The DFIR Report

1.7K posts


@TheDFIRReport

Real Intrusions by Real Attackers, the Truth Behind the Intrusion

thedfirreport.com/contact
Joined April 2020
0 Following, 66.8K Followers

The DFIR Report (@TheDFIRReport):

🛡️ Active Defense Threat Insights — Proactively Uncover Your Adversaries and Their TTPs

Move beyond passive defense and generic threat feeds. Active Defense Threat Insights provides firsthand intelligence that reveals who is targeting your organization and how — delivering evidence-based insight into real adversary activity.

We collect and analyze threat interactions to produce customer-specific Indicators of Compromise (IOCs) and detailed Tactics, Techniques, and Procedures (TTPs). These findings go far beyond surface-level summaries, giving your team the clarity needed to understand adversary behavior, intent, and focus areas unique to your environment.

💡 What You Get
➡️ Customer-specific IOCs and adversary TTPs.
➡️ Regular reports detailing targeted campaigns and emerging threats.
➡️ Early warning alerts for relevant or high-risk activity.
➡️ Analysis tailored to your industry and threat landscape.

🚀 Benefits
➡️ Hyper-Relevant Intelligence: Understand threats actively focused on your organization.
➡️ Proactive Early Warning: Detect and disrupt targeted activity before it impacts operations.
➡️ Adversary Insight: Learn how real attackers operate, not just what tools they use.
➡️ Stronger Defenses: Refine detections, response playbooks, and strategy with verified intelligence.
➡️ Strategic Advantage: Turn early insight into action to stay ahead of evolving threats.

Start here 👉 thedfirreport.com/products/activ…

The DFIR Report (@TheDFIRReport):

🎉 New DFIR Labs case drops this weekend!

ClickFix → RomComRAT → Domain Compromise (Private Case #35646)
⚠️ Hard | 🎯 30 Qs + 5 bonus

Nine-day op: fake CAPTCHA lure, custom RAT implants, credential theft, mass exfil.

🆕 New Splunk + Elastic dashboards included.
🎁 Launch weekend = giveaways + 10% off discount code

Join our Discord for the code, prizes, and challenge details 👇 discord.gg/VmwpGpB5h6

The DFIR Report (@TheDFIRReport):

🔒 Private DFIR Report: ViewState of Mind: Gladinet Exploit Opens the Door

In January, we observed a threat actor gain initial access to an environment by exploiting CVE-2025-30406 on an exposed Gladinet CentreStack server. Looking at the network traffic at the time of this connection showed large VIEWSTATE payloads being sent to the server. Based on this pattern in the network traffic, the command execution from the IIS server, and the version of Gladinet CentreStack, we assessed that the threat actor successfully exploited CVE-2025-30406 for initial access in this intrusion.

Private report — request access or a demo: thedfirreport.com/products/threa…

The DFIR Report (@TheDFIRReport):

Cybersecurity Training Using Real Cases

Whether you are just starting out in your cybersecurity career, sharpening your knowledge or are an expert, there is a lab for you! Dig into each case, analyze the evidence, and trace every step of the intrusion from start to finish.

Ready to dive in? 👉 thedfirreport.com/products/dfir-…

The DFIR Report (@TheDFIRReport):

Flash Alert: EtherRAT and TukTuk C2 End in The Gentlemen Ransomware

In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware. The intrusion featured EtherRAT, Ethereum-based EtherHiding C2 configuration, TryCloudflare tunnels, GoTo Resolve, Rclone exfiltration to Wasabi, and a newer malware framework named TukTuk.

TukTuk stood out for its resilient C2 design, using SaaS and cloud platforms such as ClickHouse and Supabase, with support for Ably, Dropbox, GitHub Issues, direct HTTP, Slack, and Arweave-based dead-drop configuration retrieval.

Detection opportunities included!

➡️ Full report is linked in the replies.

#ThreatIntel #ThreatHunting #DigitalForensics

The DFIR Report (@TheDFIRReport):

Low noise. High signal.

