The DFIR Report
@thedfirreport.bsky.social
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.
https://thedfirreport.com
Pinned post
New logo. New website. Same DFIR Report team. 🔎 Check out the incredible analysts behind the research:
thedfirreport.com/company/anal...
Meet The DFIR Report Analysts | Cybersecurity Experts
Discover the volunteer analysts behind The DFIR Report. Meet the experts documenting real-world intrusions and strengthening global cyber defense.
https://thedfirreport.com/company/analysts/
3 months ago
"The ransom note did not follow the normal LockBit format directing victims to a Tor leak site or TOX/Jabber communications; instead, it instructed them to download and use the Session private messaging application... Report:
thedfirreport.com/2026/02/23/a...
10 days ago
Day 9: Ransomware deployment. The threat actor RDP’d from the beachhead to backup & file servers and dropped the Lynx payload “w.exe” using a compromised Domain Admin account. Full breakdown 👇
thedfirreport.com/2025/12/17/c...
#DFIR
#Ransomware
#ThreatHunting
#BlueTeam
#CyberSecurity
15 days ago
This Diamond Model from our “Cat’s Got Your Files: Lynx Ransomware” report illustrates the four core elements of the intrusion. See how all four vertices aligned for full-domain compromise 👇
thedfirreport.com/2025/12/17/c...
#DFIR
#ThreatIntel
#Ransomware
#BlueTeam
#CyberSecurity
29 days ago
"On some hosts, Microsoft Defender antivirus was active. On these systems, Defender detected and blocked execution of the service creation and PowerShell execution..." Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
30 days ago
"The threat actor also ran the command netstat -t, which displays active connections; however, -t is not a documented option for netstat on Windows." Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
about 1 month ago
RDP bitmap cache artifacts revealed the threat actor opening the Veeam Backup & Replication console, reviewing backup jobs, tape & storage infrastructure — and removing backups from the configuration database. Full report 👇
thedfirreport.com/2025/12/17/c...
about 1 month ago
We’re seeing a “Missing Font” ClickFix chain in the wild. Flow: 1️⃣ Fake “Missing Font” prompt 2️⃣ Leads to a BSOD-style recovery screen 3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands
#infosec
#DFIR
#threatintel
about 1 month ago
Threat Actors are "Bringing Their Own Forensics". In a recent ClickFix campaign, we saw threat actors, likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
about 2 months ago
"The IP 195.211.190[.]189 was hosted on infrastructure from Railnet LLC — a legal front for Russia-based bulletproof hosting provider Virtualine." Full report 👇
thedfirreport.com/2025/11/17/c...
#DFIR
#Ransomware
#ThreatIntel
#BlueTeam
#CyberSecurity
about 2 months ago
"On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system settings to the user’s preference. This LOLBIN was used to disable Windows..." Report:
thedfirreport.com/2026/02/23/a...
about 2 months ago
"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"
2 months ago
Low noise. High signal. If you get an alert from our feed in your environment, ping us. We’ll help triage it. That’s how much we trust the signal. 🔎 Actionable 🎯 High-confidence ⚡ Built for defenders
thedfirreport.com/products/thr...
2 months ago
"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389..." Link to report ⬇️
2 months ago
"Around 50 minutes after the connection to this second domain controller the ransomware propagation began. Deployment of ransomware consisted of creating remote services on domain joined endpoints, and included distributing the files via SMB."
2 months ago
"SoftPerfect NetScan was used extensively during the intrusion… evidence from Security Event ID 4688 logs showed mstsc.exe /v:<IP address> being launched by netscan.exe, confirming the use of NetScan’s Remote Desktop functionality." Full report 👇
thedfirreport.com/2025/11/17/c...
2 months ago
🌟New report out today!🌟 Apache ActiveMQ Exploit Leads to LockBit Ransomware Analysis and reporting completed by @malforsec, @lapadrino, and @PeteO. 🔊Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2026/02/23/a...
#DFIR
#DigitalForensics
#BlueTeam
Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report
Key Takeaways An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability…
https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
2 months ago
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO! "The Base64 string $dsU contained the shellcode. We decoded it and used SpeakEasy..." If you would like to be notified when we publish the report 👉️
thedfirreport.com/subscribe/
#DFIR
#IncidentResponse
2 months ago
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO! "The first step in the exploitation was to send a maliciously crafted OpenWire command to the ActiveMQ server" If you would like to be notified when we publish the report 👉️
thedfirreport.com/subscribe/
#DFIR
3 months ago
SEO poisoning ➡️ Fake RVTools ➡️ Python backdoor ➡️ PipeMagic ➡️ CVE-2025-29824 ➡️ #Ransomexx — domain-wide in <19 hrs. The Python backdoor connected to azure-secure-agent[.]com (87.251.67[.]241), enabling cmd/PowerShell exec, payload download, screenshots, and IP discovery.
