Yun (@yunzhenghu)'s Twitter Profile
Yun

@yunzhenghu

ID: 295255006

Joined: 08-05-2011 17:24:06

707 Tweets

359 Followers

696 Following

Fox-IT (@foxit) 's Twitter Profile Photo

Join us for a webinar on Dissect, Fox-IT’s in-house developed enterprise-scale forensics framework for data acquisition and analysis. It has enabled our IR practice to push its capabilities, increase its speed and provide more value to our customers. event.on24.com/wcc/r/3910820/…

13Cubed (@13cubeddfir) 's Twitter Profile Photo

Merry Christmas 🎄! Here’s a new 13Cubed episode about Dissect -- a powerful, now open source, IR framework. Enjoy! youtube.com/watch?v=A2e203… #DFIR #forensics

Yun (@yunzhenghu) 's Twitter Profile Photo

In this blog post, we share our research on version identification of Citrix ADC and Gateway servers and how we measured the update adoption on the internet for CVE-2022-27510 & CVE-2022-27518, two critical CVEs with a CVSS v3 score of 9.8 blog.fox-it.com/2022/12/28/cve…

Fox-IT (@foxit) 's Twitter Profile Photo

🚨Fox-IT and Dutch Institute for Vulnerability Disclosure have revealed that an exploitation campaign targeting Citrix NetScalers has backdoored approximately 2K NetScalers worldwide! Check your NetScalers for indicators of compromise, even after patching CVE-2023-3519!🔒 🔗blog: blog.fox-it.com/2023/08/15/app…

Fox-IT (@foxit) 's Twitter Profile Photo

🚨IMPORTANT🚨 We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding [1/3]

Fox-IT (@foxit) 's Twitter Profile Photo

🙋‍♂️Update! With Cisco IOS XE CVE-2023-20198 exploitation details now public, we're releasing our Suricata rules. These rules monitor for a percent-encoded-percent which can be used to bypass authentication on unpatched Cisco IOS XE devices. github.com/fox-it/cisco-i… [1/2]

Fox-IT (@foxit) 's Twitter Profile Photo

We hypothesize that the adversary patched this authentication bypass using the implant by returning a 404 whenever the request URI contains a percent sign. In other words, the implant ensured nobody other than the initial actor would be able to compromise the Cisco device. [2/2]

Fox-IT (@foxit) 's Twitter Profile Photo

Discover the latest insights on Blister malware in our new blog. We examine past payloads and delve into recent developments. 🕵️‍♂️🩹 #BlisterMythic #Blister blog.fox-it.com/2023/11/01/pop…

Fox-IT (@foxit) 's Twitter Profile Photo

🚀 Our open-source Dissect project now supports reading Fortinet firmware files! 🛡️ Easily mount, browse or dump FortiGate firmware files hassle-free with Dissect. No extra steps needed! #Dissect #Fortinet #FortiGate #Firmware github.com/fox-it/dissect…

Bad Sector Labs (@badsectorlabs) 's Twitter Profile Photo

The xz package tarballs were backdoored. Only discovered because the backdoor slowed down sshd enough for Andres Freund to investigate. Consider the case where the backdoor didn't cause perf issues... How long would this have gone undetected? openwall.com/lists/oss-secu…

The Shadowserver Foundation (@shadowserver) 's Twitter Profile Photo

Attention: we are sharing a one-off special report on Cactus ransomware group campaign targeting Qlik Sense (data viz & business intelligence tool): shadowserver.org/what-we-do/net…

2894 IPs found vulnerable to CVE-2023-48365

91 IPs found compromised by Cactus ransomware group

Fox-IT (@foxit) 's Twitter Profile Photo

🧀 New blog: "Three Lazarus RATs Coming for Your Cheese". Read about PondRAT, ThemeForestRAT and RemotePE - three RATs we encountered during incident response involving the Lazarus group. Check the indicators and don't let them steal

lazarusholic (@lazarusholic) 's Twitter Profile Photo

"Three Lazarus RATs coming for your cheese" published by Fox-IT. #Lazarus, #PondRAT, #RemotePE, #ThemeForestRAT, #DPRK, #CTI blog.fox-it.com/2025/09/01/thr…

Nicolas Bareil (@nbareil) 's Twitter Profile Photo

Thanks Fox-IT for github.com/fox-it/dissect. This project is totally underrated. I tried it once before, but it didn’t click until a few weeks ago. It’s a masterpiece that radically changed my IR workflows, enabling me to implement forensics playbooks I dreamed of for years 💙💙💙

Yun (@yunzhenghu) 's Twitter Profile Photo

And thank you NETRESEC for documenting PCAP-over-IP on your blog, which is how we found out about it. It’s such an underrated method for reading pcap data!

NETRESEC (@netresec) 's Twitter Profile Photo

Yun It's really great to see more tools adopting this method for streaming packet data! We're missing that feature in Suricata IDS/IPS though. Native pcap-over-ip support in Suricata would eliminate the need for this: nc localhost 57012 | suricata -r /dev/stdin redmine.openinfosecfoundation.org/issues/5499