LightNews
thedfirreport.bsky.social
The DFIR Report
@thedfirreport.bsky.social
1.1K followers 0 following 120 posts
Real Intrusions by Real Attackers, the Truth Behind the Intrusion. https://thedfirreport.com
thedfirreport.com
Posts Media Videos Starter Packs
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 12d
The full lab from the challenge is now live, with all quiz-style questions included.
➡️ Try it via one-time access -> dfirlabs.thedfirreport.com/store
or subscription - > dfirlabs.thedfirreport.com/subscription...

And we just dropped the full report too:
📄 thedfirreport.com/2025/09/29/f...
DFIR Labs Portal
Browse and purchase DFIR Labs to enhance your cybersecurity skills.
dfirlabs.thedfirreport.com
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 12d
DFIR Challenge Weekend Recap!

The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge!

Big shoutout to the top finishers who untangled the whole thing:

🥇 Jason Phang Vern Onn
🥈 Marko Yavorskyi
🥉 Bohdan Hrondzal
1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 13d
Report: thedfirreport.com/2025/09/29/f...
thedfirreport.com
1 1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 13d
🌟New report out today!🌟

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st.

Audio: Available on Spotify, Apple, YouTube and more!

Report:⬇️
1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 18d
Report: thedfirreport.com/2024/12/02/t...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 18d
"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow.

Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."
1 1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 19d
Report: thedfirreport.com/2025/09/08/b...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 19d
"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors.

The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."
1 3
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 21d
Report: thedfirreport.com/2025/03/31/f...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/
1 1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 21d
"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain.

The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."
1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 22d
Report: thedfirreport.com/2025/01/27/c...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 22d
"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."
2 3
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 22d
Report: thedfirreport.com/2025/05/19/a...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · 22d
"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."
1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Sep 8
thedfirreport.com/2025/09/08/b...
thedfirreport.com
1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Sep 8
🌟New report out today!🌟

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe

Audio: Available on Spotify, Apple, YouTube and more!

Report:⬇️
1 2
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Sep 3
Get access to it through:

- Your subscription: dfirlabs.thedfirreport.com/subscription...
- Via one-time purchase from our store here: dfirlabs.thedfirreport.com/store

#dfir #CyberSecurity
DFIR Labs - Subscription Plans
dfirlabs.thedfirreport.com
1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Sep 3
🚨 New Lab Just Released: Specter’s Domain Heist – Private Case #35218

This lab is based on a detailed intrusion from our private case repositories 👇

📥 Workstation Compromise ➡️ Persistent Access ➡️ Discovery➡️ Privilege Escalation ➡️ Lateral Movement ➡️ Data Exfil

Link 👇
1 1
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Aug 5
🚨 Search for software, end up getting ransomware!

SEO-driven #Bumblebee malware campaigns observed throughout July led to domain compromise, data theft & #Akira ransomware. Tools included #AdaptixC2 & #Netscan.

thedfirreport.com/2025/08/05/f...
From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in …
thedfirreport.com
1 3
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Jul 23
🚨 New: DFIR Labs Pro Tier is here!

🎯 Smarter investigations with:
• 🧠 AI Timeline Builder (w/ IOCs + notes)
• ⏱️ More lab time + extension credits
• 📊 Analytics dashboard w/ tailored insights

🔗 Dive in: dfirlabs.thedfirreport.com/subscription...
DFIR Labs - Subscription Plans
dfirlabs.thedfirreport.com
1 3
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Jul 14
🚨 New Interlock RAT variant spotted!

Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT).

🔎 thedfirreport.com/2025/07/14/k...

#DFIR #KongTuke #InterlockRAT #FileFix
KongTuke FileFix Leads to New Interlock RAT Variant
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware,…
thedfirreport.com
1 2
Reposted by The DFIR Report
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Jun 25
📢DFIR Labs Enterprise Forensics Challenge📢

🔹 When: Aug 30, 2025 (14:00-18:00 UTC)
🔹 SIEM: Azure Log Analytics, Elastic, or Splunk
🔹 Teams: 2-3 analysts
🔹 Prizes: Top team wins! 🏆

Limited spots available.

Register Now: dfirlabs.thedfirreport.com/dfirchalleng...
DFIR Labs - Digital Forensics Challenge - Enterprise Edition
dfirlabs.thedfirreport.com
1 2
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Jun 30
🌟New report out today!🌟

Hide Your RDP: Password Spray Leads to RansomHub Deployment

Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2

🔊Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/06/30/h...
Hide Your RDP: Password Spray Leads to RansomHub Deployment
Key Takeaways Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credential…
thedfirreport.com
2 3
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Jun 27
Buy Now: store.thedfirreport.com/products/the... (or use your subscription token 😉)

Oh, and the dashboard?

We gave it a full UI refresh. Cleaner, faster, easier to use. Hope you enjoy it!

2/2
The Hive Ransomware Fail - Public Case #18364
This case is based on the public report From ScreenConnect to Hive Ransomware in 61 hours. You will investigate a domain-wide compromise that progressed through multiple stages, beginning with the abu...
store.thedfirreport.com
thedfirreport.bsky.social
The DFIR Report @thedfirreport.bsky.social · Jun 27
A New DFIR Lab is out: The Hive Ransomware Fail 🐝

A domain is under siege, can you trace the threat actor's steps? Sharpen your triage and lateral movement skills in this hands-on investigation.

➡️Difficulty: Easy

1/2
1 1 4