Loading AttackTrace...
AttackTrace knowledge platform
AttackTrace connects adversary behavior, telemetry, detections, investigations, and mitigations into a single cybersecurity knowledge platform.
Latest reviewed activity
NewGoogle Threat Intelligence Group reported that UNC6508, a PRC-nexus espionage cluster, compromised North American medical, academic, and military research organizations by exploiting externally facing REDCap servers, deploying INFINITERED malware, harvesting credentials, and exfiltrating selected email through Google Workspace compliance rules.
First visit
Follow one reviewed brief into mapped behaviors, telemetry, and framework pivots.
Open a source-backed brief with the important behavior already mapped.
Open latest briefMove from the case into ATT&CK tactics, techniques, telemetry, and mitigations.
Browse ATT&CKUse ATLAS and search when the behavior crosses into adversarial AI systems.
Explore ATLASWhat AttackTrace Provides
Understand adversary techniques, telemetry, detections, investigations, and mitigations.
Explore ATT&CKCurated real-world threat activity mapped to ATT&CK techniques and attack patterns.
View top activityCoverage for adversarial AI and machine-learning attack techniques alongside ATT&CK.
Explore ATLASReviewed intelligence
Human-curated entries only. Mappings are evidence-backed and documented before they appear here.
Google Threat Intelligence Group reported that UNC6508, a PRC-nexus espionage cluster, compromised North American medical, academic, and military research organizations by exploiting externally facing REDCap servers, deploying INFINITERED malware, harvesting credentials, and exfiltrating selected email through Google Workspace compliance rules.
Operation Digital Eye highlighted intrusion activity against technology and business services, combining infrastructure preparation, command execution, credential access, and data movement.
The APT28 Nearest Neighbor campaign demonstrated creative access through nearby networks, emphasizing wireless discovery, credential use, remote access, and stealthy movement into target environments.
ArcaneDoor activity focused attention on network perimeter devices, showing how exploitation and tooling on appliances can support stealthy access to sensitive environments.
Volt Typhoon activity highlights long-term access to critical infrastructure using legitimate accounts, built-in administration tools, network discovery, and operational stealth rather than heavy malware deployment.
Cutting Edge activity against Ivanti Connect Secure and Policy Secure appliances showed how edge-device exploitation can lead to web shell persistence, credential theft, and log or artifact manipulation.