAVESHAPER.V2, was cross-platform and live for under three hours before detection. The attribution reflects Mandiant's continuing strength in nation-state supply-chain tracking within the GTIG umbrella. For the wider security market, Mandiant's reporting sets the detection and response benchmark: the 393-day BRICKSTORM dwell metric is now the reference figure for any enterprise lacking ESXi telemetry coverage.