As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Hexordia
  • What’s brewing with IPAs – Working with IPA files for Forensic Examiners
  • Cloud Storage & Digital Forensic Evidence
    
    
• David Spreadborough at Amped
  Closed-Box CCTV Acquisition Using Storage Media
  
  
• Emre Caglar Hosgor at Belkasoft
  Incident Response with Belkasoft by Emre Caglar Hosgor, SOC Analyst—Specially for Belkasoft
  
  
• Blake Regan
  checkm8 to SSH
  
  
• Chuan-lun (Johnson) Chou
  Finding messages in Anonymous Chat Rooms, Dating app
  
  
• Digital Forensics Myanmar
  • Browser Forensics With Commercial Tools (Myanmar Language)
  • Volatility Workbench (GUI) for the Volatility tool
    
    
• Forensafe
  • Magnet Virtual Summit – Windows 11 CTF
  • Magnet Virtual Summit – Windows Server CTF
    
    
• Kevin Pagano at Stark 4N6
  • Magnet User Summit 2023 CTF – Cipher
  • Magnet User Summit 2023 CTF – Android (Part 2)
  • Magnet User Summit 2023 CTF – Android (Part 1)
    
    
• Mailxaminer
  • Gmail Email Forensics Analysis – Explore Internet Header
  • Top 6 Digital Forensic Investigation Techniques For Effortless Investigation
  • Advanced eDiscovery Search in Office 365 to Carve Evidence by Forensic Investigators
    
    
• Revo4n6
  Meta Quest 2 Forensic Extraction (Testing)
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Matlab persistent lolbin – 2 years too late, but always…
  
  
• Adam Goss
  • Python Threat Hunting Tools: Part 2 — Web Scraping
  • 5 Reasons Why a Threat Intelligence Platform Will Improve Your Business
    
    
• Anomali
  Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions
  
  
• AttackIQ
  • Attack Graph Response to CISA Advisory AA23-129A: Hunting Russian Intelligence “Snake” Malware
  • Response to CISA Advisory AA23-131A: Malicious Actors Exploit PaperCut MF and NG
    
    
• Jeremy Fuchs at Avanan
  Creating Malicious Content Hosted on Squarespace
  
  
• Avertium
  • Ransomware – Akira and Rapture
  • Flash Notice: Secure Boot Zero-Day Exploited by BlackLotus UEFI Malware
    
    
• Marshall Jones and Deric Martinez at AWS Security
  Detect threats to your data stored in RDS databases by using GuardDuty
  
  
• Black Hills Information Security
  Auditd Field Spoofing: Now You Auditd Me, Now You Auditdon’t
  
  
• Blackberry
  SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey
  
  
• Lawrence Abrams at BleepingComputer
  Meet Akira — A new ransomware operation targeting the enterprise
  
  
• Amanda Berlin at Blumira
  How To Detect SYSVOL Enumeration Exploits
  
  
• CERT EU
  We are changing the executive summary of our quarterly CTI reports
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 6 – 12 maggio 2023
  
  
• Check Point
  • 8th May – Threat Intelligence Report
  • April 2023’s Most Wanted Malware: Qbot Launches Substantial Malspam Campaign and Mirai Makes its Return
    
    
• Yehuda Gelb at Checkmarx Security
  A new stealthier type of Typosquatting attack spotted, targeting NPM
  
  
• CISA
  Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG
  
  
• Cisco’s Talos
  • New phishing-as-a-service tool “Greatness” already seen in the wild
  • Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
  • Threat Roundup for May 5 to May 12
    
    
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 30 – The man config file – man.conf
  
  
• Cyborg Security
  Art of the Hunt: Building a Threat Hunting Hypothesis List
  
  
• Cyfirma
  Weekly Intelligence Report – 12 May 2023
  
  
• Kelsey LaBelle at DomainTools
  Valuable Datasets to Analyze Network Infrastructure | Part 1
  
  
• Dragos
  • Deconstructing a Cybersecurity Event
  • New Knowledge Pack Released (KP-2023-003)
    
    
• EclecticIQ
  Creative Ransomware Extortion; Further Malware Capabilities With ChatGPT
  
  
• EQSTLab
  Check out @EQSTLab’s tweet
  
  
• Flashpoint
  • COURT DOC: Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service
  • Risk Intelligence Index: The April 2023 Cyber Threat Landscape
    
    
• Fortinet
  Ransomware Roundup – Maori
  
  
• GuidePoint Security
  GRIT Ransomware Report: April 2023
  
  
• Trevor Borden at InQuest
  100 Days of YARA: Everything You Need to Know
  
  
• Intrusion Truth
  • What’s Cracking at the Kerui Cracking Academy?
  • The Illustrious Graduates of Wuhan Kerui   
  • All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company
    
