➡️ The above is from a Private Threat Brief: "Fake WinSCP Software Serves Supper and Oyster"
➡️➡️ Interested in receiving more details about this report? Contact us for a demo or pricing - thedfirreport.com/contact/
"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"
Low noise. High signal.
If you get an alert from our feed in your environment, ping us. We’ll help triage it. That’s how much we trust the signal.
🔎 Actionable
🎯 High-confidence
⚡ Built for defenders
thedfirreport.com/products/thr...
Report: thedfirreport.com/2026/02/23/a...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo: thedfirreport.com/contact/
"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389..."
Link to report ⬇️
➡️ The above is from a Private Threat Brief: "Fake RVTools Installer Leads to PipeMagic, CLFS Exploit, and Ransomexx"
➡️➡️ Interested in receiving more details about this report or future private reports? Contact us for a demo or pricing - thedfirreport.com/contact/
"Around 50 minutes after the connection to this second domain controller the ransomware propagation began. Deployment of ransomware consisted of creating remote services on domain joined endpoints, and included distributing the files via SMB."
"SoftPerfect NetScan was used extensively during the intrusion… evidence from Security Event ID 4688 logs showed mstsc.exe /v:<IP address> being launched by netscan.exe, confirming the use of NetScan’s Remote Desktop functionality."
Full report 👇
thedfirreport.com/2025/11/17/c...
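The quoted report findings above describe three process-creation patterns a defender can hunt for in Security Event ID 4688 telemetry: a COMSVCS MiniDump credential dump written to a temp directory, host changes that allow RDP through the firewall and set the RDP port, and mstsc.exe being launched with netscan.exe as its parent. The following is an added example, not code from The DFIR Report or any of its reports, that runs those checks over a handful of constructed 4688-style records. The pipe-delimited record layout is a simplified stand-in I chose for readability, not the real Windows event schema, and the hostnames, paths, PID and IP in the samples are made up.

```python
# Constructed sample process-creation records in a simplified, pipe-delimited
# layout standing in for Security Event ID 4688 (not the real event XML).
# Records 1-4 mirror the patterns from the report quotes; 5-6 are benign controls.
SAMPLE_4688 = [
    "4688|NewProcessName=C:\\Windows\\System32\\mstsc.exe"
    "|ParentProcessName=C:\\Users\\admin\\Downloads\\netscan.exe"
    "|CommandLine=mstsc.exe /v:10.0.0.5",
    "4688|NewProcessName=C:\\Windows\\System32\\rundll32.exe"
    "|ParentProcessName=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 644 C:\\Windows\\Temp\\out.dmp full",
    "4688|NewProcessName=C:\\Windows\\System32\\netsh.exe"
    "|ParentProcessName=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes",
    "4688|NewProcessName=C:\\Windows\\System32\\reg.exe"
    "|ParentProcessName=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\""
    " /v PortNumber /t REG_DWORD /d 3389 /f",
    "4688|NewProcessName=C:\\Windows\\System32\\mstsc.exe"
    "|ParentProcessName=C:\\Windows\\explorer.exe"
    "|CommandLine=mstsc.exe",
    "4688|NewProcessName=C:\\Windows\\System32\\notepad.exe"
    "|ParentProcessName=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe",
]


def parse_4688(line):
    """Parse one simplified record into a dict; return None for non-4688 lines."""
    parts = line.split("|")
    if parts[0] != "4688":
        return None
    rec = {}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(rec):
    """Return the list of hunt labels that match a single parsed record."""
    new_proc = basename(rec.get("NewProcessName", ""))
    parent = basename(rec.get("ParentProcessName", ""))
    cmd = rec.get("CommandLine", "").lower()
    findings = []
    # COMSVCS MiniDump export: rundll32 loading comsvcs.dll with the MiniDump entry point.
    if "comsvcs.dll" in cmd and "minidump" in cmd:
        findings.append("credential_dump_comsvcs")
    # Remote Desktop client spawned by the NetScan scanner rather than by a user shell.
    if new_proc == "mstsc.exe" and parent == "netscan.exe":
        findings.append("rdp_from_netscan")
    # Firewall rule group for Remote Desktop being enabled from the command line.
    if new_proc == "netsh.exe" and "remote desktop" in cmd and "enable=yes" in cmd:
        findings.append("rdp_firewall_allowed")
    # RDP-Tcp PortNumber being rewritten in the Terminal Server registry key.
    if new_proc == "reg.exe" and "rdp-tcp" in cmd and "portnumber" in cmd:
        findings.append("rdp_port_modified")
    return findings


def scan(lines):
    """Run every record through detect(); return (label, process, parent) hits."""
    hits = []
    for line in lines:
        rec = parse_4688(line)
        if rec is None:
            continue
        for label in detect(rec):
            hits.append((label, rec["NewProcessName"], rec.get("ParentProcessName")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_4688):
        print(hit)
```

The parent-process condition is what keeps the mstsc.exe rule useful: record 5 shows the same client launched from explorer.exe and produces no hit, which is the everyday case on an admin workstation. In a real pipeline these checks would sit on top of the 4688 fields (with command-line auditing enabled, otherwise CommandLine is empty) or on equivalent EDR process-creation events.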
🌟New report out today!🌟
Apache ActiveMQ Exploit Leads to LockBit Ransomware
Analysis and reporting completed by @malforsec, @lapadrino, and @PeteO.
🔊Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2026/02/23/a...
#DFIR #DigitalForensics #BlueTeam
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO!
"The Base64 string $dsU contained the shellcode. We decoded it and used SpeakEasy..."
If you would like to be notified when we publish the report 👉️ thedfirreport.com/subscribe/
#DFIR #IncidentResponse
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO!
"The first step in the exploitation was to send a maliciously crafted OpenWire command to the ActiveMQ server"
If you would like to be notified when we publish the report 👉️ thedfirreport.com/subscribe/
#DFIR
➡️ The above is from a Private Threat Brief: "Fake RVTools Installer Leads to PipeMagic, CLFS Exploit, and Ransomexx"
➡️➡️ Interested in receiving more details about this report or would like IOCs in near real time? Contact us for a demo or pricing - thedfirreport.com/contact/
SEO poisoning ➡️ Fake RVTools ➡️ Python backdoor ➡️ PipeMagic ➡️ CVE-2025-29824 ➡️ #Ransomexx — domain-wide in <19 hrs.
The Python backdoor connected to azure-secure-agent[.]com (87.251.67[.]241), enabling cmd/PowerShell exec, payload download, screenshots, and IP discovery.
🧪 DFIR Labs | ALPHV Case #24952
Follow a real intrusion where IcedID led to ScreenConnect, custom C# tooling, and an ALPHV ransomware deployment.
Hands-on analysis of attacker tradecraft from access to impact.
👉 dfirlabs.thedfirreport.com/auth/login
New logo. New website. Same DFIR Report team. 🔎
Check out the incredible analysts behind the research:
thedfirreport.com/company/anal...
Don’t just block threats — disrupt them.
Our IR-driven Threat Feed helps you:
🔎 Detect attacker infrastructure early
⚡ Hunt for active footholds
🛡️ Reduce false positives with continuously verified intel
Get the edge: thedfirreport.com/contact/
#ThreatIntel #BlueTeam #DFIR
🐱 Cat’s Got Your Files: Lynx Ransomware
Attackers abused valid credentials to access RDP, created high-privilege accounts for persistence, mapped the environment, and exfiltrated data before deploying Lynx ransomware.
Report 👇
thedfirreport.com/2025/11/17/c...
🤝 We’ve partnered with @13CubedDFIR to level up your #DFIR training.
🔹 DFIR Labs users: Finish a quiz & get $100 OFF 13Cubed courses.
🔹 13Cubed users: Buy "Investigating Windows Endpoints" & get 20% OFF DFIR Labs!
👉 training.13cubed.com
👉 dfirlabs.thedfirreport.com
🧪 DFIR Labs | BlueSky Ransomware Lab
Dive into a real investigation where a SQL brute force attack led to rapid BlueSky ransomware deployment.
Explore how attackers compromised MSSQL, then used Cobalt Strike and Tor2Mine to spread ransomware!
👉 dfirlabs.thedfirreport.com/auth/login
➡️ The above is from a recent Private Threat Brief: "Job Interview or North Koreans: A Contagious Interview Intrusion"
➡️➡️ Interested in receiving private reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/
We analyzed a DPRK-linked Contagious Interview intrusion where fake job lures abused npm install for C2 using trusted packages. A modular toolset (OtterCookie, InvisibleFerret, Tsunami) enabled cross-platform access and data theft targeting wallets, creds, and docs.
🧪 DFIR Labs | LockBit Ransomware Case #27244
Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access.
Step through the investigation and see how LockBit was deployed end-to-end.
👉 dfirlabs.thedfirreport.com/auth/login
DFIR Labs is closing out the year with 25% off all cases and subscriptions.
✔ Buy now, redeem anytime over the next 3 months
⏰ Offer ends January 1
💳 Discount applied automatically at checkout
dfirlabs.thedfirreport.com
Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect
netresec.com?b=25Cfd08
➡️ The above is from a Private Threat Brief: "SSH by ClickFix: Node.js RAT Leads to SystemBC and S3 Exfiltration"
➡️➡️ Interested in receiving reports like this one? Contact us for a demo or pricing - lnkd.in/gk-yfpJm
"The unusual command copied to the user's clipboard abused the SSH ProxyCommand option to quietly invoke the Windows Installer (msiexec) and download a payload, marking the start of the intrusion."
🎁 DFIR Labs Giveaway 🎁
We’re giving away 5 FREE DFIR Labs cases!
How to enter:
➡️Post your favorite DFIR Report
➡️Tell us why it's your favorite
That’s it! 🙌 We’ll select 5 winners before Christmas!
DFIR Labs - dfirlabs.thedfirreport.com/auth/login
Reports - thedfirreport.com
➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️ Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/