As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Amnesty International Security Lab
  - Journalists targeted with Pegasus spyware
- Andrew Malec
  - Generate custom profile using btf2json
- Belkasoft
  - Windows Registry Forensics: Analysis Techniques
- Christopher Eng at Ogmini
  - Expectations vs Reality – Digital Forensic Science Master’s Degree Part 6
  - GaslitPad – DNS Communication
  - David Cowen Sunday Funday Challenge – SSH Artifacts in Windows 11
  - SSH Artifacts in Windows 11 – Part 1
  - SSH Artifacts in Windows 11 – Part 2
  - SSH Artifacts in Windows 11 – Part 3
  - Reverse Engineering Rewrite API
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  - Daily Blog #786: Sunday Funday 3/23/25
  - Daily Blog #787: Things not to do when creating test clouds part 1
  - Daily Blog #788: Things not to do when creating test clouds part 2
  - Daily Blog #789: Things not to do when creating test clouds part 3
  - Daily Blog #790: Is your new contractor from North Korea?
  - Daily Blog #791: Can google gemini 2.5 pro write forensic training materials?
  - Daily Blog #792: Solution Saturday 3/29/25
- Forensafe
  - Android Gettr
- Kevin Pagano at Stark 4N6
  - Magnet Virtual Summit 2025 CTF – Android Takeout
- Lionel Notari
  - Don’t Trust the Clock: Timestamp Discrepancies in iOS Unified Logs
- Vamsi Krishna Chinta at Paraben Corporation
  - Windows Log Analysis: From Raw Data to Forensic Insights
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Unmasking the Hackers: A Complete Guide to Threat Actors
- Akamai
  - Detecting and Mitigating an Authorization Bypass Vulnerability in Next.js
- Akash Patel
  - Why Code Injection is a Hacker’s Favorite Trick and How to Detect It through Memory forensic
  - Part 3 Code Injection : How to detect it and Finding Evil in Memory with MemProcFS FindEvil Plugin
  - Equifax to WazirX: Lessons in Cybersecurity Failures
  - Identifying Malicious Software: A Guide for Incident Responders
- Apophis
  - CryptBot v3 PowerShell
- ASEC
- Attack the SOC
  - Using KQL to Detect Gaps in your Conditional Access Strategy
- Martin Zugec at Bitdefender
  - RedCurl’s Ransomware Debut: A Technical Deep Dive
- Lawrence Abrams at BleepingComputer
  - Microsoft Trusted Signing service abused to code-sign malware
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
  - When Getting Phished Puts You in Mortal Danger
- Cado Security
- CERT-AGID
  - The consequences of the INPS-themed smishing materialize: stolen documents for sale online
  - Policlinico Gemelli in Rome targeted by malicious actors
  - New malicious wave via PEC: MintsLoader now distributes AsyncRat
  - Summary of malicious campaigns in the week of 22 – 28 March
- Chainalysis
  - United States DOJ and FBI Seize Cryptocurrency in Major Disruption of Hamas Terrorist Financing Scheme
- Check Point
- Guilherme Venere at Cisco’s Talos
  - Gamaredon campaign abuses LNK files to distribute Remcos backdoor
- CloudSEK
  - Part 2: Validating the Breach Oracle Cloud Denied – CloudSEK’s Follow-Up Analysis
  - YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks
  - Beyond the Scanner: How Phishers Outsmart Traditional Detection Mechanisms
  - How SVigil Prevented a Massive Supply Chain Breach in Banking Infrastructure?
  - How an Exposed Jenkins Instance Led to a Full-Scale Infrastructure Compromise
- Coalition, Inc.
