We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Supply chain + dev tooling is also a real macOS vector now
Attackers are increasingly compromising macOS systems by poisoning developer tooling—npm packages, build scripts, and CI/CD pipelines. With 73% of developers using macOS, threat actors exploit postinstall scripts, LaunchAgents, and deceptive dev utilities. Campaigns like AdaptixC2 and Shai-Hulud show the growing scale and impact of macOS supply chain compromise.
Systems Trust Controls are under active, repeated attack
macOS systems face a sharp rise in attacks that bypass Gatekeeper, XProtect, and quarantine by manipulating user trust rather than exploiting vulnerabilities. Threat actors abuse AppleScript and social engineering to disable protections, leading to credential theft, crypto loss, and major supply chain risks across cryptocurrency, fintech, government, and technology sectors.
Big-Picture MacOS Threat Climate
DBIR 2024 and M-Trends 2025 highlight a shifting macOS threat landscape dominated by exploits, credential theft, and social engineering. Cross-platform malware families increasingly bypass Apple’s defenses while human error drives most breaches. macOS now mirrors global trends, from vulnerability exploitation to identity compromise and extortion workflows.
OpenAI Tracks Phish, Malware Tooling, And Low-Reach Influence Campaigns
OpenAI’s October 2025 report reveals threat actors integrating large language models into phishing, malware maintenance, scams, and small-scale influence operations. Despite disruptions of over 40 networks, investigators found no evidence of new offensive capabilities, emphasizing iterative abuse of AI tools, multilingual lure generation, and adaptive social engineering.
From CL-STA-0043 to Phantom Taurus: Multi-Year Hunt Reveals New PRC Cyber Playbook
Unit 42 formally identifies Phantom Taurus, a PRC-aligned APT evolved from cluster CL-STA-0043. Active since 2023, it targets government and telecom networks across Africa, the Middle East, and Asia. The group employs the .NET-based NET-STAR suite, IIS in-memory persistence, timestomping, and SQL-focused data exfiltration for espionage objectives.
W-9 Lure Kicks Off 28-Day Intrusion Ending in Exfiltration With No Ransomware
A May 2024 intrusion beginning with a malicious W-9 JavaScript downloader developed into a patient 28-day operation. Operators used Brute Ratel, Cobalt Strike, Zerologon, and living-off-the-land techniques to harvest credentials, move laterally, and exfiltrate data. The campaign ended with eviction—no ransomware was deployed.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
