T
🧪 DFIR Labs | ALPHV Ransomware Case #24952
Walk through a real intrusion where IcedID was used to deploy ScreenConnect and a custom C# streamer, ultimately leading to an ALPHV (BlackCat) ransomware event.
This lab breaks down:
️ Remote access and persistence with ScreenConnect️ Custom tooling used prior to ransomware deployment️ Operator tradecraft observed along the way
Step through the investigation and analyze attacker behavior end-to-end.
https://dfirlabs.thedfirreport.com/auth/login
Don’t just block threats — disrupt them.
Our IR-driven Threat Feed helps you:
Detect attacker infrastructure early
Hunt for active footholds
️ Reduce false positives with continuously verified intel
Built for SOCs, MSSPs, MDRs, and security vendors.
Get the edge: https://thedfirreport.com/contact/
#ThreatIntel #BlueTeam #DFIR #CyberDefense
Cat’s Got Your Files: Dive Into the Lynx Ransomware Incident!
Check out our latest DFIR Report detailing how attackers abused valid credentials to compromise an environment, create persistent high-privilege accounts, and conduct environment mapping and exfiltration before deploying Lynx ransomware.
Report: https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/
Services: https://thedfirreport.com/services/
Contact Us for pricing or a demo: https://thedfirreport.com/contact/
