We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
MacOS Infostealers on the Rise with Atomic, Poseidon, and Cthulhu Stealer
Unit 42 has identified a 101% increase in macOS infostealers, including Atomic, Poseidon, and Cthulhu Stealer. These malware variants exploit AppleScript to steal credentials, browser data, and cryptocurrency wallets. Attackers distribute them via malvertising and phishing. As macOS threats grow, users must remain vigilant against deceptive system prompts and Trojanized software.
AI Startup DeepSeek Exposes Over a Million Log Entries Due to Database Misconfiguration
AI startup DeepSeek exposed over a million log entries due to a misconfigured ClickHouse database, leaving chat logs, API keys, and backend data unprotected. Researchers at Wiz identified the issue, which has since been mitigated. The incident highlights critical security risks in AI infrastructure, emphasizing the need for stronger data protection measures.
Google Unveils State-Sponsored Hackers’ AI Experiments on Gemini
Google Threat Intelligence Group (GTIG) uncovered state-sponsored hackers from Iran, China, North Korea, and Russia testing Gemini AI for cyber operations. While AI hasn’t yet enabled advanced cyberattacks, adversaries are leveraging it for phishing, reconnaissance, and scripting assistance. Google emphasizes ongoing AI security improvements to prevent future misuse.
Tangerine Turkey Exploits VBS and BAT Scripts in Cryptomining Scheme
Red Canary identified Tangerine Turkey, a VBS worm spreading via USB drives to deploy cryptominers. The malware uses DLL hijacking through "printui.exe" to evade detection, with potential ties to Universal Mining. XMRig indicators suggest Monero mining involvement. Organizations should monitor for unusual script executions and rogue directories.
A Dangerous Pair with Phorpiex Botnet Expanding LockBit Ransomware Attacks
The Phorpiex botnet is now distributing LockBit ransomware, accelerating infections through automated malware delivery. Cybereason researchers warn that this shift increases ransomware risks across industries, with phishing emails initiating attacks. Variants include LockBit Downloader, TWIZT, and GandCrab, each leveraging defense evasion techniques. Organizations must strengthen defenses against this evolving threat.
North Korean IT Workers Leveraging Insider Access for Extortion
The FBI warns that North Korean IT workers are infiltrating U.S. companies through remote positions, stealing data, and extorting employers. Using fake identities, they exploit network access to exfiltrate proprietary code and credentials. Organizations should strengthen hiring processes, monitor network activity, and enforce strict access controls to mitigate this growing threat.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
