

We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024




All Threat Reports
APT41 UEFI Malware MoonBounce
Kaspersky reports that APT41 is using the highly persistent MoonBounce UEFI firmware implant, which resides in the SPI flash memory of the motherboard. The implant operates filelessly, initiating from the CORE_DXE component during the UEFI boot sequence and reaching out to a C2 server for further payloads. The implant was first identified in spring 2021, with evidence suggesting espionage activity starting as early as 2020.
Chinese Cyber-Espionage Group Earth Lusca
Trend Micro has identified the Chinese cyber-espionage group Earth Lusca, which conducts covert operations against institutions of interest to the Chinese government while also engaging in financially motivated activity. Since mid-2021, Earth Lusca has targeted a wide range of sectors, including education, finance (specifically cryptocurrency), gambling, government, news, telecommunications, and religious organizations. For initial access the group uses watering hole attacks, spear-phishing campaigns, and exploitation of vulnerabilities in public-facing applications, such as ProxyShell and flaws in Oracle products.
WhisperGate
Palo Alto Networks Unit 42 reports on WhisperGate, destructive malware that has targeted Ukraine since January 13, 2022. WhisperGate consists of Stage1.exe, which overwrites the master boot record, and Stage2.exe, an in-memory implant that retrieves additional malicious files from Discord. The malware uses LOLBINs and anti-analysis techniques to evade detection.
Crypto.com Data Breach
Crypto.com, one of the largest cryptocurrency trading platforms, disclosed a data breach on January 17th, 2022, in which at least 483 customer accounts were compromised. Users reported unauthorized withdrawals, prompting the company to suspend withdrawals and implement additional security measures. Crypto.com CEO Kris Marszalek confirmed that no customer funds were lost and that affected customers were fully reimbursed. The unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other currencies. The company revoked all customers' 2FA tokens, causing 14 hours of downtime for its withdrawal infrastructure.
Web Page Archive Files
Netskope Threat Labs has identified malicious Microsoft Office documents delivered as Web Page Archive files (.mht/.mhtml) in recent attacks. These files, potentially linked to APT32/OceanLotus, contain VBS code that drops DLL files and creates a scheduled task for persistence. The DLL injects itself into another process, keeps rundll32 running indefinitely, and sends data to a C2 server hosted on Glitch.
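The two-tier model described above under Threat Identifier Detections and Threat Scenario Detections (atomic identifiers feeding a sequence-based scenario) can be illustrated with the MHT chain just summarized. The following is an added example, not Anvilogic's product code or Netskope's research artifact: three constructed atomic identifiers (Office spawning a script host, schtasks /create, rundll32 loading a DLL from a user-writable path) are run over constructed Sysmon-style process events, and a scenario detection fires only when all three occur on one host, in order, inside a time window. Field names, paths, hostnames, and the 30-minute window are assumptions made for the example.

```python
"""Atomic threat identifiers composed into a sequence-based threat scenario.

Added example; the event schema, identifier logic and sample data below are
constructed for illustration and are not taken from any vendor's product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    image: str      # full path of the created process
    parent: str     # full path of the parent process
    cmdline: str


OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Locations an unprivileged user can write to (assumed list, not exhaustive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# --- Threat Identifiers: stateless predicates over a single event -----------
def ti_office_spawns_script_host(e: Event) -> bool:
    return _base(e.parent) in OFFICE and _base(e.image) in SCRIPT_HOSTS


def ti_schtasks_create(e: Event) -> bool:
    return _base(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower()


def ti_rundll32_user_writable_dll(e: Event) -> bool:
    return _base(e.image) == "rundll32.exe" and any(
        p in e.cmdline.lower() for p in USER_WRITABLE)


THREAT_IDENTIFIERS: Dict[str, Callable[[Event], bool]] = {
    "office_script_host": ti_office_spawns_script_host,
    "schtasks_create": ti_schtasks_create,
    "rundll32_user_dll": ti_rundll32_user_writable_dll,
}


def run_identifiers(events: List[Event]) -> List[Tuple[str, Event]]:
    """Evaluate every identifier against every event; return (name, event) hits."""
    return [(name, e) for e in events
            for name, fn in THREAT_IDENTIFIERS.items() if fn(e)]


# --- Threat Scenario: ordered sequence of identifier hits on one host -------
MHT_PERSISTENCE_SCENARIO = ["office_script_host", "schtasks_create", "rundll32_user_dll"]


def detect_sequence(hits: List[Tuple[str, Event]], steps: List[str],
                    window: timedelta) -> List[Tuple[str, List[Event]]]:
    """Return (host, [events]) for each host where `steps` occur in order within `window`."""
    by_host: Dict[str, List[Tuple[str, Event]]] = {}
    for name, e in hits:
        by_host.setdefault(e.host, []).append((name, e))
    matches = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h[1].ts)
        for i, (name, first) in enumerate(host_hits):
            if name != steps[0]:
                continue
            chain, idx = [first], 1
            for later_name, later in host_hits[i + 1:]:
                if later.ts - first.ts > window:
                    break               # window measured from the first step
                if later_name == steps[idx]:
                    chain.append(later)
                    idx += 1
                    if idx == len(steps):
                        matches.append((host, chain))
                        break
    return matches


# --- Constructed sample telemetry (not real logs) ---------------------------
T0 = datetime(2022, 1, 20, 9, 0, 0)
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # ws-17: full chain inside 30 minutes -> scenario should fire
    Event(T0, "ws-17", SYS32 + r"\wscript.exe", WORD,
          r"wscript.exe C:\Users\alice\AppData\Local\Temp\doc.vbs"),
    Event(T0 + timedelta(minutes=1), "ws-17", SYS32 + r"\schtasks.exe", SYS32 + r"\wscript.exe",
          r'schtasks /Create /SC MINUTE /TN Update /TR "rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,Start"'),
    Event(T0 + timedelta(minutes=2), "ws-17", SYS32 + r"\rundll32.exe", SYS32 + r"\svchost.exe",
          r"rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,Start"),
    # ws-22: benign admin activity; one identifier fires, no scenario
    Event(T0, "ws-22", SYS32 + r"\schtasks.exe", SYS32 + r"\cmd.exe",
          r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe"),
    Event(T0 + timedelta(minutes=3), "ws-22", SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # ws-30: same chain, but rundll32 runs two hours later -> outside window
    Event(T0, "ws-30", SYS32 + r"\wscript.exe", WORD, r"wscript.exe C:\Users\bob\AppData\Local\Temp\a.vbs"),
    Event(T0 + timedelta(minutes=5), "ws-30", SYS32 + r"\schtasks.exe", SYS32 + r"\wscript.exe",
          r"schtasks /Create /SC MINUTE /TN Sync /TR C:\Users\bob\AppData\Roaming\s.dll"),
    Event(T0 + timedelta(hours=2), "ws-30", SYS32 + r"\rundll32.exe", SYS32 + r"\svchost.exe",
          r"rundll32.exe C:\Users\bob\AppData\Roaming\s.dll,Start"),
]


def alerting_hosts(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    hits = run_identifiers(events)
    return [host for host, _ in detect_sequence(hits, MHT_PERSISTENCE_SCENARIO, timedelta(minutes=30))]


if __name__ == "__main__":
    print("identifier hits:", [(n, e.host, _base(e.image)) for n, e in run_identifiers(SAMPLE_EVENTS)])
    print("scenario fired on:", alerting_hosts())
```

The point of the split is that each identifier is cheap and noisy on its own (schtasks /create runs on every healthy fleet), while the scenario layer adds the ordering and time constraint that turns three weak signals into one alert; widening the window or dropping a step trades precision for recall, which is the tuning knob an operator actually turns.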
Signed DLL Campaigns / Polyglot
Researchers Jason Reaves and Joshua Platt detail campaigns that use polyglot files, embedding VBScript inside signed DLLs, to bypass security controls. Malicious installers distribute payloads such as AteraAgent, Zloader, Gozi, and Cobalt Strike. The embedded scripts modify Windows Defender settings, invoke PowerShell downloads, modify the registry, and execute shutdown commands.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats in order to provide the community, and our customers, with actionable information and enterprise-ready detections to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want





