As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Investigating Google Drive for Desktop: A Forensic Guide
  • Automating Google Drive Forensics: Tools & Techniques
  • Dropbox Forensic Investigations: Logs, Activity Tracking, and External Sharing
    
    
• Belkasoft
  Lessons Learned from the Silk Road Investigation
  
  
• Brian Maloney
  OneDrive Offline Mode (Recallish vibes)
  
  
• Christopher Eng at Ogmini
  • CISSP – Study Plan
  • Diving Deep – LevelDB Part 3
  • CISA IR Training – Introduction to Log Management (IR210)
  • Diving Deep – LevelDB Part 4
  • Diving Deep – LevelDB Part 5
  • POC Malware – Part 2
  • POC Malware – Part 3
    
    
• Cyber Triage
  What Is a Jump List? Complete Guide for Users and Investigators
  
  
• Damien Attoe
  ROWID Reuse in SQLite Databases
  
  
• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #730: Sunday Funday 1/26/25
  • Daily Blog #731: Accessing multiple shadow copies at once with AIM
  • Daily Blog #732: Multiple Identity Provider Disorder
  • Daily Blog #733: Test Kitchen building cloud tools with cursor
  • Daily Blog #734: My favorite interview question
  • Daily Blog #735: Zeltser Challenge Spotlight on Argelius Labs
  • Daily Blog #736: Solution Saturday 2/1/25
    
    
• Oleg Afonin at Elcomsoft
  The Evolution of iOS Passcode Security
  
  
• Forensafe
  iOS Waze
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Please don’t delete your logs
  
  
• Ilya Kobzar
  • Diving into Master Boot Record
  • LevelDB WAL log – extracting ChatGPT conversations
    
    
• Samer Al-Bakhlul, Justus Hoffmann, and Lucas Wenzel at Insinuator.net
  Jigsaw RDPuzzle: Piecing Attacker Actions Together
  
  
• SJDC
  • Mobile Device Pattern-of-Life Data and Privacy in Significant Event Investigations
  • Capturing Android Dumpsys/Logcat Logs
    
    
• David Varghese at Source Code
  TryHackMe: MBR and GPT Analysis
  
  
• The DFIR Journal
  Prefetch Files: Identifying Files Targeted by Data Extraction, Staging and Exfiltration
  
  
• The DFIR Report
  Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
  
  
• James McGee at The Metadata Perspective
  Beyond the Logs: Using the Health App to Uncover Device Model and OS History
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Files of interest
  
  
• Adam Goss
  STIX/TAXII: A Full Guide to Standardized Threat Intelligence Sharing
  
  
• Andrew Petrus
  Exploring PowerShell Reflective Loading in Lumma Stealer
  
  
• Any.Run
  How ANY.RUN Helps Healthcare Organizations Against Ransomware: Interlock Case Study
  
  
• Shusei Tomonaga at APNIC
  • Recent cases of watering hole attacks: Part 1
  • Recent cases of watering hole attacks: Part 2
    
    
• Francis Guibernau at AttackIQ
  Emulating the Splintered Hunters International Ransomware
  
  
• Marshall Jones at AWS Security
  Testing and evaluating GuardDuty detections
  
  
• Martin Zugec at Bitdefender
  UAC-0063: Cyber Espionage Operation Expanding from Central Asia
  
  
• Black Hills Information Security
  Questions From a Beginner Threat Hunter
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2025-01-23: Fake installer leads to Koi Loader/Koi Stealer
  • 2025-01-28: Malwre infection from web inject activity
  • 2025-01-30: XLoader infection
  • 2025-01-31: Two pcaps of AgentTesla-style data exfil, one using FTP and one using SMTP
    
    
• Joseph Varghese at Cado Security
  How the Cado Platform Reveals Attacker Command Outputs: An Update
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 25 – 31 gennaio
  
  
• Check Point
  27th January – Threat Intelligence Report
  
  
• CISA
  CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware
  
  
• Cisco
  • Top Threat Tactics and How to Address Them
  • AI Cyber Threat Intelligence Roundup: January 2025
    
