DFIR Radar

1.7K posts


@DFIR_Radar

Keeping DFIR Intelligence on your Radar.

Joined March 2025
1 Following · 1.4K Followers
Pinned Tweet
DFIR Radar @DFIR_Radar
Hundreds of cybersecurity blogs, research reports, and advisories published every day. No one has time to read them all. And the one report that matters? It's buried somewhere in the noise. That's why DFIR Radar exists. We monitor the cybersecurity landscape around the clock. Every article is evaluated for DFIR relevance. Only what's genuinely useful makes it through. The rest never reaches your feed. This feed is the result of that process. Every article is sourced, evaluated, and published only if it meets the standard. If you find something we missed, our Discord community lets you contribute directly. Discord community: discord.gg/rHkqgs53bF Built by a practitioner who needed this to exist. Follow once. Stay informed forever. #DFIR_Radar
DFIR Radar @DFIR_Radar
JDownloader website compromised May 6-7 serving Python RAT via malicious Windows/Linux installers. Attackers exploited CMS vulnerability to redirect download links. #DFIR_Radar
DFIR Radar @DFIR_Radar
New attack bypasses all ransomware detection: GhostLock achieves full file unavailability across enterprise NAS using Windows API calls with zero encryption, writes, or forensic artifacts.

Breakthrough findings:
• Uses CreateFileW with dwShareMode=0x00000000 to hold exclusive handles on hundreds of thousands of files simultaneously
• 32-thread parallel discovery maps 500K files in 6 minutes, locks 498K+ files in under 3 minutes with 99.6% success rate
• Bypasses canary files, write-rate detection, behavioral AI, EDR, NDR - appears identical to document indexing
• Victims get STATUS_SHARING_VIOLATION (0xC0000043) errors, complete application failure across ERP/document systems
• Recovery requires storage admin to terminate SMB sessions - not covered in most IR runbooks

Key technical details:
• Leverages legitimate Win32 API behavior documented since Windows NT 3.1
• SMB2 CREATE requests use ShareAccess=0x00000000 per MS-SMB2 specification
• No writes, renames, or entropy changes - zero disk forensic artifacts
• Python PoC available on GitHub with exponential backoff for transient locks
• Session persistence survives credential revocation for 15-60 minutes

Primary detection opportunity: Monitor NAS session telemetry for >500 simultaneous exclusive handles per session. This metric exists in storage management APIs but isn't ingested into SIEMs. #DFIR_Radar
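The detection opportunity named at the end of this post (more than 500 simultaneous exclusive handles in one SMB session), sketched as an added example that is not code from the post or from the GhostLock research. It assumes the storage array's management API can export one record per open handle carrying the session id, account, client IP, file path and the SMB2 ShareAccess value of the CREATE request; those field names, the threshold default, and every session id, account and path in the sample table are constructed for this example.

```python
"""Added detection sketch: flag SMB sessions hoarding exclusive file handles on a NAS.

Not code from the original post. Assumes the storage array's management API exports
one record per open handle with the fields below; the field names, the sample
session ids, accounts and paths are all constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# SMB2 ShareAccess bits; a value of 0 grants no sharing at all, i.e. an exclusive handle.
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4

# Per-session threshold named in the post; tune it to the array's normal indexer/backup load.
EXCLUSIVE_THRESHOLD = 500


@dataclass(frozen=True)
class OpenHandle:
    session_id: str
    account: str
    client_ip: str
    path: str
    share_access: int  # ShareAccess value from the SMB2 CREATE request


def exclusive_handles_per_session(handles):
    """Count handles opened with ShareAccess == 0, keyed by session id."""
    return dict(Counter(h.session_id for h in handles if h.share_access == 0))


def find_hoarding_sessions(handles, threshold=EXCLUSIVE_THRESHOLD):
    """Return one alert per session holding more than `threshold` exclusive handles.

    Each alert carries what a storage admin needs to terminate the session (id, account,
    client IP) plus the directories most affected, for scoping the outage.
    """
    by_session = defaultdict(list)
    for h in handles:
        if h.share_access == 0:
            by_session[h.session_id].append(h)

    alerts = []
    for sid, exclusive in by_session.items():
        if len(exclusive) <= threshold:
            continue
        top_dirs = Counter(str(PureWindowsPath(h.path).parent) for h in exclusive).most_common(3)
        alerts.append({
            "session_id": sid,
            "account": exclusive[0].account,
            "client_ip": exclusive[0].client_ip,
            "exclusive_handles": len(exclusive),
            "top_directories": top_dirs,
        })
    return sorted(alerts, key=lambda a: a["exclusive_handles"], reverse=True)


def build_sample_telemetry():
    """Constructed handle table: a hoarding session, a benign indexer, an ordinary user."""
    handles = []
    # 600 exclusive opens from one session spread over four finance subfolders
    for i in range(600):
        handles.append(OpenHandle("sess-A1", "svc_backup", "10.0.5.17",
                                  rf"\\nas01\finance\q{i % 4}\doc{i}.xlsx", 0))
    # An indexer touching even more files, but with sharing allowed: not exclusive,
    # which is what separates it from the hoarding session in this sample
    for i in range(800):
        handles.append(OpenHandle("sess-B2", "svc_indexer", "10.0.5.30",
                                  rf"\\nas01\finance\archive\doc{i}.pdf",
                                  FILE_SHARE_READ | FILE_SHARE_DELETE))
    # A user editing a handful of documents exclusively, well under the threshold
    for i in range(20):
        handles.append(OpenHandle("sess-C3", "alice", "10.0.7.4",
                                  rf"\\nas01\hr\file{i}.docx", 0))
    return handles


if __name__ == "__main__":
    for alert in find_hoarding_sessions(build_sample_telemetry()):
        print(alert)
```

The count is taken per session rather than per client or per account so that the alert maps directly onto the recovery step the post names (terminating the SMB session); the ShareAccess filter is what keeps a read-sharing indexer with more open files out of the alert.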
DFIR Radar @DFIR_Radar
New guide showcases Zircolite, a SIGMA-based detection engine that transforms dense Windows Event Logs and Sysmon data into visual security findings. #DFIR_Radar
DFIR Radar @DFIR_Radar
Fake OpenAI repository on Hugging Face reached trending with 244K downloads, delivering Rust-based infostealer targeting browser data, crypto wallets, and credentials via malicious loader.py script. C2: recargapopular[.]com. #DFIR_Radar
DFIR Radar @DFIR_Radar
QLNX Linux RAT deploys fileless, memory-only execution with eBPF hiding, PAM backdoors, and P2P mesh networking to target DevOps environments. #DFIR_Radar
DFIR Radar @DFIR_Radar
Which of this week's threats concerns you most heading into next week? The persistent firmware implants, mobile-focused campaigns, or state-sponsored ransomware operations? #DFIR_Radar #DFIR
DFIR Radar @DFIR_Radar
📌 Operation HumanitarianBait: An Infostealer Campaign in Disguise
DFIR Radar @DFIR_Radar

Russian 🇷🇺-language humanitarian aid lures deliver sophisticated Python infostealer targeting aid workers. Multi-stage campaign uses GitHub infrastructure and PyArmor obfuscation to establish persistent surveillance platform with credential theft, remote access, and continuous monitoring capabilities.

Technical Details:
• Initial vector: LNK file (8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79) in RAR archive with anti-sandbox evasion techniques
• Payload hosted on GitHub Releases (hxxps://github[.]com/leravalera2/dtfls/releases) to abuse trusted infrastructure
• Creates self-contained Python environment in %APPDATA%\WindowsHelper with PyArmor v9.2 Pro obfuscation
• Full surveillance stack: browser credential theft (T1555.003), keylogging (T1056.001), clipboard monitoring (T1115), screenshots (T1113)
• Silent RustDesk/AnyDesk deployment for persistent remote access (T1219)
• Persistence via scheduled task "WindowsHelper" running every 5 minutes (T1053.005)

C2 Infrastructure:
• Primary server: 159[.]198[.]41[.]140 (Namecheap VPS, confirmed active May 2026)
• Custom Flask dashboard for threat actor access to stolen data
• Exfiltration via HTTP uploads with spoofed Chrome user-agent

Monitor for unexpected Python environments in %APPDATA%, scheduled tasks with short intervals, and silent remote desktop tool installations by non-admin processes. #DFIR_Radar

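The monitoring advice that closes this post (unexpected Python environments under %APPDATA% and scheduled tasks with short intervals), turned into a hunting sketch over a scheduled-task inventory. This is an added example, not code from the post or from the campaign analysis. It assumes a CSV export whose columns follow the verbose `schtasks /query /v /fo CSV` layout (TaskName, Task To Run, Run As User, Repeat: Every); check those column names against your own export. The three sample rows, including the username and paths, are constructed; only the task name, the %APPDATA%\WindowsHelper location and the 5-minute interval come from the post.

```python
"""Added hunting sketch: flag scheduled tasks that look like the WindowsHelper persistence
described in the post (short repeat interval, Python interpreter, runs out of %APPDATA%).

Not code from the original post. The CSV columns are modelled on the verbose
`schtasks /query /v /fo CSV` export; verify the column names against your own output.
The sample rows below are constructed for this example.
"""
import csv
import io
import re

# Constructed sample: one task modelled on the post's indicators, two benign-looking tasks.
SAMPLE_TASKS_CSV = r'''"TaskName","Task To Run","Run As User","Repeat: Every"
"\WindowsHelper","C:\Users\ivan\AppData\Roaming\WindowsHelper\pythonw.exe C:\Users\ivan\AppData\Roaming\WindowsHelper\main.py","ivan","0 Hour(s), 5 Minute(s)"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","N/A"
"\OneDrive Standalone Update Task","%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","ivan","1 Hour(s), 0 Minute(s)"
'''

INTERVAL_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")
# Match both the unexpanded variable and the expanded roaming profile path
APPDATA_RE = re.compile(r"%appdata%|\\appdata\\roaming\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"\bpythonw?(?:\.exe)?\b", re.IGNORECASE)


def parse_interval_minutes(text):
    """'0 Hour(s), 5 Minute(s)' -> 5; 'N/A' (task does not repeat) -> None."""
    m = INTERVAL_RE.search(text or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def task_reasons(row, max_interval=10):
    """List the indicators a single task row matches."""
    reasons = []
    interval = parse_interval_minutes(row.get("Repeat: Every"))
    command = row.get("Task To Run", "")
    if interval is not None and interval <= max_interval:
        reasons.append(f"repeats every {interval} min")
    if APPDATA_RE.search(command):
        reasons.append("runs from roaming AppData")
    if PYTHON_RE.search(command):
        reasons.append("invokes a Python interpreter")
    return reasons


def find_suspicious_tasks(csv_text, max_interval=10, min_reasons=2):
    """Return tasks matching at least `min_reasons` indicators, strongest matches first.

    Requiring two indicators keeps ordinary short-interval maintenance tasks out of
    the result; a single hit is worth a look but not an alert on its own.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = task_reasons(row, max_interval)
        if len(reasons) >= min_reasons:
            hits.append({
                "task": row["TaskName"],
                "run_as": row.get("Run As User"),
                "reasons": reasons,
            })
    return sorted(hits, key=lambda h: len(h["reasons"]), reverse=True)


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_TASKS_CSV):
        print(hit["task"], hit["run_as"], "; ".join(hit["reasons"]))
```

To run it against a live host, replace SAMPLE_TASKS_CSV with the contents of the exported CSV; the "Run As User" field is kept in each hit because the post's last line singles out installs and tasks created under non-admin accounts.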
DFIR Radar @DFIR_Radar
DFIR Weekly Recap | This week brought fresh Linux kernel exploits, persistent firmware threats, and a surge in mobile-targeted malware campaigns.
• Copy Fail and DirtyFrag expose critical Linux page cache vulnerabilities exploited in the wild
• FIRESTARTER firmware implant survives patches and reboots, challenging traditional IR approaches
• UAT-8302 deploys extensive malware arsenal across multiple attack vectors
• CloudZ RAT targets OTP messages through specialized Pheno plugin capabilities
• TCLBANKER spreads Brazilian banking trojan via WhatsApp and Outlook channels
• OpenClaw skill distributes Remcos RAT and GhostLoader to unsuspecting users
• ClickFix leverages fake macOS utilities to deliver sophisticated infostealers
• State-sponsored actors hide behind Chaos ransomware operations
• WAInsight provides new open-source forensics for WhatsApp Android analysis
• HumanitarianBait masks infostealer campaign as legitimate humanitarian effort
Top stories in the thread below. #DFIR_Radar