Fox-IT

1.9K posts

@foxit

IT-Security company creating special security, intelligence and forensics solutions. Fox-IT is part of NCC Group.

Delft, The Netherlands · Joined October 2008
298 Following · 13.7K Followers

Fox-IT@foxit·
Dissect update
Say hello to Dissect version 3.21
- Minimum Python version is now 3.10
- New dissect.apfs project – initial support for macOS, available through the API
- Improved usability for interacting with nested targets
- Support for CramFS and Apple Sparse Image Format (ASIF)
And much more! Check out the full release notes lnkd.in/ePmdCugY
Fox-IT@foxit·
Sharing is caring! We've uploaded malware samples from our latest Lazarus research to VirusTotal (d86c51db1a0f3c6b71b1b62a766d6daa). This includes macOS, Linux and Windows samples used by this actor, such as custom screenshotters and keyloggers. See our blogpost for the hashes: blog.fox-it.com/2025/09/01/thr…
Fox-IT@foxit·
New Dissect release v.3.20.1 is out!
Important: deprecation notice for Python 3.9, next Dissect version will support Python 3.10 and up
- VMFS implementation rewritten from scratch
- Mounting btrfs subvolumes with target-mount enabled
- Performance improvements in dissect.util converting to Rust
- Reduced memory consumption by extfs
And much more! For full details see the release notes github.com/fox-it/dissect…
Fox-IT@foxit·
🧀 New blog: "Three Lazarus RATs Coming for Your Cheese"
Read about PondRAT, ThemeForestRAT and RemotePE - three RATs we encountered during incident response involving the Lazarus group. Check the indicators and don't let them steal your cheese! #ThreatIntel #Lazarus #DFIR blog.fox-it.com/2025/09/01/thr…
Fox-IT@foxit·
Dissect release v3.17 - what's new?
🔹 Support for BitLocker and LUKS encrypted disks
🔹 Support for BSD Vinum volumes
🔹 A new MSSQL log parser
🔹 Retrieve installed Ubuntu Snap & Windows applications
🔹 Now possible to create aliases in target-shell
github.com/fox-it/dissect…
Fox-IT@foxit·
Some of these servers show similarities with known attacker infra, like hosting *.js files. We observed compromised FortiManager devices use cURL to retrieve such files, e.g. dom.js. Another server had a file named exp-7.2.6.py, which is also a valid FortiManager version. These are not hard links to FortiJump, but we wanted to share this before going into the weekend. #happyhunting #sharingiscaring
Fox-IT@foxit·
Pivoting on the SimpleHTTP server on port 443 (but not TLS) and ASN 20473 we found servers that are likely related to the #FortiJump #FortiManager CVE-2024-47575 exploitation campaign that are not yet publicly mentioned.
IOCs:
* 107.191.63[.]169
* 139.180.138[.]190
* 149.28.157[.]135
* 167.179.90[.]211
* 216.238.98[.]214
* 65.20.78[.]114
These servers were observed over a period between May and October 2024. #threatintel #sharingiscaring
Fox-IT@foxit·
Hey cyber sleuths! Dissect open source just turned two, and we're not done celebrating. Surprise! Our Dissect add-on for Splunk is now also open sourced, making your Dissect records ingestion a breeze. Prepare to enhance your Splunk powers! 🥳 lnkd.in/g38ii8Et
Fox-IT@foxit·
Say hello to Dissect summer release V.3.15!
· Major rewrite of dissect core engine – cstruct v.4.0 is now released!
· Target tools usability improvements
· MPLog parser added to Windows defender plugin
· Identification of Windows 11 improved
Release 3.15 · fox-it/dissect · GitHub
Fox-IT@foxit·
Dissect release v.3.14 is out! Highlights:
· New project: dissect.archive – archive & backup formats. Already supports WIM format.
· New flow.record version (changes in TCP Splunk adapter)
· dissect-target: layer fs, TOML, Catroot plugin
Fox-IT@foxit·
This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. blog.fox-it.com/2024/04/25/sif…
Fox-IT@foxit·
Check out our latest blog where we pluck the feathers off Android Malware Vultur's latest variants, revealing its most recent developments in masquerading malicious activity and how it maximises remote control over infected devices. blog.fox-it.com/2024/03/28/and…
Fox-IT@foxit·
🌟 Dissect Task Board Now Live! 🌟 Dive into Dissect projects, select tasks, suggest features, and code with a global community. Let's innovate together! 🔗 Look under issues in each Dissect project, or use this filter (log in needed) github.com/issues?q=is%3A…
Fox-IT@foxit·
- Support for Windows installations on drive letters other than C:\
- Support for Linux systems mounts by label
Check out all features and plugins improvements in the release notes! github.com/fox-it/dissect…
Fox-IT@foxit·
Time for a new Dissect release - v.3.13 is out! Highlights:
- New fs support for vmtar and cpio
- New plugins for Brave browser, Docker logs, and Linux locate
- JSON, YAML and XML formats added to the unified configuration parser