...discovered share. These actions generated Windows Security Event ID 5145 object access entries referencing the delete[.]me file."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

...legitimate accounts already present in the environment. For the rest of the report we will refer to these accounts as: "administratr", "Lookalike 1", and "Lookalike 2"."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

2/2

...beachhead host without performing any credential access activities, indicating these credentials were also obtained prior to initial access."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

3/3

...there was no indication of brute force or password spraying occurring, indicating these credentials were obtained prior to the intrusion.

The threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the...

2/3

➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/

"...It's unclear why they scanned these external IPs. An interesting observation is that they scanned public IP ranges which hosted the C2 addresses used by Supper:"

➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/

The full lab from the challenge is now live, with all quiz-style questions included.
➡️ Try it via one-time access -> dfirlabs.thedfirreport.com/store
or subscription - > dfirlabs.thedfirreport.com/subscription...

And we just dropped the full report too:
📄 thedfirreport.com/2025/09/29/f...

Report: thedfirreport.com/2025/09/29/f...

Report: thedfirreport.com/2024/12/02/t...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/

Report: thedfirreport.com/2025/09/08/b...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/

Report: thedfirreport.com/2025/03/31/f...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/

Report: thedfirreport.com/2025/01/27/c...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/

Report: thedfirreport.com/2025/05/19/a...
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/