The DFIR Report
@thedfirreport.bsky.social
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.
https://thedfirreport.com
pinned post!
New logo. New website. Same DFIR Report team. 🔎 Check out the incredible analysts behind the research:
thedfirreport.com/company/anal...
Meet The DFIR Report Analysts | Cybersecurity Experts
Discover the volunteer analysts behind The DFIR Report. Meet the experts documenting real-world intrusions and strengthening global cyber defense.
https://thedfirreport.com/company/analysts/
about 1 month ago
Threat Actors are "Bringing Their Own Forensics" In a recent ClickFix campaign, we saw threat actors likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
4 days ago
"The IP 195.211.190[.]189 was hosted on infrastructure from Railnet LLC — a legal front for Russia-based bulletproof hosting provider Virtualine." Full report 👇
thedfirreport.com/2025/11/17/c...
#DFIR #Ransomware #ThreatIntel #BlueTeam #CyberSecurity
6 days ago
"On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system settings to user’s preference. This LOLBIN was used to disable Windows... " Report:
thedfirreport.com/2026/02/23/a...
7 days ago
"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"
17 days ago
Low noise. High signal. If you get an alert from our feed in your environment, ping us. We’ll help triage it. That’s how much we trust the signal. 🔎 Actionable 🎯 High-confidence ⚡ Built for defenders
thedfirreport.com/products/thr...
18 days ago
"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389..." Link to report ⬇️
19 days ago
"Around 50 minutes after the connection to this second domain controller the ransomware propagation began. Deployment of ransomware consisted of creating remote services on domain joined endpoints, and included distributing the files via SMB."
20 days ago
"SoftPerfect NetScan was used extensively during the intrusion… evidence from Security Event ID 4688 logs showed mstsc.exe /v:<IP address> being launched by netscan.exe, confirming the use of NetScan’s Remote Desktop functionality." Full report 👇
thedfirreport.com/2025/11/17/c...
26 days ago
🌟New report out today!🌟 Apache ActiveMQ Exploit Leads to LockBit Ransomware Analysis and reporting completed by @malforsec, @lapadrino, and @PeteO. 🔊Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2026/02/23/a...
#DFIR #DigitalForensics #BlueTeam
Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report
Key Takeaways An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability…
https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
28 days ago
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO! "The Base64 string $dsU contained the shellcode. We decoded it and used SpeakEasy..." If you would like to be notified when we publish the report 👉️
thedfirreport.com/subscribe/
#DFIR #IncidentResponse
29 days ago
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO! "The first step in the exploitation was to send a maliciously crafted OpenWire command to the ActiveMQ server" If you would like to be notified when we publish the report 👉️
thedfirreport.com/subscribe/
#DFIR
about 1 month ago
SEO poisoning ➡️ Fake RVTools ➡️ Python backdoor ➡️ PipeMagic ➡️ CVE-2025-29824 ➡️ #Ransomexx — domain-wide in <19 hrs. The Python backdoor connected to azure-secure-agent[.]com (87.251.67[.]241), enabling cmd/PowerShell exec, payload download, screenshots, and IP discovery.
about 1 month ago
🧪 DFIR Labs | ALPHV Case #24952 Follow a real intrusion where IcedID led to ScreenConnect, custom C# tooling, and an ALPHV ransomware deployment. Hands-on analysis of attacker tradecraft from access to impact. 👉
dfirlabs.thedfirreport.com/auth/login
about 1 month ago
Don’t just block threats — disrupt them. Our IR-driven Threat Feed helps you: 🔎 Detect attacker infrastructure early ⚡ Hunt for active footholds 🛡️ Reduce false positives with continuously verified intel Get the edge:
thedfirreport.com/contact/
#ThreatIntel #BlueTeam #DFIR
about 1 month ago
🐱 Cat’s Got Your Files: Lynx Ransomware Attackers abused valid credentials to access RDP, created high-privilege accounts for persistence, mapped the environment, and exfiltrated data before deploying Lynx ransomware. Report 👇
thedfirreport.com/2025/11/17/c...
about 1 month ago
🤝 We’ve partnered with @13CubedDFIR to level up your #DFIR training. 🔹 DFIR Labs users: Finish a quiz & get $100 OFF 13Cubed courses. 🔹 13Cubed users: Buy "Investigating Windows Endpoints" & get 20% OFF DFIR Labs! 👉
training.13cubed.com
👉
dfirlabs.thedfirreport.com
about 1 month ago
🧪 DFIR Labs | BlueSky Ransomware Lab Dive into a real investigation where a SQL brute force attack led to rapid BlueSky ransomware deployment. Explore how attackers compromised MSSQL, then used Cobalt Strike and Tor2Mine to spread ransomware! 👉
dfirlabs.thedfirreport.com/auth/login
about 1 month ago
We analyzed a DPRK-linked Contagious Interview intrusion where fake job lures abused npm install for C2 using trusted packages. A modular toolset (OtterCookie, InvisibleFerret, Tsunami) enabled cross-platform access and data theft targeting wallets, creds, and docs.
