As always, thanks to those who give a little back for their support!

Lee Whitfield has announced the finalists for this years Forensic 4cast awards. Thanks for everyone that nominated this site for Resource of the Year.
Forensic 4:cast Awards 2023 – Voting is now open!

FORENSIC ANALYSIS

• ThinkDFIR
  CPY JMP
  
  
• Brian Maloney at Malware Maloney
  OneDrive Evolution
  
  
• Forensafe
  Investigating Remote Desktop Connection Event Logs
  
  
• ForensicXlab
  📦 Volatility3 Windows Plugin : KeePass
  
  
• Invictus Incident Response
  Importing Windows Event Log files into Splunk
  
  
• Mailxaminer
  Guide On Apple Mail Forensics: Detailed Analysis
  
  
• Revo4n6
  Path of a Murderer: Location & Device Data
  
  
• Paritosh at System Weakness
  Windows Event Analysis: Unlocking the Hidden Insights in Event Logs
  

THREAT INTELLIGENCE/HUNTING

• Adam Goss
  • Python Threat Hunting Tools: Part 3 — Interacting with APIs
  • Learn 10 ways to use ChatGPT for Threat Hunting Right Now!
    
    
• Anomali
  Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
  
  
• AttackIQ
  Attack Graph Response to CISA Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group
  
  
• Avertium
  A Deeper Look into the PaperCut Vulnerabilities
  
  
• Black Cell
  Global Vulnerability Trends | Infographic
  
  
• Lawrence Abrams at BleepingComputer
  MalasLocker ransomware targets Zimbra servers, demands charity donation
  
  
• Bobby Rauch
  The Dangers of Google’s .zip TLD
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-05-17 – Knock knock… Guess who? It’s Pikabot!
  • 2023-05-10 – obama262 Qakbot (Qbot) infection with Cobalt Strike and Dark Cat VNC
  • 2023-05-10 – IcedID (Bokbot) infection with Cobalt Strike and Keyhole VNC
    
    
• BushidoToken
  Fake Steam Desktop Authenticator App distributing DarkCrystal RAT
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 13 – 19 maggio 2023
  
  
• Check Point Research
  • The Dragon Who Sold His Camaro: Analyzing Custom Router Implant
  • 15th May – Threat Intelligence Report
  • Malicious VSCode extensions with more than 45K downloads steal PII and enable backdoors
    
    
• Tzachi(Zack) Zorn at Checkmarx Security
  PyPi on Hold: Suspends New Users’ and Projects Creations Due to A High Volume of Malicious Activity
  
  
• CISA
  #StopRansomware: BianLian Ransomware Group
  
  
• Chetan Raghuprasad at Cisco’s Talos
  Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code
  
  
• William Burgess at Cobalt Strike Research and Development
  Cobalt Strike and YARA: Can I Have Your Signature?
  
  
• Cofense
  • Top Malware Trends of April
  • Threat Actors Impersonate Email Security Providers to Steal User Credentials
    
    
• Daniel Fonseca Yarochewsky at Confiant
  BadTrip: A chain of fake travel sites abuses search ads to commit fraud and credential theft
  
  
• CTF导航
  APT-C-28（ScarCruft）组织利用恶意文档投递RokRat攻击活动分析
  
  
• Cyble
  • Cisco Routers Exploited by Russian State-Sponsored Attackers
  • Ducktail Malware Focuses on Targeting HR and Marketing Professionals
  • AndoryuBot’s DDOS Rampage
  • CapCut Users Under Fire
    
    
• Cyborg Security
  • Unleashing the Serpent: Navigating the Threat of Snake Malware
  • Cactus Ransomware: A Thorny New Threat on the Horizon
  • Rapture Ransomware: A Deep Dive into the Silent Cyber Storm
  • Guarding the Gates: The Intricacies of Detection Engineering and Threat Hunting
    
    
• Cyfirma
  Weekly Intelligence Report – 19 May 2023
  
  
• DCSO CyTec
  Andariel’s “Jupiter” malware and the case of the curious C2
  
  
• Emiliano Martinez at VirusTotal
  VirusTotal += Mandiant Permhash: Unearthing adversary infrastructure and toolkits by leveraging permissions similarity
  
  
• Paul Lawrence And Roger Studner at Expel
  Customer context: beware the homoglyph
  
