We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
CISA Finds Cyber Hygiene Gaps in U.S. Infrastructure Network
A joint CISA and USCG assessment uncovered serious cyber hygiene flaws in a U.S. critical infrastructure organization. Issues included plaintext admin credentials, weak IT-OT segmentation, outdated protocols, and missing logs. While no active threats were found, CISA warns these gaps could enable adversaries to move laterally and persist undetected.
Russian State Actor Deploys ApolloShadow in Embassy Espionage Campaign
Microsoft reports Russian APT Secret Blizzard is targeting embassies in Moscow using ApolloShadow malware and adversary-in-the-middle tactics. By abusing likely ISP-level access and rogue certificates, the group intercepts secure traffic and establishes persistent access. The campaign shows how advanced AiTM threats can compromise diplomatic networks and evade traditional detection.
CISA, FBI, and Allies Release July 2025 Update on Scattered Spider’s Attack Threat Arsenal
CISA, FBI, and international partners released an updated threat profile of Scattered Spider, detailing advanced social engineering tactics, abuse of remote access tools, and data theft across cloud and hybrid environments. The report urges stronger MFA, monitoring, and segmentation to counter this persistent and opportunistic threat actor.
Lumma Stealer Returns with Active Campaigns Despite Disruption
Lumma Stealer has resurfaced just weeks after its May 2025 takedown, according to Trend Micro. Operators swiftly rebuilt infrastructure and now use stealthier delivery methods including GitHub abuse, fake keygens, and social engineering via ClickFix campaigns. The return highlights Lumma's resilience and adaptability in the evolving malware landscape.
Timely Action the Deciding Factor in Chaos and Medusa Ransomware Outcomes from Talos' IR Engagement
Cisco Talos analyzed two ransomware incidents involving Chaos and Medusa groups. Despite similar attacker techniques and tools, the speed of incident response was the key differentiator—early containment stopped Chaos, while delays led to full Medusa encryption. Talos emphasizes timely action as crucial in ransomware defense and recovery.
#StopRansomware Outlines Defensive Tactics Against Interlock
CISA, FBI, and other agencies released a joint advisory on Interlock ransomware, active since 2024. The group uses FileFix and ClickFix vectors, double extortion, and multiple RATs. Operating globally, Interlock targets both Linux and Windows systems. Agencies recommend defensive tactics to mitigate risk and reduce potential impact.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
