We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Experts Warn of Imminent AI Agent Use in Real-World Cyberattacks
Cybersecurity experts including Kevin Mandia warn that AI agents may soon power real-world cyberattacks. While major AI models are well-defended, unregulated or open-source alternatives could enable undetected automation. Experts urge preparation, as shifting motivations may trigger a new era of AI-driven cyber threats, led initially by criminal actors.
DarkCloud Malware Intensifies Targeting Government, Finance, and Tech
Unit 42 observed a spike in DarkCloud Stealer activity, with 78 samples identified in early 2025. Most targeted government entities, followed by tech and finance sectors. Delivered via phishing and AutoIt loaders, DarkCloud harvests credentials and persists through registry keys, while evading detection with advanced anti-analysis tactics.
APT36 Expands ClickFix Technique for Linux Systems
APT36, also known as Transparent Tribe, is expanding its ClickFix phishing campaign to include Linux payloads. A spoofed Ministry of Defence site drops shell commands that mimic past Windows-based tactics. Though current payloads are non-malicious, Hunt.io warns of evolving cross-platform tradecraft targeting Indian government entities.
Accenture CFO Stops Deepfake CEO Scam in Real-Time Incident
Accenture’s CFO prevented a deepfake-enabled fraud attempt after detecting anomalies in a video call with a fake CEO. The incident highlights rising risks from deepfakes in executive impersonation scams. Accenture has since strengthened verification protocols, urging cross-functional strategies and cultural vigilance against synthetic media threats.
CISA Flags Risk of Basic Cyberattacks on Energy Sector ICS/OT
CISA, alongside FBI and DOE, warns that low-skill attackers are targeting OT and ICS systems in the U.S. energy sector. Poor cyber hygiene—like default credentials and exposed remote access—can enable impactful disruptions. CISA recommends removing OT from the internet, enforcing MFA, and improving IT/OT network segmentation.
Babuk Ransomware Deployed After SentinelOne Agent Termination via MSI Interrupt
Stroz Friedberg discovered attackers exploited SentinelOne’s MSI upgrade process to disable EDR protection and deploy Babuk ransomware. By interrupting installation via taskkill, agents were disabled without needing authentication. SentinelOne now recommends enabling "Online authorization" to prevent local upgrades or downgrades, a feature recently set as default for new customers.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want