The DFIR Report

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in …

🚨 Search for software, end up getting ransomware!

SEO-driven #Bumblebee malware campaigns observed throughout July led to domain compromise, data theft & #Akira ransomware. Tools included #AdaptixC2 & #Netscan.

thedfirreport.com/2025/08/05/f...

🚨 New: DFIR Labs Pro Tier is here!

🎯 Smarter investigations with:
• 🧠 AI Timeline Builder (w/ IOCs + notes)
• ⏱️ More lab time + extension credits
• 📊 Analytics dashboard w/ tailored insights

🔗 Dive in: dfirlabs.thedfirreport.com/subscription...

KongTuke FileFix Leads to New Interlock RAT Variant Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware,…

🚨 New Interlock RAT variant spotted!

Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT).

🔎 thedfirreport.com/2025/07/14/k...

#DFIR #KongTuke #InterlockRAT #FileFix

📢DFIR Labs Enterprise Forensics Challenge📢

🔹 When: Aug 30, 2025 (14:00-18:00 UTC)
🔹 SIEM: Azure Log Analytics, Elastic, or Splunk
🔹 Teams: 2-3 analysts
🔹 Prizes: Top team wins! 🏆

Limited spots available.

Register Now: dfirlabs.thedfirreport.com/dfirchalleng...

Hide Your RDP: Password Spray Leads to RansomHub Deployment Key Takeaways Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credential…

🌟New report out today!🌟

Hide Your RDP: Password Spray Leads to RansomHub Deployment

Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2

🔊Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/06/30/h...

The Hive Ransomware Fail - Public Case #18364 This case is based on the public report From ScreenConnect to Hive Ransomware in 61 hours. You will investigate a domain-wide compromise that progressed through multiple stages, beginning with the abu...

Buy Now: store.thedfirreport.com/products/the... (or use your subscription token 😉)

Oh, and the dashboard?

We gave it a full UI refresh. Cleaner, faster, easier to use. Hope you enjoy it!

2/2

A New DFIR Lab is out: The Hive Ransomware Fail 🐝

A domain is under siege, can you trace the threat actor's steps? Sharpen your triage and lateral movement skills in this hands-on investigation.

➡️Difficulty: Easy

1/2

🔎 We're Hiring: Senior Security Analyst

We're looking for a full-time Senior Security Analyst with a passion for dissecting intrusions and translating technical findings into actionable insights.

Check out the full job description and apply here 👉 forms.office.com/r/87y8wAp3gA

📢DFIR Labs Enterprise Forensics Challenge📢

🔹 When: Aug 30, 2025 (14:00-18:00 UTC)
🔹 SIEM: Azure Log Analytics, Elastic, or Splunk
🔹 Teams: 2-3 analysts
🔹 Prizes: Top team wins! 🏆

Limited spots available.

Register Now: dfirlabs.thedfirreport.com/dfirchalleng...

We built these plans to make high-quality DFIR training accessible to everyone.

Ready to dive in? Check out all the details and sign up today! 👇

👉 dfirlabs.thedfirreport.com/subscription...

5/5

For Teams:

Need to level up your whole crew? Our Enterprise plans are packed with features like bulk tokens, detailed usage reporting, 7-day lab access, and priority support. Everything your team needs to sharpen their skills together!

4/5

You'll get 1 token monthly, 2-day lab access, quiz retries, and rollover — all designed for continuous growth, not just one-time learning.

3/5

For Individuals:

Ready to get hands-on with real-world intrusion labs? Our Individual plan is just $14.99/month for a limited time during launch week! Lock in this amazing discounted rate for as long as you're a member.

2/5

🎉 Huge News from DFIR Labs: Subscriptions are Here! 🎉

We're thrilled to announce that subscriptions are officially LIVE and we’re proud of what this means for the DFIR community 💙

1/5

DFIR Discussions: Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Reports · Episode

🎉New DFIR Discussions Episode🎉

🔊Available on Spotify, Apple, & YouTube!

🎙️ We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang. Check it out and let us know what you think!

open.spotify.com/episode/1SKP...

