We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
FBI Warns of Ongoing SRG Campaigns Exploiting Remote Access Tools
The FBI reports Silent Ransom Group (SRG) is targeting U.S. law firms using phishing and IT impersonation to deploy remote access tools like WinSCP and Rclone. Once inside, attackers exfiltrate sensitive data and extort victims. SRG’s evolving tactics highlight the need for remote access monitoring and user training.
Finance Leaders Targeted in Global Phishing Operation Delivering NetBird
Trellix discovered a phishing campaign distributing NetBird malware to CFOs and finance executives across finance, energy, and insurance sectors. Victims received recruiter-themed emails linking to Firebase-hosted CAPTCHA pages delivering VBS scripts. The payload installs NetBird and OpenSSH, creating hidden admin accounts and enabling persistent remote access with minimal detection.
Initial Access Groups Reshaping Cyber Threat Landscape, Cisco Talos Warns
Cisco Talos reports that cyber intrusions increasingly involve multiple threat actors, as initial access groups (IAGs) split attacks into compromise and exploitation phases. This evolving model complicates attribution and response, requiring defenders to track both financially motivated and state-sponsored actors, and understand their relationships across the threat ecosystem.
Attack Chain Evolution Reveals Muddled Libra’s Continuous Refinement of its Capabilities
Unit 42’s latest analysis of Muddled Libra shows the threat group evolving its tactics across ransomware and extortion campaigns. Now targeting help desks, using AI voice models, and deploying tools like PsExec, BlackCat, and RMM software, Muddled Libra poses a serious and adaptive threat to enterprise environments globally.
Leaked Access Key Enables Cloud Intrusion, AWS Identity Center Abused for Persistence
Datadog uncovered an AWS breach exploiting a leaked access key tied to a management account. Attackers used AWS Identity Center and Lambda to establish persistence, created IAM users, disabled centralized services, and abused Telegram bots for automation. The case highlights how long-term keys can trigger full cloud compromise.
Fake Voices, Real Threat: FBI Flags Rise in Deepfake Vishing Attacks
The FBI warns of deepfake vishing attacks impersonating senior U.S. officials using AI-generated voices and smishing tactics. Active since April 2025, the campaign exploits trust to hijack accounts and extract sensitive data. The agency advises verifying messages via trusted channels and enabling multi-factor authentication to prevent compromise.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
