We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Protestware
In protest of the Russia-Ukraine conflict, node-ipc developer Brandon Nozaki Miller released compromised versions 10.1.1 and 10.1.2, targeting users in Russia and Belarus. These versions corrupt files on the victim host, tracked as CVE-2022-23812. The sabotaged versions have been removed, and version 10.1.3 is now available without the malicious code.
Ukraine Targeted with Fraudulent Translation Software
On March 16th, 2022, SentinelOne reported that SaintBear is distributing fraudulent translation software in Ukraine to infect users with GrimPlant and GraphSteel malware. This campaign, active since February 2022, involves downloading additional payloads, running reconnaissance commands, establishing persistence, and collecting credentials.
Threat Group Delivers Cobalt Strike Through AV Updates
Ukrainian CERT warns of a phishing campaign by UAC-0056/Lorec53, delivering Cobalt Strike through fake antivirus updates. The campaign prompts users to download "itdefenderWindowsUpdatePackage.exe" which downloads a Cobalt Strike beacon from Discord. The attack establishes persistence, conducts reconnaissance, and executes commands on the victim host.
RURansom Wiper
TrendMicro reports the discovery of RURansom Wiper, a malware targeting Russian assets amid the Ukraine conflict. Detected between February 26 and March 2, 2022, the malware causes irreversible damage, without ransom demands. It executes only if the host's software or IP is Russian, with multiple variations observed.
Malware “Liberator” Targets Ukraine
Cisco Talos reports that cybercriminals are exploiting the Russia-Ukraine conflict by distributing the "Liberator" malware to Ukraine sympathizers. Disguised as a DDoS tool against Russia, the malware is spread through Telegram, specifically targeting members of the Ukraine IT Army. The threat actor behind this has been active since November 2021, distributing various information stealers.
TA416
Since November 2021, Chinese APT group TA416 has escalated phishing attacks on European diplomats, using web bugs, SMTP2Go for sender impersonation, and Dropbox links to deliver PlugX malware. The campaigns increased notably following Russia's invasion of Ukraine, highlighting significant geopolitical implications.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