about 1 month ago
🧪 DFIR Labs | LockBit Ransomware Case #27244 Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access. Step through the investigation and see how LockBit was deployed end-to-end. 👉
dfirlabs.thedfirreport.com/auth/login
3 months ago
DFIR Labs is closing out the year with 25% off all cases and subscriptions. ✔ Buy now, redeem anytime over the next 3 months ⏰ Offer ends January 1 💳 Discount applied automatically at checkout
dfirlabs.thedfirreport.com
3 months ago
reposted by The DFIR Report
NETRESEC
3 months ago
Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect
netresec.com?b=25Cfd08
Latrodectus BackConnect
I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Mont...
https://netresec.com/?b=25Cfd08
"The unusual command copied to the user's clipboard abused the SSH ProxyCommand option to quietly invoke the Windows Installer (msiexec) and download a payload, marking the start of the intrusion."
3 months ago
🎁 DFIR Labs Giveaway 🎁 We’re giving away 5 FREE DFIR Labs cases! How to enter: ➡️Post your favorite DFIR Report ➡️Tell us why it's your favorite That’s it! 🙌 We’ll select 5 winners before Christmas! DFIR Labs -
dfirlabs.thedfirreport.com/auth/login
Reports -
thedfirreport.com
3 months ago
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. All files involved in the initial access phase were signed with valid certificates.
3 months ago
🎉 BLACK FRIDAY DEAL IS LIVE! 🎉 Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last! 🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers! Don’t miss it — once it’s gone, it’s gone.
store.thedfirreport.com/collections/...
4 months ago
"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."
4 months ago
🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.
4 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "Artifacts of this SMB enumeration were left behind in the smb.db database stored by NetExec in C:\Users\%UserProfile%\nxc\workspaces\smb.db. This database confirms that a number of domains... 1/2
4 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "In this case, Netscan was run with domain administrator privileges, so all discovered shares were writable. As a result, NetScan was able to create and delete the delete[.]me file on each... 1/2
4 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "On the domain controller, they used the "Active Directory Users and Computers" snap-in (dsa.msc) to create three users for persistence. All of the newly created accounts have usernames that mimic... 1/2
4 months ago
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and... 1/3
4 months ago
DFIR Challenge Weekend Recap! The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge! Big shoutout to the top finishers who untangled the whole thing: 🥇 Jason Phang Vern Onn 🥈 Marko Yavorskyi 🥉 Bohdan Hrondzal
6 months ago
🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️
6 months ago
"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow. Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."
6 months ago
"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors. The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."
6 months ago
"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain. The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."
6 months ago
"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."
6 months ago
"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."
6 months ago
🌟New report out today!🌟 Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️
7 months ago
🚨 New Lab Just Released: Specter’s Domain Heist – Private Case #35218 This lab is based on a detailed intrusion from our private case repositories 👇 📥 Workstation Compromise ➡️ Persistent Access ➡️ Discovery➡️ Privilege Escalation ➡️ Lateral Movement ➡️ Data Exfil Link 👇
7 months ago
🚨 Search for software, end up getting ransomware! SEO-driven #Bumblebee malware campaigns observed throughout July led to domain compromise, data theft & #Akira ransomware. Tools included #AdaptixC2 & #Netscan.
thedfirreport.com/2025/08/05/f...
From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in …
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/
8 months ago
🚨 New: DFIR Labs Pro Tier is here! 🎯 Smarter investigations with: • 🧠 AI Timeline Builder (w/ IOCs + notes) • ⏱️ More lab time + extension credits • 📊 Analytics dashboard w/ tailored insights 🔗 Dive in:
dfirlabs.thedfirreport.com/subscription...
DFIR Labs - Subscription Plans
https://dfirlabs.thedfirreport.com/subscription-plans
8 months ago
🚨 New Interlock RAT variant spotted! Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). 🔎
thedfirreport.com/2025/07/14/k...
#DFIR #KongTuke #InterlockRAT #FileFix
KongTuke FileFix Leads to New Interlock RAT Variant
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware,…
https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/
8 months ago
📢DFIR Labs Enterprise Forensics Challenge📢 🔹 When: Aug 30, 2025 (14:00-18:00 UTC) 🔹 SIEM: Azure Log Analytics, Elastic, or Splunk 🔹 Teams: 2-3 analysts 🔹 Prizes: Top team wins! 🏆 Limited spots available. Register Now:
dfirlabs.thedfirreport.com/dfirchalleng...
DFIR Labs - Digital Forensics Challenge - Enterprise Edition
https://dfirlabs.thedfirreport.com/dfirchallenge-enterprise-edition
9 months ago
🌟New report out today!🌟 Hide Your RDP: Password Spray Leads to RansomHub Deployment Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2 🔊Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/06/30/h...
Hide Your RDP: Password Spray Leads to RansomHub Deployment
Key Takeaways Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credential…
https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
9 months ago