diff --git a/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/activemq_exploit_lockbit_ransomware.yml b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/activemq_exploit_lockbit_ransomware.yml
new file mode 100644
index 000000000..78f478151
--- /dev/null
+++ b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/activemq_exploit_lockbit_ransomware.yml
@@ -0,0 +1,19 @@
+author: Patrick Bareiss, Splunk
+id: 1d5e15bc-7eaf-46a2-8a92-ad9e3eb5cbb4
+date: '2026-04-28'
+description: Execution of ActiveMQ exploit and Lockbit ransomware based on the following DFIR report https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
+environment: attack_range
+directory: ActiveMQ_exploit_Lockbit_Ransomware
+datasets:
+- name: windows-sysmon
+  path: /datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- name: windows-security
+  path: /datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-security.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+- name: windows-powershell
+  path: /datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-powershell.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
\ No newline at end of file
diff --git a/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-powershell.log b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-powershell.log
new file mode 100644
index 000000000..8257dd999
--- /dev/null
+++ b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-powershell.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:405c2a15b183abd9f23e22eb18ddb65b562d9b80cca7a4338ffeddc26cbb6c4c
+size 57064933
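Review bot: The new dataset manifest ends without a trailing newline (`\ No newline at end of file` after the last `source:` entry), which yamllint reports and which will produce a spurious one-line diff on the next edit; add the final newline. The `description` value is a very long plain scalar carrying the report URL; a folded block scalar keeps the line length in bounds without changing the loaded value, e.g. `description: >-` followed by the sentence and the URL on indented continuation lines. It would also help consumers of this dataset if the description stated which stages of the referenced intrusion the three logs actually capture (the file name and directory suggest both the ActiveMQ exploitation and the ransomware deployment, but the text does not say), so a detection author knows what coverage to expect — confirm against the recorded data before wording it. `date: '2026-04-28'` is correctly quoted; keep it that way, since a bare ISO date would be loaded as a date object rather than a string by most parsers.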
diff --git a/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-security.log b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-security.log
new file mode 100644
index 000000000..0031a053f
--- /dev/null
+++ b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55555312391cf49c51fddbbd2c19aa09d7c1469205d0f3374bec68ad4df49a78
+size 21544480
diff --git a/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-sysmon.log b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-sysmon.log
new file mode 100644
index 000000000..d816d5ed3
--- /dev/null
+++ b/datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6fb7acc46cae31504b1d8fc7b731cfcbbfc61ef9819574a72d684c8ea47e9360
+size 20699440