Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
ClickFix Pervasive in 2025, Fueling NetSupport, Latrodectus, and Lumma Stealer Infections Across Key Sectors
Unit 42 reports a surge in ClickFix malware campaigns in 2025, using user-executed commands to deliver NetSupport RAT, Latrodectus, and Lumma Stealer. Sectors hit hardest include technology, financial services, and manufacturing, with infections tied to ClearFake lures and clipboard manipulation. The trend highlights growing social engineering risks.
Justice Department Disrupts North Korean IT Worker Scheme Targeting U.S. Firms
The Justice Department dismantled a large-scale North Korean IT worker scheme targeting over 100 U.S. companies. Using stolen identities and U.S.-based enablers, operatives gained unauthorized access to sensitive systems and laundered millions. The crackdown included searches of 29 laptop farms, indictments, and asset seizures across multiple states and countries.
CISA Warns U.S. Infrastructure at Risk from Iranian-Linked Cyber Activity
CISA and U.S. agencies warn that Iranian-affiliated cyber actors may target critical infrastructure, especially organizations tied to defense or Israeli research. These threats exploit outdated systems, default credentials, and OT vulnerabilities. CISA urges proactive hardening, strong authentication, and updated incident response plans to mitigate the risk of ideological cyberattacks.
Microsoft Entra Gap Lets Guest Users Inject Subscriptions into Target Tenants
A flaw in Microsoft Entra allows guest users to inject subscriptions into external tenants while retaining full control. This bypasses standard auditing and access controls, enabling privilege escalation and persistence. Organizations must tighten subscription policies, audit guest activity, and monitor dynamic access to mitigate this under-recognized cloud risk.
Scattered Spider’s 2025 Strategy Centers on Voice Phishing and Help Desk Abuse
CrowdStrike highlights Scattered Spider’s 2025 escalation in targeting insurance, retail, and aviation sectors using voice phishing and help desk abuse. The group exploits Entra ID, VMware, and AWS environments, deploying ransomware variants like Akira and Play. CrowdStrike urges stronger MFA, access controls, and help desk protections to reduce impact.
Atomic Stealer Variant Targets macOS Users via ClickFix
CloudSEK reports a phishing campaign delivering Atomic macOS Stealer via ClickFix, targeting macOS users through fake Spectrum domains. Victims are prompted to run terminal commands, harvesting credentials using “dscl . -authonly.” Linked to Russian-speaking actors, this attack highlights growing multi-platform threats via social engineering.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
