As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• David Spreadborough at Amped
  Introduction to CCTV Acquisition
  
  
• Dany at Digitella
  Exploitation Kit Network Traffic Investigation
  
  
• Forensafe
  • Investigating Windows F-Secure
  • Investigating Windows OpenVPN
    
    
• Magnet Forensics
  Understanding Messages in Apple’s Cloud & Processing Warrant Returns
  
  
• Paolo Dal Checco at Studio d’Informatica Forense
  Manuale ENFSI per l’analisi dell’autenticità delle registrazioni digitali
  

THREAT INTELLIGENCE/HUNTING

• John Lukach at 4n6ir
  New Amazon Linux Triage Detection
  
  
• Adam Todd at TrustedSec
  BOFs for Script Kiddies
  
  
• Roman Lvovsky at Akamai
  Magecart Attack Disguised as Google Tag Manager
  
  
• Andrea Fortuna
  How to detect Sliver C2 framework activities
  
  
• Anomali
  Anomali Cyber Watch: Hospital Ransoms Pay for Attacks on Defense, Nodaria Got Upgraded Go-Based Infostealer, TA866 Moved Screenshot Functionality to Standalone Tool
  
  
• Antonio Formato
  Getting Started with ChatGPT and Jupyter Notebook
  
  
• Arjun Patel and Luke Song at AT&T Cybersecurity
  GuLoader – a highly effective and versatile malware that can evade detection
  
  
• AttackIQ
  • Democratizing the Practice of Adversary Emulation
  • Emulating the Always Persistent Cybercrime Malware Emotet
    
    
• Jeremy Fuchs at Avanan
  PhishPal: How PayPal Became a Hackers’ Haven
  
  
• Bitdefender
  • Threats Mapped to the MITRE ATT&CK Framework
  • Technical Advisory: Immediately Patch Your VMware ESXi Servers Targeted by Opportunistic Threat Actors
    
    
• Black Hills Information Security
  MITM6 Strikes Again: The Dark Side of IPv6  
  
  
• Brad Duncan at Malware Traffic Analysis
  2023-02-13 – IcedID (Bokbot) from fake Microsoft Teams page
  
  
• Mark Ellzey & Emily Austin at Censys
  The Evolution of ESXiArgs Ransomware
  
  
• CERT EU
  Sustained Activity By Specific Threat Actors
  
  
• CERT Ukraine
  Кібератака на організації та установи України з використанням програми Remote Utilities (CERT-UA#5961)
  
  
• CERT-AGID
  • Snake Keylogger riscontrato in una campagna di malspam nazionale: un caso studio su strumenti di analisi malware
  • Sintesi riepilogativa delle campagne malevole nella settimana del 11 – 17 febbraio 2023
    
    
• Check Point Research
  • 13th February – Threat Intelligence Report
  • January 2023’s Most Wanted Malware: Infostealer Vidar Makes a Return while Earth Bogle njRAT Malware Campaign Strikes
  • Check Point CloudGuard Spectral detects malicious crypto-mining packages on NPM – The leading registry for JavaScript Open-Source packages
  • Check Point Research uncovers a malicious campaign targeting Armenian based targets
    
    
• Cisco’s Talos
  • New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign
  • Threat Source newsletter (Feb. 16, 2023) — Recapping what we may have missed so far this year
  • Threat Round up for February 10 to February 17
    
    
• Fabian Bader at Cloudbrothers
  Convert Sentinel Analytics Rules with PowerShell
  
  
• William Burgess at Cobalt Strike Research and Development
  Behind the Mask: Spoofing Call Stacks Dynamically with Timers
  
  
• CTF导航
  • 东南亚新APT组织持续活跃，暗石组织（Saaiwc Group）借多国外交之名进行窃密活动
  • APT-C-56（透明部落）伪装简历攻击活动分析
    
    
• Cyble
  • Increase in fake donation schemes following massive earthquake in Turkey
  • Uncovering The Dark Side of DarkBit Ransomware
  • Targeting Industrial Control Systems (ICS) via Web Enabled Industrial Input/Output Controllers
  • The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods
    
    
• Daniel Chronlund
  The Threat of Microsoft 365 Wiper Malware
  
  
• Mark Vaitzman at Deep Instinct
  No Surprise! ESXiArgs Ransomware Attacks Exploit 2-Year-Old Vulnerability
  
  
• Dragos
  Just Released – Dragos’s Latest ICS/OT Cybersecurity Year in Review Is Now Available
  
