We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Europol-Led Operation Eastwood Disrupts NoName057(16) DDoS Infrastructure
Operation Eastwood, led by Europol and Eurojust, disrupted the pro-Russian DDoS group NoName057(16), seizing over 100 servers and arresting multiple suspects across Europe. The takedown follows widespread attacks on Ukraine and NATO nations, marking a significant international step against ideologically driven cyber threats.
Salt Typhoon Breach Exposes U.S. Army National Guard Networks in 9-Month Espionage Campaign
Chinese state-backed actor Salt Typhoon infiltrated U.S. Army National Guard networks for nine months in 2024, stealing credentials, network diagrams, and PII. The breach, confirmed by DHS in 2025, highlights systemic cyber exposure and risks of follow-on attacks across military and civilian infrastructure.
Mass Exploitation of Microsoft SharePoint Zero-Days
Microsoft confirms active exploitation of CVE-2025-53770 and CVE-2025-53771 in SharePoint Server. Attackers achieve unauthenticated remote code execution by exploiting deserialization and path traversal flaws. Emergency patches are available for most versions. Organizations must patch immediately, rotate keys, and review IIS logs for signs of compromise such as "spinstall0.aspx."
FileFix Pushes Interlock RAT with Browser-Triggered PowerShell Execution Chain
DFIR Report and Proofpoint observed a May–June 2025 spike in Interlock RAT activity via FileFix—a new infection technique abusing browser-based file explorers to run hidden PowerShell scripts. The PHP variant of Interlock RAT enables stealthy reconnaissance, lateral movement, and persistence using Cloudflare tunneling and targeted domain enumeration.
MuddyWater, APT33 Lead Wave of Iranian Cyberattacks Against Industrial Sectors
Nozomi Networks reports a 133% surge in Iranian state-linked cyberattacks during May–June 2025, primarily targeting U.S. manufacturing and transportation. MuddyWater and APT33 led the wave, with OilRig, Fox Kitten, and others also active. These attacks reflect escalating geopolitical tensions and growing threats to critical infrastructure sectors.
ClickFix Pervasive in 2025, Fueling NetSupport, Latrodectus, and Lumma Stealer Infections Across Key Sectors
Unit 42 reports a surge in ClickFix malware campaigns in 2025, using user-executed commands to deliver NetSupport RAT, Latrodectus, and Lumma Stealer. Sectors hit hardest include technology, financial services, and manufacturing, with infections tied to ClearFake lures and clipboard manipulation. The trend highlights growing social engineering risks.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
