We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Global Operation Seizes BlackSuit Ransomware Infrastructure and $1M in Crypto
Operation Checkmate dismantled BlackSuit ransomware infrastructure, seizing four servers, nine domains, and $1M in crypto tied to ransom payments. Linked to Royal and Conti, BlackSuit has extorted over $370M from 450+ U.S. victims. Law enforcement emphasized a disruption-first strategy targeting both infrastructure and financial lifelines of cybercrime groups.
New Threat Actor ‘Curly COMrades’ Uses NGEN Hijacking and Multi-Layer Tunnels for Persistence
Bitdefender identified Curly COMrades, a Russian-aligned APT, targeting government and energy sectors in Georgia and Moldova. The group uses NGEN hijacking, curl-based data exfiltration, COM hijacking, and multi-layer tunneling for persistence and stealth. Their MucorAgent malware executes encrypted payloads without spawning PowerShell, enabling long-term covert access.
RomCom Continues Exploiting Zero-Day Vulnerabilities With CVE-2025-8088
Russian-linked APT RomCom exploited CVE-2025-8088, a WinRAR zero-day, in targeted attacks against defense, finance, and logistics firms. Delivered via spearphishing archives, the path traversal flaw let a crafted archive write files outside the chosen extraction directory, leading to arbitrary code execution. No successful breaches were reported, and WinRAR patched the flaw in version 7.13. RomCom’s tactics reflect ongoing use of zero-days for espionage.
Google Confirms CRM Breach in Ongoing ShinyHunters Data Theft Campaign
Google confirmed a CRM breach by UNC6040 (ShinyHunters) in June 2025. Using vishing and custom tools, attackers accessed largely public contact data for small and medium business (SMB) customers held in a Salesforce instance. While no sensitive information was compromised, the breach is part of a broader campaign impacting multiple global firms through data theft and extortion.
Backdoor, Ransomware, Loaders: Project AK47 Powers CL-CRI-1040 Intrusions
Unit 42 reports that threat actor CL-CRI-1040 is using the Project AK47 toolset—including a custom backdoor, ransomware, and loaders—to exploit SharePoint vulnerabilities. The group, linked to LockBit and Warlock operations, shows overlaps with Microsoft's Storm-2603 cluster. Despite financial motives, signs of espionage complicate attribution.
Ransomware Actors Use Consistent Playbooks to Cripple Defenses and Delete Backups
Huntress analyzed a ransomware intrusion where attackers reused a known playbook to disable Microsoft Defender, delete backups, and tamper with system protections. The attack, halted before encryption, showed iterative refinement of tools and techniques. It highlights the need for defenders to monitor PowerShell misuse and Defender configuration changes.
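As an added example (not Anvilogic's code and not taken from the Huntress report), the Python below shows how the Threat Identifier / Threat Scenario split described at the top of this page applies to the PowerShell and Defender tampering this report calls out: a handful of regex-based atomic identifiers run over constructed script-block log lines, and a sequence rule that alerts only when a defence-evasion hit is followed by a recovery-inhibition hit on the same host within 30 minutes. The log line format, host names, user names, identifier names and the 30-minute window are all assumptions made for the example.

```python
"""Atomic threat identifiers over PowerShell script-block events, chained into
a sequence-based threat scenario. Constructed example, not Anvilogic's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Atomic identifiers: each matches one behaviour in the script-block text.
# Names are assumptions for this example.
IDENTIFIERS = {
    "defender_realtime_disabled": re.compile(
        r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "defender_exclusion_added": re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "shadow_copies_deleted": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I),
    "backup_catalog_deleted": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}

# Scenario: a defence-evasion identifier followed by a recovery-inhibition
# identifier on the same host within WINDOW. Neither hit alone raises it.
SEQUENCE = (
    {"defender_realtime_disabled", "defender_exclusion_added"},
    {"shadow_copies_deleted", "backup_catalog_deleted", "recovery_disabled"},
)
WINDOW = timedelta(minutes=30)

# Constructed log lines: "<timestamp> <host> <user> <event id> <ScriptBlockText>".
# Real input would be Event ID 4104 from Microsoft-Windows-PowerShell/Operational.
SAMPLE_LOG = [
    r"2025-08-05T10:02:11 WS-FIN-07 CORP\jdoe 4104 Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2025-08-05T10:02:40 WS-FIN-07 CORP\jdoe 4104 Add-MpPreference -ExclusionPath C:\ProgramData",
    r"2025-08-05T10:09:03 WS-FIN-07 CORP\jdoe 4104 vssadmin.exe delete shadows /all /quiet",
    r"2025-08-05T10:09:05 WS-FIN-07 CORP\jdoe 4104 wbadmin delete catalog -quiet",
    r"2025-08-05T10:09:08 WS-FIN-07 CORP\jdoe 4104 bcdedit /set {default} recoveryenabled No",
    r"2025-08-05T11:30:00 SRV-BKP-01 CORP\svc_backup 4104 Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    r"2025-08-05T13:45:12 WS-ENG-02 CORP\asmith 4104 vssadmin delete shadows /for=C: /oldest",
]


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, host, user, event_id, script = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event_id": int(event_id), "script": script}


def run_identifiers(lines):
    """Threat Identifier stage: run every atomic check over every script block."""
    hits = []
    for ev in map(parse_line, lines):
        if ev["event_id"] != 4104:
            continue
        for name, rx in IDENTIFIERS.items():
            if rx.search(ev["script"]):
                hits.append({**ev, "id": name})
    return hits


def run_scenario(hits, sequence=SEQUENCE, window=WINDOW):
    """Threat Scenario stage: per host, find the stages of `sequence` in order,
    all within `window` of the first stage's hit."""
    alerts = []
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        i = 0
        while i < len(hs):
            start = hs[i]
            if start["id"] not in sequence[0]:
                i += 1
                continue
            chain, stage, last = [start], 1, i
            for j in range(i + 1, len(hs)):
                if hs[j]["ts"] - start["ts"] > window:
                    break  # outside the correlation window
                if hs[j]["id"] in sequence[stage]:
                    chain.append(hs[j])
                    stage, last = stage + 1, j
                    if stage == len(sequence):
                        break
            if stage == len(sequence):
                alerts.append({"host": host, "user": start["user"],
                               "start": start["ts"], "end": chain[-1]["ts"],
                               "chain": [c["id"] for c in chain]})
                i = last + 1  # one alert per intrusion, not per stage-one hit
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in run_scenario(run_identifiers(SAMPLE_LOG)):
        print(f"{a['host']} {a['user']}: {' -> '.join(a['chain'])} "
              f"({a['start']} .. {a['end']})")
```

Run against the constructed lines, the identifiers fire six times but the scenario raises a single alert, for WS-FIN-07: the lone shadow-copy deletion on WS-ENG-02 and the read-only Get-MpPreference on SRV-BKP-01 never reach scenario level, which is the point of layering sequence rules over atomic identifiers. In a real pipeline the same identifiers would also draw on Defender's own Operational log (Event ID 5001 when real-time protection is turned off) and on process command-line telemetry such as Sysmon Event ID 1 or Security Event ID 4688, so that tampering done outside PowerShell is not missed.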

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors, covered by threat scenarios or threat identifiers so that responders can act on them.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want