Registration for the DFIR Labs Enterprise CTF is now LIVE!
Assemble your elite SOC/IR team (up to 3 members) for a 4-hour competition to prove you're the best in the industry.
Win prizes, bragging rights, and glory! 
Register now! 
https://form.jotform.com/251605321344245
Just noticed CVE-2025-1829 an RCE in the mtkhnatEnable parameter of /cgi-bin/cstecgi.cgi on TOTOLINK devices being actively exploited.
Exploitation started since 23/03 though which is ~3 weeks after the vuln became public?
Kunai Sandbox is now live!
Curious about Kunai? Want to analyze Linux malware logs? Or share malware analysis to build detection rules? Kunai Sandbox has you covered! 
Check out what Kunai can do:
Explore Kunai's log structure without running it locally Analyze logs generated by Linux malware Share malware analysis with others to build detection rules
See an example analysis of the perfctl #linux #malware: https://sandbox.kunai.rocks/analysis/59edbf8c-41b7-4144-97e0-9b0571446c02
"The remote endpoints it attempted to contact included several TryCloudflare domains as well as direct IP addresses.
The logic would rotate through the various servers until an online host was found. The malware in this case took 15 minutes to establish a successful connection to an online endpoint at hxxp://bristol-weed-martin-know[.]trycloudflare[.]com/init1234."
The above is from a recent Private Threat Brief: "Interlock-Linked Threat Actor Gains Access via Fake Teams ClickFix Lure"
Interested in receiving reports like this one? Contact us for a demo or pricing - https://thedfirreport.com/contact/
Only one week left to register for our next Cyberside Chats Live event! Join us June 11th to discuss what happens when an AI refuses to shut down—or worse, starts blackmailing users to stay online?
These aren’t science fiction scenarios. We’ll dig into two real-world incidents, including a case where OpenAI’s newest model bypassed shutdown scripts and another where Anthropic’s Claude Opus 4 generated blackmail threats in an alarming display of self-preservation.
Join us as we unpack:
What “high-agency behavior” means in cutting-edge AI How API access can expose unpredictable and dangerous model actions Why these findings matter now for security teams What it all means for incident response and digital trust
Stick around for a live Q&A with LMG Security’s experts @sherridavidoff and @MDurrin. This session will challenge the way you think about AI risk!
Register today: https://www.lmgsecurity.com/event/cyberside-chats-live-june2025/
CIRCL - Virtual Summer School (VSS) 2025
From 7 July to 18 July 2025, CIRCL will host a two-week online training event featuring hands-on sessions on various tools developed and maintained by CIRCL, as well as training in digital forensics and incident response (DFIR) techniques.
#opensource #dfir #training #cybersecurity #threatintelligence
New Open-Source Tool Spotlight 
Cortex by TheHive Project is a powerful open-source engine for observable analysis and active response. Supporting integration with MISP & TheHive, it offers 39+ analyzers to streamline DFIR tasks. Built using Scala, AngularJS, and Python for scalability. #CyberSecurity #DFIR
Project link on #GitHub https://github.com/TheHive-Project/Cortex
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— 
P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 
Investigation Scenario 
While reviewing company code in Github, you discover odd javascript that downloads+executes a file from an unknown domain that is currently inaccessible.
What do you look for to investigate whether an incident occurred?
How do hackers break into your network? Find out from the pros who do it every day!
In this week’s Cyberside Chats, @tompohl, head of penetration testing at LMG Security, joins @sherridavidoff to reveal how his team gains domain admin access in over 90% of tests.
From outdated Active Directory settings to risky legacy protocols, this episode is packed with real-world insights to help you reduce your organization’s risk. We’ll share:
The hidden vulnerabilities attackers love Tips to harden your infrastructure What penetration testers see that most defenders miss
Watch the full episode: https://youtu.be/VEeWkVBDDP8
Prefer audio? Listen to the podcast: https://www.chatcyberside.com/e/unveiling-the-secrets-of-penetration-testing/?token=6b16f323d00f32474ccfe6a7952ec47a
Cybersecurity Students — This One’s for You! 
