We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
A Dangerous Pair with Phorpiex Botnet Expanding LockBit Ransomware Attacks
The Phorpiex botnet is now distributing LockBit ransomware, accelerating infections through automated malware delivery. Cybereason researchers warn that this shift increases ransomware risks across industries, with phishing emails initiating attacks. Variants include LockBit Downloader, TWIZT, and GandCrab, each leveraging defense evasion techniques. Organizations must strengthen defenses against this evolving threat.
North Korean IT Workers Leveraging Insider Access for Extortion
The FBI warns that North Korean IT workers are infiltrating U.S. companies through remote positions, stealing data, and extorting employers. Using fake identities, they exploit network access to exfiltrate proprietary code and credentials. Organizations should strengthen hiring processes, monitor network activity, and enforce strict access controls to mitigate this growing threat.
Web Shell Deployment in IIS Compromise Enables Data Theft
Trend Micro uncovered an IIS web shell attack that enabled remote command execution, persistence, and data exfiltration. Attackers used cmd.exe, PowerShell, and AnyDesk to establish control, deploying malicious scripts and stealing sensitive files. Security experts warn of increasing web shell threats and recommend monitoring IIS server activity for anomalies.
Threat Clusters STAC5143 and STAC5777 Exploit Email Bombarding and Microsoft Remote Tools
Threat clusters STAC5143 and STAC5777 exploited Microsoft Teams and Office 365 infrastructure for cyberattacks. STAC5143, linked to FIN7, used email bombing and Python malware, while STAC5777 deployed Black Basta ransomware through Teams-based scams. Sophos warns of increased social engineering and remote tool abuse, urging vigilance against emerging threats.
CISA’s Recommendations to Avoid Bad Software Security Practices
CISA’s Secure by Design guidance urges software manufacturers to adopt memory-safe programming, enforce MFA, sanitize user inputs, and maintain SBOMs. By eliminating default passwords and addressing vulnerabilities like SQL injection, the recommendations aim to secure critical infrastructure and mitigate cybersecurity risks while promoting safe software development practices globally.
WhatsApp Abused in Star Blizzard’s Targeted Spear-Phishing Operation
Star Blizzard, a Russian nation-state actor, exploited WhatsApp in a November 2024 spear-phishing campaign targeting government and defense officials. Victims were tricked into linking their WhatsApp accounts to attacker-controlled devices. Microsoft urges vigilance, especially when receiving QR code or link-based invitations, to mitigate risks from evolving phishing techniques.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
