The DFIR Report
thedfirreport.bsky.social
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

https://thedfirreport.com
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and...

1/3
November 13, 2025 at 3:55 PM
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader.

All files involved in the initial access phase were signed with valid certificates.
October 16, 2025 at 1:29 PM
DFIR Challenge Weekend Recap!

The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge!

Big shoutout to the top finishers who untangled the whole thing:

🥇 Jason Phang Vern Onn
🥈 Marko Yavorskyi
🥉 Bohdan Hrondzal
September 29, 2025 at 11:37 PM
🌟New report out today!🌟

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st.

Audio: Available on Spotify, Apple, YouTube and more!

Report:⬇️
September 29, 2025 at 2:49 PM
"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow.

Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."
September 23, 2025 at 11:19 PM
"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors.

The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."
September 22, 2025 at 10:10 PM
"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain.

The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."
September 21, 2025 at 1:05 PM
"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."
September 20, 2025 at 8:54 PM
"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."
September 19, 2025 at 11:58 PM
🌟New report out today!🌟

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe

Audio: Available on Spotify, Apple, YouTube and more!

Report:⬇️
September 8, 2025 at 2:47 PM
🚨 New Lab Just Released: Specter’s Domain Heist – Private Case #35218

This lab is based on a detailed intrusion from our private case repositories 👇

📥 Workstation Compromise ➡️ Persistent Access ➡️ Discovery➡️ Privilege Escalation ➡️ Lateral Movement ➡️ Data Exfil

Link 👇
September 3, 2025 at 8:10 PM
🎙️ New Podcast Episode Dropping Soon!

We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang.

Stay tuned for deep insights, behind-the-scenes analysis, and expert commentary from the front lines of DFIR. 🔍
June 10, 2025 at 12:06 PM
🚨 That CTF finale was wild. Only 300 points between 1st and 3rd — it stayed neck-and-neck till the very last minute.

Big congrats to our winners!

🥇 @Friffnz — 5100 pts
🥈 snail — 4840 pts
🥉 forynsics — 4800 pts
June 8, 2025 at 12:34 PM
"The remote endpoints it attempted to contact included several TryCloudflare domains as well as direct IP addresses.

The logic would rotate through the various servers until an online host was found.

1/3

#dfir #CyberSecurity #cyberthreatintelligence #cti #interlock #ransomware
June 5, 2025 at 12:39 PM
🎯 THIS SATURDAY: DFIR Labs CTF 🎯

⏰ June 7 | 1630–2030 UTC
🔗 Register Now → dfirlabs.thedfirreport.com/ctf

🚀 DFIR Labs CTF is back!
💥 Only $9.99 to join
💥 Choose Elastic or Splunk
💥 Access a brand-new, unreleased case
💥 Top 5 get invited to join The DFIR Report team!
June 4, 2025 at 12:04 PM
🔥 DFIR Labs is Evolving! Have You Seen What's New? 🔥

Big things are happening at DFIR Labs! We've been hard at work implementing a wave of exciting changes and improvements, all designed to enhance your experience!

➡️ Check it out now! dfirlabs.thedfirreport.com
May 22, 2025 at 6:44 PM
Wondering how effective our DFIR Labs are for practical skills? 🤔

Check out real user testimonials on gaining critical, hands-on experience & see why they recommend our platform:
👇
thedfirreport.com/services/dfi...
May 1, 2025 at 12:10 PM
Passionate about Digital Forensics and Incident Response? Want to share your expertise with the security community while collaborating with talented analysts worldwide?

We're looking for volunteer analysts to join the team!

Ready to join the team? ➡️https://github.com/The-DFIR-Report/DFIR-Artifacts
April 12, 2025 at 12:48 PM
“For this case we observed TXT records being utilized for C2 communication rather than MX records.

This can be identified by the "type: 16" in the Sysmon logs seen above. Below is a sample list that, while not exhaustive, provides a clear example of the traffic patterns:”

1/2
April 8, 2025 at 11:53 AM
📣 We just launched a new page to highlight the top players from our DFIR Labs CTF events:

thedfirreport.com/services/dfi...

Congratulations to the winners so far for making it to the CTF Winners table! If you’ve placed in a past event, your name’s up there!
March 27, 2025 at 12:54 PM
PYSA/Mespinoza Ransomware

➡️TTR 7.5 hours
➡️Koadic and Empire for C2
➡️7+ Credential Access techniques
➡️ADRecon, APS, quser, arp, and nltest for Discovery
➡️RDP and PsExec for Lateral Movement
➡️Files exfiltrated
➡️PYSA ransomware for Impact

Report link ⬇️
March 13, 2025 at 2:18 PM
🎉 Congratulations to our winners 🎉

🥇1st Place: d1d1d1 @DreSecX
🥈2nd Place: mohan @imohanasundaram
🥉3rd Place: m.frithnz @Friffnz

We hope everyone enjoyed playing in our #DFIRLabsCTF!
March 8, 2025 at 9:54 PM
"On the beachhead host, we saw failed command executions. This could be due to process injection or errors when the attacker used Pupy’s shell_exec.

The commands and argument order point to the use of the scanning tool fscan."

2/3
January 30, 2025 at 1:31 PM
"The threat actor executed ipconfig /all to gather network configuration details. Shortly after, we observed network scanning behavior and brute-force attacks across the 10.xx.xx.0/24 subnet.

Targeted services included SSH, RDP, MySQL, MSSQL, FTP, and SMB."

1/3
January 30, 2025 at 1:31 PM
"The threat actors repeatedly leveraged remote services to facilitate lateral movement within the network. Their activity began with the deployment of SystemBC and GhostSOCKS proxy tools to a domain controller."

🌟New report out Monday, January 27th by @r3nzsec, @MyDFIR & @MittenSec!
January 25, 2025 at 2:33 PM