The DFIR Report Profile
The DFIR Report

@TheDFIRReport

Followers
64K
Following
711
Media
490
Statuses
2K

Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

thedfirreport.com/contact
Joined April 2020
@TheDFIRReport
The DFIR Report
2 days
➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion" ➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing -
0
0
4
@TheDFIRReport
The DFIR Report
2 days
We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. All files involved in the initial access phase were signed with valid certificates.
1
17
56
@TheDFIRReport
The DFIR Report
18 days
🎉 BLACK FRIDAY DEAL IS LIVE! 🎉 Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last! 🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers! Don’t miss it — once it’s gone, it’s gone. https://t.co/5atl6q2ke0
0
4
19
@TheDFIRReport
The DFIR Report
22 days
➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion" ➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing -
0
0
3
@TheDFIRReport
The DFIR Report
22 days
"...It's unclear why they scanned these external IPs. An interesting observation is that they scanned public IP ranges which hosted the C2 addresses used by Supper:"
1
0
1
@TheDFIRReport
The DFIR Report
22 days
"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities..."
1
1
9
@Friffnz
Friff
25 days
@TheDFIRReport has been a huge resource throughout my DFIR journey, so it’s a real highlight to finally contribute to one of their reports. Really excited to share this one, hope you enjoy! :)
@TheDFIRReport
The DFIR Report
25 days
🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.
1
4
21
@TheDFIRReport
The DFIR Report
25 days
🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.
3
27
89
@TheDFIRReport
The DFIR Report
26 days
@Friffnz @MittenSec ...and hosts were successfully enumerated using the domain admin credentials during scanning." Want a heads-up when we drop a new report? Sign up here: https://t.co/oPX1ir9O13 2/2
1
0
5
@TheDFIRReport
The DFIR Report
26 days
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "Artifacts of this SMB enumeration were left behind in the smb.db database stored by NetExec in C:\Users\%UserProfile%\nxc\workspaces\smb.db. This database confirms that a number of domains... 1/2
1
15
109
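The post above points at NetExec's smb.db as a place where an attacker's enumeration results survive on the beachhead. Added example, not code from The DFIR Report or from NetExec: a triage helper that opens such a workspace database read-only so the evidence file is never modified, dumps every table without assuming a schema, and harvests the IP addresses found anywhere in it. The sample database is constructed inline; its table and column names only approximate NetExec's real layout and are assumptions.

```python
"""Schema-agnostic triage of an attacker tool's SQLite workspace (e.g. NetExec smb.db).
Added example. The sample database below is constructed; its schema is an assumption."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_constructed_db(path):
    """Create a stand-in smb.db. Table/column names are assumed, not NetExec's exact schema."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE hosts  (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT, domain TEXT, os TEXT, dc INTEGER);
        CREATE TABLE shares (id INTEGER PRIMARY KEY, hostid INTEGER, name TEXT, remark TEXT, read INTEGER, write INTEGER);
        INSERT INTO hosts  VALUES (1, '10.10.1.5',  'DC01', 'corp.local', 'Windows Server 2019', 1);
        INSERT INTO hosts  VALUES (2, '10.10.5.11', 'FS01', 'corp.local', 'Windows Server 2016', 0);
        INSERT INTO hosts  VALUES (3, '10.10.5.12', 'FS02', 'corp.local', 'Windows Server 2016', 0);
        INSERT INTO shares VALUES (1, 2, 'Finance', '', 1, 1);
        INSERT INTO shares VALUES (2, 2, 'HR',      '', 1, 1);
        INSERT INTO shares VALUES (3, 3, 'IT',      '', 1, 1);
    """)
    conn.commit()
    conn.close()


def inventory(path):
    """Open the database read-only (SQLite URI mode=ro) and dump every user table.

    Reading the schema from sqlite_master instead of hard-coding table names means the
    triage still works when the tool's schema differs from what we expect.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"   # as_uri() handles percent-encoding
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row
    tables = {}
    for (name,) in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ):
        rows = conn.execute(f'SELECT * FROM "{name}"').fetchall()
        tables[name] = [dict(r) for r in rows]
    conn.close()
    return tables


def ip_values(tables):
    """Collect every IPv4-looking string in any column of any table."""
    found = set()
    for rows in tables.values():
        for row in rows:
            for value in row.values():
                if isinstance(value, str):
                    found.update(IPV4.findall(value))
    return found


def demo():
    """Build the constructed db in a temp dir, triage it, return (tables, ips)."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "smb.db")
    build_constructed_db(db)
    tables = inventory(db)
    return tables, ip_values(tables)


if __name__ == "__main__":
    tables, ips = demo()
    for name, rows in tables.items():
        print(f"{name}: {len(rows)} rows")
    print("enumerated hosts:", sorted(ips))
```

The IP harvest is deliberately crude: it tells the analyst which hosts the attacker's tooling knew about before the share and host tables are interpreted in detail, and it keeps working if the workspace contains extra tables the analyst did not expect.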
@TheDFIRReport
The DFIR Report
27 days
@Friffnz @MittenSec ...discovered share. These actions generated Windows Security Event ID 5145 object access entries referencing the delete[.]me file." Want a heads-up when we drop a new report? Sign up here:
0
2
5
@TheDFIRReport
The DFIR Report
27 days
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "In this case, Netscan was run with domain administrator privileges, so all discovered shares were writable. As a result, NetScan was able to create and delete the delete[.]me file on each... 1/2
2
4
24
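The two posts above describe NetScan writing and deleting a delete[.]me file on every discovered share and the resulting Event ID 5145 entries. Added detection example, not code from The DFIR Report: it groups 5145 events by source account, source IP and target filename, and alerts when one filename is written to or deleted from many distinct shares within a short window. The events below are constructed, and the thresholds are assumptions to tune per environment. The logic is written to catch the same pattern with any probe filename, not only delete[.]me.

```python
"""Detect a share-write probe (NetScan delete.me style) in Event ID 5145 data.
Added example with constructed events; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Access-mask bits that can create or remove a file: WriteData 0x2, AppendData 0x4, DELETE 0x10000.
WRITE_OR_DELETE = 0x2 | 0x4 | 0x10000

# Constructed 5145 events flattened as a SIEM would: (time, computer, SubjectUserName, IpAddress,
# ShareName, RelativeTargetName, AccessMask). Not real case data.
SAMPLE_5145 = [
    ("2025-11-01T10:00:01", "FS01", "da-ops", "10.10.5.20", r"\\*\Finance",  "delete.me", "0x2"),
    ("2025-11-01T10:00:01", "FS01", "da-ops", "10.10.5.20", r"\\*\Finance",  "delete.me", "0x10000"),
    ("2025-11-01T10:00:03", "FS01", "da-ops", "10.10.5.20", r"\\*\HR",       "delete.me", "0x2"),
    ("2025-11-01T10:00:03", "FS01", "da-ops", "10.10.5.20", r"\\*\HR",       "delete.me", "0x10000"),
    ("2025-11-01T10:00:07", "FS02", "da-ops", "10.10.5.20", r"\\*\IT",       "delete.me", "0x2"),
    ("2025-11-01T10:00:07", "FS02", "da-ops", "10.10.5.20", r"\\*\IT",       "delete.me", "0x10000"),
    ("2025-11-01T10:00:09", "FS02", "da-ops", "10.10.5.20", r"\\*\Public",   "delete.me", "0x2"),
    ("2025-11-01T10:00:12", "DC01", "da-ops", "10.10.5.20", r"\\*\NETLOGON", "delete.me", "0x2"),
    # Benign: a user editing one spreadsheet on one share.
    ("2025-11-01T10:04:00", "FS01", "jsmith", "10.10.7.31", r"\\*\Finance", "Q3-forecast.xlsx", "0x2"),
    ("2025-11-01T10:04:05", "FS01", "jsmith", "10.10.7.31", r"\\*\Finance", "Q3-forecast.xlsx", "0x2"),
    # Benign: a backup agent touching a lock file on two shares (below threshold).
    ("2025-11-01T10:20:00", "FS01", "backupsvc", "10.10.1.9", r"\\*\Finance", "backup.lock", "0x2"),
    ("2025-11-01T10:21:00", "FS02", "backupsvc", "10.10.1.9", r"\\*\IT",      "backup.lock", "0x2"),
]


def detect_probe_writes(events, min_shares=4, window=timedelta(minutes=5)):
    """Return one alert per (user, ip, filename) that hit >= min_shares distinct shares in `window`."""
    groups = defaultdict(list)
    for t, computer, user, ip, share, target, mask in events:
        if int(mask, 16) & WRITE_OR_DELETE == 0:
            continue  # read-only access cannot be the create/delete probe
        groups[(user, ip, target.lower())].append((datetime.fromisoformat(t), (computer, share)))

    alerts = []
    for (user, ip, target), hits in groups.items():
        hits.sort()
        best = None
        for i, (start, _) in enumerate(hits):           # sliding window over the sorted hits
            in_window = [(t, s) for t, s in hits[i:] if t - start <= window]
            shares = {s for _, s in in_window}
            if len(shares) >= min_shares and (best is None or len(shares) > best["shares"]):
                best = {
                    "user": user, "ip": ip, "file": target, "shares": len(shares),
                    "first_seen": start.isoformat(), "last_seen": in_window[-1][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_probe_writes(SAMPLE_5145):
        print(a)
```

Event ID 5145 is only logged when the "Audit Detailed File Share" subcategory is enabled on the file servers, and it is high volume, so in practice the grouping above runs in the SIEM rather than on raw host logs. The share key includes the computer name because each server logs its own 5145 events and share names such as Public repeat across hosts.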
@TheDFIRReport
The DFIR Report
28 days
@Friffnz @MittenSec ...legitimate accounts already present in the environment. For the rest of the report we will refer to these accounts as: "administratr", "Lookalike 1", and "Lookalike 2"." Want a heads-up when we drop a new report? Sign up here: https://t.co/oPX1ir9O13 2/2
0
1
3
@TheDFIRReport
The DFIR Report
28 days
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "On the domain controller, they used the "Active Directory Users and Computers" snap-in (dsa.msc) to create three users for persistence. All of the newly created accounts have usernames that mimic... 1/2
1
5
24
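The two posts above describe persistence accounts created in dsa.msc with usernames that mimic legitimate ones (the report's "administratr" and two lookalikes). Added example, not code from The DFIR Report: a check that takes account-creation events (Event ID 4720) and an export of pre-existing account names, and flags new names within a small edit distance of an existing one after folding case and common digit-for-letter substitutions. The events, account list and distance threshold are constructed assumptions; the report itself does not describe this heuristic.

```python
"""Flag newly created accounts whose names mimic existing ones (Event ID 4720 vs. AD export).
Added example; sample events, account list and threshold are constructed assumptions."""

# Constructed 4720 ("A user account was created") events as a SIEM would flatten them.
SAMPLE_4720 = [
    {"EventID": 4720, "TargetUserName": "administratr", "SubjectUserName": "da-ops"},
    {"EventID": 4720, "TargetUserName": "svc-backup1",  "SubjectUserName": "da-ops"},
    {"EventID": 4720, "TargetUserName": "jsmith2",      "SubjectUserName": "helpdesk"},
    {"EventID": 4720, "TargetUserName": "new.hire",     "SubjectUserName": "helpdesk"},
]

# Constructed list of account names that existed before the incident window.
EXISTING_ACCOUNTS = ["Administrator", "svc-backup", "jsmith", "da-ops", "helpdesk"]

# Common substitutions attackers use so a name looks right at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "$": "s", "3": "e"})


def normalize(name):
    """Lower-case and fold homoglyphs so 'Adm1n' compares as 'admln'."""
    return name.lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b)) with two rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(created_events, existing, privileged=("Administrator",), max_distance=2):
    """Pair each new account with any existing account within max_distance edits (but not identical).

    Severity is raised when the mimicked account is in the privileged list. Short names will
    produce false positives at distance 2, so tune max_distance per environment.
    """
    existing_norm = {normalize(n): n for n in existing}
    findings = []
    for ev in created_events:
        new = ev["TargetUserName"]
        for n_old, old in existing_norm.items():
            d = levenshtein(normalize(new), n_old)
            if 0 < d <= max_distance:
                findings.append({
                    "created": new, "mimics": old, "distance": d,
                    "created_by": ev["SubjectUserName"],
                    "severity": "high" if old in privileged else "medium",
                })
    return sorted(findings, key=lambda f: (f["distance"], f["created"]))


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_4720, EXISTING_ACCOUNTS):
        print(f)
```

Run against real data, the existing-account list should come from a backup or export taken before the suspected intrusion window, otherwise the attacker's own accounts end up in the baseline. The "jsmith2" hit in the sample shows why the output is a ranked list for an analyst rather than an automatic block: a numeric suffix is also how many help desks name a second account for the same person.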
@TheDFIRReport
The DFIR Report
29 days
@Friffnz @MittenSec ...beachhead host without performing any credential access activities, indicating these credentials were also obtained prior to initial access." Want a heads-up when we drop a new report? Sign up here: https://t.co/oPX1ir9O13 3/3
0
0
5
@TheDFIRReport
The DFIR Report
29 days
@Friffnz @MittenSec ...there was no indication of brute force or password spraying occurring, indicating these credentials were obtained prior to the intrusion. The threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the... 2/3
1
0
5
@TheDFIRReport
The DFIR Report
29 days
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and... 1/3
1
6
14