We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
CISA's #StopRansomware Advisory Warns of Ghost Ransomware Attacks in Over 70 Countries
CISA’s #StopRansomware advisory warns of the Ghost ransomware group, active in over 70 countries. Ghost actors exploit outdated vulnerabilities to gain access, deploy Cobalt Strike, and execute ransomware within hours. Their attacks target critical infrastructure, education, healthcare, and more. While they focus on encryption over data theft, strong security measures can deter them.
Insights from Google Threat Intelligence Highlights The Expanding Threat of Cybercrime
Google Threat Intelligence warns that cybercrime now outpaces state-sponsored hacking, driving ransomware, BEC scams, and national security threats. Attacks on healthcare have doubled, and financially motivated groups increasingly collaborate with nation-states. The report urges global cooperation to combat cybercriminal networks fueling espionage, data theft, and economic disruption.
NetSupport RAT Campaign Expands with ClickFix Technique
A malware campaign using fake CAPTCHA pages continues into 2025, now leveraging the ClickFix technique to trick users into executing NetSupport RAT. eSentire reports attackers using mshta.exe and PowerShell for stealthy infections, reinforcing the campaign’s persistence. NetSupport RAT enables remote control, data theft, and further malware deployment.
"BadPilot" Campaign From Russian APT Pose Ongoing Cyber Threat to Western Nations
Microsoft has identified the "BadPilot" cyber campaign by Russian APT Seashell Blizzard, which targets critical sectors across Western nations. Exploiting vulnerabilities in Microsoft Exchange, Zimbra, and Fortinet, the group employs RMM tools, web shells, and credential theft to enable long-term espionage and cyber disruptions, aligning with Russia’s geopolitical objectives.
Akira and Fog Dominate Ransomware Landscape, But Payouts Fall in Q4 2024
Coveware reports that ransomware payments hit a record low of 25% in Q4 2024, despite Akira and Fog leading attack volumes. Law enforcement takedowns and better defenses have disrupted operations, pushing threat actors toward data extortion and AI-driven phishing. VPN vulnerabilities, phishing, and social engineering remain top attack vectors.
Abyss Locker Ransomware Attack Chain Revealed with Windows, ESXi, and NAS Devices Compromised
Sygnia uncovered Abyss Locker ransomware exploiting SonicWall VPN flaws to infiltrate Windows, ESXi, and NAS devices. Attackers use PowerShell scripts for credential theft, disable security tools, and deploy Chisel for persistence. Files are encrypted with '.Abyss' and '.crypt' extensions. Organizations must enhance VPN security and monitor lateral movement techniques.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
