We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
New Threat Actor Metador is Brought into the Spotlight
SentinelOne researchers uncovered Metador, a threat actor targeting academia, ISPs, and telecoms in Africa and the Middle East. Using in-memory implants like metaMai and Mafalda, Metador conducts long-term intrusions with sophisticated countermeasures. The operators are highly aware of operations security and speak both English and Spanish.
Military Contractors Targeted in STEEP#MAVERICK Campaign
Securonix's research team discovered STEEP#MAVERICK, a campaign targeting military and weapons contractors, including a supplier for the F-35 aircraft. Attackers used spearphishing with ZIP and LNK files, deploying obfuscated PowerShell scripts and advanced evasion tactics. The campaign's C2 infrastructure was registered on DigitalOcean in July 2022.
Job Postings for Government and Unions Lead to Cobalt Strike
In August 2022, Cisco Talos researchers uncovered a campaign using government and union job postings to deliver Cobalt Strike beacons. Attackers used phishing emails with malicious Word documents exploiting CVE-2017-0199 for remote code execution. The campaign targeted the US and New Zealand, employing sophisticated methodologies involving Visual Basic and PowerShell scripts.
Agent Tesla Campaign with LNK Files Built from Quantum Builder
Zscaler ThreatLabz researchers identify a campaign spreading Agent Tesla malware using LNK files created with Quantum Builder. The attack begins with a spearphishing email containing a ZIP file with an LNK file. Upon execution, PowerShell scripts and LOLBins are used to deliver Agent Tesla, bypassing user access control and establishing FTP communication for C2.
APT28 Abuses PowerPoint Mouse Movement to Avoid Macros
Cluster25 researchers reveal APT28's new infection method using PowerPoint's mouse movement feature to bypass macros and execute malicious PowerShell scripts. The attack delivers Graphite malware, using OneDrive for payload storage and Microsoft Graph API for C&C communication.
New Microsoft Exchange Zero-Days CVE-2022-41040 & CVE-2022-41082
GTSC reports new zero-day vulnerabilities in Microsoft Exchange Server (versions 2013, 2016, and 2019): CVE-2022-41040 (SSRF) and CVE-2022-41082 (RCE). These vulnerabilities require authenticated access and allow remote code execution via PowerShell. Microsoft provides detection and mitigation guidelines as fixes are being developed.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