    
• Cisco’s Talos
  • New TorNet backdoor seen in widespread campaign
  • Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike
    
    
• Cofense
  • Malware Alert: Fake Judicial Review Emails Deliver SapphireRAT Targeting Latin American Victims
  • Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns
    
    
• Vasilis Orlof at Cyber Intelligence Insights
  Keeping up with the Infostealers
  
  
• Cybereason
  Phorpiex – Downloader Delivering Ransomware
  
  
• Cyble
  DeepSeek’s Growing Influence Sparks a Surge in Frauds and Phishing Attacks
  
  
• Cyfirma
  Weekly Intelligence Report – 31 Jan 2025
  
  
• Cyjax
  • Importance of Speed in Threat Intelligence
  • A New Amazonian? Data-Leak Site Emerges for New Extortion Group GD LockerSec
  • The Ultimate Guide To Ransomware: Understanding, Identifying and Preventing Attacks
  • Babuk Ba-back? Potential Return of the Infamous RaaS Group
  • 2024 Year in Review: ransomware groups, hacktivists, and IABs targeting the Middle East
  • New year’s reconnaissance resolutions! 
    
    
• Disconinja
  日本におけるC2サーバ調査(Week 4 2025)
  
  
• Steve Behm at DomainTools
  Automated Discovery of Chenlun Domains – Splunk Enterprise Security
  
  
• Elastic Security Labs
  • Announcing the Elastic Bounty Program for Behavior Rule Protections
  • Linux Detection Engineering – A Continuation on Persistence Mechanisms
    
    
• Esentire
  Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG Privilege Escalation Tool
  
  
• Farnsworth Intelligence
  North Korean IT Farms IoC Document and Recommendations
  
  
• Flashpoint
  Unmasking FleshStealer: A New Infostealer Threat in 2025
  
  
• Google Cloud Security Community
  Strategic Threat Intelligence for Financial Institutions
  
  
• Google Cloud Threat Intelligence
  • Adversarial Misuse of Generative AI
  • ScatterBrain: Unmasking the Shadow of PoisonPlug’s Obfuscator
    
    
• GreyNoise
  • Hackers Actively Exploiting Fortinet Firewalls: Real-Time Insights from GreyNoise
  • Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891)
    
    
• Ron Bowes at GreyNoise Labs
  How-To: Linux Process Injection
  
  
• Group-IB
  Cat’s out of the bag: Lynx Ransomware-as-a-Service
  
  
• GuidePoint Security
  • GRIT 2025 Report: Post-Compromise Detection Strategies
  • Ongoing report: Babuk2 (Babuk-Bjorka)
    
    
• Hacking Articles
  • Diamond Ticket Attack: Abusing kerberos Trust
  • Credential Dumping: AD User Comment
  • AD Recon: Kerberos Username Bruteforce
    
    
• HackTheBox
  How Mustang Panda collects sensitive intelligence with multi-stage attacks (Attack Anatomy)
  
  
• hasherezade’s 1001 nights
  Process Hollowing on Windows 11 24H2
  
  
• Hunt IO
  • How SSL Intelligence and SSL History Can Supercharge Threat Hunting
  • SparkRAT: Server Detection, macOS Activity, and Malicious Connections
    
    
• Renée Burton at Infoblox
  Pushed Down the Rabbit Hole
  
  
• Intel 471
  Remote Monitoring and Management (RMM) Abuse
  
  
• KELA Cyber Threat Intelligence
  Is GDLockerSec Really Targeting AWS?
  