  
• EclecticIQ
  • Security Service of Ukraine and NATO Allies potentially targeted by Russian State-Sponsored Threat Actor
  • Three Cases of Cyber Attacks on the Security Service of Ukraine and NATO Allies, Likely by Russian State-Sponsored Gamaredon
    
    
• Erik Hjelmvik at Netresec
  How to Identify IcedID Network Traffic
  
  
• Esentire
  • eSentire Threat Intelligence Malware Analysis: Icarus Stealer
  • NetSupport Manager – Insecure by Default
    
    
• Financial Security Institute
  • TA505 Threat Group Profiling(English Version) – FSI Intelligence Report
  • Present and Future of Financial Mobile Malware(English Version) – FSI Intelligence Report
  • Masscan Ransomware Threat Analysis – 2022 Cyber Intelligence Report
  • Malicious APK deforming ZIP file format found under experiment in the wild(English version)
  • Voice Phishing App Distribution Group Profiling(English Version)
  • Profiling a Threat Group Targeting Korea – Campaign RIFLE(English Version)
    
    
• Alberto Segura at Fox-IT
  Threat spotlight: Hydra
  
  
• Nick Roy at GreyNoise
  Fingerprinting Attackers With IP Similarity
  
  
• GuidePoint Security
  GRIT Ransomware Report: January 2023
  
  
• Intel471
  The Trickbot-Conti Ransomware Gang Has Been Sanctioned: What Does it Mean?
  
  
• Jouni Mikkola at “Threat hunting with hints of incident response”
  Malware statistics to ELK
  
  
• Andrew Hay at Lares
  Introducing the Top 5 Purple Team Findings of 2022 Report
  
  
• Marco Ramilli
  Threat Actors Sheets: OpenAI Generated !
  
  
• Eran Nachshon at Microsoft’s ‘Security, Compliance, and Identity’ Blog
  Microsoft Defender for Identity now detects suspicious certificate usage
  
  
• Netskope
  Threat Labs News Roundup: January 2023
  
  
• Florian Roth at Nextron Systems
  How to scan ESXi systems using THOR
  
  
• Nick Morgan at Triskele Labs
  What is Redline Stealer and how did it compromise my passwords?
  
  
• Patrick Wardle at Objective-See
  Where there is love, there is …malware?
  
  
• Jessica Ellis at PhishLabs
  More than Half of All Phishing Sites Impersonate Financials in Q4
  
  
• Recorded Future
  In Before The Lock: ESXi
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, December 2022 (ENG)
  
  
• ReliaQuest
  • SocGholish: A Tale of FakeUpdates
  • Ransomware Report: Q4 2022
    
    
• Samuel Hoffman at Censys
  Follow-up on Russian “Host F”
  
  
• SANS Internet Storm Center
  • Venmo Phishing Abusing LinkedIn “slink”, (Mon, Feb 13th)
  • Apple Patches Exploited Vulnerability, (Mon, Feb 13th)
  • Spear Phishing Handlers for Username/Password, (Sat, Feb 18th)
    
    
• Ignacio Salim at Security Intelligence
  Detecting the Undetected: The Risk to Your Info
  
  
• Security Investigation
  • Understanding Microsoft Defender Threat Intelligence (Defender TI)
  • RedLine Stealer returns with New TTPS – Detection & Response
    
    
• Security Scorecard
  Info-Stealers Are on the Rise: A Look into Stealerium
  
  
• Securonix
  Insider Threat Profile Case Study: [The Accidental Insiders] A Trifecta of Data Theft, Sabotage, and Fraud
  
  
• Jim Walter at SentinelOne
  Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family
  
  
• Sean Gallagher at Sophos\\
  Fool’s Gold: dissecting a fake gold market pig-butchering scam
  
  
• System Weakness
  • netspionage: Network Forensics Utility
  • Use ATT&CK to Help Quantify Your Security Risk
  • Petya Ransomware
  • MITRE ATT&CK Enterprise – Framework | Tactics | Techniques (P1)
  • ChatGPT for Blue Teams and Analysis
  • APT Groups Introduction — Part I
    
    
• Ciarán Walsh at Tenable
  South Korean and American Agencies Release Joint Advisory on North Korean Ransomware
  
  
• Threatmon
  APT SideCopy Targeting Indian Government Entities
  
  
• Trend Micro
  • Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns
  • Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack
  • Earth Zhulong: Familiar Patterns Target Southeast Asian Firms
    
    
• Matías Porolli and Fernando Tavella at WeLiveSecurity
  These aren’t the apps you’re looking for: fake installers targeting Southeast and East Asia
  
  
• Yoroi
  Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
  
  
• OSArmor
  Google Translate Used in Phishing Attack to Bypass Antispam Filters
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-02-20
  
  
• Dragos
  Why is OT Incident Response Different than IT?
  
