As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Jessica Hyde at Hexordia
  Mobile Forensic Images and Acquisition Priorities
  
  
• Belkasoft
  Android WhatsApp Forensics. Part I: Acquisition
  
  
• Cyber 5W
  Chromium based browsers Investigation
  
  
• Cyber Triage
  Windows Scheduled Tasks for DFIR Investigations
  
  
• Hendrik Eckardt at cyber.wtf
  Recovering data from broken appliance VMDKs
  
  
• Dark Data Discovery
  Data Carving vs File Carving vs Disk Carving
  
  
• Doug Metz at Magnet Forensics
  Comae Memory and Network Analysis: Beginning an Incident Investigation
  
  
• Forensafe
  Investigating iOS SMS
  
  
• Zawadi Done and Francisco Dominguez at Hunt & Hackett
  Parsing Atop log files with Dissect
  
  
• Ian Whiffin at DoubleBlak
  Apple Maps – Visited Location?
  
  
• Eden Elazar at Palo Alto Networks
  Navigating the Cloud: Exploring Lateral Movement Techniques
  
  
• Lee Jun Hyeong at Plainbit
  How to decrypt malware in MS Defender Quarantine from Forensic image files
  
  
• Salvation DATA
  • Unveiling Forensic Insights through Video Motion Analysis Techniques
  • How to extract data from Telegram?
    
    
• Chad Tilbury at SANS
  Google Chrome Platform Notification Analysis
  
  
• Scott Koenig at ‘The Forensic Scooter’
  Update to Shared with You Syndication Media & Conversation Correlation
  
  
• The DFIR Report
  SEO Poisoning to Domain Control: The Gootloader Saga Continues
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  Remote Packet Capture
  
  
• Adam at Hexacorn
  • 1 little known secret of nslookup.exe
  • 1 little known secret of explorer.exe
    
    
• Agari
  O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks
  
  
• Dean Houari at Akamai
  Learning from the LockBit Takedown
  
  
• AttackIQ
  • Response to CISA Advisory (AA24-057A): SVR Cyber Actors Adapt Tactics for Initial Cloud Access
  • Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
    
    
• Avertium
  Everything You Need to Know About the Data Extortion Group, Snatch
  
  
• Dave Addison at BadOosb
  • Fluid Fraud Hunting – Getting Something From Nothing
  • Hunting For the ‘Contiinued’ Phish Kit
  • Havoc – Part Two – Finding Havoc C2 Team Servers
    
    
• Bitdefender
  • When Stealers Converge: New Variant of Atomic Stealer in the Wild
  • CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks
    
    
• Joff Thyer at Black Hills Information Security
  Initial Access Operations Part 2: Offensive DevOps
  
  
• Amanda Berlin at Blumira
  Real-World Examples of Detecting Attacks with Sysmon
  
  
• Cado Security
  • How to be IR Prepared in Google Cloud Platform (GCP)
  • Cado Releases H2 2023 Cloud Threat Findings Report
  • Aligning Forensic Investigations to the MITRE ATT&CK Framework
    
    
• Himaja Motheram at Censys
  ConnectWise ScreenConnect – CVE-2024-1709 & CVE-2024-1708
  
  
• CERT Ukraine
  • UAC-0149: Цільові вибіркові атаки у відношенні Сил оборони України із застосуванням COOKBOX (CERT-UA#9204)
  • АНОНС: Практичний семінар для кіберфахівців
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 24 Febbraio – 1 Marzo 2024
  
  
• Check Point
  • 26th February – Threat Intelligence Report
  • A Shadowed Menace : The Escalation of Web API Cyber Attacks in 2024
    
    
• CISA
  • SVR Cyber Actors Adapt Tactics for Initial Cloud Access
  • CISA, FBI, and HHS Release an Update to #StopRansomware Advisory on ALPHV Blackcat
  • CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities
  • #StopRansomware: Phobos Ransomware
  • Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
    
