As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• 0xdf hacks stuff
  HTB Sherlock: Noxious

• Andrea Fortuna
  • Forensic acquisition of ChromeOS devices
  • The hidden risks of Cherry-Picking in Incident Response and Digital Forensics

• Belkasoft
  • How to Investigate Telegram Crime without Arresting the Company’s CEO
  • iOS Telegram Forensics. Part I: Acquisition and Database Analysis

• Brian Maloney
  Cracking OneDrive’s Personal Vault

• Justin Seitz at Bullsh*t Hunting
  The Evidence Carnival: The Pastor’s Hitman

• CCL Solutions
  Local Storage and Session Storage in Mozilla Firefox (Part 2)

• Krzysztof Gajewski at CyberDefNerd
  Virtual Desktops – what they are, where can we find them?

• Domiziana Foti
  LetsDefend-SOC-164- Suspicious Mshta Behavior

• Forensafe
  Investigating Android ICQ

• Forensic Science International: Digital Investigation
  Forensic Science International: Digital Investigation – Volume 50

• Hal Pomeranz at ‘Righteous IT’
  More on EXT4 Timestamps and Timestomping

• Denis Nagayuk & Francisco Dominguez at Hunt & Hackett
  Technical Curiosities of Akira Ransomware

• Joshua Hickman at ‘The Binary Hick’
  Where The Wild Tags Are & Other AirTag Stories.

• Kostas
  Telemetry on Linux vs. Windows: A Comparative Analysis

• Michael Haag, Jose Hernandez, and Nasreddine Bencherchali
  LOLRMM

• NVISO Labs
  • MEGAsync Forensics and Intrusion Attribution
  • Validate your Windows Audit Policy Configuration with KQL
  • Hunting Chromium Notifications

• System Weakness
  [HTB Sherlocks Write-up] CrownJewel-2
  

THREAT INTELLIGENCE/HUNTING

• ⌛☃❀✵Gootloader Details ✵❀☃⌛
  Gootloader C2 Sails to New Hoster (and new URL)

   

• John Lukach at 4n6ir
  Open Ports, Reputation Monitoring & Web Inspection – Oh My!

   

• Adam at Hexacorn
  • Rundll32 and Phantom DLL lolbins
  • Rundll32 and Phantom DLL lolbins, 32-bit version
  • The art of overDLLoading
  • Technical debt of C:\Windows\System path
  • The art of underDLLoading
  • This post is totally Iconic

     

• Francis Guibernau at AttackIQ
  Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware

   

• Australian Cyber Security Centre
  The silent heist: cybercriminals use information stealer malware to compromise corporate networks

   

• Axelarator
  LNK Stomping

   

• BI.Zone
  Stone Wolf employs Meduza Stealer to hack Russian companies

   

• CERT Ukraine
  Спроби кібератак на військові системи за допомогою шкідливих програм для мобільних пристроїв

   

• CERT-AGID
  • Vidar insiste in Italia con campagne via PEC
  • Sintesi riepilogativa delle campagne malevole nella settimana del 31 agosto – 6 settembre

     

• Check Point
  • 2nd September – Threat Intelligence Report
  • Hacktivists Call for Release of Telegram Founder with #FreeDurov DDoS Campaign

     

• CISA
  Russian Military Cyber Actors Target US and Global Critical Infrastructure

   

• Cisco’s Talos
  • Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads
  • The 2024 Threat Landscape State of Play

     

• CTF导航
  • 窥伺暗藏：Cobalt Strike隐秘攻击活动探析
  • SilentCryptoMiner挖矿木马攻击场景复现及技术剖析
  • APT组织Patchwork七月活动，Widnows主战远控武器BADNEWS再升级。
  • APT | Patchwork组织近期攻击活动分析

     

• Cyble
  • Iranian State-Sponsored Hackers Have Become Access Brokers for Ransomware Gangsca
  • CERT-In Advisory and WikiLoader Campaign: Comprehensive Overview of Recent Security Threats
  • FudModule Rootkit Targets Crypto, Linked to North Korean Citrine Sleet Group
  • The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government
  • Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military
  • The Rise of Head Mare: A Geopolitical and Cybersecurity Analysis 

     

• Cyfirma
  Weekly Intelligence Report – 06 Sep 2024

   

• Cyjax
  Weekly Cyber Threat Intelligence Summary

   

• Danny’s Newsletter
  Detection Engineering and Threat Hunting: 🤝🏼

   

• Dr. Web
  Gaining persistence in a compromised system using Yandex Browser. Failed spear phishing attack on Russian rail freight operator.

