As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Chris Doman at Cado Security
  DFIR with KAPE and Cado Community Edition
  
  
• Darren Lim
  Forensic Analysis of Jami for Android, a Peer-to-Peer Messaging Application
  
  
• Decrypting a Defense
  AI & Photography, NYC Council Hearing, Geofence Warrants, Search Warrant Returns, & More
  
  
• Michael Hamm at Digital Corpora
  CIRCL Forensics Exercises
  
  
• Haider at HK_Dig4nsics
  iOS Shortcuts
  
  
• InfoSec Write-ups
  BlackEnergy Memory Forensic Ananlysis
  
  
• Invictus Incident Response
  The Evolution of Business Email Compromise
  
  
• Kevin Pagano at Stark 4N6
  Gboard and Clipboard History
  
  
• Melanie Ninovic at ParaFlare
  Inetcache: Exploiting From Within
  
  
• Pieces0310
  再谈USB存储设备的使用痕迹 – Pieces0310
  
  
• Plainbit
  Sysmon 활용 가이드: Configure File 구성과 작성 방법
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Threat Hunting – architecture issues…
  • Malware – some musings about the meaning of the word…
    
    
• Adam Goss
  • Python Threat Hunting Tools: Part 1 — Why?
  • Threat Intelligence vs Threat Hunting: What is the Perfect Pipeline?
    
    
• Alex John
  Detecting and responding to ESXi compromise with Splunk
  
  
• Anomali
  Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
  
  
• Anton Chuvakin
  SIEM Content, False Positives and Engineering (Or Not) Security
  
  
• Any.Run
  Malware Analysis Digest: April 2023 
  
  
• Francis Guibernau and Ken Towne at AttackIQ
  Emulating Recent Activity from the Russian Adversary Nobelium / APT29
  
  
• Avast Threat Labs
  Avast Q1/2023 Threat Report
  
  
• Avertium
  Lazarus and the 3CX Double Software Supply Chain Attack
  
  
• Brad Duncan at Malware Traffic Analysis
  2023-05-02 – Quick post: obama259 Qakbot (Qbot) infection with Dark Cat VNC
  
  
• BushidoToken
  • Raspberry Robin: A global USB malware campaign providing access to ransomware operators
  • GreenMwizi – Kenyan scamming campaign using Twitter bots
    
    
• Censys
  Months after first GoAnywhere MFT zero-day attacks, Censys still sees ~180 public admin panels
  
  
• CERT Ukraine
  • WinRAR як “кіберзброя”. Деструктивна кібератака UAC-0165 (ймовірно, Sandworm) на держсектор України із застосуванням RoarBat (CERT-UA#6550)
  • Повернення UAC-0006: масове розповсюдження SmokeLoader з використанням тематики “рахунків” (CERT-UA#6613)
    
    
• CERT-AGID
  • Anche in Italia cresce l’utilizzo di documenti OneNote per veicolare malware
  • Sintesi riepilogativa delle campagne malevole nella settimana del 29 aprile – 5 maggio 2023
    
    
• Check Point Research
  • 1st May – Threat Intelligence Report
  • Chain Reaction: ROKRAT’s Missing Link
  • Eastern Asian Android Assault – FluHorse
    
    
• Cisco’s Talos
  • Threat Source newsletter (May 4, 2023) — Recapping the biggest headlines to come out of RSA
  • Threat Roundup for April 28 to May 5
    
    
• Cleafy
  Uncovering drIBAN fraud operations. Chapter 1: Introduction and Malspam
  
  
• Cofense
  Malicious email campaigns abusing Telegram bots rise tremendously in Q1 2023, surpassing all of 2022 by 310%
  
  
• Corelight
  New Sliver C2 Detection Released – Redteam detected | Corelight
  
  
• CTF导航
  • APT分析之Sandworm勒索攻击模拟、推演、分析
  • JSP WebShell攻防(三)之动态代理类绕过
    
    
• CyberCX
  Cyber Adviser Newsletter – April 2023
  
  
• Cyberknow
  Update 23. 2023 Russia-Ukraine War — Cybertracker. May 03.
  