    
• Fabian Bader at Cloudbrothers
  Protect your users from Device Code Flow abuse
  
  
• Allen Marin at Corelight
  Confronting Persistence Techniques | Corelight
  
  
• CTF导航
  AsukaStealer：新型信息窃取恶意软件的分析
  
  
• Cyble
  • Vulnerable Fortinet Devices: Low-hanging Fruit for Threat Actors
  • AsukaStealer, a Revamped Version of the ObserverStealer, Advertised as Malware-as-a-Service
  • Ongoing Phishing Campaign Targets Healthcare and Cryptocurrency Users via ScreenConnect 
  • Cyble Chronicles  – March 1st, 2024: Latest Findings & Recommendations for the Cybersecurity Community
    
    
• Cyfirma
  Weekly Intelligence Report – 01 Mar 2024
  
  
• DomainTools
  • Enhancing Cybersecurity Incident Response with DomainTools: A Comprehensive Guide
  • Enhancing Vulnerability Management with CISA’s Playbook and DomainTools Data
    
    
• Elastic Security Labs
  Ransomware in the honeypot: how we capture keys with sticky canary files
  
  
• Ervin Zubic
  Are You Overlooking These 6 Questions in Your Intelligence Analysis?
  
  
• Esentire
  • XRed Backdoor: The Hidden Threat in Trojanized Programs
  • LockBit Ransomware Operations Might Be Down – Now What?
  • Beware the Bait: Java RATs Lurking in Tax Scam Emails
    
    
• FBI
  Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
  
  
• Fortinet
  • Ransomware Roundup – Abyss Locker
  • FortiGuard Labs Outbreak Alerts Annual Report 2023: A Glimpse into the Evolving Threat Landscape
    
    
• g0njxa
  Profiling Трафферы: An introduction to Traffers Teams
  
  
• Nati Tal and Oleg Zaytsev at Guardio
  “SubdoMailing” — Thousands of Hijacked Major-Brand Subdomains Found Bombarding Users With Millions…
  
  
• Harfanglab
  A Comprehensive Analysis Of I-soon’s Commercial Offering
  
  
• Huntress
  • SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
  • BlackCat Ransomware Affiliate TTPs | Huntress Blog
  • Attacking MSSQL Servers, Pt. II | Huntress Blog
    
    
• Michael Zuckerman at Infoblox
  The 2024 Healthcare Cyber Trend Research Report
  
  
• Nick Chalard at InQuest
  Tools of the (Illegitimate) Trade: Mock API
  
  
• Intel-Ops
  TA577 phishing campaign uses NTLMv2 handshakes to steal user credentials/hashes.
  
  
• David Cohen at JFrog
  Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor
  
  
• KELA Cyber Threat Intelligence
  Russia-Ukraine war: pro-Russian hacktivist activity two years on
  
  
• Bert-Jan Pals at KQL Query
  Detecting Post-Exploitation Behaviour
  
  
• Mandiant
  • Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
  • When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
    
    
• Rémi Pointel at MISP
  HarfangLab Use-Case with MISP
  
  
• Monty Security
  Hunting Cobalt Strike LNK Loaders
  
  
• Michael Dereviashkin at Morphisec
  Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland
  
  
• Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2024–02–26
  
  
• Orange Cyberdefense
  Mail in the Middle – A tool to automate spear phishing campaigns
  
  
• Ovi Liber
  RE:archive | APT37’s ROKRAT HWP Object Linking and Embedding
  
  
• Palo Alto Networks
  Today’s Attack Trends — Unit 42 Incident Response Report
  
  
• Prodaft
  Combating Insider Threats – Detection, Prevention, and Implementation
  
  
• Matthew Green at Rapid7
  How To Hunt For UEFI Malware Using Velociraptor
  
  
• Ben Webb at Recon Infosec
  The Lockbit Ransomware Group Disruption: Now What?
  
