

We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk-, pattern-, and sequence-based detections that correlate the outputs of Threat Identifiers to identify actual threats.
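As an added illustration of that two-tier model (example code written for this page, not Anvilogic's own code or rule format): three atomic Threat Identifiers run statelessly over constructed key=value events, and a sequence-based Threat Scenario fires only when one host shows those identifier hits in order inside a time window. The identifier and scenario names, the EDR service names, the internal network ranges and the log lines are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry for this example (not real logs): whitespace-separated key=value events.
SAMPLE_LOGS = [
    "ts=2024-05-02T01:12:03Z host=WS01 event=logon logon_type=10 user=svc_backup src=203.0.113.7",
    "ts=2024-05-02T01:13:40Z host=WS01 event=process image=C:/Windows/Temp/kl.exe parent=explorer.exe",
    "ts=2024-05-02T01:20:11Z host=WS01 event=service action=stop name=SentinelAgent",
    "ts=2024-05-02T09:00:00Z host=WS02 event=logon logon_type=10 user=alice src=10.0.0.5",
    "ts=2024-05-02T09:05:00Z host=WS02 event=process image=C:/Users/alice/AppData/Local/Temp/setup.exe parent=msiexec.exe",
    "ts=2024-05-02T14:00:00Z host=WS03 event=service action=stop name=SentinelAgent",
]
# Assumed internal address space and EDR service names (hypothetical; adjust to your estate).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EDR_SERVICES = {"sentinelagent", "csfalconservice", "mssense"}

@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict

@dataclass(frozen=True)
class Hit:          # output of a Threat Identifier
    identifier: str
    ts: datetime
    host: str

def parse_event(line):
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event(datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ"), kv["host"], kv)

# Tier 1, Threat Identifiers: atomic, stateless checks, one behaviour each.
def ti_external_rdp_logon(e):
    if e.fields.get("event") != "logon" or e.fields.get("logon_type") != "10":
        return False
    return not any(ip_address(e.fields["src"]) in net for net in INTERNAL_NETS)

def ti_exec_from_temp(e):
    return e.fields.get("event") == "process" and "/temp/" in e.fields.get("image", "").lower()

def ti_security_service_stopped(e):
    return (e.fields.get("event") == "service" and e.fields.get("action") == "stop"
            and e.fields.get("name", "").lower() in EDR_SERVICES)

THREAT_IDENTIFIERS = {
    "TI-ExternalRDPLogon": ti_external_rdp_logon,
    "TI-ExecFromTemp": ti_exec_from_temp,
    "TI-SecurityServiceStopped": ti_security_service_stopped,
}

def run_identifiers(events):
    return [Hit(name, e.ts, e.host)
            for e in events for name, check in THREAT_IDENTIFIERS.items() if check(e)]

# Tier 2, Threat Scenario: the identifiers must fire on one host, in this order, inside WINDOW.
SEQUENCE = ["TI-ExternalRDPLogon", "TI-ExecFromTemp", "TI-SecurityServiceStopped"]
WINDOW = timedelta(minutes=30)

def match_sequence(host_hits, sequence, window):
    """Return (first_ts, last_ts) of the first in-order match of sequence within window, else None."""
    for i, start in enumerate(host_hits):
        if start.identifier != sequence[0]:
            continue
        step = 1
        for h in host_hits[i + 1:]:
            if h.ts - start.ts > window:
                break                      # window exhausted; try the next candidate start
            if h.identifier == sequence[step]:
                step += 1
                if step == len(sequence):
                    return start.ts, h.ts
    return None

def run_scenario(hits, sequence=SEQUENCE, window=WINDOW, name="TS-RansomwareStaging"):
    by_host = {}
    for h in sorted(hits, key=lambda h: h.ts):   # sequence logic assumes time order per host
        by_host.setdefault(h.host, []).append(h)
    alerts = []
    for host, host_hits in by_host.items():
        match = match_sequence(host_hits, sequence, window)
        if match:
            alerts.append({"scenario": name, "host": host, "first_seen": match[0], "last_seen": match[1]})
    return alerts

def detect(lines):
    """Run both tiers: identifier hits first, then the scenario over those hits."""
    hits = run_identifiers([parse_event(l) for l in lines])
    return hits, run_scenario(hits)

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_LOGS)
    for h in hits:
        print(f"identifier {h.identifier:<26} {h.host} {h.ts.isoformat()}")
    for a in alerts:
        print("scenario", a)
```

On the sample input the identifiers produce five hits across three hosts, but only WS01 raises the scenario: WS02 has a temp-directory execution with no external RDP logon, and WS03 has only a stopped EDR service. The same three identifier hits spread over more than thirty minutes also produce no alert, which is the point of keeping the atomic tier noisy and cheap and letting the sequence tier decide what is an actual threat.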
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024

All Threat Reports
HiddenLayer’s 2025 Threat Report Reveals 5 Leading AI Risks
HiddenLayer’s 2025 AI Threat Report outlines five top risks affecting AI systems, including supply chain exposure, public model malware, model theft, and chatbot exploitation. With 97% of enterprises using public models and only 16% running adversarial tests, the report calls for urgent improvements in AI-specific security controls.
Crypto24 Campaign Shows Operational Maturity, with Custom Tooling & EDR Evasion
Crypto24 ransomware operators have launched global attacks with custom tooling, including the RealBlindingEDR utility to disable security software. Using RDP abuse, keyloggers, and remote access tools, they bypass defenses and execute ransomware payloads stealthily. Trend Micro highlights their precision, off-peak targeting, and operational maturity across targeted industries.
UAT-7237 Targets Taiwan with Webshells, VPN Abuse, and Credential Theft
APT group UAT-7237 is targeting Taiwan’s technology sector using SoftEther VPN abuse, credential theft tools, and the SoundBill loader to deploy Cobalt Strike and Mimikatz. Cisco Talos links the group to broader Chinese threat ecosystems, noting selective webshell use and long-term persistence techniques across targeted cloud and VPN environments.
Backdoored XZ-Utils Library Persists in Public Docker Hub Repositories
Global Operation Seizes BlackSuit Ransomware Infrastructure and $1M in Crypto
Operation Checkmate dismantled BlackSuit ransomware infrastructure, seizing four servers, nine domains, and $1M in crypto tied to ransom payments. Linked to Royal and Conti, BlackSuit has extorted over $370M from 450+ U.S. victims. Law enforcement emphasized a disruption-first strategy targeting both infrastructure and financial lifelines of cybercrime groups.
New Threat Actor ‘Curly COMrades’ Uses NGEN Hijacking and Multi-Layer Tunnels for Persistence
Bitdefender identified Curly COMrades, a Russian-aligned APT, targeting government and energy sectors in Georgia and Moldova. The group uses NGEN hijacking, curl-based data exfiltration, COM hijacking, and multi-layer tunneling for persistence and stealth. Their MucorAgent malware executes encrypted payloads without spawning PowerShell, enabling long-term covert access.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats and provide the community, and our customers, with actionable information and enterprise-ready detections to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors, paired with threat scenarios or threat identifiers for response.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want