  
• Cyfirma
  Weekly Intelligence Report – 05 May 2023
  
  
• Darktrace
  Royal Ransomware: How Darktrace Contained One of the Most Prolific Ransomware Strains
  
  
• Sam Hanson at Dragos
  Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE
  
  
• EclecticIQ
  Polish Healthcare Industry Targeted by Vidar Infostealer Likely Linked to Djvu Ransomware
  
  
• Abdelwahhab Satta, Octodet,Samir Bennacer, and Octodet at Elastic
  Industrial control systems security with Elastic Security and Zeek
  
  
• Esentire
  • Threat Actors Using Fake QuickBooks Software to Scam Organizations
  • What is Malware-as-a-Service (MaaS)
  • Protecting End Users Against the Gootloader Malware Threat Using the Gootloader Operator’s Own Tactics
    
    
• Fatih Yilmaz
  • YARA Rules
  • YARA Kuralları
    
    
• Flashpoint
  COURT DOC: Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled
  
  
• IronNet
  • IronNet Monthly Global Threat
  • Investigating Undocumented Netcomms From Legitimate Chrome Extension
    
    
• Jeffrey Appel
  Block C2 communication with Defender for Endpoint
  
  
• John Hammond
  • Hunt for Hackers with Velociraptor
  • Living Off The Land – Windows Disk Cleaner Persistence
    
    
• Jonathan Johnson
  Exploring Impersonation through the Named Pipe Filesystem Driver
  
  
• Kim Zetter at Wired
  The Untold Story of the Boldest Supply-Chain Hack Ever
  
  
• Anish Bogati & Rabindra Dev Bhatta at Logpoint
  PaperCut Vulnerability CVE-2023-27350: Detecting exploitation attempts
  
  
• Mandiant
  • A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors
  • Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations
  • New Mandiant Threat Intelligence Integrations for MISP, Splunk SIEM and SOAR, and Cortex XSOAR by Palo Alto Networks
    
    
• Nextron Systems
  • How to scan Docker images using THOR – Part 1
  • How to scan Docker containers using THOR – Part 2
    
    
• Dan Sherry at Pulsedive
  Op-Ed: How to Make STIX Stickier
  
  
• Nicholas Spagnola at Rapid7
  AppDomain Manager Injection: New Techniques For Red Teams
  
  
• ReliaQuest
  • 2023 Ransomware: Detection and Prevention
  • Once Bitten: LockBit Ransomware Case Study
    
    
• SANS Internet Storm Center
  • SANS.edu Research Journal Volume 3 Released into the Wild. https://www.sans.edu/cyber-security-research @sans_edu #cybersecurity #research, (Sun, Apr 30th)
  • Deobfuscating Scripts: When Encodings Help, (Sun, Apr 30th)
  • “Passive” analysis of a phishing attachment, (Mon, May 1st)
  • VBA Project References, (Tue, May 2nd)
  • Increased Number of Configuration File Scans, (Wed, May 3rd)
  • Infostealer Embedded in a Word Document, (Thu, May 4th)
  • Exploratory Data Analysis with CISSM Cyber Attacks Database – Part 1, (Sat, May 6th)
  • Guildma is now abusing colorcpl.exe LOLBIN, (Fri, May 5th)
    
    
• Securelist
  • What does ChatGPT know about phishing?
  • Managed Detection and Response in 2022
    
    
• Securonix
  Securonix Threat Labs Monthly Intelligence Insights – April 2023
  
  
• Phil Stokes at SentinelOne
  Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram
  
  
• SOCRadar
  Dark Web Profile: BlackByte Ransomware
  
  
• Gabor Szappanos at Sophos
  A doubled “Dragon Breath” adds new air to DLL sideloading attacks
  
  
• Sucuri
  • What is Steganography? (Or, How Hackers Hide Malware On Websites)
  • What is XML-RPC? Security Risks & How to Disable
    
    
• System Weakness
  • Malware Persistence via the Windows Registry.
  • Linux Persistence Technique | Credential Harvesting | Unshadow
    
    
• Threatmon
  • Anonymous Sudan: In-Depth Analysis Beyond Hacktivist Attacks
  • Zaraza Bot: The New Russian Credential Stealer
    