  
• Recorded Future
  Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, December 2023 (ENG)
  
  
• ReliaQuest
  Browser Credential Dumping
  
  
• Robin Dimyan
  Geopolitical Cyber Risk: Cyber Operations in Modern Warfare
  
  
• SANS Internet Storm Center
  • Utilizing the VirusTotal API to Query Files Uploaded to DShield Honeypot [Guest Diary], (Sun, Feb 25th)
  • Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th)
  • Exploit Attempts for Unknown Password Reset Vulnerability, (Wed, Feb 28th)
  • [Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service., (Thu, Feb 29th)
  • Scanning for Confluence CVE-2022-26134, (Fri, Mar 1st)
    
    
• Marc Brown at Scythe
  Adversarial Emulation’s Role as Transformative Agent in Cyber Insurance
  
  
• Securelist
  The mobile malware threat landscape in 2023
  
  
• D. Iuzvyk, T. Peck, and O. Kolesnikov at Securonix
  Securonix Threat Research Knowledge Sharing Series: Batch (DOS) Obfuscation or DOSfuscation: Why It’s on the Rise, and How Attackers are Hiding in Obscurity
  
  
• Sekoia
  • The Predator spyware ecosystem is not dead
  • NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts
    
    
• SentinelOne
  • PinnacleOne ExecBrief | China’s Hacking Ecosystem
  • February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
    
    
• Simone Kraus
  Demystification 8Base- Threat Hunting and Detection Opportunities
  
  
• SOCRadar
  • Dark Web Profile: Patchwork APT
  • DarkGate Malware: Exploring Threats and Countermeasures
  • Business Email Compromise (BEC) Attacks: A Sneaky Threat to Organizations
  • What is YARA, YARA v4.5.0 and YARA-X
    
    
• Splunk
  • Beyond Logs: Navigating Entity Behavior in Splunk Platform
  • Unveiling Phemedrone Stealer: Threat Analysis and Detections
    
    
• Ben Martin at Sucuri
  New Wave of SocGholish Infections Impersonates WordPress Plugins
  
  
• Nigel Douglas at Sysdig
  Container Drift Detection with Falco
  
  
• System Weakness
  • Demystifying Incident Response in Cybersecurity: Detecting, Triage, Classify, and Respond
  • RustDoor: Unveiling the New MacOS Backdoor Crafted in Rust Linked to Ransomware Syndicates
    
    
• Teri Radichel
  How A Crash Dump Can Be An Indication of Malware
  
  
• Trend Micro
  • Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
  • Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
    
    
• Edwin David at TrustedSec
  Weaponization of Token Theft – A Red Team Perspective
  

UPCOMING EVENTS

• Black Hills Information Security
  Fun with Office Macros w/ David Fletcher
  
  
• Christa Miller at DFRWS
  Two Keynote Speakers and 8 Workshops Headline the DFRWS EU 2024 Conference
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Digital Forensics Now Podcast – Episode 13
  
  
• Anuj Soni
  Decode Malware Strings with Conditional Breakpoints
  
  
• Black Hat
  Lessons Learned from the KA-SAT Cyberattack: Response, Mitigation and Information Sharing
  
  
• Black Hills Information Security
  • Talkin’ About Infosec News – 2/28/2024
  • BHIS – Talkin’ Bout [infosec] News 2024-03-04
  • REKAST – Talkin’ Bout [infosec] News 2024-02-26 #infosecnews #cybersecurity #podcast #podcastclips
    
    
• BlueMonkey 4n6
  Windows Shortcuts tricks you may not know – especially for Digital Forensics and Incident Response
  
  
• Breaking Badness
  Breaking Badness Cybersecurity Podcast – 180. I-Sooner or Later
  
  
• Cellebrite
  How to Export Files from Cellebrite Inseyets Powered by PA?
  
