As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- ThinkDFIR
  - Cached screenshots on Windows 11
- Akash Patel
  - Let’s Talk About HTTP — The Backbone of the Web (And a Goldmine for DFIR Folks)
- Belkasoft
  - Automating Digital Forensic Workflows with Belkasoft X
- Christopher Eng at Ogmini
  - SSD Forensics – Flex Capacity
  - Expectations vs Reality – Digital Forensic Science Master’s Degree Part 8
  - Windows Notepad – Recent Files (New Option)
  - Windows Notepad – Find/Replace/Bing
  - Windows Notepad – Revisiting Application Hive
  - Windows Notepad – Revisiting Application Hive Part 2
  - Microsoft Paint – Application Hive
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - The Big Bulleted List
- Forensafe
- InfoSec Write-ups
  - {CyberDefenders Write-up} Lespion Lab : Lespion Lab
- Magnet Forensics
  - That One Artifact: The power of a text
- Mat Fuchs
  - Chronos vs Chaos: The Art (and Pain) of Building a DFIR Timeline
- Steve Whalen at Sumuri
  - macOS 26 (Tahoe): What Digital Forensic Examiners Should Expect
- Bill Marczak and John Scott-Railton at The Citizen Lab
  - Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted
THREAT INTELLIGENCE/HUNTING
- Bill Stearns at Active Countermeasures
  - NAT and Packet Capture
- Adam at Hexacorn
- Kyle Lefton & Daniel Messing at Akamai
  - Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
- ASEC
  - May 2025 Deep Web and Dark Web Trends Report
- Francis Guibernau at AttackIQ
  - Updated Response to CISA Advisory (AA23-352A): #StopRansomware: Play Ransomware
- Steve de Vera at AWS Security
  - AWS CIRT announces the launch of the Threat Technique Catalog for AWS
- Barracuda
- Jade Brown at Bitdefender
  - Bitdefender Threat Debrief
- BlackMamba
  - Leveraging Windows Event Logs for Effective Threat Hunting
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
  - Inside a Dark Adtech Empire Fed by Fake CAPTCHAs
- CERT-AGID
- Check Point
  - 9th June – Threat Intelligence Report
  - May 2025 Malware Spotlight: SafePay Surges to the Forefront of Cyber Threats
  - Cyber Risks Take Flight, Navigating the Evolving Threat Landscape in the Travel Industry
  - CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage
  - From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
  - Check Point Research Warns of Holiday-Themed Phishing Surge as Summer Travel Season Begins
- CISA
  - Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
- Oleg at Cybercrime Diaries
  - From Dirty Crypto to Clean Money – The Laundering Playbook of Russophone Cybercriminals
- Cyfirma
  - Weekly Intelligence Report – 13 June 2025
- Dark Atlas
  - Discord Invite Hijacking: How Fake Links Are Delivering Infostealers
- Darktrace
  - Proactive OT security: Lessons on supply chain risk management from a rogue Raspberry Pi
- Detect FYI
- Diego Perez
  - PurpleRepo
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 23)
- DomainTools Investigations
- Elastic Security Labs
  - Call Stacks: No More Free Passes For Malware
- Erik Hjelmvik at Netresec
  - Detecting PureLogs traffic with CapLoader
- Esentire
- Michele Campobasso at Forescout
  - Ransomware Services Exposed: Behind the Screens of the LockBit Leak
- Google Cloud Security Community
- Noah Stone at GreyNoise
  - Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats
- HP Wolf Security
  - HP Wolf Security Threat Insights Report: June 2025
- Jonathan Johnson, Tyler Bohlmann, and Matt Anderson at Huntress
  - How Huntress Addresses Lateral Movement
- Infoblox
  - Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
- Intel 471
- Interpol
  - 20,000 malicious IPs and domains taken down in INTERPOL infostealer crackdown
- Guy Korolevski at JFrog
  - Multi-Stage Malware Attack on PyPI: “chimera-sandbox-extensions” Malicious Package Threatens Chimera Sandbox Users
- Bert-Jan Pals at KQL Query
  - Hunting Through APIs
- LCSC-IE
  - APT-Q-27’s Silver Fox Operations: Additional Technical Hunt and Infrastructure Correlation
- Eugenio Benincasa at Natto Thoughts
  - Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry
- Nextron Systems
  - From THOR Scan to Timeline: Correlating Findings in Timesketch
- Oleg Skulkin at ‘Know Your Adversary’
  - 160. Detecting Recent Kimsuky Campaign
  - 161. Adversaries Leverage DNS over HTTPS (DoH) to Evade Detection
  - 162. That’s How Threat Actors Steal Cryptocurrency Wallet Credentials and Seed Phrases
