The DFIR Report
@TheDFIRReport
1.7K posts
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.
thedfirreport.com/contact · Joined April 2020
0 Following · 65.4K Followers

The DFIR Report @TheDFIRReport
Defender Tip: Monitor for vol.exe or python.exe interacting with memory dump files in user temp folders. If you see Hashdump in your logs and it isn't your IR team... you have a live intrusion. Want more info? Get in touch!
The DFIR Report @TheDFIRReport
The Flow: A fake "Verify You Are Human" prompt leads to Node.js C2 (interlock RAT), followed by hands-on-keyboard activity where they use vol.exe from \AppData\Local\Temp\ to harvest credentials.
The DFIR Report @TheDFIRReport
Threat Actors are "Bringing Their Own Forensics". In a recent ClickFix campaign, we saw threat actors, likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
The DFIR Report @TheDFIRReport
"On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system settings to the user’s preference. This LOLBIN was used to disable Windows..." Report: thedfirreport.com/2026/02/23/apa…
The DFIR Report reposted
The DFIR Report @TheDFIRReport
🧪 DFIR Labs | LockBit Ransomware Case #27244 Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access. Step through the investigation and see how LockBit was deployed end-to-end. 👉 dfirlabs.thedfirreport.com/auth/login
The DFIR Report @TheDFIRReport
➡️ The above is from a Private Threat Brief: "Fake WinSCP Software Serves Supper and Oyster" ➡️➡️ Interested in receiving more details about this report? Contact us for a demo or pricing - thedfirreport.com/contact/
The DFIR Report @TheDFIRReport
"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"
The DFIR Report @TheDFIRReport
Low noise. High signal. If you get an alert from our feed in your environment, ping us. We’ll help triage it. That’s how much we trust the signal. 🔎 Actionable 🎯 High-confidence ⚡ Built for defenders thedfirreport.com/products/threa…
The DFIR Report @TheDFIRReport
"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389..." Link to report ⬇️
The DFIR Report @TheDFIRReport
➡️ The above is from a Private Threat Brief: "Fake RVTools Installer Leads to PipeMagic, CLFS Exploit, and Ransomexx" ➡️➡️ Interested in receiving more details about this report or future private reports? Contact us for a demo or pricing - thedfirreport.com/contact/
The DFIR Report @TheDFIRReport
"Around 50 minutes after the connection to this second domain controller the ransomware propagation began. Deployment of ransomware consisted of creating remote services on domain joined endpoints, and included distributing the files via SMB."
The DFIR Report reposted
Renzon @r3nzsec
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎 Introducing IRFlow Timeline — a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman’s Timeline Explorer. Every feature in this tool was shaped by real IR casework. Handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it’s in the app, it’s because I needed it mid-case and realized the standard tools fell short. No dependencies. Zero setup. Just drag, drop, and analyze. #dfir #incidentresponse #timeline #macos #threathunting #digitalforensics
The DFIR Report @TheDFIRReport
"SoftPerfect NetScan was used extensively during the intrusion… evidence from Security Event ID 4688 logs showed mstsc.exe /v:<IP address> being launched by netscan.exe, confirming the use of NetScan’s Remote Desktop functionality." Full report 👇 thedfirreport.com/2025/11/17/cat…
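Detection logic for the telemetry called out in the Defender Tip post above (vol.exe, or python.exe running vol.py, reading a memory image from a user's Temp folder or invoking Hashdump) and in the NetScan post (mstsc.exe /v: spawned by netscan.exe), as an added example that is not code from The DFIR Report. It runs over constructed 4688-style process-creation events; the field names, the IR allowlist account, and every path, user and IP are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    user: str     # SubjectUserName as DOMAIN\user (field naming is an assumption)
    parent: str   # ParentProcessName
    image: str    # NewProcessName
    cmdline: str  # Process Command Line

# Hypothetical allowlist: accounts the IR team uses when it runs Volatility on purpose.
IR_ACCOUNTS = {"corp\\ir-analyst"}
# A memory image sitting under a user's Local\Temp folder, as described in the posts.
TEMP_IMAGE = re.compile(r'\\appdata\\local\\temp\\[^\s"]+\.(?:dmp|raw|mem|vmem|bin)\b', re.I)

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule that fires on one event (empty = nothing to see)."""
    hits = []
    img, parent, cmd = _basename(ev.image), _basename(ev.parent), ev.cmdline.lower()
    # Rule 1: Volatility on the endpoint itself (vol.exe, or python.exe running vol.py)
    # that reads an image from Local\Temp or calls hashdump, by someone outside IR.
    is_vol = img == "vol.exe" or (img.startswith("python") and "vol.py" in cmd)
    if is_vol and (TEMP_IMAGE.search(cmd) or "hashdump" in cmd) and ev.user.lower() not in IR_ACCOUNTS:
        hits.append("volatility_on_host")
    # Rule 2: the RDP client launched by NetScan, i.e. its Remote Desktop feature.
    if img == "mstsc.exe" and parent == "netscan.exe" and "/v:" in cmd:
        hits.append("netscan_rdp")
    return hits

def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Index of each flagged event -> rules that fired; clean events are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}

# Constructed sample telemetry (not real logs from any case): two Volatility runs by a
# regular user, one legitimate IR run from a case share, and a NetScan-spawned RDP session.
SAMPLE_EVENTS = [
    ProcEvent("corp\\jdoe", r"C:\Windows\System32\cmd.exe", r"C:\Users\jdoe\AppData\Local\Temp\vol.exe",
              r'vol.exe -f "C:\Users\jdoe\AppData\Local\Temp\mem.raw" windows.hashdump'),
    ProcEvent("corp\\jdoe", r"C:\Windows\System32\cmd.exe", r"C:\Users\jdoe\AppData\Local\Temp\py\python.exe",
              r"python.exe vol.py -f C:\Users\jdoe\AppData\Local\Temp\mem.raw windows.pslist"),
    ProcEvent("corp\\ir-analyst", r"C:\Windows\System32\cmd.exe", r"C:\Tools\volatility3\vol.exe",
              r"vol.exe -f D:\cases\case42\mem.raw windows.hashdump"),
    ProcEvent("corp\\svc-backup", r"C:\Users\svc-backup\Downloads\netscan.exe",
              r"C:\Windows\System32\mstsc.exe", r"mstsc.exe /v:10.0.0.5"),
]
```

Calling `triage(SAMPLE_EVENTS)` flags events 0, 1 and 3 and stays silent on the IR analyst's run, which is the "if it isn't your IR team" condition from the tip expressed as an allowlist.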
The DFIR Report reposted
J⩜⃝mie Williams @jamieantisocial
a lot of post-compromise hands-on-keyboard activity will look like your admins, but not all of it....
The DFIR Report @TheDFIRReport
🌟New report out today!🌟 Apache ActiveMQ Exploit Leads to LockBit Ransomware. Analysis and reporting completed by @malforsec, @lapadrino, and @PeteO. 🔊Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2026/02/23/apa… #DFIR #DigitalForensics #BlueTeam