We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk-, pattern-, and sequence-based detections that combine the outputs of Threat Identifiers to identify actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024




All Threat Reports
New MikuBot Malware Available for Purchase in Cyber-Crime Forums
Cyble researchers discovered MikuBot, a new malware available for $1300 for 1.5 months. It targets Windows systems from Vista to 11, stealing data and enabling remote access via hidden VNC sessions. MikuBot spreads through USB, modifies Windows Defender settings, and provides a user interface for attackers.
Bumblebee Loader Not Losing Steam
Cybereason's research highlights Bumblebee loader infections initiated via LNK files in phishing emails. The campaign involved extensive reconnaissance, exploitation of Zerologon, and lateral movement using Cobalt Strike. Bumblebee replaces older loaders like BazarLoader, indicating evolving capabilities and ongoing development among threat actors.
The Price and Value of Stolen Data
SpiderLabs research reveals the value of stolen data, with cybercriminals selling PII for $0.20 to $50, credit cards for $8 to $1500, and bank account access for $100 to $3000. Organization access credentials fetch the highest prices, emphasizing the profitability of data theft for cybercriminals.
BazarCall Phishing Attacks Trending from Conti Affiliates
AdvIntel researchers report a resurgence of BazarCall phishing attacks since March 2022, driven by Conti affiliates. The scheme involves urgent emails prompting recipients to call a number, leading to remote access sessions. Key targets include manufacturing, technology, and finance sectors. Notable groups using this method are Silent Ransom, Quantum, and Roy/Zeon.
PoCs Released For Recently Patched VMware Vulnerabilities
Security researcher Petrus Viet released PoCs for VMware vulnerabilities CVE-2022-31656 (authentication bypass) and CVE-2022-31659 (remote code execution). These critical flaws affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation. VMware advises immediate patching or applying temporary workarounds. No exploits in the wild are currently known.
Use of Windows Shortcut/LNK Files Has Risen Significantly Among Threat Actors
SentinelOne research reveals a significant rise in malicious LNK file usage following Microsoft's macro disablement. Analyzing 27,510 LNK files, they found Windows Explorer and PowerShell as primary executables. Tools like mLNK and QuantumBuilder aid in crafting these files, used by malware families like Qakbot and Emotet in phishing campaigns.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats in order to provide the community, and our customers, with actionable information and enterprise-ready detections to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be responded to with Threat Scenarios or Threat Identifiers.
Strategic
General information security news, for awareness.
Whitepapers
