Report: thedfirreport.com/2025/12/17/c...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo: thedfirreport.com/contact/
Posts by The DFIR Report
This Diamond Model from our “Cat’s Got Your Files: Lynx Ransomware” report illustrates the four core elements of the intrusion.
See how all four vertices aligned for full-domain compromise 👇
thedfirreport.com/2025/12/17/c...
#DFIR #ThreatIntel #Ransomware #BlueTeam #CyberSecurity
"On some hosts, Microsoft Defender antivirus was active. On these systems, Defender detected and blocked execution of the service creation and PowerShell execution..."
Report: thedfirreport.com/2026/02/23/apache-active...
"The threat actor also ran the command netstat -t, which displays active connections; however, -t is not a documented option for netstat on Windows."
Report: thedfirreport.com/2026/02/23/apache-active...
RDP bitmap cache artifacts revealed the threat actor opening the Veeam Backup & Replication console, reviewing backup jobs, tape & storage infrastructure — and removing backups from the configuration database.
Full report 👇
thedfirreport.com/2025/12/17/c...
We’re seeing a “Missing Font” ClickFix chain in the wild.
Flow:
1️⃣ Fake “Missing Font” prompt
2️⃣ Leads to a BSOD-style recovery screen
3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands
#infosec #DFIR #threatintel
Threat Actors are "Bringing Their Own Forensics"
In a recent ClickFix campaign, we saw threat actors, likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines.
Commonly a tool for defenders, the TAs are using it to:
➡️Dump RAM: Capturing mem.raw from the infected host.
➡️Extract Hashes: Using windows.hashdump to pull NTLM hashes.
➡️Steal Credentials: Using windows.cachedump to extract cached creds.
The Flow: A fake "Verify You Are Human" prompt leads to Node.js C2 (Interlock RAT), followed by hands-on-keyboard activity where they use vol.exe from \AppData\Local\Temp\ to harvest credentials.
Defender Tip: Monitor for vol.exe or python.exe interacting with memory dump files in user temp folders. If you see Hashdump in your logs and it isn't your IR team... you have a live intrusion.
Want more info? Get in touch!
"The IP 195.211.190[.]189 was hosted on infrastructure from Railnet LLC — a legal front for Russia-based bulletproof hosting provider Virtualine."
Full report 👇
thedfirreport.com/2025/11/17/c...
#DFIR #Ransomware #ThreatIntel #BlueTeam #CyberSecurity
"On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system settings to the user’s preference. This LOLBIN was used to disable Windows... "
Report: thedfirreport.com/2026/02/23/a...
➡️ The above is from a Private Threat Brief: "Fake WinSCP Software Serves Supper and Oyster"
➡️➡️Interested in receiving more details about this report? Contact us for a demo or pricing - thedfirreport.com/contact/
"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"
Low noise. High signal.
If you get an alert from our feed in your environment, ping us. We’ll help triage it. That’s how much we trust the signal.
🔎 Actionable
🎯 High-confidence
⚡ Built for defenders
thedfirreport.com/products/thr...
Report: thedfirreport.com/2026/02/23/a...
"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389..."
Link to report ⬇️
➡️ The above is from a Private Threat Brief: "Fake RVTools Installer Leads to PipeMagic, CLFS Exploit, and Ransomexx"
➡️➡️Interested in receiving more details about this report or future private reports? Contact us for a demo or pricing - thedfirreport.com/contact/
"Around 50 minutes after the connection to this second domain controller the ransomware propagation began. Deployment of ransomware consisted of creating remote services on domain joined endpoints, and included distributing the files via SMB."
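The propagation pattern quoted above (one binary registered as a service on many domain-joined hosts within minutes) is easy to surface from System log 7045 (or Security 4697) events once they are centralized. Here is an added example, not code from The DFIR Report, that groups service-install events by executable and flags any binary installed on a threshold number of distinct hosts inside a sliding time window. The events, host names, service names and the "locker.exe" image path are constructed for illustration.

```python
"""Service-install burst detection for ransomware deployment.

Added example, not code from The DFIR Report. The events below are
constructed System log 7045 (service installed) records reduced to the
fields used here; host, service and binary names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath


def _exe_name(image_path: str) -> str:
    """First token of ImagePath (quoted or not), reduced to the executable's
    basename so the same binary dropped under different paths groups together.
    Unquoted paths containing spaces are not handled (they are rare in 7045)."""
    s = image_path.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def service_install_bursts(events, window=timedelta(minutes=30), min_hosts=5):
    """Flag executables installed as a service on >= min_hosts distinct
    computers within any `window`-long span. Returns one dict per executable
    describing the densest such span."""
    by_exe = defaultdict(list)
    for e in events:
        by_exe[_exe_name(e["ImagePath"])].append((e["TimeCreated"], e["Computer"], e["ServiceName"]))
    bursts = []
    for exe, rows in by_exe.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window's left edge
                start += 1
            span = rows[start:end + 1]
            hosts = {host for _, host, _ in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"exe": exe, "first": rows[start][0], "last": rows[end][0],
                        "hosts": sorted(hosts), "service_names": sorted({n for _, _, n in span})}
        if best:
            bursts.append(best)
    return bursts


_T0 = datetime(2025, 3, 2, 2, 14)
SAMPLE_7045 = [  # constructed, not real telemetry
    # the same binary registered as a service on eight workstations in seven minutes,
    # alternating between a quoted absolute path and a %SystemRoot% path
    *({"TimeCreated": _T0 + timedelta(minutes=i), "Computer": f"WS-{100 + i}",
       "ServiceName": "WinUpdateSvc",
       "ImagePath": r'"C:\Windows\Temp\locker.exe"' if i % 2 else r"%SystemRoot%\Temp\locker.exe"}
      for i in range(8)),
    # routine agent update on three servers, hours apart: stays below threshold
    *({"TimeCreated": _T0 - timedelta(hours=6 * i), "Computer": f"SRV-{i}", "ServiceName": "AgentUpdate",
       "ImagePath": r'"C:\Program Files\Agent\agentupdate.exe" /svc'} for i in range(3)),
    {"TimeCreated": _T0 - timedelta(days=1), "Computer": "SRV-APP", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for b in service_install_bursts(SAMPLE_7045):
        print(f"{b['exe']}: {len(b['hosts'])} hosts between {b['first']:%H:%M} and {b['last']:%H:%M}")
```

Legitimate software deployment (SCCM, PsExec pushes, agent rollouts) produces the same shape, so tune `min_hosts` and `window` to your environment and pair a hit with the service name, the binary's signer and whether the files arrived over SMB shortly beforehand.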
"SoftPerfect NetScan was used extensively during the intrusion… evidence from Security Event ID 4688 logs showed mstsc.exe /v:<IP address> being launched by netscan.exe, confirming the use of NetScan’s Remote Desktop functionality."
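Several of the behaviours described in these posts (Volatility run against a memory image on the victim, the COMSVCS MiniDump credential dump, RDP being enabled from a CMD process, and NetScan launching mstsc.exe /v:) all show up in Security Event ID 4688 process-creation records. The following is an added example, not code from The DFIR Report, that encodes each as a narrow hunt rule and runs them over constructed 4688-style records. The command lines are the generic, well-known form of each technique, not strings taken from the reports, and the host names and paths are invented.

```python
"""Hunt rules over Windows Security 4688 (process creation) records.

Added example, not code from The DFIR Report. The records below are
constructed; field names follow the 4688 event (NewProcessName,
CommandLine, ParentProcessName, Computer) and the attacker command lines
are the generic, well-known form of each technique, not strings taken
from the reports.
"""
import ntpath
import re
from typing import Callable

Record = dict[str, str]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _cmd(r: Record) -> str:
    return r.get("CommandLine", "").lower()


def volatility_on_host(r: Record) -> bool:
    """vol.exe / python running Volatility: hashdump, cachedump, vol.py,
    or any argument that looks like a memory image (.raw/.dmp/.mem/.vmem)."""
    if _base(r["NewProcessName"]) not in {"vol.exe", "python.exe", "python3.exe"}:
        return False
    cmd = _cmd(r)
    touches_image = re.search(r"\S+\.(raw|dmp|mem|vmem)\b", cmd) is not None
    return any(k in cmd for k in ("hashdump", "cachedump", "vol.py")) or touches_image


def comsvcs_minidump(r: Record) -> bool:
    """rundll32 comsvcs.dll MiniDump <pid> <out> full: LSASS dump via a LOLBIN."""
    cmd = _cmd(r)
    return _base(r["NewProcessName"]) == "rundll32.exe" and "comsvcs" in cmd and "minidump" in cmd


def rdp_enabled_from_cmd(r: Record) -> bool:
    """RDP switched on from the command line: fDenyTSConnections cleared,
    RDP-Tcp PortNumber set, or the Remote Desktop firewall group enabled."""
    if _base(r["NewProcessName"]) not in {"reg.exe", "netsh.exe", "cmd.exe"}:
        return False
    cmd = _cmd(r)
    return bool(
        ("fdenytsconnections" in cmd and re.search(r"/d\s+0\b", cmd))
        or ("terminal server" in cmd and "portnumber" in cmd)
        or ("advfirewall" in cmd and "remote desktop" in cmd and "enable=yes" in cmd)
    )


def netscan_spawns_mstsc(r: Record) -> bool:
    """SoftPerfect NetScan's Remote Desktop action: mstsc.exe /v:<ip> with netscan.exe as parent."""
    return (
        _base(r.get("ParentProcessName", "")) == "netscan.exe"
        and _base(r["NewProcessName"]) == "mstsc.exe"
        and "/v:" in _cmd(r)
    )


RULES: list[tuple[str, Callable[[Record], bool]]] = [
    ("volatility_on_host", volatility_on_host),
    ("comsvcs_minidump", comsvcs_minidump),
    ("rdp_enabled_from_cmd", rdp_enabled_from_cmd),
    ("netscan_spawns_mstsc", netscan_spawns_mstsc),
]


def hunt(records: list[Record]) -> list[tuple[str, str, str]]:
    """Return (Computer, rule name, CommandLine) for every record a rule matches."""
    return [(r["Computer"], name, r["CommandLine"]) for r in records for name, pred in RULES if pred(r)]


def _rec(computer, parent, image, cmd):
    return {"Computer": computer, "ParentProcessName": parent, "NewProcessName": image, "CommandLine": cmd}


_TMP = r"C:\Users\jdoe\AppData\Local\Temp"
SAMPLE_4688: list[Record] = [  # constructed, not real telemetry
    _rec("SRV-BACKUP", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\lsass.dmp full"),
    _rec("WS-0412", _TMP + r"\node.exe", _TMP + r"\vol.exe", _TMP + r"\vol.exe -f " + _TMP + r"\mem.raw windows.hashdump"),
    _rec("WS-0412", _TMP + r"\node.exe", _TMP + r"\vol.exe", _TMP + r"\vol.exe -f " + _TMP + r"\mem.raw windows.cachedump"),
    _rec("DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
         r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    _rec("DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
         r'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'),
    _rec("WS-0098", r"C:\Users\jdoe\Desktop\netscan\netscan.exe", r"C:\Windows\System32\mstsc.exe",
         r"mstsc.exe /v:10.1.5.22"),
    # benign look-alikes that must not fire
    _rec("WS-0098", r"C:\Windows\explorer.exe", r"C:\Python312\python.exe", r"python.exe analyze.py --input report.csv"),
    _rec("SRV-APP", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
         r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'),
    _rec("WS-0098", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mstsc.exe", r"mstsc.exe /v:10.1.5.22"),
]

if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_4688):
        print(f"{host:11} {rule:22} {cmd}")
```

These rules only work if command-line auditing is enabled (the "Include command line in process creation events" policy); without it 4688 carries no CommandLine field and everything but the parent/child pair collapses. Treat a match from your own IR tooling as expected and anything else as an incident.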
Full report 👇
thedfirreport.com/2025/11/17/c...
🌟New report out today!🌟
Apache ActiveMQ Exploit Leads to LockBit Ransomware
Analysis and reporting completed by @malforsec, @lapadrino, and @PeteO.
🔊Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2026/02/23/a...
#DFIR #DigitalForensics #BlueTeam
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO!
"The Base64 string $dsU contained the shellcode. We decoded it and used SpeakEasy..."
If you would like to be notified when we publish the report 👉️ thedfirreport.com/subscribe/
#DFIR #IncidentResponse
🎉New report out Monday 2/23 by @malforsec, @lapadrino, and @PeteO!
"The first step in the exploitation was to send a maliciously crafted OpenWire command to the ActiveMQ server"
If you would like to be notified when we publish the report 👉️ thedfirreport.com/subscribe/
#DFIR
➡️ The above is from a Private Threat Brief: "Fake RVTools Installer Leads to PipeMagic, CLFS Exploit, and Ransomexx"
➡️➡️Interested in receiving more details about this report or would like IOCs in near real time? Contact us for a demo or pricing - thedfirreport.com/contact/
SEO poisoning ➡️ Fake RVTools ➡️ Python backdoor ➡️ PipeMagic ➡️ CVE-2025-29824 ➡️ #Ransomexx — domain-wide in <19 hrs.
The Python backdoor connected to azure-secure-agent[.]com (87.251.67[.]241), enabling cmd/PowerShell exec, payload download, screenshots, and IP discovery.
🧪 DFIR Labs | ALPHV Case #24952
Follow a real intrusion where IcedID led to ScreenConnect, custom C# tooling, and an ALPHV ransomware deployment.
Hands-on analysis of attacker tradecraft from access to impact.
👉 dfirlabs.thedfirreport.com/auth/login
New logo. New website. Same DFIR Report team. 🔎
Check out the incredible analysts behind the research:
thedfirreport.com/company/anal...
Don’t just block threats — disrupt them.
Our IR-driven Threat Feed helps you:
🔎 Detect attacker infrastructure early
⚡ Hunt for active footholds
🛡️ Reduce false positives with continuously verified intel
Get the edge: thedfirreport.com/contact/
#ThreatIntel #BlueTeam #DFIR
🐱 Cat’s Got Your Files: Lynx Ransomware
Attackers abused valid credentials to access RDP, created high-privilege accounts for persistence, mapped the environment, and exfiltrated data before deploying Lynx ransomware.
Report 👇
thedfirreport.com/2025/11/17/c...