  
• CYBERWOX
  Redline InfoStealer Malware Analysis: Dynamic Analysis with Wireshark & ANY.RUN
  
  
• Digital Forensic Survival Podcast
  DFSP # 419 – What the Flux
  
  
• Hacker Valley Blue
  Types of Attack Surfaces
  
  
• Hardly Adequate
  Hardly a Week 8 February 27, 2024
  
  
• Hasherezade
  PE-sieve/HollowsHunter with custom signatures (SigFinder)
  
  
• InfoSec_Bret
  Challenge – PCAP Analysis
  
  
• John Hammond
  • Tracking Cybercriminals on Telegram
  • Sweet New Threat Intel Just Dropped
  • Free Coding Tool Distributes Malware
    
    
• Lee Whitfield at MacAdemia
  • User Interface – Part 2
  • User Interface – Part 3
  • What I do when I start a Mac for the first time – Part 1
    
    
• Magnet Forensics
  • Reviewing Email Evidence with Email Explorer in Magnet AXIOM Cyber
  • Tell the Story of your Evidence with Magnet Exhibit Builder
  • Animated Map Routes in Magnet AXIOM
  • Triaging Mobile Devices with Magnet OUTRIDER
    
    
• Microsoft Threat Intelligence Podcast
  Throwing Darts in the Dark With Microsoft Incident Response
  
  
• Mostafa Yahia
  DFIR (Windows Forensics) Course: Collecting system info from Registry hives
  
  
• MSAB
  Automating Python Scripts in XRY
  
  
• MyDFIR
  • How I Study for Exams (CERTIFICATIONS)
  • Cybersecurity SOC Analyst Lab – Malware Analysis (RTF Document)
    
    
• Paraben Corporation
  • Social Media and Smartphones Amber Schroader Paraben CACC 2020
  • E3 Processing of Email
    
    
• Richard Davis at 13Cubed
  Where’s the 4624? – Logon Events vs. Account Logons
  
  
• SalvationData
  Professional Smartphone Forensics Tools – SPF Pro
  
  
• Sandfly Security
  Sandfly Agentless Linux Security Quickstart
  
  
• SANS
  • Thinking DFIRently From Entry to Specialty
  • FOR528: Ransomware & Cyber Extortion Course Overview
    

MALWARE

• Any.Run
  DCRat: Step-by-Step Analysis in ANY.RUN
  
  
• Arda Büyükkaya
  Unpacking RC4 Encrypted Malware – REvil ransomware
  
  
• ASEC
  • Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant)
  • Phishing Malware That Sends Stolen Information Using Telegram API
    
    
• Jan Vojtěšek at Avast Threat Labs
  Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
  
  
• Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, and James Nutland at Cisco’s Talos
  TimbreStealer campaign targets Mexican users with financial lures
  
  
• Cyber 5W
  Pikabot Loader Detailed Analysis
  
  
• Dr Josh Stroschein
  Building a VM for Reverse Engineering and Malware Analysis! Installing the FLARE-VM
  
  
• ElementalX
  SpockStealer: Technical analysis of a Golang-based credential stealer.
  
  
• Matthew at Embee Research
  Advanced CyberChef Techniques for Configuration Extraction – Detailed Walkthrough and Examples
  
  
• Fortra’s PhishLabs
  DarkLoader Leads Malware Attacks in Q4
  
  
• Ron Bowes at GreyNoise Labs
  Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #177: Unused argument attribute
  
  
• Shusei Tomonaga at JPCERT/CC
  New Malicious PyPI Packages used by Lazarus
  
  
• Malwarebytes
  • One year later, Rhadamanthys is still dropped via malvertising
  • PikaBot malware on the rise: What organizations need to know 
    
    
• McAfee Labs
  • GUloader Unmasked: Decrypting the Threat of Malicious SVG Files
  • Rise in Deceptive PDF: The Gateway to Malicious Payloads
    
    
• NVISO Labs
  Covert TLS n-day backdoors: SparkCockpit & SparkTar
  
  
• Anmol Maurya and Siddharth Sharma at Palo Alto Networks
  The Art of Domain Deception: Bifrost’s New Tactic to Deceive Users
  