   

• Elastic Security Labs
  Elastic releases the Detection Engineering Behavior Maturity Model

   

• Esentire
  LummaC2 Malware and Malicious Chrome Extension Delivered via DLL Side-Loading

   

• Flashpoint
  Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government

   

• GitGuardian
  How Popular Malware Is Stealing Credentials and What You Can Do About It

   

• Robert Wallace, Blas Kojusner, and Joseph Dobson at Google Cloud Threat Intelligence
  DeFied Expectations — Examining Web3 Heists

   

• Hunt IO
  ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

   

• Huntress
  Phishing in the Fast Lane | Huntress

   

• Intel471
  A Briefing on Malware Crypting Services

   

• Izzmier Izzuddin Zulkepli
  Mastering threat hunting with examples and simulation

   

• Andrey Polkovnichenko and Brian Moussalli at JFrog
  Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk

   

• Uma Madasamy at K7 Labs
   Luxy: A Stealer and a Ransomware in one

   

• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – August Update

   

• LangTuBongDem
  Cảnh báo chiến dịch phát tán Lumma Stealer qua từ khóa “Zalo Web”

   

• Shiva P, Christoph_Dreymann, and Abul_Azed at ‘Microsoft Security Experts’
  Hunting with Microsoft Graph activity logs

   

• Natto Thoughts
  Reconnaissance Scanning Tools Used by Chinese Threat Actors and Those Available in Open Source

   

• Palo Alto Networks
  • Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
  • Chinese APT Abuses VSCode to Target Government in Asia

     

• Positive Technologies
  Data leaks: current threats for companies in H1 2024

   

• Recorded Future
  Predator Spyware Infrastructure Returns Following Exposure and Sanctions

   

• ReliaQuest
  CAMO Unveiled: How Cybercriminals Exploit Legitimate Software for Stealthy Attacks

   

• SANS Internet Storm Center
  • Protected OOXML Text Documents, (Mon, Sep 2nd)
  • Attack Surface [Guest Diary], (Wed, Sep 4th)
  • Scans for Moodle Learning Platform Following Recent Update, (Wed, Sep 4th)
  • Enrichment Data: Keeping it Fresh, (Fri, Sep 6th)
  • Python & Notepad++, (Sat, Sep 7th)

     

• Securelist
  • Head Mare: adventures of a unicorn in Russia and Belarus
  • IT threat evolution in Q2 2024. Mobile statistics
  • IT threat evolution in Q2 2024. Non-mobile statistics
  • IT threat evolution Q2 2024
  • A deep dive into the most interesting incident response cases of last year
  • Tropic Trooper spies on government entities in the Middle East

     

• Security Investigation
  Threat Hunting Experts Share a Guide to Tracking Emerging Threats

   

• Matthew Pines at SentinelOne
  PinnacleOne ExecBrief | North Korean IT Worker Threat

   

• Simone Kraus
  Special Forces Unit 29155  — Assassination attempts, election manipulation, terrorist attacks…

   

• SOCRadar
  Dark Web Profile: Abyss Ransomware

   

• Jagadeesh Chandraiah, Xinran Wu, and Yusuf Polat at Sophos
  Atomic macOS Stealer leads sensitive data theft on macOS

   

• Splunk
  • Handala’s Wiper: Threat Analysis and Detections
  • Splunk Security Content for Threat Detection & Response: Q2 Roundup
  • The Final Shell: Introducing ShellSweepX
  • ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

     

• ThreatBreach
  [ AWS Threat Detection Part – 3 ] Detecting Attacks in AWS using CloudTrail Logs – Chapter 2

   

• Trend Micro
  • Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
  • Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command
  • TIDRONE Targets Military and Satellite Industries in Taiwan

     

• Megan Nilsen at TrustedSec
  When on Workstation, Do as the Local Browsers Do!

   

• Wietze Beukema
  Why bother with argv[0]?
  

