We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Scattered Spider Shifts Focus to U.S. Insurance Sector, Google Warns
Scattered Spider has turned its attention to the U.S. insurance industry, according to Google. Recent incidents at major providers suggest the group is using social engineering to bypass defenses, particularly targeting help desks and call centers. Organizations are urged to enhance identity verification and access control procedures immediately.
North Korean Group Deploys Python-Based PylangGhost RAT in Job Scam Campaigns
Cisco Talos identified North Korean group Famous Chollima using the Python-based PylangGhost RAT in fake job recruitment scams. Masquerading as firms like Coinbase, the actor targets marketing and tech professionals. Victims unknowingly install the RAT, which enables file theft, persistence, and remote control across compromised systems.
Water Curse Targets Devs and Red Teamers via Weaponized GitHub Repos
Trend Micro uncovered Water Curse, a threat actor weaponizing GitHub repositories to target developers, gamers, and red teamers. The campaign deploys multi-stage malware hidden in project files, enabling privilege escalation, data exfiltration, and persistent access. It leverages GitHub’s reach and legitimate services like Telegram and Gofile for command and control.
INTERPOL’s Operation Secure Leads to 32 Arrests, 41 Server Seizures in Cybercrime Crackdown
INTERPOL’s Operation Secure dismantled major infostealer operations across 26 countries, arresting 32 individuals and seizing 41 servers. With backing from Group-IB, Kaspersky, and Trend Micro, the effort disrupted Lumma, META, and RisePro networks and notified over 216,000 victims, marking a major win in global cybercrime enforcement.
Stealth Falcon Exploits CVE-2025-33053 in Targeted Espionage Across Middle East
APT group Stealth Falcon exploited CVE-2025-33053 in a new espionage campaign targeting defense and government entities in the Middle East. Using WebDAV-hosted malware, Horus Loader, and a customized Mythic-based implant, the group maintained stealth with LOLBins, obfuscation, and advanced evasion tactics, continuing its long-standing regional targeting strategy.
Rare Tools and Post-Ransom Persistence Mark Unusual Fog Campaign
Symantec identified a Fog ransomware campaign targeting a financial institution in Asia using rare tools like Syteca, GC2, and Adaptix. Attackers maintained network access even after deploying ransomware, suggesting espionage or hybrid motives. Lateral movement, data exfiltration, and service-based persistence marked this unusually complex operation.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