  - 163. A Curious Case of Iediagcmd.exe Abuse
  - 164. Ransomware Gang Abuses Legitimate Employee Monitoring Software
  - 165. FIN6 Abuses IE Per-User Initialization Utility
- Orange Cyberdefense
  - Depscanner: Find orphaned packages before the bad guys do
- Palo Alto Networks
- Jared Elder at Permiso
  - Announcing Permiso Discover: Identity Inventory & Visibility – for free
- John Stawinski, Mason Davis, and Matt Jackoski at Praetorian
  - Introducing: GitHub Device Code Phishing
- Proofpoint
  - Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool
- Recorded Future
  - GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT
- Resecurity
  - APT 41: Threat Intelligence Report and Malware Analysis
- Rick Martin
- SANS Internet Storm Center
  - OctoSQL & Vulnerability Data, (Sun, Jun 8th)
  - Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th)
  - Automated Tools to Assist with DShield Honeypot Investigations [Guest Diary], (Wed, Jun 11th)
  - [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th)
  - More Steganography!, (Sat, Jun 14th)
- Securelist
- Quentin Bourgue and Grégoire Clermont at Sekoia
  - Global analysis of Adversary-in-the-Middle phishing threats
- Aleksandar Milenkoski & Tom Hegel at SentinelOne
  - Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
- Silent Push
  - GhostVendors Exposed: Silent Push Uncovers Massive Network of 4000+ Fraudulent Domains Masquerading as Major Brands
- Simone Kraus
- Socket
- hotnops at SpecterOps
  - Update: Dumping Entra Connect Sync Credentials
- Joe at Stranded on Pylos
  - Attribution With A Pinch of Salt (Typhoon)
- Brandon Murphy at Sublime Security
  - AITM phishing with Russian infrastructure and detection evasion from a lapsed domain
- Symantec Enterprise
  - Fog Ransomware: Unusual Toolset Used in Recent Attack
- System Weakness
  - 50 Threat Hunting Queries (Splunk + KQL) Every Analyst Should Know
- THOR Collective Dispatch
- Jambul Tologonov at Trellix
  - Inside the LockBit’s Admin Panel Leak: Affiliates, Victims and Millions in Crypto
- Jean-Francois Gobin at Truesec
  - The Ransomware That Was Not
- Drew Kirkpatrick at TrustedSec
  - Dragging Secrets Out of Chrome: NTLM Hash Leaks via File URLs
- István Márton at Wordfence
  - 33,000 WordPress Sites Affected by Privilege Escalation Vulnerability in RealHomes WordPress Theme
- Victor M. Alvarez at YARA-X
  - YARA-X just got smarter
- Genians
  - Analysis of the Kimsuky Group’s Three-Stage Combo Threat
UPCOMING EVENTS
- Brian Carrier, Quinnlan Varcoe, and Greg Kutzbach
  - No Telemetry, No Problem: Inside a $1.7M Intrusion Investigation
- Cellebrite
  - DFU Decoded : Deep dive into Snapchat
- Magnet Forensics
  - AI Unpacked #3 : Digital crossroads — the intersection of AI and the law
- Manny Kressel at BitMindz
  - Crush Your Caseload! Uncover the Game-Changing Impact of Expertly Designed Hardware and Software
PRESENTATIONS/PODCASTS
- Belkasoft
  - Isochrones in Action: How Forensic Investigators Pinpointing Crime Scenes with Precision
- BlueMonkey 4n6
  - How to create a persistence partition for a live boot USB for Sumuri PALADIN version 9
- Breaking Badness
  - Inside Ransomware’s Supply Chain: Attribution, Rebrands, and Affiliate Betrayal
- Cellebrite
  - Tip Tuesday: Default Dashboard View – PA 10.6
- Clint Marsden at the TLP – Digital Forensics Podcast
  - Episode 21: How IRCO is Changing DFIR: The AI Copilot for Real-Time Cyber Investigations
- Cloud Security Podcast by Google
  - EP229 Beyond the Hype: Debunking Cloud Breach Myths (and What DBIR Says Now)
- Cyber Social Hub
  - AI-Enhanced eDiscovery: Streamlining Data Exploration and Analysis for Forensic Professionals
- Deepanshu Khanna
- InfoSec_Bret
  - Challenge – Python Stealer
- John Hammond
- Magnet Forensics
  - Simplify digital evidence sharing and review with Magnet Review
  - Essential mobile data for violent crime and homicide investigations
  - Mobile Unpacked S3:E5 // Talking about Times: Deeper diving file timestamps
  - Leveraging Magnet Solutions for DLP investigations
  - APAC virtual session: Why organizations need digital forensics and incident response (Corporate)
- Microsoft Threat Intelligence Podcast
  - A Peek Inside Microsoft’s Global Fight Against Cyber Threats
- MSAB
  - MM XAMN Tagging
- MyDFIR
  - Red Team vs Blue Team: What Is The Difference?