    
• Shusei Tomonaga at JPCERT/CC
  Attack Trends Related to DangerousPassword
  
  
• Kim Zetter at ‘Zero Day’
  Timeline of the SolarWinds Hack and Investigation
  
  
• Laurie Iacono, Stephen Green, and Dave Truman at Kroll
  CACTUS Ransomware: Prickly New Variant Evades Detection
  
  
• Logpoint
  • Detecting and Responding to Compromises in Azure AD through AAD Connect
  • BCS for SAP: Enhanced security monitoring and threat detection
    
    
• Matt Suiche at Magnet Forensics
  Hunting Russian Intelligence “Snake” Malware in Memory With Magnet AXIOM Cyber
  
  
• Malwarebytes Labs
  • Ransomware review: May 2023
  • Navigating mobile malware trends: Crucial insights and predictions for MSPs
    
    
• MDSec
  Nighthawk 0.2.4 – Taking Out The Trash
  
  
• Michael Haag
  Living Off The Land Drivers 1.0 Release
  
  
• Nisos
  Trigona Ransomware Family Explained
  
  
• Doel Santos, Daniel Bunce and Anthony Galiette at Palo Alto Networks
  Threat Assessment: Royal Ransomware
  
  
• Proofpoint
  Crime Finds a Way: The Evolution and Experimentation of the Cybercrime Ecosystem
  
  
• Reason Labs
  The Super Mario Bros. Pirate
  
  
• Recon Infosec
  Emergence of Akira Ransomware Group
  
  
• Red Alert
  • 2022 Activities Summary of SectorA groups (KOR)
  • 2022 Activities Summary of SectorB groups (KOR)
  • 2022 Activities Summary of SectorD groups (KOR)
  • 2022 Activities Summary of SectorC groups (KOR)
  • 2022 Activities Summary of SectorJ groups (KOR)
    
    
• Ryan Chapman at SANS
  Ransomware: Every internet-connected network is at risk. Be prepared!
  
  
• S-RM Insights
  Cyber Intelligence Briefing: 12 May 2023
  
  
• Shaun McCullough at SANS
  What Is Threat Detection?
  
  
• SANS Internet Storm Center
  • Quickly Finding Encoded Payloads in Office Documents, (Sun, May 7th)
  • Exploratory Data Analysis with CISSM Cyber Attacks Database – Part 2, (Tue, May 9th)
  • Geolocating IPs is harder than you think, (Thu, May 11th)
  • The .zip gTLD: Risks and Opportunities, (Fri, May 12th)
    
    
• Securonix
  Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads
  
  
• Sekoia
  Overview of the Russian-speaking infostealer ecosystem: the logs
  
  
• Sophos
  • The State of Ransomware 2023
  • Akira Ransomware is “bringin’ 1988 back”
    
    
• Cody Thomas at SpecterOps
  C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves
  
  
• Squiblydoo.blog
  Certified Bad
  
  
• Tom Wechsler at Microsoft
  Advanced threat hunting within Active Directory Domain Services – Knowledge is power!
  
  
• Khristian Joseph Morales and Gilbert Sison at Trend Micro
  Managed XDR Investigation of Ducktail in Trend Micro Vision One™
  
  
• Joshua St. Hilaire at Vectra AI
  Command and Control (C2) Evasion Techniques by Joshua St. Hilaire
  
  
• Bernardo.Quintero at VirusTotal
  VT Code Insight: Updates and Q&A on Purpose, Challenges, and Evolution
  
  
• VulnCheck
  Stealc: A new stealer emerges in 2023
  
  
• Jonathan McCay, Joshua Platt and Jason Reaves at Walmart
  MetaStealer: String Decryption and DGA overview
  
  
• Jean-Ian Boutin at WeLiveSecurity
  ESET APT Activity Report Q4 2022­–Q1 2023
  

UPCOMING EVENTS

• Cellebrite
  How to Simplify Modern Mobile Data Collection and Review
  
  
• Gerald Auger at Simply Cyber
  The REAL Value of Cyber Threat Intel (And How To Get It)
  
  
• Kroll
  Q1 2023 Threat Landscape Briefing: Ransomware Groups Splinter, Swarm Professional Services Sector (APAC)
  
  
• Magnet Forensics
  • Magnet AUTOMATE: Accelerate Your Digital Investigation Workflows
  • Current Cyber Security Legislation (and Why Its Important to You)
    
