The DFIR Report

1.8K posts

The DFIR Report banner
The DFIR Report

The DFIR Report

@TheDFIRReport

Real Intrusions by Real Attackers, the Truth Behind the Intrusion

thedfirreport.com/contact Katılım Nisan 2020
0 Takip Edilen67.8K Takipçiler
The DFIR Report
The DFIR Report@TheDFIRReport·
🚨 Investigation & Collaboration Request We are currently investigating malicious activity associated with the following LNK file: `1b3089a761da4a9b7a1bfb485cc857969346ce61` — `Employment_Verification_Details.lnk` After execution of the following DLL: `fc66b5d2f46dbb3bc8b29c611166dd56d5bb163e` — `mctsetup64.dll` We observed command-and-control communications with: 🌐 `work[.]officialm[.]com` — VT Score: 0/91 🌐 `31[.]192[.]107[.]162:443` — VT Score: 0/91 If you have observed related activity and/or possess additional intelligence, and would like to collaborate, please reach out! #DFIR #ThreatHunting #ThreatIntel
The DFIR Report tweet media
English
0
17
42
4.9K
The DFIR Report retweetledi
The DFIR Report
The DFIR Report@TheDFIRReport·
We identified an exposed server that provided unusual visibility into a large-scale, multi-victim exploitation and collection operation. Artifacts on the host showed that Claude Code and OpenClaw were embedded in the operator's day-to-day workflow, supporting troubleshooting, orchestration, and refinement of the collection pipeline. Logs indicated more than 900 confirmed compromises, with tens of thousands of harvested .env files spanning AI, cloud, payments, databases, messaging and more. Read the full report: thedfirreport.com/2026/04/22/bis…
The DFIR Report tweet media
English
4
71
245
52.9K
The DFIR Report
The DFIR Report@TheDFIRReport·
Step into real investigations. Real data, real cases, real threat actors, real tradecraft. Join us at DFIR Labs to put your skills to the test and gain insight from the real intrusions. 🧪 Your lab is waiting: thedfirreport.com/products/dfir-…
The DFIR Report tweet media
English
0
10
38
4K
The DFIR Report
The DFIR Report@TheDFIRReport·
Low noise. High signal. That’s not marketing language — it’s how we built our Threat Feed. If you get an alert in your environment from our feed — ping us. We’ll help triage it. That’s how much we trust the signal. We built this for defenders who are tired of chasing ghosts and burning cycles on low-fidelity alerts. When it fires, it’s worth your time. 🔎 Real context 🎯 High-confidence detections ⚡ Built for response, not dashboards Learn more about the Threat Feed: thedfirreport.com/products/threa…
The DFIR Report tweet media
English
0
5
31
5.1K
The DFIR Report retweetledi
EncapsulateJay
EncapsulateJay@EncapsulateJ·
This case has it all: Malvertising, trojanized software, and, of course ransomware that goes BOOM. If you want to read what like to work boots on the ground as an analyst in 2026, then this is for you. @TheDFIRReport whole team smashed it once again. thedfirreport.com/2026/06/29/fro…
English
0
3
7
2.3K
The DFIR Report retweetledi
Renzon
Renzon@r3nzsec·
Glad to contribute to this latest intrusion report with @TheDFIRReport gang! Bing Search > Bumblebee > Adaptix > Akira Ransomware Check this out! 👇
The DFIR Report@TheDFIRReport

➡️ New report out today by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira 🔎 A user searching for ManageEngine OpManager was led to a fake download site and installed a trojanized MSI. 🐝 That install launched BumbleBee, which brought in AdaptixC2 and gave the threat actor a foothold in the network. 🔐 From there, the actor created privileged accounts, moved to domain controllers and backup servers, dumped credentials, and exfiltrated data. 💥 The intrusion ended with Akira ransomware across the root domain, followed by a return two days later to encrypt a child domain. thedfirreport.com/2026/06/29/fro…