    
• Craig Chamberlain at Uptycs
  How Anomaly Detection Advances Cloud Threat Hunting – Uptycs
  
  
• Vicente Díaz at VirusTotal
  Actionable Threat Intel (I) – Crowdsourced YARA Hub
  
  
• Jacob Baines at VulnCheck
  PaperCut Exploitation – A Different Path to Code Execution
  
  
• James Shepperd at WeLiveSecurity
  APT groups muddying the waters for MSPs
  
  
• Nicolás Chiaraviglio at Zimperium
  BouldSpy: A New Android Surveillance Tool
  

UPCOMING EVENTS

• Yuri Gubanov at Belkasoft
  New Webinar! Free Belkasoft X Brute-Force Tool
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-05-08
  
  
• Cellebrite
  How to Simplify Modern Mobile Data Collection and Review
  
  
• Cyborg Security
  Threat Hunting Workshop 8: Hunting for Exfiltration
  
  
• Doug Burks at Security Onion
  Security Onion Conference 2023 Save the Date and CFP
  
  
• Magnet Forensics
  Know When to Seek Help for Memory Loss
  
  
• SANS
  • Dip a Toe in the ISC Honeypot with Dr. Johannes Ullrich | Graphs & AI with Jess Garcia | May 9, 2023
  • SANS Threat Analysis Rundown | Katie Nickels
    

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  • Recovering Deleted Files with ATRIO.
  • Easily recover deleted files with ATRIO
  • Data recovery – adding tasks to ATRIOs task queue.
  • Data recovery – additing file carving to ATRIOs task queue
    
    
• Black Hills Information Security
  • Talkin’ About Infosec News – 5/5/2023
  • Making Compliance Suck Less | John Strand | BHIS Nuggets
    
    
• BlueMonkey 4n6
  WriteBlocker from Sinabis Analytics – unboxing and review
  
  
• Brakeing Down Security Podcast
  lynsey wolf, conducting insider threat investigations, CASB and UEBA utlization to good use.
  
  
• Breaking Badness
  The Stronger Together Mini-Series
  
  
• Cyber Triage
  ResponderCon 2022 Ransomware Videos (Batch 4)
  
  
• Detections by SpectreOps
  DCP Live: Session 7
  
  
• Digital Forensic Survival Podcast
  DFSP # 376 – Zero-Day and DFIR
  
  
• Frank Victory
  Velociraptor DFIR Hunt Manager
  
  
• I Am Ironcat
  Ironcat Malware Episode 3 – Auto Defender Defeat
  
  
• John Hubbard at ‘The Blueprint podcast’
  Blueprint Podcast: The Special Season Trailer
  
  
• Magnet Forensics
  • How to Navigate Digital Evidence in Magnet REVIEW
  • Magnet and Cobwebs Partner to Leverage AI and OSINT for Investigations
  • Magnet REVIEW: Collaborate on Digital Evidence Review from Anywhere
  • Introducing Magnet AXIOM Cyber 7.0
    
    
• MSAB
  • How to extract data from iPhones with XRY’s iOS Targeted Function?
  • Forensic Fix Episode 4  – Austin Berrier
    
    
• Paraben Corporation
  Android ADB Download App Acquisitions
  
  
• RickCenOT
  BREAKING DOWN “I pwn your ICS communication processor and traverse into your Level 0 serial device”
  
  
• SANS
  • A Visual Summary of SANS ICS Summit 2023
  • Securing Your Cached Assets
  • Promoting Your Path: From Engineer to CISO
    
    
• Security Intelligence
  Expert Insights on the X-Force Threat Intelligence Index
  

MALWARE

• ASEC
  • CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers
  • RecordBreaker Stealer Distributed via Hacked YouTube Accounts
  • Qakbot Distributed via OneNote and CHM
  • ASEC Weekly Phishing Email Threat Trends (April 16th, 2023 – April 22nd, 2023)
    
    
• Zeev Hananis at Checkmarx Security
  ML Engine Detects PyPi Packages Containing “WhiteSnake” Malware Designed to Steal Your Personal…
  
