Post by Mandiant (part of Google Cloud)
Tracking dark web threat actors is a big challenge as seized forums rapidly re-emerge under new names. The history of the underground economy is littered with examples of brand reincarnation, ranging from the emergence of BreachForums to the persistence of XSS through pre-established mirrors over a decade after its original launch as DaMaGeLaB. For intelligence analysts, tracking actors across these ever-shifting platforms is both complex and laborious.

To address this, agentic threat intelligence (TI) in Google Threat Intelligence and the recently launched dark web monitoring module allow analysts to hunt and pivot across forums using natural language or specific modifiers. Analysts can now streamline investigations to map operations from infrastructure acquisition to monetization. Recent internal investigations highlight the platform's capability to scale attribution:

- Unmasking multi-alias actors: By pivoting on unique Tox and Session IDs, agentic TI definitively linked an infrastructure buyer persona ("pepela") to a dangerous data broker ("Spirigatito"), immediately mapping connections to massive global exfiltrations.
- Proactive threat hunting: Using direct natural language queries, analysts identified multiple actors targeting the Banco Santander Group, automated the verification of leaked standardized financial account strings, and structured intelligence into specific HUMINT requests.
- Exposing global broker networks: Agentic TI connected seemingly disparate threat aliases, such as "Grubder" and "TelephoneHooliganism," into a single coordinated operation by identifying shared verbatim marketing templates and technical fingerprints like Salesforce custom field suffixes.

By bridging identities and automatically generating relationship graphs that visualize technical infrastructure and victims, agentic TI transforms raw dark web intelligence into an actionable, strategic understanding of the threat landscape. https://goo.gle/4cSqzl5
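The two pivots the post describes, linking personas through a shared contact ID and through a reused verbatim ad template, reduce to a small entity-resolution step. The following is an added example written for this page, not Google Threat Intelligence code; the posts, Tox/Session IDs and ad texts are constructed placeholders, and the alias names are only those the post itself mentions.

```python
import re
from collections import defaultdict

# Constructed sample forum posts (placeholder IDs and ad text, not real data).
POSTS = [
    {"alias": "pepela", "tox": "TOX-PLACEHOLDER-1", "session": None,
     "text": "Buying corporate VPN/RDP access, escrow accepted."},
    {"alias": "Spirigatito", "tox": "TOX-PLACEHOLDER-1", "session": "SESSION-PLACEHOLDER-1",
     "text": "Fresh database dumps, samples on request."},
    {"alias": "Grubder", "tox": None, "session": None,
     "text": "FRESH  Salesforce export, fields *_c, escrow OK!!"},
    {"alias": "TelephoneHooliganism", "tox": None, "session": None,
     "text": "fresh salesforce export, fields *_c, escrow ok"},
    {"alias": "broker_x", "tox": "TOX-PLACEHOLDER-2", "session": None,
     "text": "Buying bulk mail lists."},
]

def normalize(text):
    """Collapse case, punctuation and whitespace so copy-pasted ads compare equal."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", text.lower())).strip()

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def link_aliases(posts):
    """Cluster aliases joined by a shared contact ID or a verbatim ad template.

    Returns (clusters, evidence): clusters is a sorted list of sorted alias
    lists; evidence lists each pivot kind and the aliases it tied together.
    """
    parent = {p["alias"]: p["alias"] for p in posts}
    by_key = defaultdict(set)  # (pivot kind, value) -> aliases seen with it
    for p in posts:
        for kind in ("tox", "session"):
            if p.get(kind):
                by_key[(kind, p[kind])].add(p["alias"])
        by_key[("template", normalize(p["text"]))].add(p["alias"])
    evidence = []
    for (kind, _value), aliases in by_key.items():
        if len(aliases) > 1:  # a pivot only counts when it spans personas
            first, *rest = sorted(aliases)
            evidence.append((kind, sorted(aliases)))
            for other in rest:
                parent[find(parent, other)] = find(parent, first)
    clusters = defaultdict(set)
    for alias in parent:
        clusters[find(parent, alias)].add(alias)
    return sorted(sorted(c) for c in clusters.values()), evidence
```

Each cluster is one node group for a relationship graph; the evidence list records which pivot (contact ID or template) justified every edge, so an analyst can review the linkage rather than trust it blindly.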