🧪 DFIR Labs | LockBit Ransomware Case #27244 Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access. Step through the investigation and see how LockBit was deployed end-to-end. 👉 dfirlabs.thedfirreport.com/auth/login

DFIR Labs is closing out the year with 25% off all cases and subscriptions. ✔ Buy now, redeem anytime over the next 3 months ⏰ Offer ends January 1 💳 Discount applied automatically at checkout dfirlabs.thedfirreport.com

DFIR Labs is closing out the year with 25% off all cases and subscriptions. ✔ Buy now, redeem anytime over the next 3 months ⏰ Offer ends January 1 💳 Discount applied automatically at checkout dfirlabs.thedfirreport.com

Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect netresec.com?b=25Cfd08

"The unusual command copied to the user's clipboard abused the SSH ProxyCommand option to quietly invoke the Windows Installer (msiexec) and download a payload, marking the start of the intrusion."

🎁 DFIR Labs Giveaway 🎁 We’re giving away 5 FREE DFIR Labs cases! How to enter: ➡️Post your favorite DFIR Report ➡️Tell us why it's your favorite That’s it! 🙌 We’ll select 5 winners before Christmas! DFIR Labs - dfirlabs.thedfirreport.com/auth/login Reports - thedfirreport.com

We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. All files involved in the initial access phase were signed with valid certificates.

🎉 BLACK FRIDAY DEAL IS LIVE! 🎉 Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last! 🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers! Don’t miss it — once it’s gone, it’s gone. store.thedfirreport.com/collections/...

🎉 BLACK FRIDAY DEAL IS LIVE! 🎉 Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last! 🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers! Don’t miss it — once it’s gone, it’s gone. store.thedfirreport.com/collections/...

"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."

🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "Artifacts of this SMB enumeration were left behind in the smb.db database stored by NetExec in C:\Users\%UserProfile%\nxc\workspaces\smb.db. This database confirms that a number of domains... 1/2

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "In this case, Netscan was run with domain administrator privileges, so all discovered shares were writable. As a result, NetScan was able to create and delete the delete[.]me file on each... 1/2

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "On the domain controller, they used the "Active Directory Users and Computers" snap-in (dsa.msc) to create three users for persistence. All of the newly created accounts have usernames that mimic... 1/2

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and... 1/3

"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."

We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. All files involved in the initial access phase were signed with valid certificates.

DFIR Challenge Weekend Recap! The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge! Big shoutout to the top finishers who untangled the whole thing: 🥇 Jason Phang Vern Onn 🥈 Marko Yavorskyi 🥉 Bohdan Hrondzal

🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️

"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow. Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."

"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors. The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."

"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain. The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."

"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."

"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."

🌟New report out today!🌟 Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️

🚨 New Lab Just Released: Specter’s Domain Heist – Private Case #35218 This lab is based on a detailed intrusion from our private case repositories 👇 📥 Workstation Compromise ➡️ Persistent Access ➡️ Discovery➡️ Privilege Escalation ➡️ Lateral Movement ➡️ Data Exfil Link 👇

🚨 Search for software, end up getting ransomware! SEO-driven #Bumblebee malware campaigns observed throughout July led to domain compromise, data theft & #Akira ransomware. Tools included #AdaptixC2 & #Netscan. thedfirreport.com/2025/08/05/f...

🚨 New: DFIR Labs Pro Tier is here! 🎯 Smarter investigations with: • 🧠 AI Timeline Builder (w/ IOCs + notes) • ⏱️ More lab time + extension credits • 📊 Analytics dashboard w/ tailored insights 🔗 Dive in: dfirlabs.thedfirreport.com/subscription...

🚨 New Interlock RAT variant spotted! Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). 🔎 thedfirreport.com/2025/07/14/k... #DFIR #KongTuke #InterlockRAT #FileFix

📢DFIR Labs Enterprise Forensics Challenge📢 🔹 When: Aug 30, 2025 (14:00-18:00 UTC) 🔹 SIEM: Azure Log Analytics, Elastic, or Splunk 🔹 Teams: 2-3 analysts 🔹 Prizes: Top team wins! 🏆 Limited spots available. Register Now: dfirlabs.thedfirreport.com/dfirchalleng...

🌟New report out today!🌟 Hide Your RDP: Password Spray Leads to RansomHub Deployment Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2 🔊Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/06/30/h...

A New DFIR Lab is out: The Hive Ransomware Fail 🐝 A domain is under siege, can you trace the threat actor's steps? Sharpen your triage and lateral movement skills in this hands-on investigation. ➡️Difficulty: Easy 1/2

🔎 We're Hiring: Senior Security Analyst We're looking for a full-time Senior Security Analyst with a passion for dissecting intrusions and translating technical findings into actionable insights. Check out the full job description and apply here 👉 forms.office.com/r/87y8wAp3gA

📢DFIR Labs Enterprise Forensics Challenge📢 🔹 When: Aug 30, 2025 (14:00-18:00 UTC) 🔹 SIEM: Azure Log Analytics, Elastic, or Splunk 🔹 Teams: 2-3 analysts 🔹 Prizes: Top team wins! 🏆 Limited spots available. Register Now: dfirlabs.thedfirreport.com/dfirchalleng...

