# DFIR & Threat Intelligence Research

Defensive research repository. All malware samples are defanged. See DISCLAIMER.md before use.

Practical Digital Forensics, Incident Response (DFIR), and Threat Intelligence research, built around real-world campaigns observed in the wild.

This is not a theoretical collection. Every playbook, sample, and write-up here comes from actual threat activity.
## Quick Actions

Jump straight to the most useful resources in this repo.

| Action | Link | What You'll Find |
|---|---|---|
| Respond to an incident right now | IR Playbooks → | Step-by-step containment procedures |
| Hunt for IOCs in your environment | IOC Index → | IPs, hashes, domains, detection queries |
| Analyze a malware sample | Sample Analysis → | Defanged PHP shells with behavior notes |
| Map an attack to MITRE ATT&CK | MITRE Coverage → | Full technique index |
| Investigate C2 infrastructure | Threat Infrastructure → | C2 patterns, RMM abuse, DNS tunneling |
| Read a threat actor profile | Ransomware Intel → | Black Shrantac, Green Blood |
| Build detection rules | Detection Queries → | SIEM/EDR queries ready to deploy |
## What's in Here

### Incident Response Playbooks (/playbooks/)

Step-by-step SOC-ready response procedures aligned with NIST and SANS IR methodology. Each playbook covers Detection → Triage → Containment → Eradication → Recovery → Lessons Learned.

| Playbook | Threat Type | Severity | MITRE Coverage |
|---|---|---|---|
| Fake CAPTCHA → PowerShell Malware | Fileless Malware / Social Engineering | High | T1566, T1059.001, T1027, T1071.001 |
| Phishing Incident | Phishing / BEC | High | T1566, T1078 |
| Ransomware Response | Ransomware / Double Extortion | Critical | T1486, T1490, T1041 |
| Insider Threat | Insider / Data Exfiltration | Medium-High | T1052, T1078, T1213 |
| Cloud Security Incident | Cloud / IAM Abuse | High | T1078.004, T1530 |
### Malware Samples (/playbooks/malware-infection/)

Defanged samples collected from active campaigns. All `.php` files are renamed to `.php.sample`; they cannot execute in this state.

| Sample | Type | Campaign |
|---|---|---|
| cache.php.sample | PHP Web Shell (File Manager) | Mass WordPress compromise |
| shadow-bot.php.sample | PHP Web Shell + DB tool | Targeted server compromise |
| cleavable.php.sample | Obfuscated PHP loader | C2 staging |
| wordfencetenp.php.sample | Malicious WP plugin disguise | Security plugin bypass |
| lkdo11-16.php.sample | Obfuscated droppers | Payload staging |
| odcat17-110.php.sample | Obfuscated droppers | Payload staging |

See the malware-infection README for full analysis notes.
### Threat Intelligence & Incident Notes (/incident-notes/)

Real-world threat investigations written in analyst format.
- Fake CAPTCHA PowerShell Campaign (91.84.125.16): active campaign abusing the Windows Run dialog to execute fileless PowerShell malware

### Threat Infrastructure (/threat-infrastructure/)

| Category | Description |
|---|---|
| C2 Patterns | Shadow C2 panel and fake CAPTCHA campaign C2 (91.84.125.16) |
| Open Directories | Exposed attacker staging servers leaking APK/EXE payloads |
| RMM Abuse | Malspam abusing GoToResolve / LogMeIn for remote access |
| DNS Tunneling | DNS-based C2 communication patterns |

### Ransomware Intelligence

- Black Shrantac: double-extortion actor active Sep 2025 to Jan 2026. 30+ victims across government, healthcare, utilities, financial services.
- Green Blood Ransomware: extension `.gblood`, known SHA-256 hashes, ransom note variants.

## IOC Quick Reference

Copy-paste ready for SIEM, firewall, or threat hunting. All IPs/domains are defanged; remove the brackets before use.

### Malicious IPs

```text
91.84.125[.]16       # Fake CAPTCHA PowerShell C2 / payload host (/big.txt)
5.9.228[.]188:5000   # Shadow C2 admin panel
```

### Malicious Domains

```text
wertg-rewe[.]com     # cleavable.php loader C2 (obfuscated in octal)
stepmomhub[.]com     # cache.php WordPress mass-compromise receiver
```

### File Hashes (SHA-256)

```text
365f2f4de5ac872ce5a1fe6fbbf382b936c1defc6d767a37f69b5df4188d9522   # shadow-bot PHP shell
05294c9970f365c92e0b0f1250db678dc356dbf418dba27bdd5eeb68487a7199   # Green Blood ransomware sample
```

### Ransomware File Extensions

```text
.gblood              # Green Blood Ransomware
```

### Ransomware Note Filenames

```text
RESTORE_FILES.txt
README.txt
DECRYPT_INSTRUCTIONS.txt
IMPORTANT_README.txt
HOW_TO_RECOVER_FILES.txt
```

## Detection Quick Reference

Ready-to-adapt queries for common SIEM/EDR platforms.

### PowerShell / Fileless Malware

```powershell
# Windows Event Log: ScriptBlock Logging (Event ID 4104), filtered to that event ID
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-PowerShell/Operational"; Id = 4104 } |
    Where-Object { $_.Message -match "Invoke-Expression|iex\b|-enc\b|91\.84\.125\.16" }
```

```text
# Sysmon / EDR: suspicious PowerShell launch from a mail client or browser
CommandLine contains "-enc" AND ParentProcess in ("outlook.exe","chrome.exe","msedge.exe","firefox.exe")
```

### Web Shell Detection

```bash
# Search for web shell indicators in the web root
grep -rn "eval(base64_decode\|shell_exec\|system(\|passthru(\|root@xshikata\|create_wp_admin" /var/www/
```

```text
# Alert on a PHP process spawning a shell
ParentProcess == "php-fpm" AND ChildProcess in ("bash","sh","cmd.exe","powershell.exe")
```

### C2 Network Hunting

```text
# SIEM: outbound to known bad IPs
dst_ip IN ("91.84.125.16", "5.9.228.188") AND direction == "outbound"

# Proxy logs: suspicious path
http.uri_path == "/big.txt" AND http.method == "GET"

# Alert on port 5000 outbound from servers
dst_port == 5000 AND src_zone == "server_dmz"
```

### DNS Tunneling

```text
# High-entropy subdomain detection
dns.query.name MATCHES "^[a-z0-9]{25,}\\..*$"
AND dns.query.count > 50 WITHIN 5m
AND dns.query.domain NOT IN (whitelist)
```

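The DNS tunneling rule above, implemented as a sliding-window detector over a constructed query log. This is an added example, not code from this repository; the allowlist contents and the `(timestamp, query name)` event shape are assumptions.

```python
import hashlib
import re
from collections import defaultdict, deque

# Rule parameters lifted from the README query; the allowlist and the
# (timestamp, query name) event shape are assumptions of this example.
LABEL_RE = re.compile(r"^[a-z0-9]{25,}\..*$")   # dns.query.name MATCHES ...
THRESHOLD = 50                                  # dns.query.count > 50
WINDOW_SECONDS = 5 * 60                         # WITHIN 5m
ALLOWLIST = {"example.com"}                     # NOT IN (whitelist), assumed

def registered_domain(qname):
    """Naive registrable domain (last two labels); production code should use
    a public-suffix list so that 'host.co.uk' is not split as 'co.uk'."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_dns_tunneling(events, threshold=THRESHOLD, window=WINDOW_SECONDS,
                         allowlist=ALLOWLIST):
    """events: (timestamp_seconds, query_name) pairs, ascending in time.
    Returns the domains that received more than `threshold` long-label
    queries inside any `window`-second span, i.e. the README's DNS rule."""
    recent = defaultdict(deque)   # domain -> timestamps still inside the window
    alerts = set()
    for ts, qname in events:
        qname = qname.lower()
        if not LABEL_RE.match(qname):       # short, human-looking labels pass
            continue
        domain = registered_domain(qname)
        if domain in allowlist:             # CDNs, telemetry, known tunnels
            continue
        q = recent[domain]
        q.append(ts)
        while q and ts - q[0] > window:     # drop timestamps that fell out
            q.popleft()
        if len(q) > threshold:
            alerts.add(domain)
    return alerts

def _label(i):
    """Deterministic 32-char hex label standing in for encoded tunnel data."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:32]

# Constructed query log (not real telemetry): a burst of 60 long-label queries in
# 3 min, the same burst to an allowlisted domain, a 1/min trickle, 200 normal lookups.
SAMPLE_EVENTS = sorted(
    [(i * 3, f"{_label(i)}.tunnel-test.net") for i in range(60)]
    + [(i * 3, f"{_label(i)}.example.com") for i in range(60)]
    + [(i * 60, f"{_label(i)}.slow-host.org") for i in range(60)]
    + [(i * 3, "www.update-server.org") for i in range(200)]
)
```

Only the bursting domain fires; the one-per-minute trickle never holds more than six queries in any five-minute window, which is exactly the noise the threshold is there to ignore.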
### Ransomware Indicators

```text
# File extension monitoring
file.extension IN (".gblood") OR
file.name IN ("RESTORE_FILES.txt","DECRYPT_INSTRUCTIONS.txt","HOW_TO_RECOVER_FILES.txt")

# Mass file modification (ransomware encryption behavior)
file.write_count > 500 WITHIN 60s AND process.name NOT IN (backup_tools_whitelist)
```

## MITRE ATT&CK Coverage

| Tactic | Technique | ID | Covered In |
|---|---|---|---|
| Initial Access | Phishing | T1566 | Phishing Playbook, Fake CAPTCHA |
| Execution | PowerShell | T1059.001 | Fake CAPTCHA Playbook |
| Execution | User Execution | T1204 | RMM Abuse, Phishing |
| Persistence | Web Shell | T1505.003 | All PHP samples |
| Persistence | Remote Access Software | T1219 | RMM Abuse write-up |
| Defense Evasion | Obfuscated Files/Info | T1027 | cleavable, lkdo, odcat samples |
| Defense Evasion | Masquerading | T1036.005 | wordfencetenp sample |
| Defense Evasion | Deobfuscate/Decode | T1140 | shadow-bot sample |
| Credential Access | Valid Accounts | T1078 | cache.php, Insider Threat |
| Discovery | Remote System Discovery | T1018 | Insider Threat Playbook |
| Lateral Movement | Remote Services | T1021 | Ransomware Playbook |
| Exfiltration | Exfil Over C2 Channel | T1041 | Ransomware, Insider Threat |
| Exfiltration | DNS Tunneling | T1048.003 | DNS Tunneling write-up |
| Impact | Data Encrypted for Impact | T1486 | Ransomware Playbooks |
| Impact | Inhibit System Recovery | T1490 | Black Shrantac, Green Blood |
| Command & Control | Web Protocols | T1071.001 | Fake CAPTCHA C2 |
| Command & Control | Application Layer Protocol: DNS | T1071.004 | DNS Tunneling write-up |
| Command & Control | Remote Access Software | T1219 | RMM Abuse |

## Live Threat Map

Visualizing active campaigns, C2 infrastructure, and attacker geography documented in this repo.

## Design Principles

- Real campaigns, not hypotheticals
- Defender-first: detection queries and response steps are the priority
- MITRE ATT&CK mapped across all playbooks
- SOC-ready structure for Tier 1 to Tier 3 analysts

## Disclaimer

All samples are defanged and stored for defensive research only. See DISCLAIMER.md.

Regan Temudo | DFIR & Threat Intelligence
LinkedIn · GitHub