As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Chris Doman at Cado Security
  The Cado Platform Full Export for Forensic Data Lakes
  
  
• Digital Forensics Myanmar
  CHIP OFF ( Mobile FORENSIC)
  
  
• Domiziana Foti
  LetsDefend- SOC142 — Multiple HTTP 500 Response
  
  
• Oleg Afonin at Elcomsoft
  Analyzing iPhone PINs
  
  
• Forensic Science International: Digital Investigation
  Volume 44
  
  
• Jamf
  Threat advisory: Mobile spyware continues to evolve
  
  
• Mattia Epifani at Zena Forensics
  iOS Forensics References: a curated list
  
  
• N00b_H@ck3r
  Try Hack Me: Boogeyman 1 (BlueTeam)
  
  
• Orange Cyberdefense
  From BitLocker-Suspended to Virtual Machine
  
  
• Plainbit
  • Colonial Pipeline Ransomware 공격자 주소 추적
  • AXIOM Cyber를 이용한 macOS 원격 수집
  • Sysmon 활용 가이드: 개념 및 설치 방법
  • 현장용 아티팩트 수집 도구 비교
  • Euler Finance Flash Loan Attack
  • Euler Finance Flash Loan 스마트 컨트랙트 흐름 분석
  • AXIOM Cyber를 이용한 Linux 원격 수집
    
    
• Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, and Ron Deibert at The Citizen Lab
  Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains
  
  
• Justin Vaicaro at TrustedSec
  • Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 1 – Process Overview and Preparation)
  • Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 2 – Incident Assessment and Windows Artifact Processing)
    

THREAT INTELLIGENCE/HUNTING

• 360 Threat Intelligence Center
  APT-C-36 (Blind Eagle) Group Deploys LimeRAT Components Against Columbia Region
  
  
• Adam Goss
  Hunting for Persistence with Cympire: Part IV — Startup Folder
  
  
• Andrea Fortuna
  QBot malware returns with new techniques in corporate attacks
  
  
• Ankith Bharadwaj
  Hunting & Detecting SMB Named Pipe Pivoting (Lateral Movement)
  
  
• Anomali
  Anomali Cyber Watch: Cozy Bear Employs New Downloaders, RTM Locker Ransomware Seeks Privacy, Vice Society Automated Selective Exfiltration
  
  
• Anton Chuvakin
  Reading Mandiant M-Trends 2023
  
  
• Michael Katchinskiy and Assaf Morag at Aqua
  First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
  
  
• Jeremy Fuchs at Avanan
  Phishing Links via Linktree
  
  
• Avertium
  An Avertium Case Study – LockBit
  
  
• Black Cell
  The future of industrial threat intelligence
  
  
• Blackberry
  From Google Ads Abuse to a Massive Spear-Phishing Campaign Impersonating Spain’s Tax Agency
  
  
• Lawrence Abrams at BleepingComputer
  New QBot email attacks use PDF and WSF combo to install malware
  
  
• Brad Duncan at Malware Traffic Analysis
  2023-04-19 – Quick post: Qakbot (Qbot) activity, distribution tags BB24 and obama254
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 15 – 21 aprile 2023
  
  
• Check Point Research
  • 17th April – Threat Intelligence Report
  • QueueJumper: Critical Unauthenticated RCE Vulnerability in MSMQ Service
  • 10th April – Threat Intelligence Report
  • Raspberry Robin: Anti-Evasion How-To & Exploit Analysis
  • Operation Silent Watch
  • March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
    
    
• CISA
  APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers
  
  
• Cisco’s Talos
  • State-sponsored campaigns target global network infrastructure
  • Threat Source newsletter (April 20, 2023) — Preview of Cisco and Talos at RSA
  • Threat Roundup for April 14 to April 21
    
    
• Curtis Brazzell
  A Practical, AI-Generated Phishing PoC
  
  
• Cyberknow
  #OpAustralia — Hacktivist Campaign Against Australia — March 2023
  
  
• Liora Ziv at CyberProof
  A look at Advanced Persistent Threats (APTs) Related to Russian Proxies
  
  
• Reza Rafati at CYBERWARZONE
  Understanding the Threat of Titan Stealer Malware
  
