The DFIR Report
thedfirreport.bsky.social
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

https://thedfirreport.com
🧪 DFIR Labs | LockBit Ransomware Case #27244

Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access.

Step through the investigation and see how LockBit was deployed end-to-end.
👉 dfirlabs.thedfirreport.com/auth/login
January 7, 2026 at 12:19 AM
Reposted by The DFIR Report
DFIR Labs is closing out the year with 25% off all cases and subscriptions.

✔ Buy now, redeem anytime over the next 3 months
⏰ Offer ends January 1
💳 Discount applied automatically at checkout

dfirlabs.thedfirreport.com
December 26, 2025 at 1:53 PM
Reposted by The DFIR Report
Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect
netresec.com?b=25Cfd08
Latrodectus BackConnect
I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Mont...
netresec.com
December 10, 2025 at 1:22 PM
"The unusual command copied to the user's clipboard abused the SSH ProxyCommand option to quietly invoke the Windows Installer (msiexec) and download a payload, marking the start of the intrusion."
December 22, 2025 at 8:05 PM
🎁 DFIR Labs Giveaway 🎁

We’re giving away 5 FREE DFIR Labs cases!

How to enter:

➡️Post your favorite DFIR Report
➡️Tell us why it's your favorite

That’s it! 🙌 We’ll select 5 winners before Christmas!

DFIR Labs - dfirlabs.thedfirreport.com/auth/login
Reports - thedfirreport.com
December 22, 2025 at 1:28 PM
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader.

All files involved in the initial access phase were signed with valid certificates.
December 10, 2025 at 7:16 PM
Reposted by The DFIR Report
🎉 BLACK FRIDAY DEAL IS LIVE! 🎉

Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last!

🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers!

Don’t miss it — once it’s gone, it’s gone.

store.thedfirreport.com/collections/...
November 24, 2025 at 4:19 PM
"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."
November 20, 2025 at 12:01 AM
🐈 Cat’s Got Your Files: Lynx Ransomware

🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉

Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.
November 17, 2025 at 1:17 PM
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"Artifacts of this SMB enumeration were left behind in the smb.db database stored by NetExec in C:\Users\%UserProfile%\nxc\workspaces\smb.db. This database confirms that a number of domains...

1/2
November 16, 2025 at 6:01 PM
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"In this case, Netscan was run with domain administrator privileges, so all discovered shares were writable. As a result, NetScan was able to create and delete the delete[.]me file on each...

1/2
November 15, 2025 at 6:01 PM
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"On the domain controller, they used the "Active Directory Users and Computers" snap-in (dsa.msc) to create three users for persistence. All of the newly created accounts have usernames that mimic...

1/2
November 14, 2025 at 5:27 PM
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and...

1/3
November 13, 2025 at 3:55 PM
"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."
October 20, 2025 at 12:14 AM
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader.

All files involved in the initial access phase were signed with valid certificates.
October 16, 2025 at 1:29 PM
DFIR Challenge Weekend Recap!

The challenge is complete! A massive thank you to everyone who participated in our latest DFIR Challenge!

Big shoutout to the top finishers who untangled the whole thing:

🥇 Jason Phang Vern Onn
🥈 Marko Yavorskyi
🥉 Bohdan Hrondzal
September 29, 2025 at 11:37 PM
🌟New report out today!🌟

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st.

Audio: Available on Spotify, Apple, YouTube and more!

Report:⬇️
September 29, 2025 at 2:49 PM
"Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow.

Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the..."
September 23, 2025 at 11:19 PM
"Two of the binaries observed in this attack were masquerading as products from well-known and reputable security vendors.

The first binary, GT_NET.exe is associated with Grixba, a custom data-gathering tool used by the Play ransomware group. Its metadata was crafted to..."
September 22, 2025 at 10:10 PM
"The Zoom installer was created using Inno Setup, a free installer for Windows programs, and served as the delivery mechanism for a multi-stage malware deployment and execution chain.

The trojanized installer was a downloader, more publicly known as “d3f@ckloader”, and is..."
September 21, 2025 at 1:05 PM
"On the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to deploy across the network. The process started with the execution of a batch script named SETUP.bat, which created a staging file share..."
September 20, 2025 at 8:54 PM
"On the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period from the IP address 109.160.16[.]68. No link was found from this IP to the other activity detailed so far in the report leading us to assess this was likely a ..."
September 19, 2025 at 11:58 PM
🌟New report out today!🌟

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe

Audio: Available on Spotify, Apple, YouTube and more!

Report:⬇️
September 8, 2025 at 2:47 PM