  
• Patrick Wardle at Objective-See
  Apple Gets an ‘F’ for Slicing Apples
  
  
• Petikvx
  • How to find samples with VT
  • Albabat effect
  • Frivinho effect
  • Caddy Wiper
    
    
• Pulsedive
  Balada Injector
  
  
• Richard Christopher
  Strela Stealer [IR/Malware Analysis]
  
  
• Sonatype
  • The curious case of ‘csrf-magic’: A case study in supply chain poisoning
  • npm packages spread ‘Bladeroid’ crypto-stealer, hijack your Instagram
    
    
• Melusi shoko at System Weakness
  Malicious Document Analysis using oletools — python tools to analyze Microsoft Office files
  
  
• Sudeep Singh and Roy Tay at ZScaler
  European diplomats targeted by SPIKEDWINE with WINELOADER
  

MISCELLANEOUS

• Marco Fontani at Amped
  Introducing DeepPlate, Amped’s Investigative Tool for AI-Powered License Plate Reading
  
  
• Brian Yonek
  Part 1 of Understanding the Incident Response Lifecycle: Preparing for the Storm
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  COPA v Wright – An Animated End to Craig Wright’s Satoshi Claims??
  
  
• Elan at DFIR Diva
  Free & Affordable Training News Monthly: Feb – Mar 2024
  
  
• Marvin Ngoma at Elastic
  A game of nations — How nation-states prepare for cyber threats with Locked Shields (part 2)
  
  
• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 03/01/2024
  
  
• Forensic Focus
  • Lionel Notari, Senior Consultant, Swiss FTS
  • Congress ‘Moving Too Slowly’ on Fake Child Sexual Abuse Material
  • Digital Forensics Round-Up, February 28 2024
  • Shwetha Krishna Panayapallil Sudhi, MSc Digital Forensic Graduate, Cranfield University
  • Forensic Focus Digest, March 01 2024
    
    
• Hex Rays
  IDA 8.4: Qt 5.15.2 sources & build scripts
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (3/1/2024)
  
  
• Magnet Forensics
  • Moving in the Right Direction with Animated Maps
  • MAG24 Hashing and Matching for Triage with VICS and CAID in Magnet OUTRIDER
  • Elevate Your Digital Forensics Reports with Magnet Exhibit Builder
    
    
• Matt Linton
  You can’t Incident Command an email thread
  
  
• SANS
  • A Visual Summary of SANS OSINT Summit 2024
  • A Tale of the Three *ishings: Part 02 – What is Smishing?
    
    
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.50!
  
  
• Teri Radichel
  I Created a Fake Entry In AWS VPC Flow Logs
  
  
• David González Cuautle at WeLiveSecurity
  Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses
  

SOFTWARE UPDATES

• Belkasoft
  What’s new in Belkasoft X v.2.4
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.5
  
  
• Costas K
  LNK & Jumplist Browser
  
  
• CyberYom
  Expanding your Toolkit: MFTAnalyzer
  
  
• Digital Sleuth
  winfor-salt v2024.3.5
  
  
• Magnet Forensics
  • Magnet AXIOM Cyber 7.10: AWS Sign-in Improvements & Animated Maps
  • Magnet AXIOM 7.10: Animated Maps, Email Explorer, New License Packages, and So Much More
    
    
• Manabu Niseki
  Mihari v7.4.0
  
  
• MasterParser
  MasterParser-v2.4
  
  
• OpenCTI
  6.0.3
  
  
• Oxygen Forensics
  • Oxygen Remote Explorer v.1 Updates
  • Oxygen Forensic® Detective v.16 Updates
    
    
• Passmark Software
  OSForensics – V11.0 build 1005 28th February 2024
  
  
• Regipy
  4.0.0
  
  
• Security Onion
  Security Onion 2.3.290 now available including Suricata and Zeek updates!
  
  
• Sigma
  r2024-02-26
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!