We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
The Gentlemen Ransomware Group Emerges with Custom Tools and Global Impact
Trend Micro attributes a sophisticated new ransomware group, “The Gentlemen,” to attacks on 27 victims in 17 countries. Operators adapt tooling to bypass defenses, abuse privileged credentials and FortiGate accounts, stage encrypted exfiltration via WinSCP, and deploy ransomware domain-wide via NETLOGON—followed by cleanup routines to frustrate recovery and forensics.
HexStrike-AI Abuse Marks Turning Point in Cyber Offense
Check Point reports that HexStrike-AI, initially designed for red teaming, has been weaponized by attackers to exploit Citrix NetScaler CVEs within minutes. Using over 150 coordinated AI agents, the framework automates scanning, exploitation, and persistence, shrinking defensive response time and signaling a major shift toward AI-driven cyber offense.
Namespace Recycling Leaves Thousands of AI Projects Vulnerable
Unit 42 uncovered a systemic AI supply-chain flaw where deleted or transferred model namespaces can be reclaimed by attackers. By recreating trusted Author/ModelName paths, adversaries can insert malicious models into production pipelines. The report urges pinning immutable IDs, internal mirroring, and monitoring namespace changes to prevent silent hijacks.
Attackers Weaponize File Explorer and Fake PDFs in ClickFix-Style MetaStealer Campaign
Huntress discovered a refined ClickFix-style campaign that uses the search-ms File Explorer handler and a fake “Readme Anydesk.pdf” LNK to trick victims into running an MSI. The staged installer drops a packed MetaStealer payload (ls26.exe) and supporting DLLs, demonstrating evolving social-engineering tradecraft designed to evade detection and harvest credentials.
Russian State-Backed APT Leverages DLL Sideloading to Deliver Outlook-Based Backdoor
Lab52 attributes a new Outlook-focused backdoor, “NotDoor,” to APT28. Delivered via DLL sideloading (malicious SSPICLI.dll loaded by OneDrive.exe), the VBA macro watches for trigger emails to execute commands, upload/download files, and exfiltrate encrypted data—employing registry persistence and stealthy beaconing to support prolonged espionage operations.
FTC Cautions Companies on Risks of Complying With EU and UK Data Rules
The FTC warned major U.S. technology firms that complying with EU and UK data laws by weakening encryption or content standards could violate U.S. law. Chair Andrew Ferguson stressed that extending foreign surveillance or censorship practices to Americans risks breaching Section 5 of the FTC Act and undermining consumer security.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