  
• Cyble
  • CrossLock Ransomware Emerges: New GoLang-Based Malware On the Horizon
  • Al-Aqsa Mosque incident Ignites #OpIsrael
  • DAAM Android Botnet being distributed through Trojanized Applications
  • Qakbot Malware Continues to Morph
    
    
• Cyfirma
  Weekly Intelligence Report – 21 Apr 2023
  
  
• David Bianco at Splunk
  Introducing the PEAK Threat Hunting Framework
  
  
• Dragos
  • Analyzing the Russian Vulkan Files Leak for Impacts to ICS/OT Operations 
  • Dragos Industrial Ransomware Attack Analysis: Q1 2023 
    
    
• EclecticIQ
  Exposed Web Panel Reveals Gamaredon Group’s Automated Spear Phishing Campaigns
  
  
• Fortra
  Summary of the Investigation Related to CVE-2023-0669
  
  
• Billy Leonard at Google Threat Analysis Group
  Ukraine remains Russia’s biggest cyber focus in 2023
  
  
• Gov.PL
  Espionage campaign linked to Russian intelligence services
  
  
• GuidePoint Security
  • Quarterly GRIT Ransomware Report – Q1 2023
  • The Next Step: The GRIT Threat Feed is here
    
    
• Haircutfish
  TryHackMe Brim — Task 7 Exercise: Threat Hunting with Brim | Crypto Mining & Task 8 Conclusion
  
  
• Denis Nagayuk & Francisco Dominguez at Hunt & Hackett
  The Definitive Guide To Process Cloning on Windows
  
  
• Huntress
  Critical Vulnerabilities in PaperCut Print Management Software
  
  
• Darren Spruell at InQuest
  Credential Caution: Exploring the New Public Cloud File-Borne Phishing Attack
  
  
• Jumpsec Labs
  Butting Heads with a Threat Actor on an Engagement
  
  
• Sudeep at K7 Labs
  MuddyWater Back with DarkBit
  
  
• Kevin Beaumont at DoublePulsar
  Russian hackers exfiltrated data from Capita over a week before outage
  
  
• Kim Zetter at ‘Zero Day’
  • Software Maker 3CX Was Compromised in First-of-its-Kind Threaded Supply-Chain Hack
  • Updates and Timeline for 3CX and X_Trader Hacks
    
    
• Kostas Sale
  EDR Telemetry Project: A Comprehensive Comparison
  
  
• Logpoint
  • A comprehensive guide to detecting Ransomware-as-a-Service using Logpoint
  • Microsoft Sentinel – When free becomes expensive
  • RedLine Stealer Malware Outbreak: A Comprehensive Guide to Anatomy, Detection, and Response
    
    
• Malwarebytes Labs
  • Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight
  • QBot changes tactic, remains a menace to business networks
    
    
• Mandiant
  • M-Trends 2023: Cybersecurity Insights From the Frontlines
  • 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
    
    
• Microsoft Security
  • Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
  • Microsoft shifts to a new threat actor naming taxonomy
    
    
• Palo Alto Networks
  • Unit 42 Unveils Most ‘Expansive’ Cloud Threat Research Yet: Cloud Threat Report Volume 7 Examines the Expanding Attack Surface
  • Threat Actors Rapidly Adopt Web3 IPFS Technology
    
    
• Eric Capuano at Recon Infosec
  Audit Active Directory Attack Paths with Bloodhound
  
  
• Recorded Future
  Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan
  
  
• Red Alert
  Phishing Attack Activities: Threat Actors in Sheep’s Clothing (ENG)
  
  
• Red Canary
  Intelligence Insights: April 2023
  
  
• Miles Arkwright and James Tytler at S-RM Insights
  Cyber Intelligence Briefing: 21 April 2023
  
  
• SANS Internet Storm Center
  • The strange case of Great honeypot of China, (Mon, Apr 17th)
  • UDDIs are back? Attackers rediscovering old exploits., (Tue, Apr 18th)
  • Taking a Bite Out of Password Expiry Helpdesk Calls, (Wed, Apr 19th)
  • YARA v4.3.1 Release, (Sat, Apr 22nd)
    
