Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Attackers Weaponize File Explorer and Fake PDFs in ClickFix-Style MetaStealer Campaign
Huntress discovered a refined ClickFix-style campaign that uses the search-ms File Explorer handler and a fake “Readme Anydesk.pdf” LNK to trick victims into running an MSI. The staged installer drops a packed MetaStealer payload (ls26.exe) and supporting DLLs, demonstrating evolving social-engineering tradecraft designed to evade detection and harvest credentials.
Russian State-Backed APT Leverages DLL Sideloading to Deliver Outlook-Based Backdoor
Lab52 attributes a new Outlook-focused backdoor, “NotDoor,” to APT28. Delivered via DLL sideloading (malicious SSPICLI.dll loaded by OneDrive.exe), the VBA macro watches for trigger emails to execute commands, upload/download files, and exfiltrate encrypted data—employing registry persistence and stealthy beaconing to support prolonged espionage operations.
FTC Cautions Companies on Risks of Complying With EU and UK Data Rules
The FTC warned major U.S. technology firms that complying with EU and UK data laws by weakening encryption or content standards could violate U.S. law. Chair Andrew Ferguson stressed that extending foreign surveillance or censorship practices to Americans risks breaching Section 5 of the FTC Act and undermining consumer security.
Coordinated RDP Scans Seek Username Enumeration, Raising Intrusion Risks
GreyNoise observed a major spike in RDP scanning activity, with nearly 30,000 IPs probing Microsoft RDP portals for username enumeration flaws. Originating mainly from Brazil and targeting U.S. systems, the campaign appears coordinated, signaling potential preparation for brute-force, credential-stuffing, or ransomware intrusions worldwide.
Finance Executives Across Five Continents Targeted in New Espionage Campaign Attributed to MuddyWater
Hunt.io uncovered a global spear-phishing campaign by Iranian group MuddyWater, impersonating Rothschild & Co recruiters to target CFOs and finance leaders. Using Firebase phishing pages, malicious VBScript, and tools like NetBird and AteraAgent, the attackers achieved stealthy persistence and remote control across five continents’ financial sectors.
Murky Panda Abuses Trusted-Relationship in Cloud Attacks and Zero-Day Exploits for Espionage
CrowdStrike identifies Murky Panda, a China-linked espionage group, abusing trusted cloud relationships and exploiting zero-day vulnerabilities to infiltrate high-value targets across government, education, legal, professional services, and technology sectors. Using tools like Neo-reGeorg and CloudedHope, the group demonstrates advanced OPSEC and persistent cloud-based intelligence collection.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