  
• Cyble
  • BlackBit Ransomware: A Threat from the Shadows of LokiLocker
  • New KEKW Malware Variant Identified in PyPI Package Distribution
  • Sophisticated DarkWatchMan RAT Spreads Through Phishing Sites
    
    
• Dr Josh Stroschein
  Memory Dump Unpacking – Finding Redline Stealer
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #139: License borrowing
  
  
• Lab52
  New Mustang Panda’s campaing against Australia
  
  
• Mayank Malik
  Malware Analysis and Triage : DeathNote Infostealer
  
  
• Yashvi Shah at McAfee Labs
  Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution
  
  
• Michael Maltsev
  Leveraging XFG to help with reverse engineering
  
  
• Moath Maharmeh at C99.sh
  Utilizing Morse Code to Evade Signature Based Detection Systems
  
  
• Gustavo Palazolo at Netskope
  Netskope Threat Coverage: CrossLock Ransomware
  
  
• OALABS Research
  Satacom (LegionLoader)
  
  
• Mark Lim, Daniel Raygoza and Bob Jung at Palo Alto Networks
  Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
  
  
• Charles Coggins at Phylum
  Bad Beat Poetry
  
  
• Dmitry Kalinin at Securelist
  Not quite an Easter egg: a new family of Trojan subscribers on Google Play
  
  
• Lee Dale at System Weakness
  Malware Analysis. Looking for Keyloggers on Windows
  
  
• Ted Lee and Hara Hiroaki at Trend Micro
  Attack on Security Titans: Earth Longzhi Returns With New Tricks
  

MISCELLANEOUS

• Kevin Ripa at SANS
  The Banana Incident
  
  
• Belkasoft
  • Case of Casey Anthony: Extraneous Digital Evidence
  • Belkasoft Offers a Free Brute-Force Tool
    
    
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 05/06/2023
  
  
• DFRWS
  DFRWS Implementation Guidance for U.S. National Cybersecurity Strategy
  
  
• Joe St Sauver at DomainTools
  Introduction to IPFS
  
  
• Forensic Focus
  • Preventing Data Leaks With Git Guardian
  • Digital Forensics Round-Up, May 04 2023
    
    
• John Hollenberger at Fortinet
  A Guide to Incident Response Plans, Playbooks, and Policy
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (5/1/2023)
  
  
• MuSecTech
  Embracing Automation to Unlock New Innovations
  
  
• Oleg Afonin at Elcomsoft
  • Low-level Extraction for iOS 15
  • iOS Forensic Toolkit and Open Source
    
    
• Alisha Cales at Paraben Corporation
  E3:Universal Top Performer Spring 2023
  
  
• Adam Ostrich at Red Canary
  The Validated Canary: Our validation philosophy
  
  
• SANS
  • Cybersecurity Jobs: Incident Response Team Member (Japanese)
  • Cloud-Powered DFIR: Harnessing the cloud to improve investigator efficiency
  • The Vulnerability Assessment Framework: Stop Inefficient Patching Now and Transform Your Vulnerability Management
    
    
• SUMURI
  Web 3.0 The futures so bright you gotta wear (VR) shades
  
  
• War Room
  • Back to Basics: Phishing
  • The Monarchy Lives On – BECs are alive and well
    

SOFTWARE UPDATES

• ANSSI
  DFIR-ORC v10.2.0
  
  
• Brian Maloney
  OneDriveExplorer v2023.05.05
  
  
• Didier Stevens
  Update: oledump.py Version 0.0.75
  
  
• Elcomsoft
  Full low-level extraction for the entire iOS 15 range
  
  
• ExifTool
  ExifTool 12.62
  
  
• Federico Lagrasta
  PersistenceSniper v1.11.0
  
  
• Kevin Pagano
  SQLiteWalker – v0.0.3
  
  
• OpenCTI
  5.7.4
  
  
• Passware
  Passware Kit Mobile 2023 v3 Now Available
  
  
• radare2
  5.8.6
  
  
• Three Planet Software
  Apple Cloud Notes Parser v0.12.3
  
  
• Ulf Frisk
  MemProcFS Version 5.6
  
  
• Xways
  X-Ways Forensics 20.9 Preview 1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!