  
• Flashpoint
  • COURT DOC: Ransomware Charges Unsealed Against Russian National
  • COURT DOC: Man Pleads Guilty to Conspiracy to Sell Stolen Financial Information on Dark Web
    
    
• Michael Zuckerman at Infoblox
  Black Basta: Anatomy of the Attack
  
  
• InfoSec Write-ups
  Attacking Active Directory & Kerberoasting
  
  
• Michael DeBolt at Intel471
  Gaining the Intelligence Advantage with Cyber HUMINT – Part Two
  
  
• Intrusion Truth
  • Trouble in Paradise 
  • Introducing Cheng Feng 
  • MiSSing links 
    
    
• Kela
  Delving Into The Emerging Infostealers Of 2023 – Report
  
  
• Kim Zetter at ‘Zero Day’
  How Volexity Discovered the SolarWinds Hacking Campaign
  
  
• Bill Cozens at Malwarebytes Labs
  APT attacks: Exploring Advanced Persistent Threats and their evasive techniques
  
  
• Mandiant
  • Permhash — No Curls Necessary
  • SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
  • A Requirements-Driven Approach to Cyber Threat Intelligence
    
    
• Michael Koczwara
  Hunting Malicious Infrastructure using JARM and HTTP Response
  
  
• Vasu Jakkal at Microsoft Security
  Cyber Signals: Shifting tactics fuel surge in business email compromise
  
  
• Nasreddine Bencherchali
  • LOLBINed — Finding “LOLBINs” In AV Uninstallers
  • SIGMA Rule Repository Enhancements— New Folder Structure & Rule Types
    
    
• Netskope
  • InterPlanetary File System: A Decentralized Place to Host Phishing Content
  • Netskope Threat Labs Stats for April 2023
  • Cloud Threats Memo: More Details on Long-Lasting Campaigns Targeting Eastern Europe
    
    
• Oleg Skulkin at BI.ZONE
  BI.ZONE sheds light on data breaches caused by Leak Wolf’s malware-free attacks
  
  
• Palo Alto Networks
  It’s All in the Name: How Unit 42 Defines and Tracks Threat Adversaries
  
  
• Viren Chaudhari at Qualys
  New Strain of Sotdas Malware Discovered
  
  
• Recorded Future
  • OilAlpha: A Likely Pro-Houthi Group Targeting Entities Across the Arabian Peninsula
  • I Have No Mouth, and I Must Do Crime
    
    
• Rob van Os
  Why your detections may be failing (and what to do about it)
  
  
• Ryan Fetterman at Splunk
  Model-Assisted Threat Hunting (M-ATH) with the PEAK Framework
  
  
• Miles Arkwright and James Tytler at S-RM Insights
  Cyber Intelligence Briefing: 19 May 2023
  
  
• SANS Internet Storm Center
  • DShield Sensor Update, (Sun, May 14th)
  • VMware Aria Operations addresses multiple Local Privilege Escalations and a Deserialization issue, (Sun, May 14th)
  • Ongoing Facebook phishing campaign without a sender and (almost) without links, (Mon, May 15th)
  • Increase in Malicious RAR SFX files, (Wed, May 17th)
  • Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th)
  • When the Phisher Messes Up With Encoding, (Fri, May 19th)
  • A Quick Survey of .zip Domains: Your highest risk is running into Rick Astley., (Thu, May 18th)
  • Phishing Kit Collecting Victim’s IP Address, (Sat, May 20th)
    
    
• Kristen Cotten at Scythe
  Threat Emulation: Agent Tesla
  
  
• Securelist
  • The nature of cyberincidents in 2022
  • Minas – on the way to complexity
    
    
• Security Intelligence
  • Today’s Biggest Threats Against the Energy Grid
  • Are Ransomware Attacks Declining, or Has Reporting Worsened?
    
    
• Izzmier Izzuddin Zulkepli at Security Investigation
  Threat Hunting Hypothesis Examples: Start For a Good Hunt!
  
  
• Sekoia
  APT28 leverages multiple phishing techniques to target Ukrainian civil society
  
  
• SentinelOne
  • Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors
  • Inside the Mind of a Cyber Attacker | Tactics, Techniques, and Procedures (TTPs) Every Security Practitioner Should Know
    
    
• SOCRadar
  Unlock Industry-Specific Cyber Insights: Industry Threat Landscape Report
  
  
• Sean Gallagher at Sophos
  The Phantom Menace: Brute Ratel remains rare and targeted
  
  
• Riley Kilmer at Spur
  Identifying The Nexus Of Scaled Ad Fraud
  
  
• Ben Martin at Sucuri
  • Websites Defaced with Belarusian Bottled Water Company Content
  • Vulnerability in Essential Addons for Elementor Leads to Mass Infection
    
    
• Sumuri
  DarkSide attack? You’re gonna need more than the Justice League!
  
