DFIR Radar
@DFIR_Radar

1.8K posts

Keeping DFIR Intelligence on your Radar.

Joined March 2025
1 Following, 1.4K Followers

Pinned Tweet
DFIR Radar @DFIR_Radar:

Hundreds of cybersecurity blogs, research reports, and advisories published every day. No one has time to read them all. And the one report that matters? It's buried somewhere in the noise.

That's why DFIR Radar exists. We monitor the cybersecurity landscape around the clock. Every article is evaluated for DFIR relevance. Only what's genuinely useful makes it through. The rest never reaches your feed.

This feed is the result of that process. Every article is sourced, evaluated, and published only if it meets the standard. If you find something we missed, our Discord community lets you contribute directly.

Discord community: discord.gg/rHkqgs53bF

Built by a practitioner who needed this to exist. Follow once. Stay informed forever.

#DFIR_Radar
DFIR Radar @DFIR_Radar:

CVE-2026-31431 (Dirty Frag/Copy Fail) Linux kernel privilege escalation vulnerability was actively exploited 9+ days before public disclosure. ReversingLabs identified 163 unique samples across ELF binaries, Python scripts, and malicious PyPI packages.

Key technical details:
• CVE-2026-31431 exploits kernel page-cache manipulation similar to Dirty Pipe (CVE-2022-0847) for local privilege escalation
• Earliest malicious sample observed April 29, 2026 - major surge began May 1 with 50+ samples overnight
• Shellcode pattern uses compact syscalls: setuid(0), setgid(0), setgroups(0), then execve("/bin/sh") with TERM=xterm
• Linux.Trojan.Multiverze family actively adopted the exploit; malicious PyPI wheel "copyfail" distributed via supply chain

Attack methodology (MITRE ATT&CK):
• T1068: Exploitation for Privilege Escalation via kernel vulnerability
• T1548.001: Abuse setuid/setgid mechanisms for root credential normalization
• T1195.002: Supply chain compromise through malicious PyPI package distribution
• T1059.004/.006: Unix shell and Python interpreter abuse for payload execution

DFIR artifacts and detection:
• V4bel reference implementation uses distinctive opcode patterns: b06a0f05 (setgid), b0690f05 (setuid), b0740f05 (setgroups)
• Co-occurrence of /bin/sh and TERM=xterm strings with syscall patterns provides high-confidence detection
• AV detection rates currently 2-17 scanners, indicating signature gap

#DFIR_Radar
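As an added example (not code from DFIR Radar or ReversingLabs), a Python triage scanner that applies the detection rule in the post above: the three syscall stubs must co-occur with the /bin/sh and TERM=xterm strings. It handles ELF blobs and Python scripts that carry the bytes as escapes or hex text; all sample inputs are constructed.

```python
import re

# Opcode stubs quoted in the post ("mov al, <nr>; syscall"): x86-64 syscall
# numbers 0x69 setuid, 0x6a setgid, 0x74 setgroups.
SYSCALL_STUBS = {
    "setuid": bytes.fromhex("b0690f05"),
    "setgid": bytes.fromhex("b06a0f05"),
    "setgroups": bytes.fromhex("b0740f05"),
}
STRINGS = (b"/bin/sh", b"TERM=xterm")

def normalise(sample: bytes) -> bytes:
    """ELF samples are scanned as-is. Python droppers usually carry the stub
    as \\xNN escapes or as a hex string, so decode those text forms too and
    append them to the search space."""
    extra = bytearray()
    for m in re.finditer(rb"(?:\\x[0-9a-fA-F]{2}){4,}", sample):
        extra += bytes.fromhex(m.group().replace(b"\\x", b"").decode())
    for m in re.finditer(rb"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){8,}(?![0-9a-fA-F])", sample):
        extra += bytes.fromhex(m.group().decode())
    return sample + bytes(extra)

def scan(sample: bytes) -> dict:
    """Report which stubs/strings are present and a verdict: 'high' only when
    all three stubs co-occur with both strings (the post's co-occurrence
    rule), 'low' for partial hits, otherwise 'clean'."""
    data = normalise(sample)
    stubs = {k: v in data for k, v in SYSCALL_STUBS.items()}
    strings = {s.decode(): s in data for s in STRINGS}
    if all(stubs.values()) and all(strings.values()):
        verdict = "high"
    elif any(stubs.values()) or any(strings.values()):
        verdict = "low"
    else:
        verdict = "clean"
    return {"stubs": stubs, "strings": strings, "verdict": verdict}

# Constructed samples (not real malware): an ELF-like blob with the three
# stubs and both strings, and a Python-dropper-like text with escaped bytes.
ELF_LIKE = (b"\x7fELF" + b"\x00" * 12 + b"".join(SYSCALL_STUBS.values())
            + b"\x00/bin/sh\x00TERM=xterm\x00")
PY_LIKE = (b'sc = b"\\xb0\\x69\\x0f\\x05\\xb0\\x6a\\x0f\\x05\\xb0\\x74\\x0f\\x05"\n'
           b'env = ["TERM=xterm"]\nos.execve("/bin/sh", ["sh"], env)\n')
CLEAN = b"\x7fELF" + b"\x00" * 12 + b"nothing to see here"

if __name__ == "__main__":
    for name, blob in (("elf", ELF_LIKE), ("py", PY_LIKE), ("clean", CLEAN)):
        print(name, scan(blob)["verdict"])
```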
DFIR Radar @DFIR_Radar:
New analysis reveals how scammers abuse Microsoft Quick Assist for remote access scams. Research provides detection strategies for suspicious Quick Assist sessions and hardening recommendations to block abuse. #DFIR_Radar
DFIR Radar @DFIR_Radar:
Attackers actively exploit critical cPanel CVE-2026-41940 (CVSS 9.3) to deploy Filemanager backdoor via authentication bypass. Mr_Rot13 threat group targets thousands of instances with Go-based malware since February. #DFIR_Radar
DFIR Radar @DFIR_Radar:
Malicious Hugging Face repo typosquatted OpenAI's Privacy Filter, reaching 244K downloads in 18 hours via inflated metrics. Rust-based infostealer evades detection and harvests browser creds, crypto wallets, Discord tokens. #DFIR_Radar
DFIR Radar @DFIR_Radar:

TeamPCP threat group's Shai-Hulud campaign compromised 416+ npm/PyPI packages including TanStack and Mistral AI, using stolen OIDC tokens to publish malware with valid SLSA Build Level 3 attestations. Attack exploited legitimate CI/CD pipelines to appear cryptographically authentic.

Technical breakdown:
• Chained 3 vulns: risky pull_request_target workflow, GitHub Actions cache poisoning, OIDC token theft from runner memory
• Clever Git trick: orphaned commit in TanStack/router fork accessed via malicious optional dependency, auto-executing during npm install
• Targets 100+ credential types: GitHub PATs, AWS IAM, Kubernetes tokens, HashiCorp Vault, SSH keys, VS Code configs, .env files
• Exfiltration via Session P2P network mimicking encrypted messenger traffic to evade detection
• Persistence through Claude Code hooks and VS Code auto-run tasks survives package removal

Self-propagation: steals GitHub/npm creds → enumerates linked packages → injects payload into tarballs → republishes malicious versions with valid signatures.

Incident responders should audit IDE directories for router_runtime.js/setup.mjs artifacts, rotate all dev credentials, and block C2 infrastructure: api[.]masscan[.]cloud, git-tanstack[.]com, *[.]getsession[.]org.

#DFIR_Radar
DFIR Radar @DFIR_Radar:

State-sponsored actors exploit trust boundaries using legitimate tools and credentials, requiring fundamentally different IR approaches than ransomware response. They operate for months undetected, using PowerShell, WMI, and existing admin tools rather than custom malware.

Key operational differences:
• Reconnaissance phase lasts weeks/months using OSINT and social engineering, often leaving zero artifacts in defender logs
• Initial access via legitimate credentials from spear phishing or supply chain compromise - no exploit signatures
• Lateral movement through trusted tools (SCCM, Puppet, PowerShell AD queries) that appear as routine admin tasks
• Multiple persistence mechanisms across infrastructure: scheduled tasks, service configs, dormant accounts, firmware implants
• Anti-forensics includes log clearing, timestamp manipulation, memory-only operations, and false flag attribution

Critical preparedness gaps:
• Default logging insufficient - enable Windows process creation (4688), PowerShell script block logging (4104), deploy Sysmon on critical systems
• Behavioral baselines must be continuously updated to reflect organizational changes and seasonal patterns
• Out-of-band communications essential - assume adversary can monitor internal IR channels if they have domain admin
• OT/ICS environments need hardware-enforced unidirectional gateways, not software-defined segmentation

#DFIR_Radar
DFIR Radar @DFIR_Radar:

EKS containers are ephemeral - when pods crash, logs vanish forever unless shipped to CloudWatch beforehand. New guide details forensic artifacts and containment strategies for Kubernetes breaches.

Key technical details:
• EKS logging sources: API server logs, audit logs, authenticator logs (RBAC/IAM), controller manager, scheduler, and application logs
• Non-EKS sources: CloudTrail (lateral movement detection), VPC Flow logs (C2 traffic), GuardDuty alerts
• Critical artifacts: /var/log/pods directory on worker nodes, memory dumps from compromised containers
• Detection queries for kubectl exec abuse: filter requestURI containing "/exec" in kube-apiserver-audit logs

Containment strategy:
• Apply "Deny-All" NetworkPolicy to quarantine infected pods while preserving forensic evidence
• Remove pod labels to stop load balancer traffic routing
• Rotate compromised authentication credentials immediately
• Replace infected containers entirely - treat as cattle, not pets

Real-world case: TraderTraitor (North Korean 🇰🇵 APT) pivoted from phished EKS cluster to cryptocurrency exchange financial systems via exposed service account tokens.

Enable comprehensive EKS logging before incidents occur. Query CloudWatch for suspicious kubectl exec and secrets access patterns.

#DFIR_Radar
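The exec and secrets-access queries the post above recommends, as an added example (not from DFIR Radar or the guide it summarises): a Python triage pass over kube-apiserver audit events in the standard audit.k8s.io/v1 Event layout (requestURI, verb, user, objectRef, sourceIPs, auditID). The log lines are constructed.

```python
import json
from urllib.parse import parse_qs, urlsplit

def triage(lines):
    """One finding per kubectl exec session or secrets read; keyed on auditID
    so the ResponseStarted and ResponseComplete stages of one call count once."""
    seen, findings = set(), []
    for raw in lines:
        if not raw.strip(): continue
        ev = json.loads(raw)
        if ev.get("auditID") in seen: continue
        uri = urlsplit(ev.get("requestURI", ""))
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "?")
        finding = None
        if uri.path.endswith("/exec"):
            # exec is a create on the pod's exec subresource; the command arrives as repeated command= query params
            cmd = " ".join(parse_qs(uri.query).get("command", []))
            finding = {"type": "exec", "detail": cmd or "(no command)"}
        elif ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list"):
            finding = {"type": "secrets", "detail": ev["verb"]}
        if finding:
            # a service-account identity reading secrets is the token pivot pattern from the TraderTraitor case
            finding.update(user=user, time=ev.get("requestReceivedTimestamp"),
                           target=f"{ref.get('namespace')}/{ref.get('name') or '*'}",
                           source=",".join(ev.get("sourceIPs", [])),
                           svc_account=user.startswith("system:serviceaccount:"))
            seen.add(ev.get("auditID"))
            findings.append(finding)
    return findings

# Constructed audit events (not real log data): two stages of one exec call,
# a secrets read by a service account, and a routine pod list.
SAMPLE_EVENTS = [
    {"auditID": "a1", "stage": "ResponseStarted", "verb": "create",
     "requestURI": "/api/v1/namespaces/prod/pods/web-1/exec?command=sh&command=-c&command=id&container=web&stdin=true&tty=true",
     "user": {"username": "kubernetes-admin"}, "sourceIPs": ["203.0.113.5"], "requestReceivedTimestamp": "2025-06-01T10:00:00Z",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1", "subresource": "exec"}},
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "create",
     "requestURI": "/api/v1/namespaces/prod/pods/web-1/exec?command=sh", "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1", "subresource": "exec"}},
    {"auditID": "b2", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/namespaces/prod/secrets/exchange-api-key", "sourceIPs": ["10.0.4.17"],
     "user": {"username": "system:serviceaccount:prod:app-sa"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "exchange-api-key"}},
    {"auditID": "c3", "stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/namespaces/prod/pods",
     "user": {"username": "deploy-bot"}, "objectRef": {"resource": "pods", "namespace": "prod"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)
```

Running `triage(SAMPLE_LOG.splitlines())` yields two findings: the exec session (command `sh -c id` against prod/web-1) and the service-account secrets read.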
DFIR Radar @DFIR_Radar:
New research reveals Microsoft Edge stores all saved passwords in cleartext memory, extractable via simple memory dumps without decryption. Microsoft claims this is by design for "fast, secure experience." POC tool available. #DFIR_Radar
DFIR Radar @DFIR_Radar:
TrickMo Android banking trojan migrates C2 communications to TON blockchain network, enabling stealth operations and turning infected devices into network pivots with SSH tunneling capabilities. #DFIR_Radar
DFIR Radar @DFIR_Radar:

TeamPCP executes sophisticated supply chain attack compromising TanStack, UiPath, and Mistral npm packages through GitHub Actions cache poisoning and OIDC token theft. Attack affects millions of weekly downloads and introduces destructive wiper targeting developer machines.

Key technical details:
• Exploited GitHub Actions pull_request_target workflow to poison pnpm cache, then extracted OIDC tokens from runner memory (`/proc//mem`)
• Malicious packages deploy via optionalDependencies orphan commit and embedded router_init.js (~2.3MB obfuscated)
• Credential stealer targets CI/CD tokens, cloud credentials (AWS IMDSv2, GCP, Azure), K8s service accounts, HashiCorp Vault
• Triple C2 exfiltration: typosquat git-tanstack[.]com, Session messenger network, GitHub API dead drops

Attack methodology:
• Self-propagating worm uses stolen npm/GitHub tokens to publish additional poisoned packages
• UiPath variant uses preinstall script downloading Bun runtime (same TTPs as previous SAP compromise)
• Persistent gh-token-monitor daemon polls GitHub every 60s, triggers `rm -rf ~/` on token revocation
• Avoids Russian-configured systems (geofencing typical of TeamPCP operations)

Check lockfiles for affected versions, search for router_init.js/setup.mjs files, remove gh-token-monitor daemons BEFORE rotating tokens to prevent wiper activation.

#DFIR_Radar