  
• MSAB
  What’s New in XRY 10.4 & XAMN 7.4
  

PRESENTATIONS/PODCASTS

• Ali Hadi
  • Fixing a Corrupted MBR Drive – Case #1
  • Fixing a Corrupted GPT Drive – Case #3
  • Fixing a Corrupted GPT Drive – Case #2
  • Fixing a Corrupted GPT Drive – Case #1
    
    
• ArcPoint Forensics
  Easily find a drive serial number with ATRIO.  #dfir #forensics #sheriff #police #specialforces
  
  
• Black Hills Information Security
  • Azure Console Pivoting 101 w/ Steve Borosh | 1-Hour
  • Talkin’ About Infosec News – 2/13/2023
  • BHIS – Talkin’ Bout [infosec] News 2023-02-13
  • Part 2-Networking for Pentesters: Beginner | Serena DiPenti
  • Part 3-Networking for Pentesters Beginner | Serena DiPenti
  • Talkin’ About Infosec News – 2/17/2023
    
    
• BlueMonkey 4n6
  Tips and Tricks – NVMe imaging tricks
  
  
• Breaking Badness
  148. What Not To Ransomware
  
  
• Cloud Security Podcast by Google
  EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting
  
  
• Cyborg Security
  Episode 7
  
  
• Day Cyberwox
  Attack & Detect Capital One’s AWS Cloud Security Breach w/ @0xd4y  [AWS CloudTrail Lake + CloudGoat]
  
  
• Digital Forensic Survival Podcast
  DFSP # 365 – CVSS Triage
  
  
• Gerald Auger at Simply Cyber
  • Do Entry-Level Cyber Security Jobs Exist? (Where to get Started)🔥
  • How to Get Cybersecurity Experience (No Cyber Job Needed!)
    
    
• Hacker Valley Blue
  • What if the Super Bowl was a cybersecurity incident? #superbowlcommercials #shorts
  • Hacker Valley Versus Chat GPT
    
    
• I Am Ironcat
  Ransomware Creation, Detection, and Response RSAC 2021
  
  
• InfoSec_Bret
  X_x It Came From Reddit x_X – Bad Batch Files
  
  
• Insane Forensics
  • IR Plan, Policy & Procedures Part 3: How To Write a Cybersecurity Incident Response Procedures
  • IR Plan, Policy & Procedures Part 2: How To Write a Cybersecurity Incident Response Policy
    
    
• Richard Davis at 13Cubed
  I finally did it! The first 13Cubed Training Course is here!
  
  
• RickCenOT
  Breakdown Bad USB HID Injection Attack against a Beckhoff Industrial Control System CX9001 PLC
  
  
• The Defender’s Advantage Podcast
  Frontline Stories: A CISO’s Perspective on Managing a Breach
  

MALWARE

• Alon Shekalim & Michael Dereviashkin at Morphisec
  ProxyShellMiner Campaign Creating Dangerous Backdoors
  
  
• Arch Cloud Labs
  Analyzing Shellcode with GPT
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (January 29th, 2023 – February 4th, 2023)
  • Web Page Disguised as a Naver Login Page
  • AsyncRAT Being Distributed as Windows Help File (*.chm)
  • Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
  • PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator
  • Qakbot Being Distributed via OneNote
  • Continuous Distribution of LockBit 2.0 Ransomware Disguised as Resumes
  • Malware Disguised as Normal Documents (Kimsuky)
  • Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation
  • ASEC Weekly Malware Statistics (February 6th, 2023 – February 12th, 2023)
  • Tracking Distribution Site of Magniber Ransomware Using EDR
  • Overview of AhnLab’s Response to Joint Cybersecurity Advisory Between South Korea and the United States on North Korean Ransomware
  • Hangeul (HWP) malware using steganography: RedEyes (ScarCruft)
    
    
• C3rb3ru5d3d53c
  • [54] LiveStream – Reversing The DUMBEST HACK I’ve Ever Seen (Redline Stealer Part 4)
  • [55] Shorts – Detect it Easy Signature Debugging
  • [54] LiveStream – Reversing The DUMBEST HACK I’ve Ever Seen (Redline Stealer Part 4)
  • [58] Shorts – Quick YARA Signatures in Ghidra
  • [57] Shorts – Cleaning up Ghidra Listing View Columns
  • [56] Shorts – Where to Start to be a Malware Analyst
    
