We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. All files involved in the initial access phase were signed with valid certificates.

DFIR Challenge Weekend Recap! The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge! Big shoutout to the top finishers who untangled the whole thing: 🥇 Jason Phang Vern Onn 🥈 Marko Yavorskyi 🥉 Bohdan Hrondzal

🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️

"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow. Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."

"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors. The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."

"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain. The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."

"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."

"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."

🌟New report out today!🌟 Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️

🚨 New Lab Just Released: Specter’s Domain Heist – Private Case #35218 This lab is based on a detailed intrusion from our private case repositories 👇 📥 Workstation Compromise ➡️ Persistent Access ➡️ Discovery➡️ Privilege Escalation ➡️ Lateral Movement ➡️ Data Exfil Link 👇

🚨 Search for software, end up getting ransomware! SEO-driven #Bumblebee malware campaigns observed throughout July led to domain compromise, data theft & #Akira ransomware. Tools included #AdaptixC2 & #Netscan. thedfirreport.com/2025/08/05/f...

🚨 New: DFIR Labs Pro Tier is here! 🎯 Smarter investigations with: • 🧠 AI Timeline Builder (w/ IOCs + notes) • ⏱️ More lab time + extension credits • 📊 Analytics dashboard w/ tailored insights 🔗 Dive in: dfirlabs.thedfirreport.com/subscription...

🚨 New Interlock RAT variant spotted! Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). 🔎 thedfirreport.com/2025/07/14/k... #DFIR #KongTuke #InterlockRAT #FileFix

📢DFIR Labs Enterprise Forensics Challenge📢 🔹 When: Aug 30, 2025 (14:00-18:00 UTC) 🔹 SIEM: Azure Log Analytics, Elastic, or Splunk 🔹 Teams: 2-3 analysts 🔹 Prizes: Top team wins! 🏆 Limited spots available. Register Now: dfirlabs.thedfirreport.com/dfirchalleng...

🌟New report out today!🌟 Hide Your RDP: Password Spray Leads to RansomHub Deployment Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2 🔊Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/06/30/h...

A New DFIR Lab is out: The Hive Ransomware Fail 🐝 A domain is under siege, can you trace the threat actor's steps? Sharpen your triage and lateral movement skills in this hands-on investigation. ➡️Difficulty: Easy 1/2

🔎 We're Hiring: Senior Security Analyst We're looking for a full-time Senior Security Analyst with a passion for dissecting intrusions and translating technical findings into actionable insights. Check out the full job description and apply here 👉 forms.office.com/r/87y8wAp3gA

📢DFIR Labs Enterprise Forensics Challenge📢 🔹 When: Aug 30, 2025 (14:00-18:00 UTC) 🔹 SIEM: Azure Log Analytics, Elastic, or Splunk 🔹 Teams: 2-3 analysts 🔹 Prizes: Top team wins! 🏆 Limited spots available. Register Now: dfirlabs.thedfirreport.com/dfirchalleng...

🎉 Huge News from DFIR Labs: Subscriptions are Here! 🎉 We're thrilled to announce that subscriptions are officially LIVE and we’re proud of what this means for the DFIR community 💙 1/5

🎉New DFIR Discussions Episode🎉 🔊Available on Spotify, Apple, & YouTube! 🎙️ We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang. Check it out and let us know what you think! open.spotify.com/episode/1SKP...

⚔️Registration for the DFIR Labs Enterprise CTF is now LIVE! ⚔️ Assemble your elite SOC/IR team (up to 3 members) for a 4-hour competition to prove you're the best in the industry. Win prizes, bragging rights, and glory! 🏆 Register now! 👉https://form.jotform.com/251605321344245

🎙️ New Podcast Episode Dropping Soon! We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang. Stay tuned for deep insights, behind-the-scenes analysis, and expert commentary from the front lines of DFIR. 🔍

🚨 That CTF finale was wild. Only 300 points between 1st and 3rd — it stayed neck-and-neck till the very last minute. Big congrats to our winners! 🥇 @Friffnz — 5100 pts 🥈 snail — 4840 pts 🥉 forynsics — 4800 pts

🚨 CTF is starting soon!🚨 Don't Miss the DFIR Labs CTF - Registration Still Open! ➡️When: Today, June 7th | 16:30–20:30 UTC ➡️➡️Register: dfirlabs.thedfirreport.com/ctf

/1 🚨 𝐂𝐓𝐅 𝐤𝐢𝐜𝐤𝐬 𝐨𝐟𝐟 𝐢𝐧 𝐥𝐞𝐬𝐬 𝐭𝐡𝐚𝐧 48𝐡 - 𝐚𝐧𝐝 𝐭𝐡𝐢𝐬 𝐨𝐧𝐞’𝐬 𝐛𝐢𝐠. One of the most involved cases we’ve ever made available to the public. You’ll be diving into an intrusion that hit 18 hosts, including: ➡️ Domain Controllers ➡️ Backup Servers ➡️ Hypervisors ➡️ RDP Servers (Guess the initial access gonna be? 😏)

"The remote endpoints it attempted to contact included several TryCloudflare domains as well as direct IP addresses. The logic would rotate through the various servers until an online host was found. 1/3 #dfir #CyberSecurity #cyberthreatintelligence #cti #interlock #ransomware

🎯 THIS SATURDAY: DFIR Labs CTF 🎯 ⏰ June 7 | 1630–2030 UTC 🔗 Register Now → dfirlabs.thedfirreport.com/ctf 🚀 DFIR Labs CTF is back! 💥 Only $9.99 to join 💥 Choose Elastic or Splunk 💥 Access a brand-new, unreleased case 💥 Top 5 get invited to join The DFIR Report team!

