The DFIR Report


Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

Detections: http://github.com/The-DFIR-Report | Services: http://thedfirreport.com/services

We’re proud to share that, through collaboration with trusted partners, including the FBI, we were able to help stop a ransomware attack against a government entity before it could fully unfold.

This outcome shows the power of strong public-private partnerships and timely threat intelligence. When defenders, investigators, and security teams work together quickly, we can disrupt threats before they become real-world impact.

Thank you to everyone involved!

πŸ›‘οΈ Active Defense Threat Insights β€” Proactively Uncover Your Adversaries and Their TTPs

Move beyond passive defense & generic threat feeds. Active Defense Threat Insights provides firsthand intelligence that reveals who is targeting your organization and how — delivering evidence-based insight into real adversary activity.

Start here 👉 https://thedfirreport.com/products/active-defense/

🎉 New DFIR Labs case drops this weekend!

ClickFix → RomComRAT → Domain Compromise (Private Case #35646)
⚠️ Hard | 🎯 30 Qs + 5 bonus

Nine-day op: fake CAPTCHA lure, custom RAT implants, credential theft, mass exfil.
🆕 New Splunk + Elastic dashboards included.

🎁 Launch weekend = giveaways + 10% off discount code

Join our Discord for the code, prizes, and challenge details 👇
https://discord.gg/VmwpGpB5h6

🔒 Private DFIR Report: ViewState of Mind: Gladinet Exploit Opens the Door

In January, we observed a threat actor gain initial access to an environment by exploiting CVE-2025-30406 on an exposed Gladinet CentreStack server. Looking at the network traffic at the time of this connection showed large VIEWSTATE payloads being sent to the server.

Private report — request access or a demo: https://thedfirreport.com/products/threat-intel/private-dfir-reports/

Cybersecurity Training Using Real Cases

Whether you are just starting out in your cybersecurity career, sharpening your knowledge or are an expert, there is a lab for you!

Dig into each case, analyze the evidence, and trace every step of the intrusion from start to finish.

Ready to dive in? 👉 https://thedfirreport.com/products/dfir-labs/

Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware.

Detection opportunities included!

Full report: https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/

#ThreatIntel #ThreatHunting #DigitalForensics

Low noise. High signal.

That’s not marketing language — it’s how we built our Threat Feed.

If you get an alert in your environment from our feed — ping us. We’ll help triage it. That’s how much we trust the signal.

We built this for defenders who are tired of chasing ghosts and burning cycles on low-fidelity alerts. When it fires, it’s worth your time.

🔎 Real context
🎯 High-confidence detections
⚡ Built for response, not dashboards

Learn more about the Threat Feed:
https://thedfirreport.com/products/threat-feed/

"Soon after the collection activities performed on the beachhead host on day six of the intrusion, the threat actor browsed to the temporary file sharing site https://temp.sh — a site commonly used by threat actors to exfiltrate data or host malicious payloads."

In this Lynx ransomware case, https://temp.sh was leveraged as part of the exfiltration workflow prior to ransomware deployment.

Report: https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
Services: https://thedfirreport.com/services/

Last week's DFIR Labs Discord challenge:

A threat actor recently hid commands inside a scheduled task's Description field — AES-encrypted and triggered by an obfuscated PowerShell payload.

Can you find the final command executed?

Join the DFIR Labs Discord server for the question, answer, and walkthrough.

👉 https://discord.gg/VmwpGpB5h6
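As an added example (not part of the challenge and not The DFIR Report's own tooling), a Python hunt over exported scheduled task XML that flags a Description field carrying a long base64-looking or high-entropy blob, the stash location described above. The sample tasks, the script path and the thresholds are constructed assumptions, not values from the case.

```python
import base64
import math
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Windows scheduled task XML (schtasks /query /xml, files under System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# 40+ base64 characters with optional padding: far longer than any honest task description needs.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: English prose sits near 4, base64 of ciphertext closer to 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def inspect_task(task_xml: str, min_len: int = 40, min_entropy: float = 4.5) -> dict:
    """Pull the Description and Exec action out of one task and decide whether the Description looks like a stashed payload."""
    root = ET.fromstring(task_xml)
    desc = (root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS) or "").strip()
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    ent = shannon_entropy(desc)
    # Short prose never trips; a long base64 run or an unusually high-entropy string does.
    suspicious = len(desc) >= min_len and (B64_RE.match(desc) is not None or ent >= min_entropy)
    return {"description": desc, "entropy": round(ent, 2), "command": f"{cmd} {args}".strip(), "suspicious": suspicious}


# Constructed stand-in for an AES ciphertext blob; it is plain text encoded in base64, not a real payload.
SAMPLE_BLOB = base64.b64encode(b"constructed stand-in bytes, not a real payload " * 3).decode()


def task_xml(description: str) -> str:
    """Build a minimal, constructed task definition (assumed script path) with the given Description."""
    return f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>{description}</Description></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -File C:\\ProgramData\\update.ps1</Arguments></Exec></Actions>
</Task>"""


def findings_for_samples() -> list:
    """Run the check over one benign and one stashed-payload task."""
    return [inspect_task(task_xml("Runs the nightly backup job.")), inspect_task(task_xml(SAMPLE_BLOB))]


if __name__ == "__main__":
    for finding in findings_for_samples():
        print(finding)
```

On a live host, feed the same function the XML files collected from System32\Tasks or the output of schtasks /query /xml; the Exec command is returned alongside so a hit can be triaged without reopening the task.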

🎁 DFIR Labs Giveaway — tomorrow.

We're giving away free cases and subscriptions to members of the DFIR Labs Discord server. Multiple winners!

To participate: join the DFIR Labs Discord server before tomorrow's drawing. Already a member? You're in.
👉 https://discord.gg/VmwpGpB5h6

🔗 Check out DFIR Labs: https://dfirlabs.thedfirreport.com/