The DFIR Report

1.3K Followers
0 Following
314 Posts

Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

Detections: http://github.com/The-DFIR-Report | Services: http://thedfirreport.com/services |

"In particular, the RDP bitmap cache of the beachhead host shows the threat actor opening the Veeam Backup & Replication console."

From there, they browsed active backup jobs, tape infrastructure, and storage repositories — before removing backups from the configuration database, as evidenced by reconstructed RDP bitmap cache artifacts.

Report: https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
Services: https://thedfirreport.com/services/
Contact Us for pricing or a demo: https://thedfirreport.com/contact/

We’re seeing a “Missing Font” ClickFix chain in the wild.

Flow:
1️⃣ Fake “Missing Font” prompt
2️⃣ Leads to a BSOD-style recovery screen
3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands

This variant leans into a more convincing multi-step user flow compared to typical ClickFix lures.

Curious if others are seeing similar activity?

#infosec #DFIR #threatintel

Threat Actors are "Bringing Their Own Forensics"

In a recent ClickFix campaign, we saw threat actors, likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines.

Commonly a tool for defenders, Volatility was used by the threat actors to:

➡️ Dump RAM: Capturing mem.raw from the infected host.
➡️ Extract Hashes: Using windows.hashdump to pull NTLM hashes.
➡️ Steal Credentials: Using windows.cachedump to extract cached creds.

"The IP address 195.211.190[.]189 was hosted on infrastructure from Railnet LLC — a legal front for the Russia-based bulletproof hosting provider Virtualine, as reported by Intrinsec."

In this Lynx ransomware case, the threat actor leveraged infrastructure tied to a known bulletproof hosting provider.

Report: https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
Services: https://thedfirreport.com/services/
Contact Us for pricing or a demo: https://thedfirreport.com/contact/

"On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system settings to the user’s preference. This LOLBIN was used to disable Windows Defender settings on the server."

Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/

"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"

Low noise. High signal.

That’s not marketing language — it’s how we built our Threat Feed.

If you get an alert in your environment from our feed — ping us. We’ll help triage it. That’s how much we trust the signal.

We built this for defenders who are tired of chasing ghosts and burning cycles on low-fidelity alerts. When it fires, it’s worth your time.

🔎 Real context
🎯 High-confidence detections
⚡ Built for response, not dashboards

Learn more about the Threat Feed:
https://thedfirreport.com/products/threat-feed/

"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389. We assess that these commands were included in the batch file."

Link to the report ⬇️

"Around 50 minutes after the connection to this second domain controller the ransomware propagation began. Deployment of ransomware consisted of creating remote services on domain joined endpoints, and included distributing the files via SMB."

➡️ The above is from a Private Threat Brief: "Fake RVTools Installer Leads to PipeMagic, CLFS Exploit, and Ransomexx"

"SoftPerfect NetScan was used extensively during the intrusion… evidence from Security Event ID 4688 logs showed mstsc.exe /v:<IP address> being launched by netscan.exe, confirming the use of NetScan’s Remote Desktop functionality."

Report: https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
Products: https://thedfirreport.com/products/
Contact Us for pricing or a demo: https://thedfirreport.com/contact/
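Two of the process-tree observations quoted above (COMSVCS used on the backup server to write a credential dump into the temp directory, and Security Event ID 4688 showing mstsc.exe /v:<IP address> launched by netscan.exe) both reduce to parent/child/command-line checks on process creation events. The block below is an added example, not code from The DFIR Report or from the reports it quotes: it parses constructed 4688-style messages (the field names Account Name, New Process Name, Creator Process Name and Process Command Line are the ones Windows writes when command-line auditing is enabled; the paths, PID, account names and the 10.10.20.15 target are made up) and runs both detections over them.

```python
import re
from dataclasses import dataclass

# Constructed Security 4688 (process creation) messages, not log data from the
# report. Three events: netscan.exe launching mstsc.exe toward a host, rundll32
# loading comsvcs.dll with an output file under the temp directory, and a benign
# explorer-launched notepad that must not fire either rule.
SAMPLE_4688_MESSAGES = r"""
Subject:
    Account Name:           svc_backup
Process Information:
    New Process Name:       C:\Windows\System32\mstsc.exe
    Creator Process Name:   C:\Users\svc_backup\Downloads\netscan.exe
    Process Command Line:   mstsc.exe /v:10.10.20.15

Subject:
    Account Name:           SYSTEM
Process Information:
    New Process Name:       C:\Windows\System32\rundll32.exe
    Creator Process Name:   C:\Windows\System32\cmd.exe
    Process Command Line:   rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\dump.bin full

Subject:
    Account Name:           jsmith
Process Information:
    New Process Name:       C:\Windows\System32\notepad.exe
    Creator Process Name:   C:\Windows\explorer.exe
    Process Command Line:   "C:\Windows\System32\notepad.exe" notes.txt
"""


@dataclass(frozen=True)
class ProcessEvent:
    account: str          # Subject -> Account Name
    new_process: str      # New Process Name
    parent_process: str   # Creator Process Name
    command_line: str     # Process Command Line (needs command-line auditing)


# Matches one "Key:   value" line of the 4688 message body.
FIELD_RE = re.compile(
    r"^\s*(Account Name|New Process Name|Creator Process Name|Process Command Line):\s*(.*)$",
    re.M,
)


def parse_4688(text):
    """Split the message text into blank-line-separated events and extract the fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(block)}
        if "New Process Name" not in fields:
            continue
        events.append(ProcessEvent(
            account=fields.get("Account Name", ""),
            new_process=fields["New Process Name"],
            parent_process=fields.get("Creator Process Name", ""),
            command_line=fields.get("Process Command Line", ""),
        ))
    return events


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


RDP_TARGET_RE = re.compile(r"/v:(\S+)", re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\|%temp%", re.I)


def rdp_target(ev):
    """Return the host passed to mstsc.exe via /v:, or None (useful for scoping lateral movement)."""
    m = RDP_TARGET_RE.search(ev.command_line)
    return m.group(1) if m else None


def detect_netscan_rdp(ev):
    """NetScan's Remote Desktop feature: mstsc.exe whose parent is netscan.exe, with a /v: target."""
    return (_basename(ev.new_process) == "mstsc.exe"
            and _basename(ev.parent_process) == "netscan.exe"
            and rdp_target(ev) is not None)


def detect_comsvcs_dump(ev):
    """rundll32 loading comsvcs.dll with an output path under a temp directory."""
    cmd = ev.command_line.lower()
    return (_basename(ev.new_process) == "rundll32.exe"
            and "comsvcs.dll" in cmd
            and TEMP_DIR_RE.search(cmd) is not None)


RULES = {
    "netscan_rdp_pivot": detect_netscan_rdp,
    "comsvcs_credential_dump": detect_comsvcs_dump,
}


def run_detections(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in run_detections(parse_4688(SAMPLE_4688_MESSAGES)):
        print(f"{name}: {ev.account} {ev.parent_process} -> {ev.new_process} | {ev.command_line}")
```

Both rules deliberately key on the parent process and the command line rather than on the child image alone, since mstsc.exe and rundll32.exe are noisy on their own; the rdp_target helper gives the responder the next host to pull logs from.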