    
• Mila at Contagio
  Malware Arsenal used by Ember Bear (aka UAC-0056,Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples)
  
  
• Greg Day at Cybereason
  Ransomware Shifting to the Cloud
  
  
• Doug Burks at Security Onion
  Quick Malware Analysis: FAKEBAT, REDLINE STEALER, and GOZI/ISFB/URSNIF pcap from 2023-02-03
  
  
• James Slaughter at Fortinet
  Ransomware Roundup – CatB Ransomware
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #128: Strings list
  
  
• InfoSec Write-ups
  • Reverse Engineering — An Overview
  • Banking Trojan Analysis
  • TypoSquatting Malware Analysis
    
    
• Nicole Fishbein at Intezer
  Malware Reverse Engineering for Beginners – Part 2
  
  
• Malwarebytes Labs
  • WordPress sites backdoored with ad fraud plugin
  • Mortal Kombat ransomware forms tag team with crypto-stealing malware
    
    
• Melissa at Sketchymoose’s Blog
  A Ridiculous Method of Parsing OneNote Files
  
  
• Natalie Zargarov at Minerva Labs
  Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware
  
  
• OALABS Research
  SoulSearcher Worm
  
  
• Chao Lei, Zhibin Zhang, Cecilia Hu and Aveek Das at Palo Alto Networks
  Mirai Variant V3G4 Targets IoT Devices
  
  
• Phylum
  Phylum Discovers Go-Based RAT “Spark” Being Distributed on PyPI
  
  
• Robert Giczewski
  • TrueBot Analysis Part I – A short glimpse into packed TrueBot samples
  • TrueBot Analysis Part II – Static unpacker
    
    
• Victor Sergeev at Securelist
  IoC detection experiments with ChatGPT
  
  
• Security Intelligence
  • Reverse Tabnabbing
  • What are the Duties of a Malware Analyst?
    
    
• Aleksandar Milenkoski, Collin Farr, and Joey Chen, in collaboration with QGroup at SentinelLabs
  WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks
  
  
• Tawan S. at Skynet_Cyber
  Malware Types and the Fundamentals of Malware Analysis
  
  
• Symantec Enterprise
  Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor
  
  
• Zhassulan Zhussupov
  Malware AV/VM evasion – part 11: encrypt payload via DES. Simple C++ example.
  

MISCELLANEOUS

• Belkasoft
  Automation with Belkasoft X: Putting the pieces together
  
  
• Cellebrite
  Cellebrite Announces Fourth Quarter 2022 Results
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Junk Mail
  
  
• Forensic Focus
  • Deepfake Videos And Altered Images – A Challenge For Digital Forensics?
  • One Week Left Until Magnet Virtual Summit Starts! Join Us February 21-March 2
  • Digital Forensics Round-Up, February 16 2023
    
    
• Peri Storey at OpenText
  • Introducing the OpenText Tableau Forensic TD4 Duplicator 
  • Digital forensic device duplication – the next step
    
    
• Zack Fink at Red Canary
  Tip of the CAP: Getting started with Conditional Access Policies
  

SOFTWARE UPDATES

• Amped
  Amped Replay Update 27707: Audio Redaction, Program Options and More!
  
  
• Cellebrite
  Now Available: Cellebrite Digital Collector 3.5
  
  
• Costas K
  JumplistBrowser
  
  
• Datadog Security Labs – GuardDog
  v1.1.0
  
  
• Didier Stevens
  • Update: pdf-parser.py Version 0.7.8
  • Update: xor-kpa.py Version 0.0.7
  • Update: file-magic.py Version 0.0.6
  • Update: cut-bytes.py Version 0.0.16
  • Update: process-binary-file Version 0.0.9
    
    
• DissectMalware
  pyOneNote
  
  
• IntelOwl
  v4.2.1
  
  
• Manabu Niseki
  Mihari v5.0.0
  
  
• MISP
  MISP 2.4.168 released with bugs fixed, security fixes and major improvements in STIX support.
  
  
• Rapid7
  Velociraptor 0.6.8 Release
  
  
• ADF
  ADF Solutions Releases iOS 16 Screenshot Capabilities for Digital First Responders
  
  
• WithSecure Labs
  Chainsaw v2.5.0
  
  
• Xways
  X-Ways Forensics 20.8 Preview 1b
  
  
• Yamato Security
  Hayabusa v2.2.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!