We're giving away a limited number of FREE entry passes to our CTF competition happening this Saturday, June 7, 16:30 – 20:30 UTC! 
A great opportunity to test your skills, learn, and compete with others in the infosec community.
Professors/Teachers: Have interested students? DM us or get in touch!
Students: Drop a comment below for a chance to win free entry!
Register Here - https://dfirlabs.thedfirreport.com/ctf
We had a blast speaking at the Ransomware Summit! 
Huge thanks to everyone who joined us live as well as Ryan Chapman, Mari DeGrazia, and SANS Institute for putting this free conference together!
Missed our keynote? No worries — you can catch the full session here:
https://www.youtube.com/live/nhB-xkmbSbY?si=2VT0OmWSD2ZrwnAS&t=1379
New Blog Post: Kunai vs io_uring (https://why.kunai.rocks/blog/kunai-vs-io_uring)
Ever wondered how io_uring revolutionizes I/O operations in the Linux kernel? Inspired by Armo's blog post (https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/) about a PoC rootkit using io_uring, we explored this feature's security implications and how tools like Kunai can monitor these operations.
Key Takeaways:
io_uring boosts I/O performance by reducing system call overhead and enabling asynchronous operations Security tools struggle to monitor io_uring due to its unique handling of operations Kunai now provides visibility into io_uring operations, though blocking malicious activities remains challenging Recent kernel versions have introduced auditing and security controls for io_uring, but these are still limited
Remembering the forensics and accident reconstruction experts testifying in the Karen Read trial is going to run 24/7 in my head if I ever have to testify again.
"Answer the question posed"
"Do not offer additional response"
"I don't know is a full answer"
"Do not be arrogant, seriously, don't"
Mini Digital Forensic Diaries story: got sent to a university in London to investigate a case where a student, who bragged of hacker prowess openly, was suspected of introducing malware to a machine and stealing a lecturers password.
“We don’t know how, but we know they logged into the account, and sent emails - and this is the only machine the lecturer uses,” came the brief.
Imaged the machine suspected of being targeted.
While giving the lecturer their laptop back post imaging I observed, via projector, the lecturer entering in their password to the username field on the login screen.
“Whoops, I’m always doing that - at least this time it wasn’t in front of the students,” they said.
Sure enough, there was no evidence of anything untoward on the laptop, but I had a good theory as to what may have occurred.
Check out more, less mini, stories like this at https://infosecdiaries.com.
We are pleased to announce the official publication of new and updated Neolea training materials. The Neolea initiative is dedicated to providing high-quality, open-source educational resources designed to assist law enforcement agencies (and others) in enhancing their digital forensic and investigative capabilities.
https://www.misp-lea.org/news/2025/05/30/Neolea-training-materials-published.html https://github.com/neolea/neolea-training-materials
Copilot ist das ultimative Einbruchswerkzeug für Sharepoint/Teams in MS-lastigen Unternehmen. Accountübernahme während eines Phishing-Incidents genügt, um selbst auf Dokumente zuzugreifen, für die dem Account die Permissions fehlen würden. Und zwar ohne Spuren zu hinterlassen!
https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/
ransomware.live offers a free API that allows you to keep track of current ransomware groups
DFIR Labs is Evolving! Have You Seen What's New?
Big things are happening at DFIR Labs! We've been hard at work implementing a wave of exciting changes and improvements, all designed to enhance your experience!
But we're not stopping there – even more updates are on the horizon!
Check it out now! https://dfirlabs.thedfirreport.com
"Analysis of command-line activity reveals the threat actor’s use of specific PowerShell cmdlets for discovering and interacting with virtual machines. They initiated powershell.exe with the -ExecutionPolicy Bypass flag to execute sequences such as Get-VM for VM enumeration, followed by Get-VHD to identify associated virtual disk files.
The pipeline further extended to Get-DiskImage -ImagePath $_.Path and Dismount-DiskImage, suggesting a process of accessing and then unlinking VHD contents. Commands to halt virtual machine operations (Get-VM | Stop-VM) were also noted as."
Interested in receiving private reports similar to this report? Contact us for pricing - https://thedfirreport.com/contact/
Read more: 
