1 malware family

google_threat_intelligence_group

Also known asgoogle_threat_intelligence_group

Google Threat Intelligence Group (GTIG) is Google’s threat intelligence team. In the provided content, GTIG tracked a 2025 intrusion in which a threat actor used stolen OAuth tokens from the Salesloft Drift app to access hundreds of Salesforce tenants and abused the Drift Email OAuth integration to access a small number of Google Workspace mailboxes that had explicitly connected Drift. GTIG tracked the activity through at least August 18, 2025, confirmed the Google Workspace mailbox access, identified attack patterns including large SOQL pulls, Salesforce Bulk API 2.0 jobs, and deletion of Bulk jobs to hide evidence, and advised organizations to treat any tokens stored in or connected to Drift as potentially compromised. No nation-state attribution, sub-groups, or additional aliases are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0002

Execution

1 technique

T1203

Exploitation for Client Execution

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DarkswordIn mid-March, when three cybersecurity firms — iVerify, Lookout, and Google’s Threat Intelligence Group — published coordinated findings about an exploit kit they named DarkSword. Researchers found it sitting openly on compromised Ukrainian websites... Any visitor on an unpatched iPhone running iOS 18.4 through 18.6.2 would have been silently compromised the moment the page loaded.1Jun 3, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

cyata blogNews

Sep 5, 2025

The Drift breach was not about malware. It was about agentic identity.

GTIG tracked and analyzed a threat actor abusing stolen OAuth tokens from the Drift app to access Salesforce and Google Workspace data at scale, providing detection guidance and incident response recommendations.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.