We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Earth Longzhi Another Subgroup to APT41
Trend Micro identifies Earth Longzhi, a new subgroup of APT41, targeting East and Southeast Asia since 2020. Earth Longzhi exploits RCE vulnerabilities and uses phishing emails to deploy Cobalt Strike and custom tools for privilege escalation and credential dumping, impacting sectors like academics, aviation, and healthcare.
IPFS A Web3 Technology Used to Host Phishing & Malware
Cisco Talos identifies threat actors exploiting IPFS, a Web3 protocol, to host phishing and malware campaigns. Leveraging IPFS's low-cost and resilient storage, attackers deliver payloads like Agent Tesla via phishing emails. The platform's resistance to content moderation complicates detection, posing an increasing threat in 2022.
IceXLoader Makes an Impact After the Latest Update
Minerva Labs reports a surge in IceXLoader infections after the update to version 3.3.3. The malware now uses advanced evasion techniques, including AMSI bypass and Windows Defender disabling. It gains persistence through the Run registry and collects host information, making it a significant threat globally.
Microsoft Attributes Prestige Ransomware to a Russian Threat Actor
Microsoft attributes the Prestige ransomware attacks on Ukraine and Poland to Russian threat actor IRIDIUM, linked to the GRU's Sandworm. Targeting humanitarian and military programs, IRIDIUM uses tools like RemoteExec and Impacket WMIexec in post-exploitation. The campaign highlights unique enterprise-wide ransomware deployment in Ukraine.
SocGholish Drops JavaScript File from Compromised News Sites
Proofpoint and BleepingComputer report SocGholish distributing malware through compromised news sites, injecting malicious JavaScript into assets accessed by over 250 regional and national outlets. The attack, tracked to TA569, uses fake browser updates to deliver its payload, impacting major markets like New York, Chicago, and Miami.
Unraveling the Yanluowang Ransomware Group from Chat Leaks
Leaked chat logs analyzed by KELA reveal the inner workings of the Yanluowang ransomware group, suggesting ties to former REvil members. Discussions show active development of an ESXi version of their malware. This marks the second significant ransomware group data leak of 2022, following the Conti leak.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