UPCOMING EVENTS

• Peter Sosic at Amped
  Unlock Advanced Techniques in Video Evidence Analysis – Join Our Webinars

   

• Magnet Forensics
  • Digital forensics in the cloud: mastering ESI collection in Microsoft 365 and Google Workspace
  • Magnet Forensics Grant Assistance Program

     

• MSAB
  A New Way to Train in Mobile Forensics is on the Horizon

   

• Ryan Chapman and Aaron Rosenmund
  Ask Me Anything: Education, Training, and Certifications
  

PRESENTATIONS/PODCASTS

• Adrian Crenshaw
  CounterSurveil: The sad state of threat intelligence

   

• Black Hat
  Operation PoisonedApple: Tracing Credit Card Information Theft to Payment Fraud

   

• Breaking Badness
  Industrial Cybersecurity Explained with Lesley Carhart

   

• Cellebrite
  Tip Tuesdays – Decoding Engine Updates (Cellebrite Physical Analyzer 10.3)

   

• Desi at Hardly Adequate
  S02E35 – Chat with Julian

   

• Detections by SpectreOps
  Special Episode: Jared Atkinson and Justin Kohler at BHUSA 2024

   

• Dr Josh Stroschein – The Cyber Yeti
  Ask Me Anything: Education, Training, and Certifications

   

• InfoSec_Bret
  Challenge – Revenge RAT

   

• Intel471
  How to Comfortably Share Threat Intel with ISACs

   

• John Hammond
  Hacking Games with MelonLoader

   

• Magnet Forensics
  Ep. 20 // Focusing in on Apps In Focus: Exploring the artifacts that tell us what the user was looking at on their device

   

• MSAB
  XAMN Pro Filtering Extended

   

• MyDFIR
  • ELK Stack Introduction | Day 2
  • Elasticsearch Setup Tutorial | Day 3
  • Kibana Setup Tutorial | Day 4
  • Windows Server 2022 Installation | Day 5
  • Elastic Agent and Fleet Server Introduction | Day 6
  • Elastic Agent and Fleet Server Setup Tutorial | Day 7
  • What is Sysmon? | Day 8

     

• Nextron Systems
  THOR Cloud Quick Compromise Assessment with a Custom YARA Rule

   

• Off By One Security
  A chat about compilers, VR, malware, interviewing, etc., and Hackfest Hollywood ticket giveaway!

   

• Paraben Corporation
  Yandex Browser Artifact Processing

   

• Richard Davis at 13Cubed
  Shimcache Execution Is Back – What You Need to Know!

   

• SentinelOne
  LABScon23 Replay | They Spilled Oil in My Health-Boosting Smoothie

   

• The Defender’s Advantage Podcast
  TAG’s Work Tracking Commercial Surveillance Vendors

   

• WeLiveSecurity
  ESET Research Podcast: HotPage
  

MALWARE

• Mostafa ElSheimy at Any.Run
  AZORult Malware: Technical Analysis

• contagio
  • 2022-2024 North Korea Citrine Sleet /Lazarus FUDMODULE ( BYOVD ) Rootkit Samples
  • 2024-08-29 ASYNCRAT Samples
  • 2024-08-28 CORONA MIRAI Botnet Spreads via Zero-Day (CVE-2024-7029) – command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) Samples
  • 2024-08-29 UNDERGROUND Ransomware Samples
  • 2024-08-23 ANGRY STEALER (Rage stealer variant) Telegram rat . Samples
  • 2024-08-14 OSX BANSHEE infostealer Samples
  • 2024-08-22 PEAKLIGHT Stealthy Memory-Only Malware Samples
  • 2024-08-21 MOONPEAK malware from North Korean UAT-5394 Samples
  • 2024-09-02 ABYSS Ransomware Windows and Linux Samples
  • 2024-08-30 Cicada ESXi Ransomware Sample
  • 2024-09-05 SHRINKLOCKER (Bitlocker) Ransomware Samples

• Matthew at Embee Research
  Advanced Cyberchef Techniques – Defeating Nanocore Obfuscation With Math and Flow Control

• Fortinet
  • Emansrepo Stealer: Multi-Vector Attack Chains
  • Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401

• Harfanglab
  Unpacking the unpleasant FIN7 gift: PackXOR

• Hex Rays
  • IDA 9.0: SDK & IDAPython porting guides
  • Unveiling IDA Pro 9.0: C++ Exceptions Support in the Decompiler

