Have you heard the news? The Cyberbit team got bigger with the acquisition of RangeForce! Here’s the announcement in case you missed it.
We welcome the new season with fresh content right out of the oven and a promise for even more ground-breaking research and experiences for the months and years to come. With the combined forces of the Cyberbit and RangeForce teams, this will be a piece of cake!
For now, let’s dig into this month’s content release.
In this month’s LFE, we are going all in on the Ymir ransomware.
A user downloads a seemingly innocent piece of software — a fake “Audio Driver 2” — unknowingly triggering a sophisticated multi-stage attack.
The execution chain quietly unfolds: a Rust-based stealer exfiltrates sensitive data and keys, followed by a targeted exploitation of the mRemoteNG configuration tool to dump credentials from memory.
The attacker then pivots to network enumeration, scanning for additional targets and preparing for lateral movement.
Defenders must now trace the attacker’s every step, analyze real-world malware artifacts, and uncover the full scope of the breach, all within a familiar Windows environment where trust is the greatest vulnerability.
The scenario is based on a real-world attack carried out in Colombia.
This month’s release is Part I of this great LFE, available with Defender. Stay tuned for Part II in the next releases!
Time to unlock the power of RAM analysis for Linux investigations and expose the evidence attackers try hardest to hide.
Using LiME and Volatility, participants will capture and dissect memory images to uncover hidden processes, injected code, malicious libraries, suspicious network traffic, and stealthy rootkits.
The hands-on labs that are part of this course simulate real attack flows, covering acquisition, process and network forensics, file system artifacts in RAM, and advanced kernel-level rootkit detection.
By the end of the course, trainees gain cutting-edge skills to hunt threats that evade traditional logs and disk forensics, sharpening their ability to respond to modern, memory-resident attacks.
This is the first-ever live macOS forensics lab in the world, a groundbreaking moment in experience-based cyber training!
Trainees will investigate a stealthy macOS malware case, using native tools and forensic techniques to expose hidden processes, subtle IOCs, and advanced evasion tactics. This unit sets a new global standard, giving analysts hands-on experience with macOS forensics at a level the industry has never seen before.
In this month’s campaign, we feature a spotlight that examines an actively exploited zero-day vulnerability in WinRAR that allows remote code execution through crafted archive files.
By abusing path traversal during extraction, attackers can drop malicious files (e.g., DLLs or LNKs) outside the intended directory, including the Windows Startup folder. From there, they achieve persistence, load secondary payloads, and expand access. The campaign highlights how a simple file extraction can become the entry point for compromise.
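The check below is an added example, not part of the campaign content or of any vendor's code: it resolves each archive entry name against the intended extraction directory using Windows path rules and flags entries that would land outside it, noting Startup-folder targets and the DLL/LNK file types mentioned above. The destination path, the entry names, and the indicator lists are constructed for illustration.

```python
import ntpath  # Windows path semantics, so the check behaves the same on any OS

# Assumed indicators for this example, based on the location and file types named in the text.
STARTUP_SUFFIX = r"\start menu\programs\startup"
RISKY_EXTENSIONS = {".dll", ".lnk"}

# Constructed sample data (not taken from a real archive).
SAMPLE_DEST = r"C:\Users\analyst\Downloads\extracted"
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "sub/../notes.txt",                # contains ".." but stays inside
    r"..\extracted_old\a.txt",         # sibling directory sharing a name prefix
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    "../../../Temp/helper.dll",
]


def resolve_target(dest_dir, entry_name):
    """Return the normalised, lower-cased path an entry would be written to."""
    joined = ntpath.join(dest_dir, entry_name.replace("/", "\\"))
    return ntpath.normcase(ntpath.normpath(joined))


def audit_entry(dest_dir, entry_name):
    """Return findings for one entry name; an empty list means it stays inside dest_dir."""
    root = ntpath.normcase(ntpath.normpath(dest_dir))
    target = resolve_target(dest_dir, entry_name)
    # Compare on a separator boundary so "extracted_old" does not pass as "extracted".
    if target == root or target.startswith(root + "\\"):
        return []
    findings = ["escapes-destination"]
    if STARTUP_SUFFIX in ntpath.dirname(target):
        findings.append("startup-folder")
    if ntpath.splitext(target)[1] in RISKY_EXTENSIONS:
        findings.append("risky-file-type")
    return findings


def audit_listing(dest_dir, entry_names):
    """Map each flagged entry name to its findings; clean entries are omitted."""
    return {n: f for n in entry_names if (f := audit_entry(dest_dir, n))}


if __name__ == "__main__":
    for name, findings in audit_listing(SAMPLE_DEST, SAMPLE_ENTRIES).items():
        print(f"{', '.join(findings):55} {name}")
```

Run against an archive listing before extraction, any non-empty result is a reason to quarantine the file rather than unpack it.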
Access this month’s campaign here.
Fall is the season of change, and if you are going to change something this time around, it should be an upward investment in your cyber readiness!
Book your next Live-Fire Exercise today, and if you’re not a Cyberbit customer already, now is your chance to embrace change and book a demo to see what hyper-realistic, experience-based readiness looks like.