3 months ago
🧪 DFIR Labs | ALPHV Case #24952 Follow a real intrusion where IcedID led to ScreenConnect, custom C# tooling, and an ALPHV ransomware deployment. Hands-on analysis of attacker tradecraft from access to impact. 👉
dfirlabs.thedfirreport.com/auth/login
3 months ago
Don’t just block threats — disrupt them. Our IR-driven Threat Feed helps you: 🔎 Detect attacker infrastructure early ⚡ Hunt for active footholds 🛡️ Reduce false positives with continuously verified intel Get the edge:
thedfirreport.com/contact/
#ThreatIntel
#BlueTeam
#DFIR
3 months ago
🐱 Cat’s Got Your Files: Lynx Ransomware Attackers abused valid credentials to access RDP, created high-privilege accounts for persistence, mapped the environment, and exfiltrated data before deploying Lynx ransomware. Report 👇
thedfirreport.com/2025/11/17/c...
3 months ago
🤝 We’ve partnered with @13CubedDFIR to level up your #DFIR training. 🔹 DFIR Labs users: Finish a quiz & get $100 OFF 13Cubed courses. 🔹 13Cubed users: Buy "Investigating Windows Endpoints" & get 20% OFF DFIR Labs!
👉 training.13cubed.com
👉 dfirlabs.thedfirreport.com
3 months ago
🧪 DFIR Labs | BlueSky Ransomware Lab Dive into a real investigation where a SQL brute force attack led to rapid BlueSky ransomware deployment. Explore how attackers compromised MSSQL, then used Cobalt Strike and Tor2Mine to spread ransomware! 👉
dfirlabs.thedfirreport.com/auth/login
3 months ago
We analyzed a DPRK-linked Contagious Interview intrusion where fake job lures abused npm install for C2 using trusted packages. A modular toolset (OtterCookie, InvisibleFerret, Tsunami) enabled cross-platform access and data theft targeting wallets, creds, and docs.
3 months ago
🧪 DFIR Labs | LockBit Ransomware Case #27244 Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access. Step through the investigation and see how LockBit was deployed end-to-end. 👉
dfirlabs.thedfirreport.com/auth/login
4 months ago
Reposted by The DFIR Report
DFIR Labs is closing out the year with 25% off all cases and subscriptions. ✔ Buy now, redeem anytime over the next 3 months ⏰ Offer ends January 1 💳 Discount applied automatically at checkout
dfirlabs.thedfirreport.com
4 months ago
Reposted by The DFIR Report
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲
5 months ago
Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect
netresec.com?b=25Cfd08
Latrodectus BackConnect
I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Mont...
https://netresec.com/?b=25Cfd08
"The unusual command copied to the user's clipboard abused the SSH ProxyCommand option to quietly invoke the Windows Installer (msiexec) and download a payload, marking the start of the intrusion."
5 months ago
🎁 DFIR Labs Giveaway 🎁 We’re giving away 5 FREE DFIR Labs cases! How to enter: ➡️Post your favorite DFIR Report ➡️Tell us why it's your favorite That’s it! 🙌 We’ll select 5 winners before Christmas! DFIR Labs -
dfirlabs.thedfirreport.com/auth/login
Reports -
thedfirreport.com
5 months ago
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. All files involved in the initial access phase were signed with valid certificates.
5 months ago
Reposted by The DFIR Report
🎉 BLACK FRIDAY DEAL IS LIVE! 🎉 Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last! 🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers! Don’t miss it — once it’s gone, it’s gone.
store.thedfirreport.com/collections/...
5 months ago
"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."
6 months ago
🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.
6 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "Artifacts of this SMB enumeration were left behind in the smb.db database stored by NetExec in C:\Users\%UserProfile%\nxc\workspaces\smb.db. This database confirms that a number of domains... 1/2
6 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "In this case, Netscan was run with domain administrator privileges, so all discovered shares were writable. As a result, NetScan was able to create and delete the delete[.]me file on each... 1/2
6 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "On the domain controller, they used the "Active Directory Users and Computers" snap-in (dsa.msc) to create three users for persistence. All of the newly created accounts have usernames that mimic... 1/2
6 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and... 1/3
6 months ago
DFIR Challenge Weekend Recap! The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge! Big shoutout to the top finishers who untangled the whole thing: 🥇 Jason Phang Vern Onn 🥈 Marko Yavorskyi 🥉 Bohdan Hrondzal
7 months ago
🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️
7 months ago
"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow. Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."
8 months ago
"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors. The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."
8 months ago
"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain. The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."
8 months ago
"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."
8 months ago
"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."
8 months ago