We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
MuddyWater, APT33 Lead Wave of Iranian Cyberattacks Against Industrial Sectors
Nozomi Networks reports a 133% surge in Iranian state-linked cyberattacks during May–June 2025, primarily targeting U.S. manufacturing and transportation. MuddyWater and APT33 led the wave, with OilRig, Fox Kitten, and others also active. These attacks reflect escalating geopolitical tensions and growing threats to critical infrastructure sectors.
ClickFix Pervasive in 2025, Fueling NetSupport, Latrodectus, and Lumma Stealer Infections Across Key Sectors
Unit 42 reports a surge in ClickFix malware campaigns in 2025, using user-executed commands to deliver NetSupport RAT, Latrodectus, and Lumma Stealer. Sectors hit hardest include technology, financial services, and manufacturing, with infections tied to ClearFake lures and clipboard manipulation. The trend highlights growing social engineering risks.
Justice Department Disrupts North Korean IT Worker Scheme Targeting U.S. Firms
The Justice Department dismantled a large-scale North Korean IT worker scheme targeting over 100 U.S. companies. Using stolen identities and U.S.-based enablers, operatives gained unauthorized access to sensitive systems and laundered millions. The crackdown included searches of 29 laptop farms, indictments, and asset seizures across multiple states and countries.
CISA Warns U.S. Infrastructure at Risk from Iranian-Linked Cyber Activity
CISA and U.S. agencies warn that Iranian-affiliated cyber actors may target critical infrastructure, especially organizations tied to defense or Israeli research. These threats exploit outdated systems, default credentials, and OT vulnerabilities. CISA urges proactive hardening, strong authentication, and updated incident response plans to mitigate the risk of ideological cyberattacks.
Microsoft Entra Gap Lets Guest Users Inject Subscriptions into Target Tenants
A flaw in Microsoft Entra allows guest users to inject subscriptions into external tenants while retaining full control. This bypasses standard auditing and access controls, enabling privilege escalation and persistence. Organizations must tighten subscription policies, audit guest activity, and monitor dynamic access to mitigate this under-recognized cloud risk.
Scattered Spider’s 2025 Strategy Centers on Voice Phishing and Help Desk Abuse
CrowdStrike highlights Scattered Spider’s 2025 escalation in targeting insurance, retail, and aviation sectors using voice phishing and help desk abuse. The group exploits Entra ID, VMware, and AWS environments, deploying ransomware variants like Akira and Play. CrowdStrike urges stronger MFA, access controls, and help desk protections to reduce impact.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
