Real Intrusions by Real Attackers, the Truth Behind the Intrusion

🧪 DFIR Labs | Help Shape the Next DFIR Challenge We’re planning the next DFIR Challenge and want your input. Head over to our Discord and vote in the Announcements tab for the time slots that work best for you. Your feedback will help us schedule the next challenge so more people can participate, investigate, and test their skills. Discord: discord.gg/dfir Challenge details: dfirlabs.thedfirreport.com/d… #DFIR #BlueTeam #CyberSecurity
🛡️ Active Defense Threat Insights — Proactively Uncover Your Adversaries and Their TTPs Move beyond passive defense and generic threat feeds. Active Defense Threat Insights provides firsthand intelligence that reveals who is targeting your organization and how — delivering evidence-based insight into real adversary activity. We collect and analyze threat interactions to produce customer-specific Indicators of Compromise (IOCs) and detailed Tactics, Techniques, and Procedures (TTPs). These findings go far beyond surface-level summaries, giving your team the clarity needed to understand adversary behavior, intent, and focus areas unique to your environment. 💡 What You Get ➡️ Customer-specific IOCs and adversary TTPs. ➡️ Regular reports detailing targeted campaigns and emerging threats. ➡️ Early warning alerts for relevant or high-risk activity. ➡️ Analysis tailored to your industry and threat landscape. 🚀 Benefits ➡️ Hyper-Relevant Intelligence: Understand threats actively focused on your organization. ➡️ Proactive Early Warning: Detect and disrupt targeted activity before it impacts operations. ➡️ Adversary Insight: Learn how real attackers operate, not just what tools they use. ➡️ Stronger Defenses: Refine detections, response playbooks, and strategy with verified intelligence. ➡️ Strategic Advantage: Turn early insight into action to stay ahead of evolving threats. 📩 Contact us for details
The DFIR Report retweeted
Threat Actors are "Bringing Their Own Forensics" In a recent ClickFix campaign, we saw threat actors likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
"Reviewing the network traffic, we also saw the download of an executable file with the typical MZ header and the “This program cannot be run in DOS mode” string:" Report: thedfirreport.com/2026/02/23…
🧪 DFIR Labs | Help Shape the Next DFIR Challenge We’re planning the next DFIR Challenge and want your input. Head over to our Discord and vote in the Announcements tab for the time slots that work best for you. Your feedback will help us schedule the next challenge so more people can participate, investigate, and test their skills. Discord: discord.gg/VmwpGpB5h6 Challenge details: dfirlabs.thedfirreport.com/d… #DFIR #BlueTeam #CyberSecurity
🔒 Private Threat Briefs — From the Front Lines of Incident Response Go beyond high-level threat summaries. Our Private Threat Briefs deliver unredacted, evidence-based intrusion analysis drawn directly from real investigations. Each brief provides a ground-truth view of how modern intrusions unfold with detailed timelines, command lines, file paths, and forensic artifacts. Delivered shortly after the investigation, they offer timely, operational intelligence to strengthen your defenses today. ⚙️ How Teams Use Our Briefs ▶️ Detection Engineering: Build precise detections from real attacker behavior. ▶️ Incident Response: Leverage real-world playbooks to guide investigations. ▶️ Red Teaming: Recreate authentic adversary operations to test resilience. ▶️ Analyst Training: Develop skills through hands-on, evidence-based cases. ▶️ AI, LLM & ML Development: Use our curated, verified data to train and validate cybersecurity models with real-world, ground-truth evidence. 📩 Contact us for details and examples. lnkd.in/gk-yfpJm #DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam
"On the 18th day of the intrusion, during the second round of threat actor activity, the threat actor moved to final objectives involving the deployment of ransomware across the environment. Using their injected Winlogon process... Report: thedfirreport.com/2026/02/23…
💡 Train Your AI on Reality, Not a Simulation. The DFIR Report's AI Training Ground gives organizations access to authentic, anonymized data from real-world cyber intrusions, purpose-built for developing and validating AI, ML, and LLM-based security models. Backed by years of trusted DFIR expertise, it delivers the ground truth your models need to perform where it actually matters. Whether you're advancing detection algorithms, refining LLM security applications, or conducting data-driven cyber research, the AI Training Ground provides the realism your technology needs. 👉 Contact us to learn more: thedfirreport.com/products/a…
EtherRAT brought blockchain-backed C2 into this intrusion. A malicious MSI masquerading as Sysinternals RAMMap deployed EtherRAT, which used EtherHiding to retrieve Ethereum-hosted C2 config updates before pivoting to TryCloudflare infrastructure. Full report: thedfirreport.com/2026/05/11… #DFIR #ThreatIntel #DigitalForensics
Want to know as soon as a new DFIR Report drops? Subscribe to our mailing list and get email notifications when new reports are published: thedfirreport.com/subscribe/
On the Domain Controller, the actor used dsa.msc to create three persistence accounts — including “administratr” — designed to mimic legitimate users already in the environment. Full report 👇 thedfirreport.com/2025/12/17… #DFIR #ActiveDirectory #Ransomware #ThreatHunting #BlueTeam
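The post above describes persistence accounts such as "administratr" created to blend in with existing users. As an added example, not code from The DFIR Report or the linked case, the block below runs a lookalike check over account-creation events: each new name (Security event 4720, `TargetUserName`) is folded for case and a few common digit-for-letter swaps, then compared by edit distance against the existing user list. "administratr" is the name from the post; every other account name, the creator names and the host are constructed for the example.

```python
"""Flag newly created accounts whose names mimic existing users.

Added example; not code from The DFIR Report. EXISTING_USERS and EVENTS are
constructed sample data shaped like Windows Security event 4720 fields.
"""

# Digits attackers substitute for look-alike letters; folded before comparing.
_FOLD = str.maketrans("015", "ols")


def normalize(name: str) -> str:
    return name.lower().translate(_FOLD)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def closest_existing(name: str, existing) -> tuple:
    """Return (existing user, distance) nearest to the new name after folding."""
    n = normalize(name)
    best = min(existing, key=lambda e: edit_distance(n, normalize(e)))
    return best, edit_distance(n, normalize(best))


# Constructed directory snapshot and events (assumed names and host).
EXISTING_USERS = ["Administrator", "krbtgt", "jsmith", "svc_backup", "a.kowalski"]

EVENTS = [
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "jsmith",
     "TargetUserName": "administratr"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "jsmith",
     "TargetUserName": "Adm1nistrator"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "hr.bot",
     "TargetUserName": "newhire.kim"},
    {"EventID": 4726, "Computer": "DC01", "SubjectUserName": "jsmith",
     "TargetUserName": "tempuser"},   # deletion, not creation: ignored
]


def find_lookalikes(events, existing, max_distance=2, min_length=6) -> list:
    """One hit per 4720 event whose new name is within max_distance of an
    existing user. Distance 0 is excluded (that is a re-created account, a
    different question) and very short names are skipped because almost
    everything is within two edits of them."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        new = ev["TargetUserName"]
        if len(new) < min_length:
            continue
        match, dist = closest_existing(new, existing)
        if 0 < dist <= max_distance:
            hits.append({"created": new, "mimics": match, "distance": dist,
                         "by": ev["SubjectUserName"], "on": ev["Computer"]})
    return hits


if __name__ == "__main__":
    for h in find_lookalikes(EVENTS, EXISTING_USERS):
        print(f"{h['on']}: {h['by']} created '{h['created']}' "
              f"(mimics '{h['mimics']}', distance {h['distance']})")
```

Tune `max_distance` against your own naming scheme before deploying: environments with numbered service accounts (`svc_backup`, `svc_backup2`) will produce distance-1 matches that are legitimate, and the creator (`SubjectUserName`) plus the creating host is usually what separates those from an intruder working on a domain controller.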
Is there a better way to learn than using real data from real intrusions? This is why we developed DFIR Labs, a one-stop-shop where you can work through various cases and see how your skills stack up to intruders. 💪 Start flexing your skills here: thedfirreport.com/products/d…
We identified a large-scale React2Shell (CVE-2025-55182) operation that scanned millions of targets and confirmed 900 successful exploits. Logs showed an automated pipeline for exploitation, hit scoring, alerting, and secret harvesting. Claude Code and OpenClaw were used as an operator-side harness supporting exploitation activity and workflow orchestration. Read the full case: thedfirreport.com/2026/04/22…
🎉 New DFIR Lab is live: ClickFix → RomComRAT → Domain Compromise (Private Case #35646) Step into a nine-day espionage operation and investigate it end-to-end. It starts with a user falling for a deceptive fake CAPTCHA lure, escalates through custom RomComRAT implants for stealthy persistence, and culminates in credential harvesting from critical systems and a massive data exfiltration campaign. What's inside: 🎯 30 investigation questions covering every phase of the intrusion 🧠 5 extra-hard bonus challenges 📊 Brand-new DFIR Dashboards for Splunk and Elastic, built exclusively for this case ⚠️ Difficulty: Hard 🏆 Prizes up for grabs: 🩸 First Blood — first person to pass the quiz 🥇 First to complete all 5 bonus questions 🔐 Log in or purchase the case 👉 dfirlabs.thedfirreport.com/ #DFIR #ThreatHunting #BlueTeam #CyberSecurity

💸 Already in our Discord? You got 10% off this case this weekend. Not in yet? Join for future giveaways, discounts, and announcements 👇 discord.gg/VmwpGpB5h6
"On other hosts, the LB3.exe file was executed via the Explorer.exe process and spawned a subprocess with the -psex option, which was likely intended to trigger the ransomware’s ability to spread via a PsExec-style SMB spreader configurable..." Report: thedfirreport.com/2026/02/23…
We're proud to have contributed to this year's Verizon Data Breach Investigations Report (DBIR)! Read the report: verizon.com/about/news/breac…
We’re proud to share that, through collaboration with trusted partners, including the FBI, we were able to help stop a ransomware attack against a government entity before it could fully unfold. This outcome shows the power of strong public-private partnerships and timely threat intelligence. When defenders, investigators, and security teams work together quickly, we can disrupt threats before they become real-world impact. Thank you to everyone involved for their swift action, trust, and collaboration!
🛡️ Active Defense Threat Insights — Proactively Uncover Your Adversaries and Their TTPs Move beyond passive defense and generic threat feeds. Active Defense Threat Insights provides firsthand intelligence that reveals who is targeting your organization and how — delivering evidence-based insight into real adversary activity. We collect and analyze threat interactions to produce customer-specific Indicators of Compromise (IOCs) and detailed Tactics, Techniques, and Procedures (TTPs). These findings go far beyond surface-level summaries, giving your team the clarity needed to understand adversary behavior, intent, and focus areas unique to your environment. 💡 What You Get ➡️ Customer-specific IOCs and adversary TTPs. ➡️ Regular reports detailing targeted campaigns and emerging threats. ➡️ Early warning alerts for relevant or high-risk activity. ➡️ Analysis tailored to your industry and threat landscape. 🚀 Benefits ➡️ Hyper-Relevant Intelligence: Understand threats actively focused on your organization. ➡️ Proactive Early Warning: Detect and disrupt targeted activity before it impacts operations. ➡️ Adversary Insight: Learn how real attackers operate, not just what tools they use. ➡️ Stronger Defenses: Refine detections, response playbooks, and strategy with verified intelligence. ➡️ Strategic Advantage: Turn early insight into action to stay ahead of evolving threats. Start here 👉 thedfirreport.com/products/a…