That’s not marketing language — it’s how we built our Threat Feed.

If you get an alert in your environment from our feed — ping us. We’ll help triage it. That’s how much we trust the signal.

We built this for defenders who are tired of chasing ghosts and burning cycles on low-fidelity alerts. When it fires, it’s worth your time.

🔎 Real context
🎯 High-confidence detections
⚡ Built for response, not dashboards

Learn more about the Threat Feed: thedfirreport.com/products/threa…

The DFIR Report (@TheDFIRReport):

Last week's DFIR Labs Discord challenge:

A threat actor recently hid commands inside a scheduled task's Description field — AES-encrypted and triggered by an obfuscated PowerShell payload. Can you find the final command executed?

Join the DFIR Labs Discord server for the question, answer, and walkthrough. 👉 discord.gg/VmwpGpB5h6

The DFIR Report (@TheDFIRReport):

🎁 DFIR Labs Giveaway — tomorrow.

We're giving away free cases and subscriptions to members of the DFIR Labs Discord server. Multiple winners!

To participate: join the DFIR Labs Discord server before tomorrow's drawing. Already a member? You're in. 👉 discord.gg/VmwpGpB5h6

DFIR Labs is our hands-on training platform — work real cases built from actual intrusions, sharpen your detection and forensics skills, and level up the way DFIR practitioners learn: by doing.

🔗 Check out DFIR Labs: dfirlabs.thedfirreport.com

The DFIR Report (@TheDFIRReport):

"The ransom note did not follow the normal LockBit format directing victims to a Tor leak site or TOX/Jabber communications; instead, it instructed them to download and use the Session private messaging application... Report: thedfirreport.com/2026/02/23/apa…

The DFIR Report reposted:

DogeDesigner (@cb_doge):

Elon Musk once offered Sam Altman a deal. Change the name of OpenAI to ClosedAI and he would drop the lawsuit.

The DFIR Report (@TheDFIRReport):

"The Claude project transcripts under the /bissascanner/ project show the operator using Claude Code to read the scanner codebase, understand lease and acknowledgement flow, troubleshoot misses, review benchmark output, and document the project well enough to rebuild parts of the acquisition layer. The project outputs include Chain-of-Thought (CoT) prompts showing Claude evaluating and planning improvements for the scanner."

The DFIR Report (@TheDFIRReport):

"The scanner relies on an acquirer file containing targets and a lease file defining the exploit type. These files show the operator obtaining target feeds from ZIP archives hosted on cs2[.]ip[.]thc[.]org, assigning the cve_2025_55182 module, and deploying a payload intended to enumerate .env files, cloud metadata, Kubernetes service account context, local credential stores, database and Redis access, cryptocurrency wallet material, and other high-value secrets. A file titled “confirmed hits” indicates that more than 900 companies were exploited through this workflow."

The DFIR Report (@TheDFIRReport):

We identified an exposed server that provided unusual visibility into a large-scale, multi-victim exploitation and collection operation. Artifacts on the host showed that Claude Code and OpenClaw were embedded in the operator's day-to-day workflow, supporting troubleshooting, orchestration, and refinement of the collection pipeline. Logs indicated more than 900 confirmed compromises, with tens of thousands of harvested .env files spanning AI, cloud, payments, databases, messaging and more.

Read the full report: thedfirreport.com/2026/04/22/bis…

The DFIR Report (@TheDFIRReport):

Zurich, we'll see you in June!

We're proud to share that two of our researchers, Alessandro Di Carlo and Angelo Violetti, will be taking the stage at Area41 2026, Switzerland's premier technical information security conference. Their talk — DFIR Report at Cons: Deconstructing Real-World Intrusions — will dig into the kind of hands-on intrusion analysis our team lives and breathes.

Being selected to present here is a genuine honor, and we couldn't be prouder of the work Alessandro and Angelo will be sharing with the community. If you're attending, don't miss their talk, and come say hello between sessions!

#Area41 #InfoSec #CyberSecurity