We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
UAC-0006 Distributes SmokeLoader Backdoor
On May 29, 2023, CERT-UA reported a campaign by UAC-0006 distributing SmokeLoader malware via phishing emails. The emails contain archive attachments (HTML, VHDX, VHD) leading to a JavaScript loader that downloads and installs SmokeLoader. An error led to a Cobalt Strike beacon in one case. The campaign uses Russian domains and repurposed tools, attributed to UAC-0006.
Void Rabisu Shifts Motives for Geopolitical Opportunities
Trend Micro has identified a shift in Void Rabisu's motives, now targeting Ukrainian government, military, energy, and utilities sectors, as well as European and US allies. Since October 2022, Void Rabisu has deployed the RomCom backdoor, refining it for command execution and detection evasion. The group uses Google Ads and phishing to distribute RomCom, posing as legitimate software like AstraChat. The malware's capabilities include data exfiltration, remote access, and cryptocurrency theft.
G20 Nations Face Cyber Threats from Chinese APT Group
The Chinese APT group SharpPanda is targeting government entities in G20 nations, using spearphishing with outdated Microsoft Office vulnerabilities and backdoor malware for espionage. Researchers from Cyble report that the group's activities have increased since 2018. SharpPanda uses tools like RoyalRoad to exploit vulnerabilities and establish persistence, gathering sensitive data from targeted systems.
UAC-0063 Targeted Ukraine Government for Cyber Espionage
UAC-0063, a cyber espionage group tracked by CERT-UA, targeted a Ukrainian government agency between April 18-20, 2023. Using phishing emails with macro-enabled Word documents, the group deployed malware including LOGPIE keylogger, CHERRYSPY Python backdoor, and STILLARCH data search and exfiltration tool. CERT-UA advises monitoring and restricting living-off-the-land binaries and suspicious Python usage.
Deadly Russian Malware With Impact Against the Industrial Power Grid
Mandiant researchers discovered Russian-linked malware CosmicEnergy designed to disrupt power grids by targeting IEC-104 devices. Found on VirusTotal, CosmicEnergy is Python-based and resembles malware used against Ukraine's energy sector. It exploits MSSQL servers to send remote commands, posing a significant threat to critical infrastructure in Europe, the Middle East, and Asia.
Threat Group, "GUI-vil" Prefers GUI for Coinmining Operations
The financially motivated threat group GUI-vil, tracked by Permiso, has been active in cloud cryptomining operations since 2021. Preferring GUI tools over CLI utilities, GUI-vil exploits vulnerabilities and exposed credentials to launch large EC2 instances for mining cryptocurrency. The group's operational tactics include mimicking legitimate users and adapting persistence to avoid detection. GUI-vil's activity, including using tools like S3 Browser and AWS Management Console, underscores the need for robust cloud security measures.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