    
• MSAB
  Unique Exploits and Solutions in XRY & XRY Pro
  
  
• SANS
  • Stay Ahead of Ransomware Livestream Series – Episode 2
  • Blog – The 2023 SANS Spring Cyber Solutions Fest Is Right Around the Corner
  • Strategy 2: Give the SOC the Authority to Do Its Job
  • SANS Cybersecurity Leadership Summit 2023
  • Navigating the Future of SOC: Opportunities and Risks, with John Hubbard | May 16, 2023
  • Aligning Cyber Across the Enterprise
    
    
• Paolo Dal Checco at Studio d’Informatica Forense
  Seminario “OSINT In Law” per Università di Foggia su Digital Forensics
  

PRESENTATIONS/PODCASTS

• Academia de Forense Digital
  Arsenal Tools, A Ferramenta Forense Poderosa de Exploração! Com o Prof. Renan Cavalheiro
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2023-05-15
  • Talkin’ About Infosec News – 5/11/2023
  • How to Be a criminal: More surveillance, less privacy?
  • Layer 2 Attacks with Responder | John Strand | BHIS Nuggets
    
    
• BlueMonkey 4n6
  Magnet User Summit – Capture The Flag – May 2023 – Cipher
  
  
• Cellebrite
  • Digital Forensics Tools: Accessing the Cellebrite Notebook
  • How to Parse Single Applications with Digital Forensics Tools in Physical Analyzer
  • Digital Forensics Tools: How to Filter Images in Physical Analyzer ULTRA
    
    
• Detection: Challenging Paradigms
  Episode 32: Casey Smith (Part 1)
  
  
• Digital Forensic Survival Podcast
  DFSP # 377 – Interview with Yugal Pathak
  
  
• Gerald Auger at Simply Cyber
  $0 Budget SOC Analyst: Master the Art of Free Learning #cybersecurity
  
  
• InfoSec_Bret
  X_x It Came From Reddit x_X – windowsactivator
  
  
• John Hammond
  • PowerShell CRYPTOSTEALER through DNS
  • How To Setup ELK | Elastic Agents & Sysmon for Cybersecurity
  • Getting Started in Firmware Analysis & IoT Reverse Engineering
  • Hide a Hacker’s Reverse Shell in ONE Command
    
    
• John Hubbard at ‘The Blueprint podcast’
  • Strategy 1: Know What You Are Protecting and Why
  • 11 Strategies of a World-Class Security Operations Center: Fundamentals
    
    
• Magnet Forensics
  Know When to Seek Help for Memory Loss
  
  
• Malwarebytes Labs
  The rise of “Franken-ransomware,” with Allan Liska: Lock and Code S04E11
  
  
• MSAB
  • How to Remove Duplicates in XAMN PRO?
  • XRY: XRY Pro
  • XRY Pro: Cutting-edge software for the most challenging phones
    
    
• RickCenOT
  I pwn your Beckhoff CX9001 ICS with a Bad USB HID Injection Attack in less than 30 sec
  
  
• SANS
  • Memory Forensics Acquisition Cloud
  • What You Will Learn in SEC406: Linux Security for InfoSec Professionals
  • SANS New2CyberSummit 2023 – Reskilling Edition
  • Improve Your Cyber Security Culture
  • 2023 RSA Conference Live Streams
  • SANS Neurodiversity in Cybersecurity Summit 2023 Graphic Illustrations
    
    
• Sumuri
  • Export Triage Results to an Image!
  • SUMURI Podcast Episode 017 – Cloud Research
    
    
• The Defender’s Advantage Podcast
  Threat Trends: Bonus Episode – How Will AI Impact Threat Intelligence?
  
  
• Carlos Perez at TrustedSec
  Learning Sysmon – Videos 1-10
  

MALWARE

• 0x70RVS
  Packing and Unpacking study notes Pt-1
  
  
• Adam at Hexacorn
  • PE Section names – re-visited, again, in 2023
  • An Elf walks into the bar…
  • Da Li’L World of DLL Exports and Entry Points, Part 6
    
    
• ASEC
  • AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT
  • Tracking 3CX Supply Chain Breach Cases using AhnLab EDR
  • ASEC Weekly Malware Statistics (April 24th, 2023 – April 30th, 2023)
  • ASEC Weekly Phishing Email Threat Trends (April 23rd, 2023 – April 29th, 2023)
    
    
• Erik Pistelli at Cerbero
  • OneNote Malware With ISO File
  • PowerShell Malware with x64 Shellcode
    
    
• Michał Praszmo at CERT Polska
  Malspam campaign delivering PowerDash – a tiny PowerShell backdoor
  
  
• CISA
  Hunting Russian Intelligence “Snake” Malware
  
  
• Cofense
  The Art of Deception: Microsoft Phish Redirects Victims to a Catering Voice Recording
  
