Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
The Dual Threat of KandyKorn and RustBucket Campaigns by North Korean Hackers
In 2023, North Korean threat actors launched two distinct but interconnected campaigns, KandyKorn and RustBucket, primarily targeting the financial sector and blockchain engineers. SentinelOne, building upon research by Elastic Security Labs and JAMF Threat Labs, uncovers the intricate methods employed in these attacks. KandyKorn, a multi-stage operation, deceives blockchain engineers of a crypto exchange through a malicious Python application disguised as a cryptocurrency arbitrage bot distributed via Discord.
New Gh0st RAT Variant "SugarGh0st RAT" Runs Espionage Campaigns
Cisco Talos has identified a cyberespionage campaign using a new variant of the Gh0st RAT, dubbed SugarGh0st RAT, targeting users primarily in Uzbekistan and South Korea. This campaign, suspected to be orchestrated by a Chinese threat actor, uses sophisticated tactics including two distinct infection chains employing malicious RAR files and DynamicWrapperX loaders.
Cactus Ransomware Strikes Through Qlik Sense Vulnerabilities
Arctic Wolf Labs has identified a new cyber threat where Cactus ransomware operators exploit vulnerabilities in Qlik Sense applications. Utilizing CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the attackers gain initial access, subsequently deploying Cactus ransomware.
Job Centric Themes Fueling Two North Korean Campaigns
Unit 42 reveals two North Korean state-sponsored cyber campaigns, "Contagious Interview" and "Wagemole," exploiting job-centric themes. "Contagious Interview" targets software developers with simulated job interviews and collaboration hubs like GitHub, deploying malware like BeaverTail and InvisibleFerret for cryptocurrency theft, keylogging, and credential theft.
Boeing Supplements CISA Advisory for LockBit's Abuse of Citrix Bleed Vulnerability
A joint Cybersecurity Advisory, aided by Boeing and Kevin Beaumont, focuses on the threat of LockBit 3.0 ransomware exploiting the Citrix Bleed vulnerability (CVE-2023-4966). This vulnerability allows bypassing password and MFA requirements, enabling session hijacking on Citrix NetScaler ADC and Gateway appliances.
Fortinet Presents An In-Depth View of a Rhysida Intrusion
Fortinet's Managed Detection and Response team provides a thorough analysis of the Rhysida ransomware group, recently highlighted in CISA's #StopRansomware advisory. This ransomware-as-a-service has affected over 50 organizations, primarily in the United States, Germany, France, Italy, and England, with education, manufacturing, technology, government, and construction being the most targeted sectors.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
Trusted by leading teams at
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