  - Inside the Ransomware Playbook: How Threat Actors Gain Network Access
- Cofense
- Keith J. Jones at Corelight
  - Leveraging Map-Reduce & LLMs for Network Detection | Corelight
- Covertshell
  - VeePN Chrome Extension: A Deep Dive into Security Risks and Privacy Concerns
- Cyble
  - FizzBuzz to FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers
  - Cyble Sensors Detect Exploit Attempts on Ivanti, AVTECH IP Cameras
  - TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  - Hacktivists Increasingly Target France for Its Diplomatic Efforts
- Cyfirma
  - Weekly Intelligence Report – 28 Mar 2025
- Cyjax
- Datadog Security Labs
  - Understanding CVE-2025-29927: The Next.js Middleware Authorization Bypass Vulnerability
- Detect FYI
- Disconinja
  - C2 server survey in Japan (Week 12 2025)
- Daniel Schwalbe at DomainTools
  - March 2025 DTI Newsletter: I Like Newsletters and I Cannot Lie
- Dosxuz
- Dylan Tran and Jimmy Bayne at IBM
  - Fileless lateral movement with trapped COM objects
- Justin Higdon at Elastic
  - Hunting with Elastic Security: Unmasking concealed artifacts with Elastic Stack insights
- Esentire
  - The Long and Short(cut) of It: KoiLoader Analysis
- F5 Labs
- Falco
  - Blog: Detecting Supply Chain Attacks with Falco Actions
- g0njxa
  - Approaching stealers devs: a brief interview with EncryptHub (Fickle Stealer)
- Google Cloud Security Community
  - New to Google SecOps: Cast-ing a Wider Net: True or False?
- GreyNoise
  - Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
- Group-IB
- Hudson Rock
  - Arkana Ransomware Group Hacks WideOpenWest Using Data from an Infostealer Infection
- Hunt IO
  - A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io
- Infoblox
  - A Phishing Tale of DoH and DNS MX Abuse
- InfoSec Write-ups
- Intrinsec
  - From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025
- Jeffrey Bellny at CatchingPhish
  - You’ve got mail: Hiding behind a “Locked” Webpage
- Hayato Sasaki at JPCERT/CC
  - Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup
- Neil Cohen at Kasada
  - CAPTCHA’s Demise: Multi-Modal AI is Breaking Traditional Bot Management
- Adam Goss at Kraven Security
  - Unmasking the Hackers: A Complete Guide to Threat Actors
- Nischal Khadgi and Ujwal Thapa at Logpoint
  - ClickFix: Another Deceptive Social Engineering Technique
- m41-carbine
  - Making Detections Great Again
- Marcus Hutchins
  - The US Needs A New Cybersecurity Strategy: More Offensive Cyber Operations Isn’t It
- Nisos
  - DPRK IT Worker Scam: Mitigation Steps for Hiring Teams
- Oleg Skulkin at ‘Know Your Adversary’
- Orange Cyberdefense
  - Browser Cache Smuggling: the return of the dropper
- OSINT Team
- Nathaniel Quist at Palo Alto Networks
  - Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration
- Patrick Wardle at Objective-See
  - TCCing is Believing: Apple finally adds TCC events to Endpoint Security!
- Adithya Vellal at Petra Security
  - Unmasking A Slow and Steady Password Spray Attack
- Tony Lambert, Susannah Clark Matt, and Stef Rand at Red Canary
  - 2025 Threat Detection Report: Practitioner playbook
- Resecurity
  - Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor’s Infrastructure
- ReversingLabs
- S-RM
  - Ransomware in focus: Meet NightSpire
- Sandfly Security
  - Detecting Bincrypter Linux Malware Obfuscation
- SANS Internet Storm Center
  - Let’s Talk About HTTP Headers., (Sun, Mar 23rd)
  - Privacy Aware Bots, (Mon, Mar 24th)
  - [Guest Diary] Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest, (Wed, Mar 26th)
  - X-Wiki Search Vulnerability exploit attempts (CVE-2024-3721), (Tue, Mar 25th)
  - Sitecore “thumbnailsaccesstoken” Deserialization Scans (and some new reports) CVE-2025-27218, (Thu, Mar 27th)
  - A Tale of Two Phishing Sites, (Fri, Mar 28th)
- Securelist
- Silent Push
  - New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players
  - Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks
  - Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
- SOCRadar
  - Dark Web Market: Russian Market
- Sophos
- Chris Thompson at SpecterOps
  - Do You Own Your Permissions, or Do Your Permissions Own You?