  
• Symantec Enterprise
  Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
  
  
• Team Cymru
  Visualizing QakBot Infrastructure
  
  
• Teri Radichel
  Solar Winds Breach
  
  
• Justin Elze at TrustedSec
  Walking the Tightrope: Maximizing Information Gathering while Avoiding Detection for Red Teams
  
  
• Vikas Singh
  Chrome Extensions – Forensics
  
  
• Yelisey Bohuslavskiy
  Check out Yelisey Bohuslavskiy’s post
  

UPCOMING EVENTS

• Celeste Bishop and Himanshu Verma at AWS Security
  Your guide to the threat detection and incident response track at re:Inforce 2023
  
  
• Cellebrite
  How to Simplify Modern Mobile Data Collection and Review
  
  
• Exterro
  How Barry Bonds Influenced Forensic Investigations
  
  
• Magnet Forensics
  Mobile Unpacked With Chris Vance Ep. 5 // Getting Mixed Messages: Making Sense of Android Messaging Data
  
  
• SANS
  Exploring the Evolution of Cybersecurity Certifications, with Megan Roddie | May 23, 2023
  

PRESENTATIONS/PODCASTS

• Ali Hadi
  New PowerShell Plugin – Adversary Simulation
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2023-05-22
  • Talkin’ About Infosec News – 5/17/2023
    
    
• Digital Forensic Survival Podcast
  DFSP # 378 – SVCHOST Revisited
  
  
• Grzegorz Tworek
  Using “format” command to sideload DLL and launch an arbitrary application
  
  
• InfoSec_Bret
  IR – SOC186-132 – Multiple User Login Failures Detected on Same Machine
  
  
• John Hubbard at ‘The Blueprint podcast’
  Strategy 2: Give the SOC the Authority to Do Its Job
  
  
• Magnet Forensics
  • Magnet and AWS Partner to Accelerate Digital Forensic Investigations With Cloud Technology
  • How to Make Digital Case Notes
  • Magnet AUTOMATE: Accelerate Your Digital Investigation Workflows
  • Current Cyber Security Legislation (and Why Its Important to You)
    
    
• Mostafa Yahia
  • DFIR (Windows Forensics) Course: The difference between Digital Forensics and Incident Response
  • DFIR (Windows Forensics) Course: Data Acquisition
    
    
• MSAB
  • How to access broad BFU support for Unisoc chipsets with XRY Pro?
  • XRY: Unique exploits and decoding
  • XRY: Rapid Hash Matching
    
    
• Paraben Corporation
  Tor Browser Processing
  
  
• SANS
  • A Visual Summary of SANS Small Business Cyber Summit 2023
  • Tactical Tripwires
    
    
• SentinelOne
  • LABScon Replay | Malshare: 10 Years of Running a Public Malware Repository
  • LABScon Replay | Does This Look Infected 2 (APT41)
    
    
• Sumuri
  SUMURI Podcast Episode 018 – Essentials of Digital Forensics for Litigation
  

MALWARE

• 0x70RVS
  • $tealer Challenge Walkthrougth
  • Chapter-18 PMA Write-up
    
    
• Any.Run
  Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting 
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (April 30th, 2023 – May 6th, 2023)
  • LokiLocker, a Ransomware Similar to BlackBit Being Distributed in Korea
  • Chinese Hacker Group Stealing Information From Korean Companies
  • RecordBreaker Infostealer Disguised as a Well-known Korean Software
  • SparkRAT Being Distributed Within a Korean VPN Installer
  • Infostealer Being Distributed to Japanese Users
  • ASEC Weekly Malware Statistics (May 8th, 2023 – May 14th, 2023)
    
    
• Erik Pistelli at Cerbero
  Extreme PowerShell Obfuscation
  
  
• CTF导航
  Cobalt Strike的DLL Stager分析
  
  
• Embee Research
  • Quasar Rat Analysis – Identification of 64 Quasar Servers Using Shodan and Censys
  • Amadey Bot Infrastructure
  • Laplas Clipper Infrastructure
    
