We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Crypto24 Campaign Shows Operational Maturity, with Custom Tooling & EDR Evasion
Trend Micro uncovered Crypto24 ransomware attacks against financial, entertainment, manufacturing, and technology firms across three continents. Operators exhibit high coordination, deploying custom tools like RealBlindingEDR to disable security drivers and evade defenses. Their careful timing, EDR removal, and stealthy persistence highlight rare operational maturity in ransomware campaigns.
UAT-7237 Targets Taiwan with Webshells, VPN Abuse, and Credential Theft
UAT-7237, a Chinese-speaking APT tracked by Cisco Talos, targets Taiwan’s technology sector using selective webshells, SoftEther VPN, and a custom loader called SoundBill. The group’s focus on credential theft, persistent access, and cloud/VPN infiltration highlights a strategic campaign aimed at long-term compromise of critical infrastructure.
HiddenLayer’s 2025 Threat Report Reveals 5 Leading AI Risks
HiddenLayer’s 2025 AI Threat Report outlines five top risks affecting AI systems, including supply chain exposure, public model malware, model theft, and chatbot exploitation. With 97% of enterprises using public models and only 16% running adversarial tests, the report calls for urgent improvements in AI-specific security controls.
Crypto24 Campaign Shows Operational Maturity, with Custom Tooling & EDR Evasion
Crypto24 ransomware operators have launched global attacks with custom tooling, including the RealBlindingEDR utility to disable security software. Using RDP abuse, keyloggers, and remote access tools, they bypass defenses and execute ransomware payloads stealthily. Trend Micro highlights their precision, off-peak targeting, and operational maturity across targeted industries.
UAT-7237 Targets Taiwan with Webshells, VPN Abuse, and Credential Theft
APT group UAT-7237 is targeting Taiwan’s technology sector using SoftEther VPN abuse, credential theft tools, and the SoundBill loader to deploy Cobalt Strike and Mimikatz. Cisco Talos links the group to broader Chinese threat ecosystems, noting selective webshell use and long-term persistence techniques across targeted cloud and VPN environments.
Backdoored XZ-Utils Library Persists in Public Docker Hub Repositories
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