  
• KQL Query
  Monitor For New Actions In Sentinel And MDE
  
  
• Brian Krebs at Krebs on Security
  • A Tumultuous Week for Federal Cybersecurity Efforts
  • Infrastructure Laundering: Blending in with the Cloud
  • FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang
    
    
• Jérôme Segura at Malwarebytes
  Microsoft advertisers phished via malicious Google ads
  
  
• Maverits
  APT28, the long hand of Russian interests
  
  
• Mohammed AlAqeel
  DFIR Investigation Tip : Investigate the exploits of LLMNR Poisoning and SMB Relay Attacking
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 026. Threat Actors Abuse Printui.exe for DLL Search Order Hijacking
  • 027. SANS Cyber Threat Intelligence Summit 2025: My Picks (Day 1)
  • 028. SANS Cyber Threat Intelligence Summit 2025: My Picks (Day 2)
  • 029. Babuk or not Babuk?
  • 030. Ransomware Gangs Use SSH Tunneling for Stealthy Persistence in VMware ESXi infrastructure
  • 031. What’s Hex Staging and How to Detect It
  • 033. Free Google Threat Intelligence Course
  • 032. DarkGate Delivery via ClickFix Attack: Detection and Hunting Opportunities
    
    
• Sebastian Kandler at OSINT Team
  Testing SIEM Detections Against Ransomware Using PsExec
  
  
• Palo Alto Networks
  • CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia
  • Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek
    
    
• Ariel Ropek and Remy Kullberg at Panther
  Sigma Rules: Your Guide to Threat Detection’s Open Standard
  
  
• Positive Technologies
  Cyberthreats to industrial IoT in the manufacturing sector
  
  
• Proofpoint
  • Security Brief: Threat Actors Take Taxes Into Account
  • HTTP Client Tools Exploitation for Account Takeover Attacks
    
    
• Christiaan Beek at Rapid7
  The 2024 Ransomware Landscape: Looking back on another painful year
  
  
• Raymond Roethof
  Microsoft Defender for Identity Recommended Actions: Reversible passwords found in GPOs
  
  
• Recorded Future
  TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base
  
  
• SANS Internet Storm Center
  • An unusual “shy z-wasp” phishing, (Mon, Jan 27th)
  • Fileless Python InfoStealer Targeting Exodus, (Tue, Jan 28th)
  • From PowerShell to a Python Obfuscation Race!, (Wed, Jan 29th)
  • To Simulate or Replicate: Crafting Cyber Ranges, (Fri, Jan 31st)
  • PCAPs or It Didn’t Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary], (Thu, Jan 30th)
    
    
• Evgeny Goncharov at Securelist
  Threat predictions for industrial enterprises 2025
  
  
• Security Scorecard
  Operation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign
  
  
• SentinelOne
  • Cloud Ransomware Developments | The Risks of Customer-Managed Keys
  • X Phishing | Campaign Targeting High Profile Accounts Returns, Promoting Crypto Scams
    
    
• Silent Push
  Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech
  
  
• SOCRadar
  • Dark Web Profile: FunkSec
  • Dark Web Profile: Termite Ransomware
  • Dark Web Profile: RA World
    
    
• Sophos
  Update: Cybercriminals still not fully on board the AI train (yet)
  
  
• SquareX Labs
  Browser Syncjacking: How Any Browser Extension can Be Used to Takeover Your Device
  
  
• Aiden Mitchell at Sublime Security
  Credential phishing Charles Schwab account holders with 2FA bypass
  
  
• THOR Collective Dispatch
  • A DEATHCON Thrunting Workshop Overview Part 2: Exploring Data Sources
  • Welcome to the THOR Collective Dispatch
  • A DEATHCON Thrunting Workshop Overview Part 1: Helloooooooo thrunters. 👋
    
    
• Tyler Hudak at Inversion6
  We Need to Talk About Microsoft Quick Assist: An IT Security Primer
  
  
• Kenneth Kinion at Valdin
  X Phishing: 6 Pivoting Techniques for Threat Hunting
  
  
• VMRay
  From analysis to action: Enhancing government threat models with malware insights
  
  
• watchTowr Labs
  Get FortiRekt, I am the Super_Admin Now – FortiOS Authentication Bypass CVE-2024-55591
  
  
• Zolder
  Phishing for Refresh Tokens 
  
  
• ZScaler
  7 Ransomware Predictions for 2025: From AI Threats to New Strategies
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-02-05 #livestream #infosec #infosecnews
  