    
• Kristen Cotten at Scythe
  Threat Emulation: APT27
  
  
• Secureworks
  Bumblebee Malware Distributed Via Trojanized Installer Downloads
  
  
• Jonathan Reed at Security Intelligence
  Triple Extortion and Erased Data are the New Ransomware Norm
  
  
• Security Investigation
  • Threat Hunting Playbooks For MITRE TACTICS
  • Wireshark Filters for Security Analyst
    
    
• Den Iuzvyk, Tim Peck, and Oleg Kolesnikov at Securonix
  Securonix Threat Labs Security Advisory: New OCX#HARVESTER Attack Campaign Leverages a Modernized More_eggs Suite to Target Victims
  
  
• Simone Kraus
  • Rorschach Ransomware Analysis with Attack Flow
  • Incident Rapid Triage with TrusteSec’s advice and an Attack Flow playbook for the ransomware group…
    
    
• Sophos
  • ‘AuKill’ EDR killer malware abuses Process Explorer driver
  • New QakBot C2 servers detected with Sophos NDR
    
    
• Ben Martin at Sucuri
  Massive Abuse of Abandoned Eval PHP WordPress Plugin
  
  
• Symantec Enterprise
  • Play Ransomware Group Using New Custom Data-Gathering Tools
  • Daggerfly: APT Actor Targets Telecoms Company in Africa
  • X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
    
    
• Julien Egloff at Synacktiv
  Windows secrets extraction: a summary
  
  
• Team Cymru
  AllaKore(d) the SideCopy Train
  
  
• Vicente Díaz at VirusTotal
  APT43: An investigation into the North Korean group’s cybercrime operations
  
  
• Dana Behling at VMware Security
  Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In
  

UPCOMING EVENTS

• Cyacomb forensics
  Rapid Digital Triage Tools Drop-In Session
  
  
• X1
  X1 Social Discovery v7.0 Product Tour
  

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  • Data Recovery by Carving
  • Bulk process multiple E01 or RAW (DD) images!
    
    
• Black Hills Information Security
  • Backdoors & Breaches – Introducing the HUNTRESS Expansion Deck | Jason Blanchard & Huntress
  • Talkin’ About Infosec News – 4/18/2023
  • BHIS – Talkin’ Bout [infosec] News 2023-04-24
  • Your First Three Linux Commands | John Strand | BHIS Nuggets
    
    
• Cloud Security Podcast by Google
  EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?
  
  
• Cyber Security Interviews
  #126 – Douglas Brush (Part 4): Dollars and Cents, Not Bytes
  
  
• Cyberwarcon
  CYBERWARCON 2022
  
  
• Digital Forensic Survival Podcast
  DFSP # 374 – SRUM
  
  
• Dump-Guy Trickster
  IDA Memory Snapshot – Amadey Malware Unpacking & Initterm Poisoning
  
  
• Eric Conrad
  Atlantic Security Conference 2023 – Threat Hunting via Sysmon 14
  
  
• Hacker Valley Blue
  Is Paying Ransomware Ethical? #cybersecurity #cyberdefense #shorts
  
  
• Hornet Security
  We Used ChatGPT to Create Ransomware
  
  
• InfoSec_Bret
  IR – SOC176-126 – RDP Brute Force Detected
  
  
• John Hammond
  • What SECRETS are in your Clipboard?
  • Quick Forensics of Windows Event Logs (DeepBlueCLI)
    
    
• Magnet Forensics
  • Exploring the New User Interface Features in Magnet REVIEW 5.0
  • Privileged Materials Workflow in AXIOM Cyber
  • Supporting eDiscovery With Email Relationship Linking in AXIOM Cyber Load Files
  • Comae Memory Analysis Capabilities Integrated Into AXIOM Cyber
  • Accelerating Access to Your Endpoints With Shared Agents In AXIOM Cyber
  • Magnet User Summit 2023: Another One for the Books
  • Get to the Evidence Quickly with Magnet AUTOMATE
    
    
• MSAB
  How to Take Advantage of the New & Improved MSAB Customer Forum?
  