⚔️Registration for the DFIR Labs Enterprise CTF is now LIVE! ⚔️

Assemble your elite SOC/IR team (up to 3 members) for a 4-hour competition to prove you're the best in the industry.

Win prizes, bragging rights, and glory! 🏆

Register now! 👉https://form.jotform.com/251605321344245

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Key Takeaways The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution. Using this access…

Haven't read the report yet?
➡️ thedfirreport.com/2025/05/19/a...

🎙️ New Podcast Episode Dropping Soon!

We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang.

Stay tuned for deep insights, behind-the-scenes analysis, and expert commentary from the front lines of DFIR. 🔍

RansomHub Leads to Domain Compromise – Private Case #33490 This case is based on a Private Threat Brief. You’ll get to investigate a domain-wide compromise involving a multi-stage intrusion that started with a password spraying attack. The threat actor establ...

If you missed the CTF or want to relive the madness:

➡️ RansomHub Leads to Domain Compromise Lab : store.thedfirreport.com/products/ran...

Same 6-day intrusion. Same host sprawl. Same telemetry.

Take your time, pivot your way through, and sharpen those investigation skills.

Huge thanks to everyone who participated, helped organize, and supported this event. We hope you had as much fun as we did — and we can't wait to see you at the next one!

And now… the lab that powered the whole event is live and available 🔥

🚨 That CTF finale was wild. Only 300 points between 1st and 3rd — it stayed neck-and-neck till the very last minute.

Big congrats to our winners!

🥇 @Friffnz — 5100 pts
🥈 snail — 4840 pts
🥉 forynsics — 4800 pts

🚨 CTF is starting soon!🚨

Don't Miss the DFIR Labs CTF - Registration Still Open!

➡️When: Today, June 7th | 16:30–20:30 UTC
➡️➡️Register: dfirlabs.thedfirreport.com/ctf

/1
🚨 𝐂𝐓𝐅 𝐤𝐢𝐜𝐤𝐬 𝐨𝐟𝐟 𝐢𝐧 𝐥𝐞𝐬𝐬 𝐭𝐡𝐚𝐧 48𝐡 - 𝐚𝐧𝐝 𝐭𝐡𝐢𝐬 𝐨𝐧𝐞’𝐬 𝐛𝐢𝐠.
One of the most involved cases we’ve ever made available to the public.

You’ll be diving into an intrusion that hit 18 hosts, including:
➡️ Domain Controllers
➡️ Backup Servers
➡️ Hypervisors
➡️ RDP Servers (Guess the initial access gonna be? 😏)

Contact Us PGP Key

➡️ The above is from a recent Private Threat Brief: "Interlock-Linked Threat Actor Gains Access via Fake Teams ClickFix Lure"

➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/

3/3

The malware in this case took 15 minutes to establish a successful connection to an online endpoint at hxxp://bristol-weed-martin-know[.]trycloudflare[.]com/init1234."

2/3

"The remote endpoints it attempted to contact included several TryCloudflare domains as well as direct IP addresses.

The logic would rotate through the various servers until an online host was found.

1/3

#dfir #CyberSecurity #cyberthreatintelligence #cti #interlock #ransomware

🎯 THIS SATURDAY: DFIR Labs CTF 🎯

⏰ June 7 | 1630–2030 UTC
🔗 Register Now → dfirlabs.thedfirreport.com/ctf

🚀 DFIR Labs CTF is back!
💥 Only $9.99 to join
💥 Choose Elastic or Splunk
💥 Access a brand-new, unreleased case
💥 Top 5 get invited to join The DFIR Report team!

We had a blast speaking at the Ransomware Summit! 🎤💥
Huge thanks to everyone involved!

🎥 Missed our keynote? No worries — you can catch the full session here:

👉 www.youtube.com/live/nhB-xkm...

🔥 DFIR Labs is Evolving! Have You Seen What's New? 🔥

Big things are happening at DFIR Labs! We've been hard at work implementing a wave of exciting changes and improvements, all designed to enhance your experience!

➡️ Check it out now! dfirlabs.thedfirreport.com

Interested in receiving private reports similar to this report? Contact us for pricing - thedfirreport.com/contact/

4/4