  
• Cyble
  • Unraveling Akira Ransomware
  • Dissecting Rancoz Ransomware
  • BlackSuit Ransomware Strikes Windows and Linux Users
    
    
• Matthew at Embee Research
  • AgentTesla – Full Analysis – Resolving API Hashing Using x32Dbg
  • Curated List of Malware Writeups
    
    
• Fatih Yilmaz
  • Yamalama(Patching)
  • Patching
    
    
• Fortinet
  • AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717)
  • RapperBot DDoS Botnet Expands into Cryptojacking
    
    
• Jacob Pimental at GoggleHeadedHacker
  OneNote Analysis
  
  
• Hex Rays
  • Plugin focus: NtRays
  • Igor’s Tip of the Week #140: Loading PDB types
    
    
• Matthew Brennan at Huntress
  Advanced CyberChef Tips: AsyncRAT Loader
  
  
• Sarang S at InfoSec Write-ups
  Using Python for Malware Analysis — A Beginners Guide
  
  
• Jai Minton
  Remcos RAT – Malware Analysis Lab
  
  
• Baran S at K7 Labs
  SpyNote targets IRCTC users
  
  
• Lab52
  Let’s talk about the malware used by Mustang Panda
  
  
• Mandiant
  IRONGATE ICS Malware: Nothing to See Here…Masking Malicious Activity on SCADA Systems
  
  
• Max Kersten at Trellix
  Trucking on with DotDumper
  
  
• McAfee Labs
  • New Wave of SHTML Phishing Attacks
  • GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader
    
    
• OALABS Research
  • StrelaStealer
  • Metastealer
    
    
• Sansec
  Postponed Exfiltration Evades Detection
  
  
• Alex Delamotte at SentinelOne
  Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers
  
  
• Stairwell
  Jasper the unfriendly loader
  
  
• Denis Sinegubko at Sucuri
  Xjquery Wave of WordPress SocGholish Injections
  
  
• Zhassulan Zhussupov
  Malware development trick – part 28: Dump lsass.exe. Simple C++ example.
  

MISCELLANEOUS

• ADF Solutions
  • Mac Triage Made Easy: Using the Mac Remote Agent with ADF
  • Memory Forensics 101: The Basics You Need to Know for Effective Digital Forensics Investigations
    
    
• Ahmed Ali
  The Silk Road Aftermath: An In-Depth Analysis of United States v. Ulbricht
  
  
• Brett Shavers
  DFIR is a mindset, not a skillset.
  
  
• Cado Security
  • Breach Notifications and Forensics in Regulated Industries
  • Supercharging Your XDR for Investigations With Cado
    
    
• Forensic Focus
  • Forensics Europe Expo (FEE) 2023
  • Rapid Digital Forensics Investigations On The Move With Detego Global’s Mobile Deployment Kits
  • Modern Digital Forensic Tools: How New Tools Cut through The Noise To Find Evidence
  • Digital Forensics Round-Up, May 11 2023
    
    
• Félix Guyard at ForensicXlab
  🔦 Debunking the Expert Witness Compression Format (EWF)
  
  
• David Kovar at Kovar & Associates
  What types of domestic malicious UAV operations pose the greatest threat, and what is the likelihood of these operations?
  
  
• Kristian Lars Larsen at Data Narro
  The Litigation & E-Discovery Timeline
  
  
• Dr. Mike Cohen & Carlos Canto
  The Velociraptor 2023 Annual Community Survey
  
  
• Revo4n6
  Cloud Storage & Digital Forensic Evidence
  
  
• SANS
  • Cybersecurity Jobs: Cybersecurity Analyst/Engineer (Japanese)
  • Blog – Stronger Together: Recapping RSA Conference 2023
    
    
• Roy Bray at SentinelOne
  Mastering the Art of SoC Analysis Part 3 | Secrets of Communication and Growth for Aspiring SOC Analysts
  

SOFTWARE UPDATES

• Cyber Ark
  White Phoenix
  
  
• DeTTECT
  v1.9.0
  
  
• Digital Sleuth
  WIN-FOR v6.2.0
  
  
• EclecticIQ
  Introducing EclecticIQ Intelligence Center 3.0
  
  
• Harel Segev
  INDXRipper 5.2.8
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 3.87.0.6
  
  
• Passmark Software
  V10.0 Build 1011 12th May 2023
  
  
• SigmaHQ
  pySigma v0.9.9
  
  
• Rapid7
  Velociraptor 0.6.9 Release
  
  
• Xways
  X-Ways Forensics 20.9 Preview 2
  
  
• Yamato Security
  Hayabusa v2.5.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!