- Splunk
- SquareX Labs
- Peter Djordjevic at Sublime Security
  - Tycoon 2FA credential phishing with cloned internal employee login
- Puja Srivastava at Sucuri
  - Hidden Malware Strikes Again: Mu-Plugins Under Attack
- Sygnia
- Adarsh Pandey at System Weakness
  - Deep Dive into KQL Queries for Threat Hunting: Real-World Applications
- Thinkst Thoughts
  - Detect Identity Compromise with SAML IdP App Canarytokens
- Third Eye intelligence
  - “Who Did It? Unmasking Threat Actors in Cyber Intelligence (The 5W Sequel)”
- THOR Collective Dispatch
- Threatmon
  - How to Detect and Respond to Stealer Log Incidents: 10 Tips
- Trend Micro
- Kenneth Kinion at Valdin
  - Pulling the Threads on the Phish of Troy Hunt
- Wietze Beukema
  - Bypassing Detections with Command-Line Obfuscation
- Wiz
  - IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
- Solar 4RAYS Blog
  - Expanding the arsenal: Shedding Zmiy uses the Puma rootkit in new attacks
UPCOMING EVENTS
- Arman Gungor at Metaspike
  - Forensic Email Collector — OneDrive & SharePoint Technology Showcase
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2025-03-24 #livestream #infosec #infosecnews
- Cellebrite
- Cyber5W
  - Threat Actor Desktop – Kali Linux
- John Hammond
  - we’re hosting a conference
- Magnet Forensics
- Silent Push
  - Webinar – The Evolving Web of Scattered Spider
PRESENTATIONS/PODCASTS
- Adam Svoboda
  - Demystifying Endpoint Detection and Response (Conference Talk)
- Adversary Universe Podcast
  - Meet LUNAR SPIDER: The Inner Workings of an eCrime Adversary
- Black Hills Information Security
- BrakeSec Education Podcast
  - March23: buy browser extensions, attackers don’t need exploits, socvel CTI quiz
- Breaking Badness
  - From ValleyRAT to Silver Fox: How Graph-Based Threat Intel is Changing the Game
- BSides Cape Town
  - BSides Cape Town 2024
- BSidesROC
  - BSidesROC 2025
- Cellebrite
  - Tip Tuesday: Media Classification
- Cloud Security Podcast by Google
  - EP216 Ephemeral Clouds, Lasting Security: CIRA, CDR, and the Future of Cloud Investigations
- HackTheBox
  - From Theory to Action: How dynamic benchmarking transforms cybersecurity readiness
- Huntress
  - Credential Access 101 – How Threat Actors Target Sensitive Data | Tradecraft Tuesday
  - Lateral Movement Simplified | How Threat Actors Pivot Across Networks | Tradecraft Tuesday
  - Brute Force Attacks: Why Hackers Still Use Them | Tradecraft Tuesday
  - SOC Incident Walkthrough: How a Simple Brute Force Attack Led to Credential Theft
- John Hammond
  - this MP3 file is malware
- LaurieWired
  - ghidraMCP: Now AI Can Reverse Malware
- Magnet Forensics
- MSAB
- MyDFIR
  - I Got a Suspicious Sponsorship Offer… Here’s What I Discovered
- OALabs
  - Reverse Engineering Process Tokens Part 1
- PowerShellConferenceEU
  - Echoes of Intrusion: Demystifying commonly used MS Graph API Attacks – Miriam Wiesner – PSConfE…
- SentinelOne
  - LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware
- The Cyber Mentor
- The Microsoft Security Insights Show
  - The Microsoft Security Insights Show Episode 254 – WIC Month, Ritu Lamba
- Three Buddy Problem
  - SignalGate and ID management hiccups, PuzzleMaker and Chrome 0days, Lab Dookhtegan returns
MALWARE
- Adam at Hexacorn
  - Malware Source code string extraction
- Mohamed Talaat at Any.Run
  - GorillaBot: Technical Analysis and Code Similarities with Mirai
- Nick Cerne at Bishop Fox
  - Rust for Malware Development
- CISA
  - CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure
- Cybereason
  - The Curious Case of PlayBoy Locker
