Real Intrusions by Real Attackers, the Truth Behind the Intrusion. https://thedfirreport.com
The DFIR Report
RDP bitmap cache artifacts revealed the threat actor opening the Veeam Backup & Replication console, reviewing backup jobs, tape & storage infrastructure — and removing backups from the configuration database. Full report 👇 thedfirreport.com/2025/12/17/c...
"The threat actor also ran the command netstat -t, which displays active connections; however, -t is not a documented option for netstat on Windows." Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
"On some hosts, Microsoft Defender antivirus was active. On these systems, Defender detected and blocked execution of the service creation and Powershell execution..." Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
"The ransom note did not follow the normal LockBit format directing victims to a Tor leak site or TOX/Jabber communications; instead, it instructed them to download and use the Session private messaging application... Report: thedfirreport.com/2026/02/23/a...
We’re seeing a “Missing Font” ClickFix chain in the wild. Flow: 1️⃣ Fake “Missing Font” prompt 2️⃣ Leads to a BSOD-style recovery screen 3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands #infosec #DFIR #threatintel
Day 9: Ransomware deployment. The threat actor RDP’d from the beachhead to backup & file servers and dropped the Lynx payload “w.exe” using a compromised Domain Admin account. Full breakdown 👇 thedfirreport.com/2025/12/17/c... #DFIR #Ransomware #ThreatHunting #BlueTeam #CyberSecurity
Report: thedfirreport.com/2025/12/17/c... Services: thedfirreport.com/services/ Contact Us for pricing or a demo: thedfirreport.com/contact/
This Diamond Model from our “Cat’s Got Your Files: Lynx Ransomware” report illustrates the four core elements of the intrusion. See how all four vertices aligned for full-domain compromise 👇 thedfirreport.com/2025/12/17/c... #DFIR #ThreatIntel #Ransomware #BlueTeam #CyberSecurity