English
0
1
14
3.5K
The DFIR Report
The DFIR Report@TheDFIRReport·
"From network traffic recorded during the second round of exploitation, we saw the ActiveMQ Server process downloading the malicious XML file containing the commands to be run in the command-line interface: " Report: thedfirreport.com/2026/02/23/apa…
The DFIR Report tweet media
English
1
12
43
6.2K
The DFIR Report
The DFIR Report@TheDFIRReport·
➡️ New report out today by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira 🔎 A user searching for ManageEngine OpManager was led to a fake download site and installed a trojanized MSI. 🐝 That install launched BumbleBee, which brought in AdaptixC2 and gave the threat actor a foothold in the network. 🔐 From there, the actor created privileged accounts, moved to domain controllers and backup servers, dumped credentials, and exfiltrated data. 💥 The intrusion ended with Akira ransomware across the root domain, followed by a return two days later to encrypt a child domain. thedfirreport.com/2026/06/29/fro…
English
2
27
65
10.8K
The DFIR Report
The DFIR Report@TheDFIRReport·
🎉 New report out Monday 6/29 by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. "Approximately 44 hours after the initial compromise, the threat actor initiated the Akira ransomware deployment, beginning with the backup server. The binary, staged as C:\ProgramData\locker.exe, was executed using the following parameters: locker.exe -p=G:\ -n=15 . In this context, the -p flag defines the target encryption path, while -n determines the percentage of each file to be encrypted—a tactic often used to speed up the encryption process. On the file server, the threat actor uninstalled FileZilla, likely to remove evidence of exfiltration, before executing the ransomware locally. From the domain controller, the threat actor utilized remote execution flags to target and encrypt network shares, followed by several additional passes across various directories to maximize the impact of the deployment."
The DFIR Report tweet media
English
7
16
90
9.3K
The DFIR Report
The DFIR Report@TheDFIRReport·
🎉 New report out Monday 6/29 by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec "The threat actor used BumbleBee, AdaptixC2 and RustDesk, in addition to a reverse SSH tunnel to establish connections to their C2 infrastructure."
The DFIR Report tweet media
English
1
11
68
6.8K
The DFIR Report
The DFIR Report@TheDFIRReport·
🎉 New report out Monday 6/29 by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. "Despite already having domain admin privileges, the threat actor targeted the Veeam PostgreSQL database and extracted stored credentials. The activity included encoded PowerShell, psql.exe, and DPAPI decryption logic designed to recover both legacy and newer Veeam credential formats."
The DFIR Report tweet media
English
4
4
32
5K
The DFIR Report
The DFIR Report@TheDFIRReport·
🎉 New report out Monday 6/29 by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. "On the second day of the intrusion, the threat actor accessed a domain controller and used wbadmin.exe to extract ntds.dit along with the SYSTEM and SECURITY hives. The files were staged in C:\ProgramData, giving the actor everything needed to crack domain-wide password hashes offline."
The DFIR Report tweet media
English
5
9
31
5.4K
The DFIR Report
The DFIR Report@TheDFIRReport·
🎉 New report out Monday 6/29 by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. "In July 2025, a user searching for ManageEngine OpManager was lured to a lookalike domain serving a trojanized MSI installer. The installer dropped BumbleBee via DLL side-loading, launching the intrusion that later led to AdaptixC2, credential theft, data exfiltration, and Akira ransomware."
The DFIR Report tweet media
English
1
11
35
5.8K
The DFIR Report retweetledi
treadwater
treadwater@_treadwater·
@TheDFIRReport Having completed three labs and participated in two CTFs, I can attest to the immense value of being able to search through data from real intrusions. I've used these experiences to flesh out hunting playbooks and provide training in my shop regarding threat actor TTPs.
English
0
1
4
1.7K
The DFIR Report
The DFIR Report@TheDFIRReport·
🧪 DFIR Labs Enterprise Trial Opportunity We’re giving 5 organizations a free trial of our DFIR Labs Enterprise Plan. Give your team access to hands-on DFIR training, real-world labs, and enterprise-ready learning resources built for analysts, threat hunters, and security teams. To claim one of the available trials: 📩 DM us with your company email address or 📧 Email us directly at training@thedfirreport.com Learn more about our plans here: dfirlabs.thedfirreport.com/subscription-p… #DFIR #InfoSec #BlueTeam
The DFIR Report tweet media
English
1
2
13
3.9K
The DFIR Report
The DFIR Report@TheDFIRReport·
🔒 Private DFIR Report: ViewState of Mind: Gladinet Exploit Opens the Door The threat actor changed to a new execution pattern that would be used throughout the intrusion. This pattern followed the execution chain common for tools such as atexec.py or the NetExec schtask_as module and was later also observed being used for lateral movement. However, the command execution appeared to be heavily customized by the threat actor. It used AES encrypted commands and sent data back and forth via fields within the task rather than new file writes like impacket's atexec.py uses. Private report — request access or a demo: thedfirreport.com/products/threa…
The DFIR Report tweet media
English
0
4
18
3.6K
The DFIR Report retweetledi
Renzon
Renzon@r3nzsec·
Really enjoying the first day of @a41con with the @TheDFIRReport folks at the blue team village. Come and say hi if you're around! #area41 #dfir
Renzon tweet mediaRenzon tweet mediaRenzon tweet mediaRenzon tweet media
English
0
2
25
2.8K
The DFIR Report
The DFIR Report@TheDFIRReport·
Keep your skills sharp 🧠 DFIR Labs is an interactive platform where you can asses real world threats, test your skills and improve knowledge along the way. Get Started here: thedfirreport.com/products/dfir-…
The DFIR Report tweet media
English
0
14
34
3.4K
The DFIR Report
The DFIR Report@TheDFIRReport·
🔒 Private DFIR Report: ClickFix Leads to Tsundere Bot, Tunnels, RMMs, and Double Theft Hands-on-keyboard activity began less than 20 minutes after initial execution. The threat actor quickly performed host and domain discovery, captured screenshots, enumerated domain users and groups, and escalated operations through Cobalt Strike, Kerberoasting, and the use of compromised privileged credentials. Request access to the private DFIR report or schedule a demo to see how our Threat Intelligence offering delivers timely, actionable intel for defenders: thedfirreport.com/products/threa…
The DFIR Report tweet media
English
2
26
95
7.7K