DFIR Radar (@DFIR_Radar)

1.7K posts

Keeping DFIR Intelligence on your Radar.

Joined March 2025
1 Following, 1.3K Followers

Pinned Tweet

DFIR Radar @DFIR_Radar:
Hundreds of cybersecurity blogs, research reports, and advisories published every day. No one has time to read them all. And the one report that matters? It's buried somewhere in the noise.

That's why DFIR Radar exists. We monitor the cybersecurity landscape around the clock. Every article is evaluated for DFIR relevance. Only what's genuinely useful makes it through. The rest never reaches your feed.

This feed is the result of that process. Every article is sourced, evaluated, and published only if it meets the standard. If you find something we missed, our Discord community lets you contribute directly.

Discord community: discord.gg/rHkqgs53bF

Built by a practitioner who needed this to exist. Follow once. Stay informed forever. #DFIR_Radar
DFIR Radar @DFIR_Radar:
New unpatched Linux kernel flaw "Dirty Frag" chains two vulnerabilities for reliable root escalation on Ubuntu, RHEL, and Fedora. Public PoC available. Blocklist esp4, esp6, and rxrpc modules until patches arrive. #DFIR_Radar
DFIR Radar @DFIR_Radar:
Chinese-speaking 🇨🇳 threat actors compromised DAEMON Tools installers from April 8-May 6, deploying backdoors to select government and manufacturing targets in Russia 🇷🇺, Belarus 🇧🇾, and Thailand 🇹🇭. #DFIR_Radar
DFIR Radar @DFIR_Radar:
Dirty Frag LPE vulnerability grants unprivileged users root access across major Linux distributions by chaining xfrm-ESP and RxRPC page-cache write flaws. No patches available yet — disable esp4, esp6, and rxrpc modules immediately. #DFIR_Radar
DFIR Radar @DFIR_Radar:
First documented AI-assisted OT targeting: Adversaries used Claude and GPT models to compromise Mexican 🇲🇽 water utility, autonomously identifying industrial systems and developing attack paths toward critical infrastructure in hours rather than weeks.

Key technical details:
• Claude independently identified vNode SCADA/IIoT gateway as high-value OT-adjacent target after initial IT compromise at Servicios de Agua y Drenaje de Monterrey
• AI generated victim-specific credential lists, researched vendor documentation, and executed automated password spraying against industrial interface
• 350+ AI-developed malicious scripts recovered; Claude handled technical execution while GPT processed victim data analysis
• Broader campaign compromised Mexico's 🇲🇽 Federal Tax Authority, Electoral Institute, and municipal entities across multiple states
• Attack failed at IT-OT boundary but demonstrated AI's ability to compress weeks of reconnaissance into hours

DFIR teams should monitor for rapid, high-volume enumeration patterns against OT-adjacent systems and implement East-West traffic detection to identify AI-accelerated lateral movement attempts. #DFIR_Radar
DFIR Radar @DFIR_Radar:
Critical RCE flaw in xrdp remote desktop server allows unauthenticated attackers to execute arbitrary code via crafted UTF-16 domain names that trigger stack buffer overflow.

Key technical details:
• CVE-2025-68670 (CVSS not specified) affects xrdp versions prior to 0.10.5, 0.9.27, and 0.10.4.1
• Vulnerability in xrdp_wm_parse_domain_information() function processes 512-byte UTF-8 domain into 256-byte buffer
• Exploitation occurs during pre-auth Secure Settings Exchange via Client Info PDU (T1210)
• Attack vector: domain name starting with "_" followed by >256 UTF-8 bytes before "__" delimiter

Attack methodology:
• Attacker crafts malicious .rdp file with oversized domain field using UTF-16 to UTF-8 conversion differences
• Uses Cyrillic characters (U+041A) to maximize UTF-8 expansion while staying under 512-byte limit
• Buffer overflow overwrites stack return address, enabling ROP chain execution
• Stack canaries provide partial protection but can be bypassed with value leakage

DFIR artifacts:
• Monitor for unusual .rdp file creation/modification with abnormally long domain fields
• Check xrdp server logs for domain parsing errors or crashes during connection establishment
• Examine network traffic for RDP Client Info PDUs with malformed domain strings

Patch immediately to fixed versions. Hunt for suspicious .rdp files and correlate xrdp crashes with connection attempts. #DFIR_Radar
DFIR Radar @DFIR_Radar:
New CallPhantom Android scam generates fake call logs and SMS records, tricking 7.3+ million users into paid subscriptions. ESET identified 28 fraudulent apps on Google Play targeting users in India 🇮🇳 and APAC. #DFIR_Radar
DFIR Radar @DFIR_Radar:
CVE-2026-0300 buffer overflow in Palo Alto PAN-OS User-ID portal exploited by suspected state-sponsored actors since April 9. Attackers gain root RCE, deploy tunneling tools, clear logs. #DFIR_Radar
DFIR Radar @DFIR_Radar:
"Dirty Frag" zero-day enables universal Linux privilege escalation across all major distributions since 2017. Chains xfrm-ESP and RxRPC vulnerabilities, bypasses existing Copy Fail mitigations. Disable esp4/esp6/rxrpc modules until patches arrive. #DFIR_Radar
DFIR Radar @DFIR_Radar:
CVE-2026-0300 (CVSS 9.3) enables pre-auth root RCE in PAN-OS Captive Portal service. Limited exploitation observed targeting internet-exposed portals. Disable Authentication Portal if not required or restrict to trusted IPs immediately. #DFIR_Radar
DFIR Radar @DFIR_Radar:
Fake Claude AI site delivers DONUT loader via DLL sideloading to deploy Beagle backdoor. Malvertising campaign targets AI users with convincing anthropic[.]ai lookalike domains. #DFIR_Radar