The DFIR Report: Real Intrusions by Real Attackers, The Truth Behind the Intrusion
- From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira, by editor on August 5, 2025 at 12:00 pm
Overview: Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery …
- KongTuke FileFix Leads to New Interlock RAT Variant, by editor on July 14, 2025 at 12:50 am
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware, a shift …
- Hide Your RDP: Password Spray Leads to RansomHub Deployment, by editor on June 30, 2025 at 12:20 am
Case Summary: This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted …
- Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware, by editor on May 19, 2025 at 12:05 am
Case Summary: In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP …
- Navigating Through The Fog, by editor on April 28, 2025 at 12:03 am
Key Takeaways: An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence…
- Fake Zoom Ends in BlackSuit Ransomware, by editor on March 31, 2025 at 12:01 am
Case Summary: This case from May 2024 started with a malicious download from a website mimicking the teleconferencing application Zoom. When visiting the website and downloading a file …
- Confluence Exploit Leads to LockBit Ransomware, by editor on February 24, 2025 at 12:06 am
Case Summary: The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor …
- Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware, by editor on January 27, 2025 at 1:42 am
Case Summary: This intrusion began near the end of January 2024 when the user downloaded and executed a file using the same name (setup_wm.exe) and executable icon, as …
- The Curious Case of an Egg-Cellent Resume, by editor on December 2, 2024 at 1:50 am
Private Threat Briefs: Over 20 private DFIR reports annually. Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc. All Intel: Includes everything from …
- Inside the Open Directory of the “You Dun” Threat Group, by editor on October 28, 2024 at 1:05 am
Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 …