We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Conti's Trails
Though the Conti ransomware group shut down in May 2022, its influence remains evident in the operations of Quantum, Black Basta, and Royal ransomware. These groups share tactics, techniques, and infrastructure linked to Conti, as highlighted by @BushidoToken. Conti's legacy endures in the evolving ransomware ecosystem.
Russian Hacktivists Create New Somnia Ransomware
CERT-UA reports that Russian hacktivists 'From Russia with Love' have created the Somnia ransomware, targeting Ukrainian organizations without demanding ransom. The ransomware acts as a data wiper, with no decryptor available. The group uses compromised credentials and mimics legitimate software for access, employing tools like AnyDesk and Cobalt Strike.
New Campaigns from Chinese Cyberespionage Group Lotus Blossom
Symantec researchers discover new campaigns by the Chinese cyberespionage group Lotus Blossom, targeting Asian certificate authorities, government, and defense sectors. Operating since 2009, the group uses custom backdoors Hannotog and Sagerunex, along with common tools for stealthy operations. Data collection and exfiltration remain their primary objectives.
Iranian-backed Threat Actor Exploits Log4Shell Vulnerability
A joint advisory from CISA and the FBI attributes an attack on a Federal Civilian Executive Branch organization to an Iranian-backed threat actor exploiting the Log4Shell vulnerability. The attackers deployed XMRig malware, used Mimikatz for credential theft, modified Windows Defender settings, and established persistence with Ngrok.
The Latest Hive Ransomware News
CISA's #StopRansomware update highlights Hive ransomware's impact, victimizing over 1,300 companies and demanding $100 million in ransoms. Active since June 2021, Hive targets various sectors using phishing, exploiting public-facing applications, and compromised credentials. Post-exploitation activities include tampering with defenses, data exfiltration, and reinfecting networks.
Emotet Storms Back
Proofpoint researchers report a resurgence of Emotet malware, with a significant increase in infected emails since November 2022. Emotet uses hijacked email threads and invoice-themed lures, deploying IcedID and Bumblebee loaders. To bypass security controls, victims are tricked into moving malicious Excel files into trusted system locations.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
