Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Rare Tools and Post-Ransom Persistence Mark Unusual Fog Campaign
Symantec identified a Fog ransomware campaign targeting a financial institution in Asia using rare tools like Syteca, GC2, and Adaptix. Attackers maintained network access even after deploying ransomware, suggesting espionage or hybrid motives. Lateral movement, data exfiltration, and service-based persistence marked this unusually complex operation.
UNC6040 Campaign Exploits Salesforce Data Loader in Voice Phishing Attacks
Google’s Threat Intelligence Group links UNC6040 to voice phishing attacks abusing Salesforce Data Loader. Employees were tricked into using fake IT tools, enabling attackers to extract sensitive data, pivot to SaaS platforms, and conduct delayed extortion. No Salesforce vulnerabilities were exploited—only human error through social engineering.
Coordinated Influence Campaigns Exposed in Meta’s Q1 2025 Adversarial Report
Meta’s Q1 2025 Adversarial Threat Report reveals three influence operations from China, Iran, and Romania. These networks used fake accounts, AI-generated images, and political content to manipulate discourse across Facebook and Instagram. Meta removed the campaigns early, citing increasing use of cross-platform coordination and generative AI techniques.
FBI Warns of Ongoing SRG Campaigns Exploiting Remote Access Tools
The FBI reports Silent Ransom Group (SRG) is targeting U.S. law firms using phishing and IT impersonation to deploy remote access tools like WinSCP and Rclone. Once inside, attackers exfiltrate sensitive data and extort victims. SRG’s evolving tactics highlight the need for remote access monitoring and user training.
Finance Leaders Targeted in Global Phishing Operation Delivering NetBird
Trellix discovered a phishing campaign distributing NetBird malware to CFOs and finance executives across finance, energy, and insurance sectors. Victims received recruiter-themed emails linking to Firebase-hosted CAPTCHA pages delivering VBS scripts. The payload installs NetBird and OpenSSH, creating hidden admin accounts and enabling persistent remote access with minimal detection.
Initial Access Groups Reshaping Cyber Threat Landscape, Cisco Talos Warns
Cisco Talos reports that cyber intrusions increasingly involve multiple threat actors, as initial access groups (IAGs) split attacks into compromise and exploitation phases. This evolving model complicates attribution and response, requiring defenders to track both financially motivated and state-sponsored actors, and understand their relationships across the threat ecosystem.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