  
• OALabs
  Well it finally happened… infected myself with Emotet lel
  
  
• RickCenOT
  BREAKING DOWN “I will pwn your Schneider Electric modicon M221 ICS with open Source Tools”
  
  
• SANS Cloud Security
  • BeDazzled Identity as a Service (IDaaS) for GCP
  • BeDazzled Identity as a Service (IDaaS) for Azure
  • BeDazzled Identity as a Service (IDaaS) for AWS
  • The Case of the Cloudy Deception: A Sherlock Holmes Story
    

MALWARE

• Adam at Hexacorn
  Using Detect It Easy to… detect it easy
  
  
• Any.Run
  PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader 
  
  
• ASEC
  • Trigona Ransomware Attacking MS-SQL Servers
  • Additional Activities of the Tick Group That Attacks with a Modified Q-Dir and Their Ties with Operation Triple Tiang
  • February 2023 Threat Trend Report on Kimsuky Group
  • Shadow Force Group’s  Viticdoor and CoinMiner
  • ASEC Weekly Malware Statistics (April 10th, 2023 – April 16th, 2023)
  • ASEC Weekly Phishing Email Threat Trends (April 2nd, 2023 – April 8th, 2023)
  • January 2023 Threat Trend Report  on Kimsuky Group
  • BlackBit Ransomware Being Distributed in Korea
  • 8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner
    
    
• Martin Zugec at Bitdefender
  Technical Advisory: Why LockBit Ransomware on macOS Is Not a Significant Threat (Yet)
  
  
• Christophe Tafani-Dereeper
  Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB
  
  
• CISA
  CISA Releases Malware Analysis Report on ICONICSTEALER
  
  
• Dr. Brian Carrier at Cyber Triage
  Sandboxing Malicious Files: Recorded Future Triage Integration
  
  
• David Burkett at Signalblur
  ImpELF: Unmasking Linux Malware with a Novel Imphash Approach for ELF Binaries
  
  
• Flashpoint
  • COURT DOC: Buffalo Man Arrested as Part of Global Takedown of ‘Criminal Online Marketplace’
  • Threat Actors and APTs Target Australia, Stealing Over 50 Million Credentials
  • Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama
    
    
• Cara Lin at Fortinet
  EvilExtractor – All-in-One Stealer
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #137: processor modes and segment registers
  
  
• InfoSec Write-ups
  • Malicious Excel Document Analysis
  • Analyzing Malware using FREE Online Tools
  • PMAT — Bonus Malware Lab Writeup
    
    
• Ferdous Saljooki and Jaron Bradley at Jamf
  BlueNoroff APT group targets macOS with RustBucket Malware
  
  
• Kengo Teramoto at JPCERT/CC
  Activity Targeting Crypto Asset Exchangers for Parallax RAT Infection
  
  
• Karlo Licudine at AccidentalRebel
  Classifying Malware Packers Using Machine Learning
  
  
• Dexter Shin at McAfee Labs
  Fakecalls Android Malware Abuses Legitimate Signing Key
  
  
• Arnold Osipov and Michael Dereviashkin at Morphisec
  in2al5d p3in4er is Almost Completely Undetectable
  
  
• NCSC
  Malware analysis reports – Jaguar Tooth
  
  
• OALABS Research
  • XORStringsNet
  • CryptNET Ransomware
    
    
• Patrick Wardle at Objective-See
  The LockBit ransomware (kinda) comes for macOS
  
  
• Phylum
  Attackers Repurposing existing Python-based Malware for Distribution on NPM
  
  
• Victoria Vlasova, Andrey Kovtun, and Darya Ivanova at Securelist
  QBot banker delivered through business correspondence
  
  
• Phil Stokes at SentinelOne
  LockBit for Mac | How Real is the Risk of macOS Ransomware?
  
  
• Mandeep Singh at Sonatype
  Protecting Software Developers from Malware with AI/ML Insights
  
  
• Splunk
  Threat Update: AwfulShred Script Wiper
  
  
• Threatmon
  APT Blind Eagles Malware Arsenal Technical Analysis
  
  
• Don Ovid Ladores at Trend Micro
  An Analysis of the BabLock (aka Rorschach) Ransomware
  
  
• Tejaswini Sandapolla at Uptycs
  Cyber Espionage in India: Decoding APT-36’s New Linux Malware Campaign
  
  
• Vincent Van Mieghem
  Process injection in 2023, evading leading EDRs
  
  
• VMRay
  Beyond Hashes: YARA’s Impact on Malware Detection
  
  
• Zhassulan Zhussupov
  Malware AV/VM evasion – part 16: WinAPI GetProcAddress implementation. Simple C++ example.
  
