Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

We curate threat intelligence to provide situational awareness and actionable insights

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

Threat News Reports
Trending Threat Reports
ResearchArticles

Forge Threat Report

Forge Report: First Half Threat Trends of 2024

Anvilogic Forge's latest report offers essential insights into key threat trends and adversarial tactics observed in the first half of 2024. From the pervasive use of PowerShell and remote access tools to sophisticated social engineering and attacks on the healthcare sector, this comprehensive analysis provides actionable intelligence and detection rules to bolster your defenses. Explore our key findings and access ready-to-deploy detection content to enhance your security posture.

All Threat Reports

Levels

All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
This is some text inside of a div block.
06
-
05
-
2025
Level:
Strategic
|
Source:

Coordinated Influence Campaigns Exposed in Meta’s Q1 2025 Adversarial Report

Meta’s Q1 2025 Adversarial Threat Report reveals three influence operations from China, Iran, and Romania. These networks used fake accounts, AI-generated images, and political content to manipulate discourse across Facebook and Instagram. Meta removed the campaigns early, citing increasing use of cross-platform coordination and generative AI techniques.

Global
This is some text inside of a div block.
06
-
05
-
2025
Level:
Tactical
|
Source:

FBI Warns of Ongoing SRG Campaigns Exploiting Remote Access Tools

The FBI reports Silent Ransom Group (SRG) is targeting U.S. law firms using phishing and IT impersonation to deploy remote access tools like WinSCP and Rclone. Once inside, attackers exfiltrate sensitive data and extort victims. SRG’s evolving tactics highlight the need for remote access monitoring and user training.

Healthcare
Insurance
Legal
This is some text inside of a div block.
06
-
05
-
2025
Level:
Tactical
|
Source:

Finance Leaders Targeted in Global Phishing Operation Delivering NetBird

Trellix discovered a phishing campaign distributing NetBird malware to CFOs and finance executives across finance, energy, and insurance sectors. Victims received recruiter-themed emails linking to Firebase-hosted CAPTCHA pages delivering VBS scripts. The payload installs NetBird and OpenSSH, creating hidden admin accounts and enabling persistent remote access with minimal detection.

Energy
Financial
Insurance
This is some text inside of a div block.
05
-
29
-
2025
Level:
Strategic
|
Source:

Initial Access Groups Reshaping Cyber Threat Landscape, Cisco Talos Warns

Cisco Talos reports that cyber intrusions increasingly involve multiple threat actors, as initial access groups (IAGs) split attacks into compromise and exploitation phases. This evolving model complicates attribution and response, requiring defenders to track both financially motivated and state-sponsored actors, and understand their relationships across the threat ecosystem.

Global
This is some text inside of a div block.
05
-
29
-
2025
Level:
Tactical
|
Source:

Attack Chain Evolution Reveals Muddled Libra’s Continuous Refinement of its Capabilities

Unit 42’s latest analysis of Muddled Libra shows the threat group evolving its tactics across ransomware and extortion campaigns. Now targeting help desks, using AI voice models, and deploying tools like PsExec, BlackCat, and RMM software, Muddled Libra poses a serious and adaptive threat to enterprise environments globally.

Global
This is some text inside of a div block.
05
-
29
-
2025
Level:
Tactical
|
Source:

Leaked Access Key Enables Cloud Intrusion, AWS Identity Center Abused for Persistence

Datadog uncovered an AWS breach exploiting a leaked access key tied to a management account. Attackers used AWS Identity Center and Lambda to establish persistence, created IAM users, disabled centralized services, and abused Telegram bots for automation. The case highlights how long-term keys can trigger full cloud compromise.

Global

Intelligence Levels for Threat Reports

Tactical

Detectable threat behaviors for response with threat scenarios or threat identifiers.

Strategic

General information security news, for awareness.

Whitepapers

No items found.

The World's Best SOC Teams Use Anvilogic

Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
Crypto.com Logo
Rakuten Mobile Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
Paypal Logo
Sprinklr Logo
SAP Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
Crypto.com Logo
Rakuten Mobile Logo
St. George's University Logo
Navan Logo
ADP Logo
Labcorp Logo
Dyson Logo
siemens Logo

Build Detections You Want,
Where You Want

Build Detections You Want,
Where You Want