• SangRyol Ryu at McAfee Labs
  New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition

• Michael Gorelik at Morphisec
  Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis

• OALABS Research
  Zharkbot Strings

• Security Onion
  Quick Malware Analysis: GULOADER and REMCOS RAT pcap from 2024-08-26

• Pedro Tavares at Segurança Informática
  Unveiling a Target and Multi-Stage Malware Attack

• Gaetano Pellegrino at ZScaler
  BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar
  

MISCELLANEOUS

• Brett Shavers
  Today, I rant

• Critical Start
  Finding the Right Candidate for Digital Forensics and Incident Response: What to Ask and Why During an Interview

• Fabian Mendoza at DFIRDominican
  DFIR Jobs Update – 09/02/24

• Digital Forensics Myanmar
  Bento DFIR Portable Tools Kit

• Elan at DFIR Diva
  Free & Affordable Training News Monthly: Aug – Sept, 2024

• Forensic Focus
  • Forensic Focus Survey Closing: Last Chance To Have Your Say!
  • The Built In Translator: Translate Digital Data With Oxygen Forensic Detective
  • Passware Kit Mobile 2024v3 Decrypts Android Second Space Data
  • Digital Forensics Round-Up, September 04 2024
  • Forensic Focus Digest, September 06 2024

• Krebs on Security
  • Owners of 1-Time Passcode Theft Service Plead Guilty
  • Sextortion Scams Now Include Photos of Your Home

• Namit Ranjan
  • Day 2: An Introduction to the ELK Stack
  • Day-4-MYDFIR-SOC-Analyst-Challenge : Kibana Setup
  • Day -3 of the 30-Day MYDFIR SOC Analyst Challenge: Spinning Up an Elastic Search Instance
  • Day-5 of MYDFIR-SOC-Analyst-Challenge: Windows Server 2022 Installation
  • Day-6 of MYDFIR-SOC-Analyst Challenge: Understanding Elastic Agent and Fleet Server
  • Day-7-MYDFIR-SOC-Analyst-Challenge:Setting Up Fleet Server and Enrolling Elastic Agents
  • Day-8 of MYDFIR-SOC-Analyst Challenge:Understanding Sysmon – A Key Tool for Enhanced Endpoint…

• Mario Daigle at OpenText
  Building a threat hunting team

• SANS
  • How to Prepare for Your Upcoming SANS Live Training Event
  • Why SANS Live Training? What’s in It for You and Your Career?
  • You’ve Taken a SANS Course – Now What?
  • What to Expect at SANS Live Training Events

• Security Intelligence
  Cost of a data breach: Cost savings with law enforcement involvement

• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.100!

• Team Cymru
  The Evolution of Threat Hunting

• James McGee at The Metadata Perspective
  Hexordia’s Mobile Data Structures: Honing Your Digital Forensic Edge

• David Broggy at Trustwave SpiderLabs
  Your Money or Your Data: Ransomware Readiness Planning
  

SOFTWARE UPDATES

• Northloop Forensics
  Bitlocker_Key_Finder v3.3

• C.Peter
  UFADE 0.9.2

• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.44

• Digital Sleuth
  winfor-salt v2024.13.5

• Elcomsoft
  iOS Forensic Toolkit 8.61 expands support for iOS versions and devices

• Eric Zimmerman
  ChangeLog

• Erik Hjelmvik at Netresec
  CapLoader 1.9.7 Released

• Kathryn Hedley
  parseusbs

• Mazars Tech
  AD_Miner v1.6.0

• Martin Willing
  MemProcFS-Analyzer v1.1.0

• MISP
  MISP 2.4.197 released with many bugs fixed, a security fix and improvements.

• Passmark Software
  OSForensics – V11.0 build 1010 6th September 2024

• Passware
  Passware Kit Mobile 2024 v3 Now Available

• Phil Harvey
  ExifTool 12.96

• Security Onion
  Security Onion 2.4.100 Hotfix 20240903 now available!

• Sigma
  Release r2024-09-02

• SigmaHQ
  pySigma v0.11.13

• Thiago Canozzo Lahr
  uac-3.0.0-rc2

• Xways
  • X-Ways Forensics 21.2 SR-5
  • X-Ways Forensics 21.3 Preview 3
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!