🎉 Huge News from DFIR Labs: Subscriptions are Here! 🎉 We're thrilled to announce that subscriptions are officially LIVE and we’re proud of what this means for the DFIR community 💙 1/5

🎉New DFIR Discussions Episode🎉 🔊Available on Spotify, Apple, & YouTube! 🎙️ We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang. Check it out and let us know what you think! open.spotify.com/episode/1SKP...

⚔️Registration for the DFIR Labs Enterprise CTF is now LIVE! ⚔️ Assemble your elite SOC/IR team (up to 3 members) for a 4-hour competition to prove you're the best in the industry. Win prizes, bragging rights, and glory! 🏆 Register now! 👉https://form.jotform.com/251605321344245

🎙️ New Podcast Episode Dropping Soon! We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang. Stay tuned for deep insights, behind-the-scenes analysis, and expert commentary from the front lines of DFIR. 🔍

🚨 That CTF finale was wild. Only 300 points between 1st and 3rd — it stayed neck-and-neck till the very last minute. Big congrats to our winners! 🥇 @Friffnz — 5100 pts 🥈 snail — 4840 pts 🥉 forynsics — 4800 pts

🚨 CTF is starting soon!🚨 Don't Miss the DFIR Labs CTF - Registration Still Open! ➡️When: Today, June 7th | 16:30–20:30 UTC ➡️➡️Register: dfirlabs.thedfirreport.com/ctf

/1 🚨 𝐂𝐓𝐅 𝐤𝐢𝐜𝐤𝐬 𝐨𝐟𝐟 𝐢𝐧 𝐥𝐞𝐬𝐬 𝐭𝐡𝐚𝐧 48𝐡 - 𝐚𝐧𝐝 𝐭𝐡𝐢𝐬 𝐨𝐧𝐞’𝐬 𝐛𝐢𝐠. One of the most involved cases we’ve ever made available to the public. You’ll be diving into an intrusion that hit 18 hosts, including: ➡️ Domain Controllers ➡️ Backup Servers ➡️ Hypervisors ➡️ RDP Servers (Guess the initial access gonna be? 😏)

"The remote endpoints it attempted to contact included several TryCloudflare domains as well as direct IP addresses. The logic would rotate through the various servers until an online host was found. 1/3 #dfir #CyberSecurity #cyberthreatintelligence #cti #interlock #ransomware

🎯 THIS SATURDAY: DFIR Labs CTF 🎯 ⏰ June 7 | 1630–2030 UTC 🔗 Register Now → dfirlabs.thedfirreport.com/ctf 🚀 DFIR Labs CTF is back! 💥 Only $9.99 to join 💥 Choose Elastic or Splunk 💥 Access a brand-new, unreleased case 💥 Top 5 get invited to join The DFIR Report team!

We had a blast speaking at the Ransomware Summit! 🎤💥 Huge thanks to everyone involved! 🎥 Missed our keynote? No worries — you can catch the full session here: 👉 www.youtube.com/live/nhB-xkm...

🔥 DFIR Labs is Evolving! Have You Seen What's New? 🔥 Big things are happening at DFIR Labs! We've been hard at work implementing a wave of exciting changes and improvements, all designed to enhance your experience! ➡️ Check it out now! dfirlabs.thedfirreport.com

"Analysis of command-line activity reveals the threat actor’s use of specific PowerShell cmdlets for discovering and interacting with virtual machines. 1/4

thedfirreport.com/2025/05/19/a... It was fun working on this Report with @pcsc0ut.bsky.social && 0xtornado. I hope my #threathunting friends will find it helpful. We came up with a new detection for Impacket tools in this investigation

🌟New report out today!🌟 Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Analysis and reporting completed by @pcsc0ut.bsky.social, @irishdeath.bsky.social & @0xtornado 🔊Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/05/19/a...

📉DFIR Labs Weekend Discount📉 Use this discount code to receive 10% off all DFIR Labs cases! Discount expires May 5th 04:00 UTC ⏲️Buy now, use anytime over the next 3 months. ➡️Discount code: WeekendDiscount20250502 Access DFIR Labs: store.thedfirreport.com/collections/...

📉DFIR Labs Weekend Discount📉 Use this discount code to receive 10% off all DFIR Labs cases! Discount expires May 5th 04:00 UTC ⏲️Buy now, use anytime over the next 3 months. ➡️Discount code: WeekendDiscount20250502 Access DFIR Labs: store.thedfirreport.com/collections/...