
Incident Score: Analysis & Impact (MAN1772447486)

The details of each company's incidents and reports give you a full view of the event from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact: -19
Company Score Before Incident: 752 / 1000
Company Score After Incident: 733 / 1000
Incident Number: MAN1772447486
Type of Cyber Incident: Cyber Attack
Attack Vector: Malicious LNK file, removable media (USB drives), cloud-based C2 (Zoho WorkDrive)
Data Exposed: Sensitive surveillance data (keylogging, screenshots,...
Incident Date: 30/11/2025
Status: published

Key Highlights From The Incident Analysis

  • Timeline of Mandiant (part of Google Cloud)'s cyber attack and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Mandiant (part of Google Cloud) Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Mandiant (part of Google Cloud) breach identified under incident ID MAN1772447486.

The analysis begins with an overview of Mandiant (part of Google Cloud)'s profile: its LinkedIn page (https://www.linkedin.com/company/mandiant), its number of followers (210052), its industry type (Computer and Network Security) and its number of employees (1393).

Next, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company's score was 752 before the incident and 733 after it, a difference of -19, which can serve as an indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, along with the impact it had on Mandiant (part of Google Cloud) and its customers.

A newly reported cybersecurity incident, "APT37’s 'Ruby Jumper' Campaign Targets Air-Gapped Networks with Novel Malware Toolkit", has drawn attention.

In December 2025, cybersecurity researchers uncovered a sophisticated cyber-espionage campaign by APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima).

The disruption is felt across the environment: air-gapped networks and Windows systems with removable media are affected, and sensitive surveillance data (keylogging, screenshots, audio/video capture) and remote shell access are exposed.

Formal response steps have not been shared publicly yet.

The case underscores the lessons teams are taking away from it. The campaign highlights the growing sophistication of state-aligned threat actors in targeting high-security environments, including air-gapped networks. The use of legitimate platforms (Zoho WorkDrive, the Ruby runtime) and minimal forensic artifacts complicates detection. Organizations should monitor for unusual Ruby installations, hidden directories on USB drives, and suspicious scheduled tasks. The recommended next steps are to enhance monitoring for unusual Ruby runtime installations and scheduled tasks, implement strict controls on removable media usage in air-gapped environments, and monitor for hidden directories (e.g., $RECYCLE.BIN) on USB drives.

Finally, we map the incident to the MITRE ATT&CK framework to identify which tactics and techniques it correlates with.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence.

Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (80%), supported by evidence of a malicious Windows shortcut (LNK) file, and Replication Through Removable Media (T1091) with high confidence (90%), supported by evidence that the actor infiltrates air-gapped environments via removable media.

Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence that the LNK file launches PowerShell and extracts embedded payloads; Command and Scripting Interpreter: PowerShell (T1059.001) with high confidence (90%), supported by the same evidence that the LNK file launches PowerShell; and Reflective Code Loading (T1620) with moderate to high confidence (80%), supported by evidence that additional malware components are executed reflectively.

Under the Persistence tactic, the analysis identified Scheduled Task/Job: Scheduled Task (T1053.005) with high confidence (90%), supported by evidence that persistence is ensured through a scheduled task, and Event Triggered Execution: Installer Packages (T1546.016) with moderate to high confidence (70%), supported by evidence of a payload disguised as a legitimate executable (usbspeed.exe).

Under the Privilege Escalation tactic, the analysis identified Process Injection (T1055) with moderate to high confidence (70%), supported by evidence of in-memory payload deployment that minimizes forensic traces.

Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with high confidence (90%), supported by evidence of encrypted shellcode and the RESTLEAF implant; Process Injection (T1055) with moderate to high confidence (80%), supported by evidence of in-memory payload deployment that minimizes forensic traces; Hide Artifacts: Hidden Files and Directories (T1564.001) with high confidence (90%), supported by evidence of hidden folders ($RECYCLE.BIN) used to transfer encrypted commands; and Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence of a payload disguised as a legitimate executable (usbspeed.exe).

Under the Credential Access tactic, the analysis identified Input Capture: Keylogging (T1056.001) with high confidence (90%), supported by evidence that FOOTWINE ... has capabilities for keylogging.

Under the Discovery tactic, the analysis identified Process Discovery (T1057) with moderate to high confidence (70%), supported by evidence of the surveillance backdoor (FOOTWINE) with ... screenshots; Audio Capture (T1123) with moderate to high confidence (80%), supported by evidence of FOOTWINE ... audio/video capture; and Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence of FOOTWINE ... screenshots.

Under the Lateral Movement tactic, the analysis identified Replication Through Removable Media (T1091) with high confidence (90%), supported by evidence of USB-driven lateral movement into isolated networks.

Under the Collection tactic, the analysis identified Input Capture: Keylogging (T1056.001) with high confidence (90%), supported by evidence of FOOTWINE ... keylogging; Screen Capture (T1113) with high confidence (90%), supported by evidence of FOOTWINE ... screenshots; Audio Capture (T1123) with high confidence (90%), supported by evidence of FOOTWINE ... audio/video capture; and Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence of remote shell access logs.

Under the Command and Control tactic, the analysis identified Web Service (T1102) with high confidence (90%), supported by evidence that RESTLEAF communicates with the attackers via Zoho WorkDrive; Non-Application Layer Protocol (T1095) with moderate to high confidence (70%), supported by evidence of USB drives used as covert C2 channels; and Ingress Tool Transfer (T1105) with moderate to high confidence (80%), supported by evidence that THUMBSBD uses USB drives to transfer encrypted commands.

Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence of data exfiltration via USB drives and cloud-based C2, and Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) with high confidence (90%), supported by evidence that THUMBSBD ... exfiltrates data via USB drives.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
  • Phishing: Spearphishing Link (80%)
  • Replication Through Removable Media (90%)

Execution
  • User Execution: Malicious File (90%)
  • Command and Scripting Interpreter: PowerShell (90%)
  • Reflective Code Loading (80%)

Persistence
  • Scheduled Task/Job: Scheduled Task (90%)
  • Event Triggered Execution: Installer Packages (70%)

Privilege Escalation
  • Process Injection (70%)

Defense Evasion
  • Obfuscated Files or Information (90%)
  • Process Injection (80%)
  • Hide Artifacts: Hidden Files and Directories (90%)
  • Masquerading: Match Legitimate Name or Location (80%)

Credential Access
  • Input Capture: Keylogging (90%)

Discovery
  • Process Discovery (70%)
  • Audio Capture (80%)
  • Screen Capture (80%)

Lateral Movement
  • Replication Through Removable Media (90%)

Collection
  • Input Capture: Keylogging (90%)
  • Screen Capture (90%)
  • Audio Capture (90%)
  • Data from Local System (80%)

Command and Control
  • Web Service (90%)
  • Non-Application Layer Protocol (70%)
  • Ingress Tool Transfer (80%)

Exfiltration
  • Exfiltration Over C2 Channel (90%)
  • Exfiltration Over Physical Medium: Exfiltration over USB (90%)

Sources & References