Episodes
Apache MQ Exploit Leads to LockBit Ransomware
23 Feb 2026
Contributed by Lukas
Report: https://thedfirreport.com/2026/02/23/apache-activemq-explo...
Cat's Got Your Files: Lynx Ransomware
17 Nov 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ranso...
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
29 Sep 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-m...
Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
08 Sep 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gang...
Hide Your RDP: Password Spray Leads to RansomHub Deployment
30 Jun 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment Contact Us: ...
DFIR Discussions: Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
16 Jun 2025
Contributed by Lukas
We dive into our latest public report with Randy Pargman, Jake Ouellette, Kostas T., and Mangatas Tondang. Report: https://thedfirreport.com/2025/05/19...
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
19 May 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ Contact Us: ...
Navigating Through The Fog
28 Apr 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/04/28/navigating-through-the-fog/ Contact Us: https://thedfirreport.com/c...
Fake Zoom Ends in BlackSuit Ransomware
31 Mar 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/ Contact Us: https://thedfirreport...
Confluence Exploit Leads to LockBit Ransomware
24 Feb 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware Contact Us: https://thedfirre...
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
27 Jan 2025
Contributed by Lukas
Report: https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/ Contact Us: ...
DFIR Discussions: The Curious Case of an Egg-Cellent Resume
20 Jan 2025
Contributed by Lukas
We discuss our latest report "The Curious Case of an Egg-Cellent Resume" Host: @Kostastsale Analysts: ...
The Curious Case of an Egg-Cellent Resume
02 Dec 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/ Contact Us: https://thedfirreport.c...
Inside the Open Directory of the “You Dun” Threat Group
28 Oct 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group Contact Us: https://thedfirrep...
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
30 Sep 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware Contact Us: https://th...
BlackSuit Ransomware
26 Aug 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ Contact Us: https://thedfirreport.com/contact/ Ser...
Threat Actors' Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts
12 Aug 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts Contact Us: https://thedfirreport.com/contac...
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
10 Jun 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/ Contact Us: ...
DFIR Discussions: From IcedID to Dagon Locker Ransomware in 29 Days
13 May 2024
Contributed by Lukas
We discuss our latest report "From IcedID to Dagon Locker Ransomware in 29 Days" Host: @Kostastsale Analysts: @r3...
From IcedID to Dagon Locker Ransomware in 29 Days
29 Apr 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days Contact Us: https://thedfirreport.com/contact/...
DFIR Discussions: From OneNote to RansomNote: An Ice Cold Intrusion - Part 2
15 Apr 2024
Contributed by Lukas
We discuss our latest report From OneNote to RansomNote: An Ice Cold Intrusion Host: @Kostastsale Analysts: @iiamaleks, @Irish...
DFIR Discussions: From OneNote to RansomNote: An Ice Cold Intrusion - Part 1
09 Apr 2024
Contributed by Lukas
We discuss our latest report From OneNote to RansomNote: An Ice Cold Intrusion Host: @Kostastsale Analysts: @iiamaleks, @IrishD34TH, & @M...
From OneNote to RansomNote: An Ice Cold Intrusion
01 Apr 2024
Contributed by Lukas
Full Report - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion Feedback: https://forms.office.com/r/YY6w3gwd6A
DFIR Discussions: SEO Poisoning to Domain Control: The Gootloader Saga Continues
11 Mar 2024
Contributed by Lukas
Our first DFIR Discussions podcast on our latest report SEO Poisoning to Domain Control: The Gootloader Saga Continues Host: @Kostastsale Analysts: @_...
SEO Poisoning to Domain Control: The Gootloader Saga Continues
26 Feb 2024
Contributed by Lukas
Report - https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues Provide feedback for a chance to win free ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
29 Jan 2024
Contributed by Lukas
Report: https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ Feedback: https://forms.office.com/r/pPajTA4Vwy