Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Aggressive Scattered Spider Attacks Continue to Pose Grave Risk to Organizations Globally
Scattered Spider remains one of the most dangerous threat groups in operation, targeting global organizations with aggressive, fast-moving attacks. Halcyon reports the group’s use of social engineering, credential theft, and ransomware variants like DragonForce and Play to cause widespread operational damage across on-prem, cloud, and virtual environments.
Scattered Spider Shifts Focus to U.S. Insurance Sector, Google Warns
Scattered Spider has turned its attention to the U.S. insurance industry, according to Google. Recent incidents at major providers suggest the group is using social engineering to bypass defenses, particularly targeting help desks and call centers. Organizations are urged to enhance identity verification and access control procedures immediately.
North Korean Group Deploys Python-Based PylangGhost RAT in Job Scam Campaigns
Cisco Talos identified North Korean group Famous Chollima using the Python-based PylangGhost RAT in fake job recruitment scams. Masquerading as firms like Coinbase, the actor targets marketing and tech professionals. Victims unknowingly install the RAT, which enables file theft, persistence, and remote control across compromised systems.
Water Curse Targets Devs and Red Teamers via Weaponized GitHub Repos
Trend Micro uncovered Water Curse, a threat actor weaponizing GitHub repositories to target developers, gamers, and red teamers. The campaign deploys multi-stage malware hidden in project files, enabling privilege escalation, data exfiltration, and persistent access. It leverages GitHub’s reach and legitimate services like Telegram and Gofile for command and control.
INTERPOL’s Operation Secure Leads to 32 Arrests, 41 Server Seizures in Cybercrime Crackdown
INTERPOL’s Operation Secure dismantled major infostealer operations across 26 countries, arresting 32 individuals and seizing 41 servers. With backing from Group-IB, Kaspersky, and Trend Micro, the effort disrupted Lumma, META, and RisePro networks and notified over 216,000 victims, marking a major win in global cybercrime enforcement.
Stealth Falcon Exploits CVE-2025-33053 in Targeted Espionage Across Middle East
APT group Stealth Falcon exploited CVE-2025-33053 in a new espionage campaign targeting defense and government entities in the Middle East. Using WebDAV-hosted malware, Horus Loader, and a customized Mythic-based implant, the group maintained stealth with LOLBins, obfuscation, and advanced evasion tactics, continuing its long-standing regional targeting strategy.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
