Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

We curate threat intelligence to provide situational awareness and actionable insights

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

Threat News Reports
Trending Threat Reports
ResearchArticles

Forge Threat Report

Forge Report: First Half Threat Trends of 2024

Anvilogic Forge's latest report offers essential insights into key threat trends and adversarial tactics observed in the first half of 2024. From the pervasive use of PowerShell and remote access tools to sophisticated social engineering and attacks on the healthcare sector, this comprehensive analysis provides actionable intelligence and detection rules to bolster your defenses. Explore our key findings and access ready-to-deploy detection content to enhance your security posture.

All Threat Reports

Levels

All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
This is some text inside of a div block.
11
-
14
-
2024
Level:
Tactical
|
Source:

Ransomware Alliances Amplify Threat of Skilled Social Engineering Actors Scattered Spider

ReliaQuest’s investigation reveals a ten-hour breach at a manufacturing organization, where threat actor Scattered Spider exploited help desk processes to reset critical accounts and gain privileged access. In collaboration with the RansomHub ransomware group, they bypassed MFA, exfiltrated sensitive data, and encrypted systems, exposing severe security gaps in response protocols.

Manufacturing
This is some text inside of a div block.
11
-
07
-
2024
Level:
Strategic
|
Source:

Operation Magnus Seizes Key Servers, Halts Redline and Meta Infostealer Activities

In a multi-agency cyber crackdown on October 28, 2024, Operation Magnus dismantled the network infrastructure behind Redline and Meta infostealers. This takedown, led by Dutch and U.S. law enforcement, cut off access to servers used for data theft, disrupting tools that cybercriminals have used to harvest sensitive information since 2020. Authorities now hold critical insights into the malware's operators and distribution networks, with further legal actions expected.

Global
This is some text inside of a div block.
11
-
07
-
2024
Level:
Tactical
|
Source:

Microsoft Adds Intelligence on Midnight Blizzard’s RDP-Based Attacks Amid Ongoing Phishing Wave

Microsoft reports that Russian threat group Midnight Blizzard has launched an RDP-based phishing campaign aimed at defense, government, and tech sectors worldwide. By using signed RDP files in highly targeted emails, the group establishes remote sessions to gather sensitive data, leveraging local resources and deploying malware for persistent access. CERT-UA and Amazon provided additional mitigation advice and disrupted malicious infrastructure tied to the campaign.

Defense
Government
Education
Non-government organizations (NGOs)
Technology
This is some text inside of a div block.
11
-
07
-
2024
Level:
Tactical
|
Source:

UNC5812 Pushes Malware Through Telegram to Disrupt Ukraine’s Mobilization Efforts

The Russian-affiliated group UNC5812, using the alias "Civil Defense," has launched a campaign targeting Ukrainian military mobilization by distributing malware through Telegram. Utilizing decoy applications and various backdoors, including PURESTEALER and CRAXSRAT, the group gathers sensitive data and sows anti-mobilization sentiments. The campaign reflects Russia's disinformation strategy and influence tactics, as reported by Google Threat Intelligence.

Defense
This is some text inside of a div block.
11
-
07
-
2024
Level:
Tactical
|
Source:

North Korean Andariel Group Linked to Play Ransomware in New Cyber Campaign

North Korea’s Andariel Group, a state-sponsored cyber actor, is linked to Play ransomware in recent attacks, according to Unit 42. Traditionally focused on espionage and financial cybercrime, Andariel now acts as an initial access broker, leveraging tools like Sliver and DTrack. The investigation reveals strategic shifts, including RDP session control, credential theft, and evasion of EDR detection, culminating in Play ransomware deployment.

Global
This is some text inside of a div block.
10
-
31
-
2024
Level:
Strategic
|
Source:

Foreign Powers Escalate Influence Operations Ahead of U.S. Election

Microsoft’s Threat Analysis Center reports that Russia, Iran, and China are increasing influence operations ahead of U.S. Election 2024. Efforts include AI-generated disinformation, targeting candidates, and spreading divisive content on social issues, all aimed at undermining trust in the election. Coordinated countermeasures are essential to safeguard democratic integrity.

Global

Intelligence Levels for Threat Reports

Tactical

Detectable threat behaviors for response with threat scenarios or threat identifiers.

Strategic

General information security news, for awareness.

Whitepapers

No items found.

The World's Best SOC Teams Use Anvilogic

Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
Crypto.com Logo
Rakuten Mobile Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
St. George's University Logo
Paypal Logo
Sprinklr Logo
SAP Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
Crypto.com Logo
Rakuten Mobile Logo
St. George's University Logo
Navan Logo
ADP Logo
Labcorp Logo
Dyson Logo
siemens Logo

Build Detections You Want,
Where You Want

Build Detections You Want,
Where You Want