Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

We curate threat intelligence to provide situational awareness and actionable insights

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

• Threat News Reports
‍• Trending Threat Reports
‍• ResearchArticles

Forge Threat Report

Forge Report: First Half Threat Trends of 2024

Anvilogic Forge's latest report offers essential insights into key threat trends and adversarial tactics observed in the first half of 2024. From the pervasive use of PowerShell and remote access tools to sophisticated social engineering and attacks on the healthcare sector, this comprehensive analysis provides actionable intelligence and detection rules to bolster your defenses. Explore our key findings and access ready-to-deploy detection content to enhance your security posture.

Read the Full Report

Featured Threat Reports

2025

NetSupport RAT Campaign Expands with ClickFix Technique

A malware campaign using fake CAPTCHA pages continues into 2025, now leveraging the ClickFix technique to trick users into executing NetSupport RAT. eSentire reports attackers using mshta.exe and PowerShell for stealthy infections, reinforcing the campaign’s persistence. NetSupport RAT enables remote control, data theft, and further malware deployment.

See the Report

View the Detection

2025

"BadPilot" Campaign From Russian APT Pose Ongoing Cyber Threat to Western Nations

Microsoft has identified the "BadPilot" cyber campaign by Russian APT Seashell Blizzard, which targets critical sectors across Western nations. Exploiting vulnerabilities in Microsoft Exchange, Zimbra, and Fortinet, the group employs RMM tools, web shells, and credential theft to enable long-term espionage and cyber disruptions, aligning with Russia’s geopolitical objectives.

See the Report

View the Detection

All Threat Reports

This is some text inside of a div block.

2024

Level:

Tactical

Source:

Sygnia

Reemergence of GhostEmperor with New EDR Evasion Techniques

Sygnia's investigation uncovers the reemergence of GhostEmperor, a China-affiliated threat group, employing advanced EDR evasion techniques and multi-stage malware. Targeting government and telecom sectors in Southeast Asia, GhostEmperor uses the Demodex rootkit and sophisticated obfuscation methods to avoid detection.

Government

Telecommunications

This is some text inside of a div block.

2024

Level:

Strategic

Source:

Mandiant

NATO Faces Increasing Cyber Attacks Amidst Geopolitical Tensions

Mandiant's report highlights escalating cyber threats to NATO amidst geopolitical tensions. State-sponsored groups like Russia's APT29 and Chinese actors engage in cyber espionage, while hacktivist groups increase disruptive attacks. The report underscores the dual threats of espionage and destructive cyberattacks targeting NATO's critical infrastructure.

Global

This is some text inside of a div block.

2024

Level:

Tactical

Source:

ASEC

HappyDoor Malware's Continuous Development by Kimsuky

ASEC's report reveals the ongoing evolution of HappyDoor malware by the North Korean group Kimsuky. First identified in 2021, the malware now features advanced info-stealing and backdoor capabilities. Distributed via spear-phishing, HappyDoor encrypts and exfiltrates data, using tools like ngrok and Chrome Remote Desktop for persistent access.

Global

This is some text inside of a div block.

2024

Level:

Strategic

Source:

Red Canary

Red Canary: Thwarts Ransomware From Early Signs of Malicious PowerShell

In June 2024, Red Canary prevented a ransomware attack on a major city hospital by detecting malicious PowerShell activity. The attack, originating from a webshell on a Microsoft Exchange server, was stopped before it could impact patient care. Key steps included monitoring for suspicious PowerShell activity and preventing the disabling of Windows Defender.

Healthcare

This is some text inside of a div block.

2024

Level:

Tactical

Source:

Australian Signals Directorate (ASD) & CISA

Cybersecurity Agencies Reveal Tactics of a Prolific Chinese Hacking Group

The ASD’s ACSC and CISA reveal the activities of APT40, a Chinese state-sponsored hacking group targeting global networks. Known for exploiting vulnerabilities in critical infrastructure, APT40 uses compromised devices to evade detection and exfiltrate sensitive data. Defensive measures include applying security patches, deploying web application firewalls, and replacing outdated networking devices.

Global

This is some text inside of a div block.

2024

Level:

Strategic

Source:

OpenSSH, Qualys & The Record

New "regreSSHion" Vulnerability - CVE-2024-6387, Could Enable Remote Code Execution on Linux

The newly discovered regreSSHion vulnerability (CVE-2024-6387) in OpenSSH allows remote code execution on glibc-based Linux systems. Found by Qualys, this flaw affects versions 8.5p1 to 9.7p1. Updating to version 9.8p1 or later is essential to mitigate this severe threat and secure your systems.

Global

About the Forge & Threat Reports

Deploy and maintain detections and threat hunt across all of your logging platforms and security tools without centralizing your data or deploying new agents.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.