- Off By One Security
  - How to Have Lucid Dreams, a Hacker’s Experience
- Paraben Corporation
  - Parsing the Truth: One Byte at a Time
  - Breaking into Digital Forensics
- Richard Davis at 13Cubed
  - New Course! Investigating macOS Endpoints
- SANS
  - The Cyber Battlefield with Max Smeets
- Security Unlocked
  - Ignore Ram Shankar Siva Kumar’s Previous Directions
- The Cyber Mentor
  - Threat Hunting in 3 Easy Steps!
- The Security Insights Show
  - The Microsoft Security Insights Show Episode 264 – Adam Brewer
- The Weekly Purple Team
  - Ghosting AMSI and Taking Win10 and 11 to the DarkSide
- Three Buddy Problem
  - Cyber flashpoints in Israel-Iran war, the ‘magnet of threats’, Mossad drone swarms
MALWARE
- ASEC
  - Ransomware Disguised as Password Cracker (Extension Changed to .NS1419)
- Dr Josh Stroschein
  - Unraveling a Multi-Stage Downloader with Binary Refinery – Guest Jesko Hüttenhain
- Uma Madasamy at K7 Labs
  - The Spectre of SpectraRansomware
- Palo Alto Networks
- Tyler McGraw at Rapid7
  - BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
- Shubho57
  - Analysis of a ScreenConnect, RMM Tool (ConnectWise products)
- Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles at Trend Micro
  - Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
- Jason Reaves at Walmart
  - Amos hiding in GitHub
- Zhassulan Zhussupov
  - Linux hacking part 5: building a Linux keylogger. Simple C example
- ZScaler
  - DanaBleed: DanaBot C2 Server Memory Leak Bug
- Solar 4RAYS Blog
  - LuckyStrike Agent: a poker bluff from Erudite Mogwai
MISCELLANEOUS
- Atola Technology
  - Top DFIR Courses on LinkedIn Learning and Udemy
- Dr. Erdal Ozkaya at Binalyze
  - DFIR in the Age of Automation: Why SOCs Need to Rethink Their Approach
- Cellebrite
  - Cellebrite to Acquire Corellium
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 06/09/25
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Bellingcat Challenge – May 2025 (Back in Time)
- Forensic Focus
- Kevin Pagano at Stark 4N6
  - Techno Security Conference 2025
- Ann Johnson at Microsoft Security
  - Cyber resilience begins before the crisis
- Oxygen Forensics
  - Using the Timeline Feature
- Salvation DATA
  - How to Master Mobile Forensics with AFA9500: A Step-by-Step Guide to Digital Investigations
- SOC Fortress
  - Validate Your Security Detection Rules
- Ryan G. Cox at The Cybersec Café
  - Tuning Detections isn’t Hard Unless You Make it Hard
- John Patzakis at X1 Discovery
  - X1 Search Version 10: A Game-Changer for Modern Enterprise Search
SOFTWARE UPDATES
- Andrew Rathbun
  - Sync-EZTools
- Arkime
  - v5.7.0
- Didier Stevens
- Digital Sleuth
  - winfor-salt v2025.9.2
- OpenCTI
  - 6.6.17
- Passmark Software
  - OSForensics V11.1 build 1008 11th June 2025
- Stephen Fisher-davies
  - BitLocker VMK Carving Tool
- Vound
  - Intella 3.0 Release Notes
- Xorhex
  - mlget v3.4.2
- Xways
  - X-Ways Forensics 21.5 SR-0+
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!