We had a blast speaking at the Ransomware Summit! 🎤💥 Huge thanks to everyone involved! 🎥 Missed our keynote? No worries — you can catch the full session here: 👉 www.youtube.com/live/nhB-xkm...

🔥 DFIR Labs is Evolving! Have You Seen What's New? 🔥 Big things are happening at DFIR Labs! We've been hard at work implementing a wave of exciting changes and improvements, all designed to enhance your experience! ➡️ Check it out now! dfirlabs.thedfirreport.com

"Analysis of command-line activity reveals the threat actor’s use of specific PowerShell cmdlets for discovering and interacting with virtual machines. 1/4

thedfirreport.com/2025/05/19/a... It was fun working on this Report with @pcsc0ut.bsky.social && 0xtornado. I hope my #threathunting friends will find it helpful. We came up with a new detection for Impacket tools in this investigation

🌟New report out today!🌟 Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Analysis and reporting completed by @pcsc0ut.bsky.social, @irishdeath.bsky.social & @0xtornado 🔊Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/05/19/a...

📉DFIR Labs Weekend Discount📉 Use this discount code to receive 10% off all DFIR Labs cases! Discount expires May 5th 04:00 UTC ⏲️Buy now, use anytime over the next 3 months. ➡️Discount code: WeekendDiscount20250502 Access DFIR Labs: store.thedfirreport.com/collections/...

📉DFIR Labs Weekend Discount📉 Use this discount code to receive 10% off all DFIR Labs cases! Discount expires May 5th 04:00 UTC ⏲️Buy now, use anytime over the next 3 months. ➡️Discount code: WeekendDiscount20250502 Access DFIR Labs: store.thedfirreport.com/collections/...

Wondering how effective our DFIR Labs are for practical skills? 🤔 Check out real user testimonials on gaining critical, hands-on experience & see why they recommend our platform: 👇 thedfirreport.com/services/dfi...

🌟New report out today!🌟 Navigating Through The Fog Analysis and reporting completed by Angelo Violetti, and reviewed by Zach Stanford. Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/04/28/n...

⏳We'll be selecting the date(s) for our inaugural Enterprise CTF very soon! ➡️If you're interested, please fill out this form by April 28th - forms.office.com/r/XhBg4p8i4q 🆕Choose between Azure Log Analytics, Splunk and Elastic!

Thank you to everyone who has submitted their reports so far! We're already seeing some excellent candidates and appreciate you getting these in promptly. For those still working, please note this is the last weekend before the deadline on Monday, April 21st.

Passionate about Digital Forensics and Incident Response? Want to share your expertise with the security community while collaborating with talented analysts worldwide? We're looking for volunteer analysts to join the team! Ready to join the team? ➡️https://github.com/The-DFIR-Report/DFIR-Artifacts

Want to join a team of amazing volunteer DFIR analysts? Ready to collaborate with us and leave your mark on the DFIR industry? Come join our team! We've updated our repo with a new report template and the graphics we commonly use. Apply today!👉 github.com/The-DFIR-Rep...

“For this case we observed TXT records being utilized for C2 communication rather than MX records. This can be identified by the "type: 16" in the Sysmon logs seen above. Below is a sample list that, while not exhaustive, provides a clear example of the traffic patterns:” 1/2

Want to join a team of amazing volunteer DFIR analysts? Ready to collaborate with us and leave your mark on the DFIR industry? Come join our team! We've updated our repo with a new report template and the graphics we commonly use. Apply today!👉 github.com/The-DFIR-Rep...

🏹Fresh C2 Infrastructure Identified🏹 Here are a few examples of C2 infrastructure we're currently tracking: 🔗 a-0002[.]a2-msedge[.]net 🔗 m365-notifications[.]com 🔗 oncloudaccess[.]com Want access to intel like this? 📞Let’s talk: thedfirreport.com/contact/

🌟New report out today!🌟 Fake Zoom Ends in BlackSuit Ransomware Analysis and reporting completed by @pigerlin, UC1 and @Miixxedup Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/03/31/f...

🟢 Now Accepting Analyst Applications! We're looking for passionate volunteer analysts! 📝 Position: Volunteer Analyst (with paid opportunities) 🔍 Process: Analyze our test case and submit your report ⏰ Deadline: Submit your report by April 21 Link ⬇️

🌟New report out Monday, March 31st by @pigerlin, UC1 and @Miixxedup! 📬 Want to be the first to know? Subscribe for updates: thedfirreport.com/subscribe/

🧙 Want to join the team? 🧙 We’re on the hunt for volunteer DFIR analysts—with potential for paid opportunities! You’ll get a set of artifacts and a limited time to show us what you’ve got. 🔎 Follow us on socials—details drop soon!

📣 We just launched a new page to highlight the top players from our DFIR Labs CTF events: thedfirreport.com/services/dfi... Congratulations to the winners so far for making it to the CTF Winners table! If you’ve placed in a past event, your name’s up there!

🚨 New Threat Actor TTPs Discovered! 🚨 During a recent investigation, our team identified a previously unfamiliar C2 framework in the wild—confirmed as Specter Insight C2. #ThreatIntel #DFIR 1/

🧙 Want to join the team? 🧙 We’re on the hunt for volunteer DFIR analysts—with potential for paid opportunities! You’ll get a set of artifacts and a limited time to show us what you’ve got. 🔎 Follow us on socials—details drop soon!