We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Black Basta, Cactus Ransomware Actors Evolve Tactics Amid Surge in Spam-Fueled Attacks
Cisco Talos observed rising phishing and ransomware activity in Q1 2025, with Black Basta and Cactus using spam floods, vishing, and MFA token theft to gain access. Manufacturing, healthcare, and retail were top targets. Rapid evolution of attacker tactics underscores the need for stronger MFA and social engineering defenses.
New Record Set as IC3 Reports $16.6B in Cybercrime Losses for 2024
The FBI’s IC3 recorded $16.6B in cybercrime losses for 2024, a 33% increase from 2023. While complaints dropped slightly, financial impact surged. Investment fraud, BEC, and ransomware drove losses. Older adults were disproportionately affected, while call center fraud and new ransomware variants emerged as growing threats.
Phishing Campaign Delivers FOG Ransomware via Fake “Pay Adjustment” Notices
Trend Micro tracked an ongoing phishing campaign where fake "Pay Adjustment" emails deliver FOG ransomware. Victims span sectors like tech, healthcare, and education. The attack uses disguised .lnk files, PowerShell loaders, privilege escalation exploits, and hidden ransomware payloads, encrypting data with a .flocked extension and dropping DOGE-themed ransom notes.
An Initial Access Broker Facilitates a Cactus Ransomware Intrusion in Multi-Phase Breach
Cisco Talos reported a multi-phase breach in which IAB Toymaker used a custom backdoor, LAGTOY, to gain initial access to a critical infrastructure network. After three weeks of dormancy, access was handed to a Cactus ransomware affiliate, who executed reconnaissance, exfiltration, and ransomware deployment over a twelve-day window.
Concern Mounts Over China’s Strategic Cyber Positioning
Chinese APTs, including Volt Typhoon, are targeting critical U.S. infrastructure by exploiting edge device blind spots and rotating infrastructure to avoid detection. Experts warn China is positioning itself for potential disruption scenarios. Defenders are urged to go beyond EDR and integrate AI, identity protection, and network analytics to respond.
Silent Ransomware Attack Exploits AWS Native Features to Encrypt Cloud Storage
A stealth ransomware campaign exploits stolen AWS credentials to encrypt S3 bucket contents using native server-side encryption (SSE-C). No files are deleted or exfiltrated, making detection difficult. Victims receive ransom notes requesting BTC payments for decryption. Security experts urge IAM audits, key rotation, and SSE-C permission restrictions.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
