We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Microsoft Adds Intelligence on Midnight Blizzard’s RDP-Based Attacks Amid Ongoing Phishing Wave
Microsoft reports that Russian threat group Midnight Blizzard has launched an RDP-based phishing campaign aimed at defense, government, and tech sectors worldwide. By using signed RDP files in highly targeted emails, the group establishes remote sessions to gather sensitive data, leveraging local resources and deploying malware for persistent access. CERT-UA and Amazon provided additional mitigation advice and disrupted malicious infrastructure tied to the campaign.
UNC5812 Pushes Malware Through Telegram to Disrupt Ukraine’s Mobilization Efforts
The Russian-affiliated group UNC5812, using the alias "Civil Defense," has launched a campaign targeting Ukrainian military mobilization by distributing malware through Telegram. Utilizing decoy applications and various backdoors, including PURESTEALER and CRAXSRAT, the group gathers sensitive data and sows anti-mobilization sentiments. The campaign reflects Russia's disinformation strategy and influence tactics, as reported by Google Threat Intelligence.
North Korean Andariel Group Linked to Play Ransomware in New Cyber Campaign
North Korea’s Andariel Group, a state-sponsored cyber actor, is linked to Play ransomware in recent attacks, according to Unit 42. Traditionally focused on espionage and financial cybercrime, Andariel now acts as an initial access broker, leveraging tools like Sliver and DTrack. The investigation reveals strategic shifts, including RDP session control, credential theft, and evasion of EDR detection, culminating in Play ransomware deployment.
Foreign Powers Escalate Influence Operations Ahead of U.S. Election
Microsoft’s Threat Analysis Center reports that Russia, Iran, and China are increasing influence operations ahead of U.S. Election 2024. Efforts include AI-generated disinformation, targeting candidates, and spreading divisive content on social issues, all aimed at undermining trust in the election. Coordinated countermeasures are essential to safeguard democratic integrity.
Multi-Turn Prompts Exploit AI Flaws in 'Deceptive Delight'
Unit 42 introduces "Deceptive Delight," a multi-turn technique that bypasses AI model safety by embedding unsafe topics in benign prompts. Tested on eight AI models, it achieved 65% success in just three interactions. Mitigation requires layered defenses, including prompt engineering and content filtering, to enhance AI resilience against such exploits.
Bumblebee Malware Campaigns Resurface with Phishing and MSI Techniques Deliver Silent Payloads
Netskope reports Bumblebee malware’s return following May 2024's Operation Endgame. Using phishing, MSI files, and silent execution tactics, Bumblebee delivers payloads such as ransomware and Cobalt Strike without creating forensic artifacts. This resurgence highlights the ongoing risk of ransomware and other advanced malware threats globally.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
