Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
FileFix Pushes Interlock RAT with Browser-Triggered PowerShell Execution Chain
DFIR Report and Proofpoint observed a May–June 2025 spike in Interlock RAT activity via FileFix—a new infection technique abusing browser-based file explorers to run hidden PowerShell scripts. The PHP variant of Interlock RAT enables stealthy reconnaissance, lateral movement, and persistence using Cloudflare tunneling and targeted domain enumeration.
MuddyWater, APT33 Lead Wave of Iranian Cyberattacks Against Industrial Sectors
Nozomi Networks reports a 133% surge in Iranian state-linked cyberattacks during May–June 2025, primarily targeting U.S. manufacturing and transportation. MuddyWater and APT33 led the wave, with OilRig, Fox Kitten, and others also active. These attacks reflect escalating geopolitical tensions and growing threats to critical infrastructure sectors.
ClickFix Pervasive in 2025, Fueling NetSupport, Latrodectus, and Lumma Stealer Infections Across Key Sectors
Unit 42 reports a surge in ClickFix malware campaigns in 2025, using user-executed commands to deliver NetSupport RAT, Latrodectus, and Lumma Stealer. Sectors hit hardest include technology, financial services, and manufacturing, with infections tied to ClearFake lures and clipboard manipulation. The trend highlights growing social engineering risks.
Justice Department Disrupts North Korean IT Worker Scheme Targeting U.S. Firms
The Justice Department dismantled a large-scale North Korean IT worker scheme targeting over 100 U.S. companies. Using stolen identities and U.S.-based enablers, operatives gained unauthorized access to sensitive systems and laundered millions. The crackdown included searches of 29 laptop farms, indictments, and asset seizures across multiple states and countries.
CISA Warns U.S. Infrastructure at Risk from Iranian-Linked Cyber Activity
CISA and U.S. agencies warn that Iranian-affiliated cyber actors may target critical infrastructure, especially organizations tied to defense or Israeli research. These threats exploit outdated systems, default credentials, and OT vulnerabilities. CISA urges proactive hardening, strong authentication, and updated incident response plans to mitigate the risk of ideological cyberattacks.
Microsoft Entra Gap Lets Guest Users Inject Subscriptions into Target Tenants
A flaw in Microsoft Entra allows guest users to inject subscriptions into external tenants while retaining full control. This bypasses standard auditing and access controls, enabling privilege escalation and persistence. Organizations must tighten subscription policies, audit guest activity, and monitor dynamic access to mitigate this under-recognized cloud risk.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