  
• Cyber5w
  IoT Forensics Webinar: Investigating Crime Caught on Camera
  
  
• Doug Metz at Baker Street Forensics
  Upcoming talks at Magnet Virtual Summit 2025
  
  
• Gerald Auger at Simply Cyber
  • SOC Operations and Metrics with Hayden Covington | S2 E4: Simply Defensive
  • From Navy Red Team to Blue Team – David Perez’s Cybersecurity Journey | S2 E5: Simply Defensive
    
    
• Kevin Pagano at Stark 4N6
  Magnet Virtual Summit 2025 CTF Workshop
  
  
• Magnet Forensics
  Cyber Unpacked S1:E4 // Return of the AI: A new hope (or a new threat)
  
  
• SANS
  Ask the Authors: The Foundations and Future of ICS/OT Security
  

PRESENTATIONS/PODCASTS

• Belkasoft
  Alexis Brignoni “Analysis of SEGB Files: Commercial Tools, Open-Source Tools, and Custom Scripts”
  
  
• Black Hills Information Security
  REKAST – Talkin’ Bout [infosec] News 2025-01-27 #infosecnews #cybersecurity #podcast #podcastclips
  
  
• Breaking Badness
  Leveling Up Mental Health: Tackling Gaming Toxicity and Cybersecurity Burnout 
  
  
• Cellebrite
  Tip Tuesday – Chat Capture Part Three
  
  
• Cyber Secrets
  Graphics Metadata – EXIF XMP IPTC-IIM DICOM – XnView
  
  
• Eclypsium
  BTS #44 – Network Appliances: A Growing Concern
  
  
• Gerald Auger at Simply Cyber
  From Marine to Mandiant with Ryan Rath | Cybersecurity Mentors Podcast S2 E4
  
  
• InfoSec Deep Dive
  Incident Response: Behind the Scenes
  
  
• Intel 471
  How threat actors are using artificial intelligence
  
  
• John Hammond
  the FBI gottem
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Binary Refinery URL extraction of Multi-Layered PoshLoader for LummaStealer
  
  
• Magnet Forensics
  • Banish your mobile device backlogs and bottlenecks with Magnet Graykey Fastrak and Magnet Automate
  • Mobile Unpacked S3:E1 // ADB: It’s easy as ABC – Understanding the power of ADB commands
    
    
• MSAB
  MSAB RAMalyzer Deepscan
  
  
• MyDFIR
  CyberDefenders SOC Analyst Lab – Memory Analysis (Reveal)
  
  
• SANS
  • SANS Threat Analysis Rundown in Review: SANS CTI Summit Preview
  • A Visual Summary of SANS CTI Summit 2025
  • Series One Roundup
    
    
• SentinelOne
  LABScon24 Replay | Follow the Money: Uncovering the Incorporation and the CCP’s Ownership of Chinese Firms Investing in the USA
  
  
• The Cyber Mentor
  LIVE: Blue Teaming | Sherlocks 🔎 | Cybersecurity | HackTheBox | AMA
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 244 – Experts Live Denmark is sold out!
  

MALWARE

• Kyle Lefton & Larry Cashdollar at Akamai
  Active Exploitation: New Aquabot Variant Phones Home
  
  
• Tonmoy Jitu at Denwp Research
  Analyzing a Fully Undetectable (FUD) macOS Backdoor
  
  
• Dr Josh Stroschein
  Analyzing Shellcode – Finding the Entry Point Based Off Position Independence
  
  
• Dr. Web
  • Doctor Web’s review of virus activity on mobile devices in 2024
  • Doctor Web’s annual virus activity review for 2024
    
    
• Cara Lin at Fortinet
  Coyote Banking Trojan: A Stealthy Attack via LNK Files
  
  
• M4shl3
  Malware Analysis – Javascript Deobfuscation
  
  
• Patrick Wardle at Objective-See
  The Mac Malware of 2024
  
  
• RevEng.AI Blog
  One ClickFix and LummaStealer reCAPTCHA’s Our Attention – Part 1
  
