Front Page

Threat Actor Spotlight

Velociraptor Turned Weapon: Attackers Deploy DFIR's Own Framework as a RAT

In a striking reversal, threat actors exploiting SolarWinds Web Help Desk vulnerabilities have been observed deploying Velociraptor—a legitimate open-source digital forensics and incident response framework—as a remote access and data collection tool. After gaining initial entry, operators pivot through Cloudflare tunnels and Zoho infrastructure to establish covert command channels, then weaponize Velociraptor's VQL query engine to harvest system artifacts, enumerate credentials, and exfiltrate data.

DFIR teams investigating these intrusions must hunt specifically for unauthorized MSI installs, VQL script activity, and Cloudflare tunnel artifacts—while moving fast. Attackers are actively erasing traces, making volatile evidence preservation the immediate priority upon detection.
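An added triage example (not from the newsletter or the Velociraptor project) that checks a set of constructed Windows event records for the three indicator classes named above: Velociraptor MSI installs on hosts outside an assumed DFIR allowlist, cloudflared tunnel launches, and Velociraptor command-line query or collection runs. The record schema is simplified; the event IDs follow MsiInstaller (1033, product installed) and Sysmon process creation (1).

```python
"""Hunt over constructed event records for Velociraptor-as-RAT indicators."""
import re

# Constructed sample events (simplified fields, not a real EVTX schema).
EVENTS = [
    {"host": "ws01", "provider": "MsiInstaller", "event_id": 1033,
     "message": "Windows Installer installed the product. Product Name: Velociraptor. Installation success or error status: 0."},
    {"host": "dfir-srv", "provider": "MsiInstaller", "event_id": 1033,
     "message": "Windows Installer installed the product. Product Name: Velociraptor."},
    {"host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "message": r"CommandLine: C:\Users\Public\cloudflared.exe tunnel run --token REDACTED"},
    {"host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "message": r'CommandLine: C:\Program Files\Velociraptor\Velociraptor.exe query "SELECT * FROM info()"'},
    {"host": "ws02", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "message": r"CommandLine: C:\Windows\System32\notepad.exe"},
]

# Assumed allowlist: hosts where the DFIR team legitimately runs Velociraptor.
APPROVED_VELOCIRAPTOR_HOSTS = {"dfir-srv"}

# (label, provider, event_id, message pattern, hosts exempt from the rule)
RULES = [
    ("unauthorized Velociraptor MSI install", "MsiInstaller", 1033,
     re.compile(r"Product Name:\s*Velociraptor", re.I), APPROVED_VELOCIRAPTOR_HOSTS),
    ("cloudflared tunnel execution", "Microsoft-Windows-Sysmon", 1,
     re.compile(r"cloudflared(\.exe)?\s+tunnel", re.I), set()),
    ("VQL query run from command line", "Microsoft-Windows-Sysmon", 1,
     re.compile(r"velociraptor(\.exe)?\s+(query|artifacts\s+collect)\b", re.I),
     APPROVED_VELOCIRAPTOR_HOSTS),
]


def triage(events):
    """Return (host, label) pairs for events that match a rule on a non-exempt host."""
    findings = []
    for ev in events:
        for label, provider, event_id, pattern, exempt_hosts in RULES:
            if ev["provider"] != provider or ev["event_id"] != event_id:
                continue
            if ev["host"] in exempt_hosts:
                continue  # expected DFIR activity, not a finding
            if pattern.search(ev["message"]):
                findings.append((ev["host"], label))
    return findings


if __name__ == "__main__":
    for host, label in triage(EVENTS):
        print(f"{host}: {label}")
```

Feeding real records means mapping your log source's fields onto host, provider, event_id and message; the allowlist and rule patterns are the parts to tune per environment.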

Evidentiary Challenge

Deepfakes Are Outpacing Forensics: The Coming Admissibility Crisis

Digital forensics pioneer Hany Farid warned this week that generative AI has made convincing synthetic media faster and cheaper to produce than the forensic tools available to authenticate it. Courts in New York and California, operating under new AI provenance laws enacted in January, now require verifiable cryptographic markers on AI-generated media—but enforcement depends entirely on examiner capability to detect their absence.

Farid's central concern for practitioners is a credibility gap: jurors who cannot distinguish authentic footage from sophisticated deepfakes may begin to doubt all digital evidence. The implication for forensic examiners is stark—media authentication must now be treated as a foundational competency, not a specialist skill.

Threat Bulletin

CRITICAL
CVE-2026-21510

Windows Shell SmartScreen Security Feature Bypass. Attackers trick users into opening malicious .lnk shortcut files, silently bypassing SmartScreen warnings and executing untrusted code. One of six zero-days patched in Microsoft's February Patch Tuesday. Forensic Note: Check recent items, jump lists, and prefetch for unsigned .lnk launches.

ACTIVE EXPLOIT
CVE-2026-1731

BeyondTrust Remote Support & Privileged Remote Access — Unauthenticated RCE. Internet-exposed helpdesk platforms are a primary initial-access vector. Forensic Note: Review remote support session logs and look for anomalous child processes spawned by BeyondTrust agents.

Malware Spotlight

Reynolds Ransomware

Reynolds is a newly disclosed ransomware family that ships with a built-in Bring Your Own Vulnerable Driver (BYOVD) module, which terminates endpoint security tools before deploying encryption. Forensic Note: Look for signed-but-vulnerable driver artifacts in %TEMP% and event logs showing abrupt security service terminations.