    
• Fortinet
  More Supply Chain Attacks via Malicious Python Packages
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #141: Parsing C files
  
  
• Igal lytzki at Toxin Labs
  Kraken – The Deep Sea Lurker Part 1
  
  
• John Hammond
  ChatGPT Analyzes Fake ChatGPT Malware
  
  
• Mellvin S at K7 Labs
  AMOS (MacOS Stealer)
  
  
• Karlo Licudine at AccidentalRebel
  Classifying More With Less: New VGL4NT Update
  
  
• Kyle Cucci at SecurityLiterate
  Book Summary – “Evasive Malware: Understanding Deceptive and Self-Defending Threats”
  
  
• Lucija Valentić at ReversingLabs
  RATs found hiding in the npm attic
  
  
• S2W Lab
  Detailed Analysis of AlphaSeed, a new version of Kimsuky’s AppleSeed written in Golang
  
  
• Leonid Bezvershenko, Georgy Kucherin, and Igor Kuznetsov at Securelist
  CloudWizard APT: the bad magic story goes on
  
  
• Trend Micro
  • Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules
  • 8220 Gang Evolves With New Strategies
  • Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices
  • Rust-Based Info Stealers Abuse GitHub Codespaces
    

MISCELLANEOUS

• Andrew Rathbun and Eric Zimmerman at Kroll
  KAPE Quarterly Update – Q1 2023
  
  
• Adam at Hexacorn
  Blue teaming – it’s DATa complicated…
  
  
• ADF Solutions
  3 Ways Digital Forensic Software Can Improve Your Forensic Lab Operations
  
  
• Belkasoft
  • Vote for Belkasoft in the Forensic 4:cast Awards!
  • [On-demand Сourse] Maximizing DFIR Results with YARA, Sigma, and Belkasoft X
    
    
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update – 05/20/2023
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  An IP Theft Case With A Difference
  
  
• Oleg Afonin at Elcomsoft
  NVIDIA RTX 40 Series Graphics Cards: The Faster and More Efficient Password Recovery Accelerators
  
  
• Forensic Focus
  • How To Start A Career In Digital Forensics
  • Amped Replay – Video Evidence Made Easy. And Safe!
  • Forensic Focus Attends Forensics Europe Expo 2023
  • Digital Forensics Round-Up, May 18 2023
  • UPCOMING WEBINAR – Deepfake Detection And Authenticity Analysis In Amped Authenticate
    
    
• Christa Miller at Forensic Horizons
  Third Party Electronic and DNA Evidence in Property Crimes
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Volume names, mount points and normalisation
  
  
• Magnet Forensics
  CSAM: Arming Investigators With Tools and Tips to Combat Child Sexual Abuse Material
  
  
• Mailxaminer
  Current Challenges in Digital Forensics Investigations
  
  
• Matt Zorich at Microsoft Sentinel 101
  Have a JSON headache in KQL? Try mv-expand or mv-apply
  
  
• Mike at ØSecurity
  Plaso Windows Build
  
  
• Revo4n6
  • Follow Up: Cloud Storage & Digital Evidence (AWS Data Migration)
  • EARN IT Act (2023) – Privacy Concerns or the Greater Good?
    
    
• SANS
  Cybersecurity Jobs: OSINT investigator/Analyst (Japanese)
  
  
• The Leahy Center for Digital Forensics & Cybersecurity
  Capstone Chronicles: Journal File Justice
  

SOFTWARE UPDATES

• ADF Solutions
  ADF Solutions Releases Revolutionary iOS Screen Recording Feature
  
  
• Alexis Brignoni
  • ALEAPP v3.1.8
  • iLEAPP v1.18.6
    
    
• Apache
  Tika – Release 2.8.0 – 5/11/2023
  
  
• Elcomsoft
  Elcomsoft Distributed Password Recovery 80% faster with NVIDIA GeForce RTX 40 Series graphics cards
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Magnet Forensics
  • Automating Cloud Acquisitions With Magnet AUTOMATE Enterprise
  • Magnet AXIOM 7.1 is Now Available!
  • Magnet AXIOM Cyber 7.1 Is Now Available
    
    
• Malcat
  New release: 0.9.1
  
  
• Manabu Niseki
  Mihari v5.2.2
  
  
• May Alsaif
  AutoParser 2.0.0
  
  
• MISP
  MISP 2.4.171 released with a long list of fixes, a dashboard rework, STIX 2.1 improvements and more
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!