We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Coordinated RDP Scans Seek Username Enumeration, Raising Intrusion Risks
GreyNoise observed a major spike in RDP scanning activity, with nearly 30,000 IPs probing Microsoft RDP portals for username enumeration flaws. Originating mainly from Brazil and targeting U.S. systems, the campaign appears coordinated, signaling potential preparation for brute-force, credential-stuffing, or ransomware intrusions worldwide.
Finance Executives Across Five Continents Targeted in New Espionage Campaign Attributed to MuddyWater
Hunt.io uncovered a global spear-phishing campaign by Iranian group MuddyWater, impersonating Rothschild & Co recruiters to target CFOs and finance leaders. Using Firebase phishing pages, malicious VBScript, and tools like NetBird and AteraAgent, the attackers achieved stealthy persistence and remote control across five continents’ financial sectors.
Murky Panda Abuses Trusted-Relationship in Cloud Attacks and Zero-Day Exploits for Espionage
CrowdStrike identifies Murky Panda, a China-linked espionage group, abusing trusted cloud relationships and exploiting zero-day vulnerabilities to infiltrate high-value targets across government, education, legal, professional services, and technology sectors. Using tools like Neo-reGeorg and CloudedHope, the group demonstrates advanced OPSEC and persistent cloud-based intelligence collection.
No Auth, No Control: MCP Servers Found Exposing Internal Tools, Data, and APIs Publicly
Knostic researchers discovered over 1,800 MCP servers publicly exposed without authentication, allowing access to internal tools and APIs. Many connect to sensitive dashboards and services, posing significant risk. This systemic issue stems from insecure AI deployments lacking basic access controls, leaving systems vulnerable to exploitation and operational disruption.
Crypto24 Campaign Shows Operational Maturity, with Custom Tooling & EDR Evasion
Trend Micro uncovered Crypto24 ransomware attacks against financial, entertainment, manufacturing, and technology firms across three continents. Operators exhibit high coordination, deploying custom tools like RealBlindingEDR to disable security drivers and evade defenses. Their careful timing, EDR removal, and stealthy persistence highlight rare operational maturity in ransomware campaigns.
UAT-7237 Targets Taiwan with Webshells, VPN Abuse, and Credential Theft
UAT-7237, a Chinese-speaking APT tracked by Cisco Talos, targets Taiwan’s technology sector using selective webshells, SoftEther VPN, and a custom loader called SoundBill. The group’s focus on credential theft, persistent access, and cloud/VPN infiltration highlights a strategic campaign aimed at long-term compromise of critical infrastructure.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
