The DFIR Report
thedfirreport.bsky.social
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

https://thedfirreport.com
...beachhead host without performing any credential access activities, indicating these credentials were also obtained prior to initial access."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

3/3
November 13, 2025 at 3:55 PM
...there was no indication of brute force or password spraying occurring, indicating these credentials were obtained prior to the intrusion.

The threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the...

2/3
November 13, 2025 at 3:55 PM
➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/
October 20, 2025 at 12:14 AM
"...It's unclear why they scanned these external IPs. An interesting observation is that they scanned public IP ranges which hosted the C2 addresses used by Supper:"
October 20, 2025 at 12:14 AM
➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/
October 16, 2025 at 1:29 PM
The full lab from the challenge is now live, with all quiz-style questions included.
➡️ Try it via one-time access -> dfirlabs.thedfirreport.com/store
or subscription -> dfirlabs.thedfirreport.com/subscription...

And we just dropped the full report too:
📄 thedfirreport.com/2025/09/29/f...
September 29, 2025 at 11:37 PM
Get access to it through:

- Your subscription: dfirlabs.thedfirreport.com/subscription...
- Via one-time purchase from our store here: dfirlabs.thedfirreport.com/store

#dfir #CyberSecurity
September 3, 2025 at 8:10 PM