We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Phosphorus/APT32 New PowerLess Trojan
Cybereason reports that Iranian group Phosphorus/APT35 is using the new PowerLess Trojan and exploiting Log4Shell vulnerabilities. The Trojan avoids detection by running PowerShell in a .NET context, downloading additional payloads for information theft. There are potential links between this activity and Memento ransomware based on infrastructure overlaps.
News Corp Cyberattack
News Corp reported a January 2022 cyberattack by hackers aligned with a foreign government. The attackers accessed emails and documents of employees, including journalists. Affected News Corp properties include Fox News, The Wall Street Journal, New York Post, and News UK. Data exfiltration was confirmed, though full impact details are undisclosed.
MuddyWater ATP Group
Cisco Talos research reveals that the Iranian APT group MuddyWater, linked to Iran's Ministry of Intelligence and Security (MOIS), is targeting users in Turkey. The group uses malicious PDFs, Office documents, and Windows executables to gain initial access. MuddyWater leverages living-off-the-land binaries (LoLBins) like VBS scripts and DLLs to evade detection. Persistence is established through registry key modifications, and the group uses canarytokens to track code execution and implement anti-analysis methods. These tokens notify the attacker when an object is opened, adding layers of evasion and control.
Koxic Ransomware
Cyble Research Labs analyzes Koxic ransomware, detailing its process of collecting system information, modifying registry keys, and tampering with system defenses. The ransomware terminates security applications, deletes shadow copies, and collects sensitive information, which is exfiltrated before encryption. Encrypted files are given the extension "KOXIC_KLIBD," and a ransomware note is distributed to victim hosts.
Conti Ransomware Hits KP Snacks
On January 28th, 2022, British snacks producer KP Snacks was compromised by the Conti ransomware gang. The attack resulted in the compromise and leak of sensitive documents, including employee records and financial documents. Due to the disruption to its supply chain, KP Snacks has notified markets that there may be shortages and delivery delays or cancellations, with the impact expected to last until the end of March.
Antlion APT Group
Symantec reports on Antlion, a Chinese state-backed APT group, targeting Taiwanese financial institutions and manufacturing organizations with prolonged dwell times. Using the custom xPack backdoor, the group executed various commands, exploited vulnerabilities like EternalBlue, and used tools such as PsExec for data collection.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
