[Upcoming Session] Habits of High-Performing Detection Engineers feat. Zack 'techy' Allen. Join us January 16
Register
Skip to main content

Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

Subscribe to Weekly Reports

We curate threat intelligence to provide situational awareness and actionable insights

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

Threat News Reports
Trending Threat Reports
ResearchArticles

Forge Threat Report

Forge Report: First Half Threat Trends of 2024

Anvilogic Forge's latest report offers essential insights into key threat trends and adversarial tactics observed in the first half of 2024. From the pervasive use of PowerShell and remote access tools to sophisticated social engineering and attacks on the healthcare sector, this comprehensive analysis provides actionable intelligence and detection rules to bolster your defenses. Explore our key findings and access ready-to-deploy detection content to enhance your security posture.
Read the Full Report

Featured Threat Reports

01
-
09
-
2025
EC2 Grouper Targets AWS Environments with Undetermined Attack Objective
The EC2 Grouper threat group targets AWS environments, exploiting exposed keys in public repositories and executing automated API calls for reconnaissance and configuration changes. Fortinet highlights vulnerabilities in cloud security practices and urges stricter monitoring to prevent exploitation by this attacker. The group's ultimate objectives remain unknown.
See the Report
View the Detection
01
-
02
-
2025
APT29 Executes Large-Scale RDP Attack Campaign Focused on Espionage and Data Theft
APT29 (Earth Koshchei) launched a massive RDP campaign targeting defense, government, and technology sectors. Spear-phishing emails delivered rogue RDP files, connecting victims to attacker-controlled servers. The group used MITM tools like PyRDP to intercept sessions, exfiltrate sensitive data, and evade detection, marking a sophisticated espionage effort.
See the Report
View the Detection

All Threat Reports

Levels

All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
This is some text inside of a div block.
07
-
25
-
2024
Level:
Tactical
|
Source:
Trellix

Cactus Ransomware Uses SSH Tunnels and icacls for Persistent Attacks

Trellix's analysis reveals Cactus ransomware's exploitation of SSH tunnels and icacls for persistent attacks. Since March 2023, Cactus has targeted over 100 entities globally. It uses vulnerabilities in Ivanti MobileIron Sentry for initial access, establishes SSH backdoors, and employs various non-native tools for intrusion and data exfiltration before encrypting files with .cts extension.

Global
This is some text inside of a div block.
07
-
25
-
2024
Level:
Tactical
|
Source:
Sygnia

Reemergence of GhostEmperor with New EDR Evasion Techniques

Sygnia's investigation uncovers the reemergence of GhostEmperor, a China-affiliated threat group, employing advanced EDR evasion techniques and multi-stage malware. Targeting government and telecom sectors in Southeast Asia, GhostEmperor uses the Demodex rootkit and sophisticated obfuscation methods to avoid detection.

Government
Telecommunications
This is some text inside of a div block.
07
-
18
-
2024
Level:
Strategic
|
Source:
Mandiant

NATO Faces Increasing Cyber Attacks Amidst Geopolitical Tensions

Mandiant's report highlights escalating cyber threats to NATO amidst geopolitical tensions. State-sponsored groups like Russia's APT29 and Chinese actors engage in cyber espionage, while hacktivist groups increase disruptive attacks. The report underscores the dual threats of espionage and destructive cyberattacks targeting NATO's critical infrastructure.

Global
This is some text inside of a div block.
07
-
18
-
2024
Level:
Tactical
|
Source:
ASEC

HappyDoor Malware's Continuous Development by Kimsuky

ASEC's report reveals the ongoing evolution of HappyDoor malware by the North Korean group Kimsuky. First identified in 2021, the malware now features advanced info-stealing and backdoor capabilities. Distributed via spear-phishing, HappyDoor encrypts and exfiltrates data, using tools like ngrok and Chrome Remote Desktop for persistent access.

Global
This is some text inside of a div block.
07
-
18
-
2024
Level:
Strategic
|
Source:
Red Canary

Red Canary: Thwarts Ransomware From Early Signs of Malicious PowerShell

In June 2024, Red Canary prevented a ransomware attack on a major city hospital by detecting malicious PowerShell activity. The attack, originating from a webshell on a Microsoft Exchange server, was stopped before it could impact patient care. Key steps included monitoring for suspicious PowerShell activity and preventing the disabling of Windows Defender.

Healthcare
This is some text inside of a div block.
07
-
18
-
2024
Level:
Tactical
|
Source:
Australian Signals Directorate (ASD) & CISA

Cybersecurity Agencies Reveal Tactics of a Prolific Chinese Hacking Group

The ASD’s ACSC and CISA reveal the activities of APT40, a Chinese state-sponsored hacking group targeting global networks. Known for exploiting vulnerabilities in critical infrastructure, APT40 uses compromised devices to evade detection and exfiltrate sensitive data. Defensive measures include applying security patches, deploying web application firewalls, and replacing outdated networking devices.

Global

About the Forge & Threat Reports

Deploy and maintain detections and threat hunt across all of your logging platforms and security tools without centralizing your data or deploying new agents.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Sign Up For Weekly Threat Reports

Intelligence Levels for Threat Reports

Tactical

Detectable threat behaviors for response with threat scenarios or threat identifiers.

Strategic

General information security news, for awareness.

Whitepapers

White Paper: Forge Threat Detection Success at the Pyramid Apex
White Paper: Forge Threat Detection Success at the Pyramid Apex

The World's Best SOC Teams Use Anvilogic

Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
Crypto.com Logo
Rakuten Mobile Logo
St. George's University Logo
Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
TJX Logo
Crypto.com Logo
Rakuten Mobile Logo
St. George's University Logo

Research to keep you up-to-date on threats

Learn More

Interested in joining the Anvilogic team?

See Careers

Break Free from SIEM Lock-in

Break Free from SIEM Lock-in

Book a Demo
Arrest & Seizures
Election Security
Insider Threat
AI Security
Application & User Security
Cybersecurity Enforcement
User Security
Cybercrime
Russia and Ukraine
Cyberattack
Tactical Threat Detection
Vulnerability
Threat Actor Activities
Strategic InfoSec News
Ransomware News
Network Security
Featured
Mobile Security
Malware Campaigns
Data Breach
Internet of Things (IoT) Security
Critical Infrastructure Security
Application Security
Cloud Security