  
• Nico Chiaravio & Gianluca Braga at Zimperium
  Kimsuky: Infamous Threat Actor Churns Out More Advanced Malware
  
  
• Shatak Jain and Meghraj Nandanwar at ZScaler
  Introducing DevOpt: A Multifunctional Backdoor Arsenal
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  Trojan.Win32.RisePro
  

MISCELLANEOUS

• Abhiram Kumar
  Incident Response Essentials & Tips – My Two Cents
  
  
• Brett Shavers
  This is an evidence storage device.
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 04/22/2023
  
  
• CISA
  CISA to Continue and Enhance U.K.’s Logging Made Easy Tool
  
  
• Forensic Focus
  • Winning New Contracts With Unmatched Speed: How Detego Transformed A Consultancy’s Capabilities
  • Digital Image Authenticity And Integrity With Amped Authenticate
  • Endpoint Inspector From Cellebrite Enterprise Solutions
  • Digital Forensics Round-Up, April 20 2023
    
    
• Magnet Forensics
  • Review and Tagging in Magnet AXIOM & Magnet REVIEW
  • Thorn’s CSAM Image Classifier Now Integrated With Magnet AXIOM
  • Supporting eDiscovery With Email Relationship Linking in Magnet AXIOM Cyber Load Files
  • All the Action from Magnet User Summit 2023 
    
    
• MSAB
  • MSAB´s annual report for 2022 published
  • Amendment: MSAB´s annual report for 2022 published
    
    
• Lisa Forte at Red Goat
  How to write an effective ransomware playbook
  
  
• Salvation DATA
  What does a Forensic Video Analyst do in Law Enforcement?
  
  
• SANS
  • What are Sock Puppets in OSINT
  • Keeping your boat afloat
  • Be Dazzled by Identity-as-a-Service (IDaaS)
  • Your Security Awareness Program Can Do More Than You Think: Fulfilling the Promise of “Training for All”
  • Cybersecurity Jobs: Blue Teamer (Japanese)
  • Cloud Agnostic or Devout?
    
    
• SentinelOne
  • Mastering the Art of SOC Analysis Part 1 | Fundamental Skills for Aspiring Security Operations Center Analysts
  • Avoiding the Storm | How to Protect Cloud Infrastructure from Insider Threats
    
    
• Teri Radichel
  • S3 Bucket for S3 Access Logs
  • S3 Bucket for CloudTrail
    
    
• John Patzakis at X1
  Social Media Evidence Proves Essential in Recent High-Stakes Trademark Infringement Matters
  

SOFTWARE UPDATES

• ANSSI
  DFIR-ORC v10.1.7
  
  
• Cellebrite
  • Now Available: Cellebrite Endpoint Inspector 1.7
  • Now Available: Cellebrite Inspector 10.7.2
    
    
• Crowdstrike
  Falconpy Version 1.2.14
  
  
• Doug Burks at Security Onion
  Security Onion 2.3.230 now available including CyberChef 10.2.0, Grafana 9.2.15, nginx 1.22.1, Redis 6.2.11, Suricata 6.0.11, Zeek 5.0.8, and more!
  
  
• Federico Lagrasta
  PersistenceSniper v1.9.3
  
  
• GMDSoft
  GMDSOFT Q1 MD-Series Release Note Highlights
  
  
• Manabu Niseki
  Mihari v5.2.1
  
  
• OpenCTI
  5.7.2
  
  
• Sandfly Security
  Sandfly 4.4.0 – Agentless Linux Password Auditing and Data De-Duplication
  
  
• Sebdraven
  Yeti 2.0
  
  
• SpecterOps
  Introducing BloodHound 4.3 — Get Global Admin More Often
  
  
• Ulf Frisk
  MemProcFS Version 5.5
  
  
• Xways
  • X-Ways Forensics 20.7 SR-9
  • X-Ways Forensics 20.8 Beta 4
    
    
• Yamato Security
  Hayabusa v2.4.0 🦅
  
  
• YARA
  v4.3.1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!