- Dark Atlas
  - Delivering Trojans Via ClickFix Captcha
- Deep Instinct
  - RaaS Evolved: LockBit 3.0 vs LockBit 4.0
- Dr. Web
- Elastic Security Labs
  - The Shelby Strategy
- Flashpoint
  - IOCONTROL Malware: A New Threat Targeting Critical Infrastructure
- Chris Campbell at Inde
  - I Am Not A Robot
- Jack’s Substack
  - Malicious Ukrainian themed DELTA Android Application Analysis
- Suresh Reddy at K7 Labs
  - Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads
- Lordx64
  - First Pump.Fun Malware Identified: A Threat Leading to XWorm malware infection
- Dexter Shin at McAfee Labs
  - New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI
- Phil Stokes & Raffaele Sabato at SentinelOne
  - ReaderUpdate Reforged | Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants
- Kush Pandya at Socket
  - Obfuscation 101: Unmasking the Tricks Behind Malicious Code
- Brett Stone-Gross at ZScaler
  - CoffeeLoader: A Brew of Stealthy Techniques
- Шифровальщики-вымогатели (The Digest “Crypto-Ransomware”)
MISCELLANEOUS
- Alex Teixeira
  - Becoming a Detection Engineering Contractor, Part II — The Preparation
- Anton Chuvakin
  - The Return of the Baby ASO: Why SOCs Still Suck?
- Brett Shavers
  - Coming in 2025: Placing the Suspect Behind the Keyboard: DF/IR Investigative Strategies, Volume 3
- Brett Shavers at DFIR.Training
  - You Took a Tool Course, Not a Forensics Course. Stop Confusing the Two
- Cellebrite
  - Navigating the Challenges of Modern Digital Investigations
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 03/24/25
- Doug Metz at Baker Street Forensics
  - Zen & the Art of Digital Forensics
- Forensic Focus
  - Oxygen Remote Explorer v.1.8 Is Now Available
  - What’s Happening At Techno Security Wilmington, June 03 – 05 2025
  - Digital Forensics Round-Up, March 26 2025
  - Leica Geosystems Public Safety & Forensics Conference 2025
  - Enhancing Border Security With Detego Global’s Cutting-Edge Digital Forensics Technology
  - Forensic Data Collections 2.0: A Selection Of Trusted Digital Forensics Content, Third Edition
- Debbie Garner at Hexordia
  - The ROI of Digital Forensics: Demonstrating the Value to Law Enforcement Leadership and Justifying Your Request for Digital Forensics Tools and Training
- Kaido Järvemets
- Lesley Carhart
  - BlueSky InfoSec News List
- Mansi Joshi at Mailxaminer
  - Memory Forensics - The Key to Detect Malicious Activities
- malwr4n6
  - PowerToys for Windows DFIR and Malware Analysis
- Marius Sandbu
  - Setting up MCP Server to Entra ID / Graph with Lokka
- Nextron Systems
  - Protecting Outdated and Unsupported Systems
- Oxygen Forensics
- Salvation DATA
  - Digital Forensics Certifications Help Guide 2025: Pathways to a Thriving Cybersecurity Career
- Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.4.140!
- Taz Wake
  - Cybersecurity Certifications – are they valuable?
SOFTWARE UPDATES
- Amped
  - Amped FIVE Update 36648: Multistream Video Loading, New CTU Filter, Error Handling for Audio, Advanced Options for Video Writer, Invert Annotations, and Much More
- ANSSI
  - DFIR-ORC v10.2.7
- Digital Sleuth
  - winfor-salt v2025.4.2
- Eric Zimmerman
  - ChangeLog
- Erki Suurjaak
  - Skyperious v5.8
- OpenCTI
  - 6.5.10
- OpenText
  - Elevating digital forensics for enterprise cybersecurity
- Rapid7
  - Velociraptor 0.74.1
- Security Onion
  - Security Onion 2.4.140 now available including Suricata 7.0.9, Zeek 7.0.6, and much more!
- Mark Baggett
  - Srum-Dump 3.0 BETA#3
- Xways
  - X-Ways Forensics 21.5 Preview 6
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!