We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
INTERPOL’s Operation Synergia II Targets Phishing, Ransomware, and Info-Stealers Across 95 Nations
INTERPOL’s Operation Synergia II took down global cybercrime networks from April to August 2024, targeting phishing, ransomware, and info-stealers across 95 nations. The operation, with assistance from major cybersecurity firms, led to 41 arrests and the seizure of 59 servers, showcasing a robust global alliance against cyber threats.
EDR Bypass Tool Exploited in Extortion Scheme
Unit 42’s analysis reveals how threat actors used the EDR bypass tool "disabler.exe" in a complex extortion attack, gaining network access via the Atera tool and evading defenses through advanced tactics. With tactics overlapping Conti’s playbook, the attack exemplifies growing cybercrime sophistication and the rise of AV/EDR evasion tools on forums.
Ransomware Alliances Amplify Threat of Skilled Social Engineering Actors Scattered Spider
ReliaQuest’s investigation reveals a ten-hour breach at a manufacturing organization, where threat actor Scattered Spider exploited help desk processes to reset critical accounts and gain privileged access. In collaboration with the RansomHub ransomware group, they bypassed MFA, exfiltrated sensitive data, and encrypted systems, exposing severe security gaps in response protocols.
Operation Magnus Seizes Key Servers, Halts Redline and Meta Infostealer Activities
In a multi-agency cyber crackdown on October 28, 2024, Operation Magnus dismantled the network infrastructure behind Redline and Meta infostealers. This takedown, led by Dutch and U.S. law enforcement, cut off access to servers used for data theft, disrupting tools that cybercriminals have used to harvest sensitive information since 2020. Authorities now hold critical insights into the malware's operators and distribution networks, with further legal actions expected.
Microsoft Adds Intelligence on Midnight Blizzard’s RDP-Based Attacks Amid Ongoing Phishing Wave
Microsoft reports that Russian threat group Midnight Blizzard has launched an RDP-based phishing campaign aimed at defense, government, and tech sectors worldwide. By using signed RDP files in highly targeted emails, the group establishes remote sessions to gather sensitive data, leveraging local resources and deploying malware for persistent access. CERT-UA and Amazon provided additional mitigation advice and disrupted malicious infrastructure tied to the campaign.
UNC5812 Pushes Malware Through Telegram to Disrupt Ukraine’s Mobilization Efforts
The Russian-affiliated group UNC5812, using the alias "Civil Defense," has launched a campaign targeting Ukrainian military mobilization by distributing malware through Telegram. Utilizing decoy applications and various backdoors, including PURESTEALER and CRAXSRAT, the group gathers sensitive data and sows anti-mobilization sentiments. The campaign reflects Russia's disinformation strategy and influence tactics, as reported by Google Threat Intelligence.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