  
• Fareed Radzi at Securelist
  No need to RSVP: a closer look at the Tria stealer campaign
  
  
• Kirill Boychenko and Peter van der Zee Socket
  North Korean APT Lazarus Targets Developers with Malicious npm Package
  
  
• Buddy Tancio, Fe Cureg, and Jovit Samaniego at Trend Micro
  Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response
  
  
• Fernando Ortega at Zimperium
  Hidden in Plain Sight: PDF Mishing Attack
  
  
• ZScaler
  Technical Analysis of Xloader Versions 6 and 7 | Part 1
  

MISCELLANEOUS

• John Lukach at 4n6ir
  Artifacts – BLAKE3
  
  
• AboutDFIR
  • DFIR Jobs Updated!
  • 2025 DFIR Conferences Updated
    
    
• Brett Shavers
  How Mistakes Shape DF/IR Investigations
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 01/27/25
  
  
• David Hope at Elastic
  Realizing the business value of OpenTelemetry-native observability
  
  
• Erik Hjelmvik at Netresec
  Blocking Malicious sites with a TLS Firewall
  
  
• Flare
  Flare Academy is Here!
  
  
• Forensic Focus
  • Exterro Launches INFORM: A Ground-Breaking Global Webinar Series To Advance Digital Forensics
  • UK Government Seeks Expert Views On Computer Evidence
  • UPCOMING WEBINAR – From Data To Evidence In Record Time: See Detego’s Advanced Analytics In Action
  • Digital Forensics Round-Up, January 29 2025
  • Oxygen Forensics CEO Lee Reiber: The Digital Forensics Landscape In 2025 – What Lies Ahead? 
    
    
• InfoSec Write-ups
  Splunk Series: Creating a Dashboard to Visualize Your Data (Part 4)
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (2/1/2025)
  
  
• Nextron Systems
  Why Prevention Isn’t Enough: How a Second Line of Defense Protects Your Business
  
  
• Jelle Aerts at NVISO Labs
  Backups & DRP in the ransomware era
  
  
• Oxygen Forensics
  • Customer Story: A versatile tool built for optimum investigator experience
  • How Oxygen Analytic Center provides real-time collaboration anytime you need it
    
    
• Patrick Siewert at ‘The Philosophy of DFIR’
  The Pyramid of DF/IR Expertise
  
  
• Security Onion
  CentOS Stream 9 and other Unsupported Network Installations
  
  
• Sygnia
  How to Run Incident Response Tabletop Exercises in 2025
  
  
• Quentin Roland at Synacktiv
  Abusing multicast poisoning for pre-authenticated Kerberos relay over HTTP with Responder and krbrelayx
  
  
• Teri Radichel
  What Can An Attacker View in TLS Encrypted Traffic?
  
  
• Gal Nagli at Wiz
  Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History
  

SOFTWARE UPDATES

• Alexis Brignoni
  iLEAPP v2.0.4
  
  
• Apache Tika
  Release 3.1.0 – 01/28/25
  
  
• Brian Maloney
  OCRMe
  
  
• Digital Sleuth
  winfor-salt v2025.3.5
  
  
• k1nd0ne
  VolWeb v3.13.3
  
  
• Magnet Forensics
  • Magnet Axiom Cyber 8.9: Improving email threads in Email Explorer and Magnet Review integration enhancements
  • Magnet Axiom 8.9: Added Magnet Review integration for even faster evidence sharing and collaborating
    
    
• Martin Willing
  Microsoft-Analyzer-Suite v1.3.0
  
  
• OpenCTI
  6.4.10
  
  
• Passcovery
  Passcovery 25.01 – GPU-Accelerated Password Recovery Software Update
  
  
• Passmark Software
  OSForensics V11.1 build 1000 30th January 2025
  
  
• Phil Harvey
  ExifTool 13.17
  
  
• Sandfly Security
  Sandfly 5.3 – Detailed Host Forensics and Microsoft Sentinel Integration
  
  
• Xways
  X-Ways Forensics 21.4 Beta 3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!