We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
APT37 and Chinotto Malware
Kaspersky identifies North Korean APT37 targeting South Korean journalists, defectors, and human rights activists using Chinott malware. Distributed via watering holes, spear-phishing, and smishing, Chinott variants in PowerShell, Windows, and Android share command and control schemes based in HTTP. Capabilities include registry modification, persistence through PowerShell, and file collection.
APT31 SoWaT Route Implant
Imp0rtp3 research details APT31's use of the SoWaT router implant, which functions as a client or server using TLS for communication. The implant supports 16 commands, including a killswitch that activates if no connections are made within 24 hours. The report also highlights APT31's use of Operational Relay Boxes (ORBs) in their network operations involving hacked routers.
UNC2190 - Arcane and Sabbath
Mandiant's research on UNC2190 (Arcane/Sabbath) reveals the group's targeting of critical infrastructure in the US and Canada, along with sectors in education, health, and natural resources. Using ROLLCOAST ransomware, UNC2190 employs multifaceted extortion, data theft, and backup destruction. Notably, no ROLLCOAST code has been found for two years.
WIRTE Group
Kaspersky reports the WIRTE group is using Excel 4.0 macros to target high-profile entities, particularly in the Middle East. The attacks involve phishing campaigns, LotL techniques, and a PowerShell implant called LitePower. There's low confidence attribution linking WIRTE to the Gaza Cybergang.
Vestas Wind Systems Impacted by Cyberattack
Vestas Wind Systems, a wind turbine manufacturer, was hit by a cyberattack on November 19th, 2021. The company is working to restore internal IT systems, with investigations ongoing. Preliminary findings indicate no impact on customer or supply chain operations.
Squirrelwaffle + ProxyShell and ProxyLogon
Trend Micro reports the Squirrelwaffle loader exploiting ProxyShell and ProxyLogon vulnerabilities to hijack email threads without initial lateral movement or malware installation. When victims open a macro-enabled Excel file, a Qbot DLL is downloaded and executed via regsvr32. This technique has been observed since September 2021.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
