Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Cadet Blizzard Recognized as the Culprit of Russian Data Wiper Malware
Microsoft has identified the Russian threat group Cadet Blizzard, formerly known as DEV-0586, as the culprit behind the WhisperGate data wiper and various disruptive cyber operations against Ukraine. Active since 2020, Cadet Blizzard has targeted consulting, emergency services, government, law enforcement, and technology sectors. The group uses compromised credentials, web shells, and "living off the land" techniques to maintain low profiles. Their activities peaked during the Russia-Ukraine conflict and resumed with defacement attacks in early 2023.
APT38 Poses as Financial Service Sector to Infiltrate Networks
APT38, a North Korean threat group, poses as financial entities and venture capital firms to infiltrate networks, targeting financial institutions in Japan, Taiwan, and the US. Recorded Future's Insikt Group identified 74 domains and 6 malicious files used in this campaign. APT38's activities align with their history of targeting cryptocurrency exchanges and banks to support the North Korean government financially.
Inside the Operations of the Royal Ransomware Gang
The Royal ransomware gang, emerging in September 2022 and linked to former Conti members, is identified as a significant threat. Recently associated with the BlackSuit encryptor, the gang may be considering rebranding due to law enforcement pressure. Operating in small teams, the group includes subgroups like Zeon, Silent Ransom Group, and BlackBasta, and allies with BlackCat/ALPHV, AvosLocker, and others. They utilize tools such as Emotet, IcedID, and Sliver for their attacks.
South Korean Industries Under Attack by North Korean APT
North Korean APT group ITG10, also known as ScarCruft or Richochet Chollima, targets South Korean entities across various sectors, including communication, education, energy, and government. Using malicious lure documents, ITG10 distributes RokRAT malware via PowerShell scripts. IBM's Security X-Force highlights the group's focus on strategic, political, and military information related to the Korean peninsula.
Intrusions from Asylum Ambuscade Runs with Mixed Objectives
Cybercrime group Asylum Ambuscade targets financial services and government entities in Central Asia, Europe, and North America. Using phishing emails exploiting the Follina vulnerability (CVE-2022-30190) and malicious Google Ads, the group deploys spyware like AHKBOT. Their objectives include stealing confidential information and webmail credentials, with mixed motives of espionage and financial gain. ESET highlights the group's evolving target profile and tactics.
CVE-2023-34362: Signs of Clop & MOVEit Dates Back to 2021
The MOVEit vulnerability, CVE-2023-34362, has been exploited by the Clop ransomware gang since 2021. Researchers from Kroll and Huntress revealed that Clop meticulously planned for mass exploitation, with significant activity noted in April 2022 and early as July 2021. Recent attacks starting May 27, 2023, targeted numerous organizations for data theft and extortion, leveraging the long US holiday weekend. Clop has notified victims, demanding communication by June 14, 2023.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
Trusted by leading teams at
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
