We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024

All Threat Reports
OpenAI Continues to Disrupt Cyber Threat Actors Exploiting AI for Influence Operations and Cybercrime
OpenAI disrupted multiple threat actors exploiting AI for cybercrime, disinformation, and surveillance. Activity spanned North Korean fraud schemes, Chinese propaganda, Iranian influence ops, and romance scams. OpenAI banned accounts tied to groups like APT38 and STORM-2035, and continues to collaborate with industry peers to prevent AI misuse globally.
Patched Check Point Vulnerability CVE-2024-24919 Exploited to Deploy ShadowPad Malware and Ransomware
CVE-2024-24919, patched in May 2024, is being exploited to steal VPN credentials, enabling ShadowPad and ransomware deployment. Targeting manufacturing and healthcare sectors, attackers gain access via VPNs, move laterally using RDP and SMB, and use DLL sideloading for persistence. Organizations are urged to patch and monitor activity.
EncryptHub: An Emerging Threat Group Behind 618 Attacks Since 2024
EncryptHub, also known as Larva-208, has launched over 600 ransomware attacks globally since mid-2024. Using smishing, fake IT support, and credential theft, they deploy PowerShell-based encryptors and data stealers. Linked to RansomHub and BlackSuit, EncryptHub is a growing ransomware threat to enterprises through advanced social engineering tactics.
iVerify Uncovers Pegasus Spyware on Private Sector Devices, Expanding Surveillance Concerns
iVerify has uncovered Pegasus spyware on private sector devices, affecting executives in finance, real estate, and logistics. The findings reveal long-term surveillance dating back to 2021, with infections across Europe and the Middle East. This expands concerns beyond political targets, highlighting risks of corporate espionage and advanced mobile surveillance threats.
Russian Threat Actors Exploit Signal’s Linked Devices Feature for Espionage
Russian state-aligned hackers are exploiting Signal Messenger’s "Linked Devices" feature to gain persistent access to secure communications. GTIG reports phishing campaigns tricking victims into linking Signal accounts to attacker-controlled devices. Groups like Sandworm also extract Signal messages from compromised systems. Users should review linked devices and follow Signal’s latest security updates.
NailaoLocker Ransomware Targets European Healthcare Sector, Linked to Chinese Intrusion Sets
NailaoLocker ransomware has been attacking European healthcare entities, with signs of Chinese state-affiliated involvement. Threat actors exploit a Check Point zero-day and use espionage tools like ShadowPad. The ransomware lacks advanced features but follows a prolonged dwell time strategy. Security experts warn of its evolving capabilities and potential state-sponsored ties.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers