As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cyber 5W
  Windows Shell Items Analysis
  
  
• Derek Eiri
  Exploring UFADE to Extract Data From iOS Devices
  
  
• Forensafe
  Investigating Android Samsung Browser
  
  
• J Smith
  Solving the 13Cubed Linux Memory Forensics Challenge
  
  
• Justin De Luna at ‘The DFIR Spot’
  Lateral Movement – Remote Desktop Protocol (RDP) Event Logs
  
  
• Husam Shbib at Memory Forensic
  Inside Cridex – Memory Analysis Case Study
  
  
• Raj Upadhyay
  FeatureUsage — Evidence of Execution ?? || AppSwitched
  
  
• The DFIR Report
  Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Using Guids to guide the ID of samples’ capabilities or unique (attributable) properties…
  
  
• Ian Rogers and Francis Guibernau at AttackIQ
  Emulating the Surging Hadooken Malware
  
  
• Jade Brown at Bitdefender
  Meow, Meow Leaks, and the Chaos of Ransomware Attribution
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2024-10-03 – SmartLoader to Lumma Stealer
  • 2024-10-01 – Ukrainian language malspam pushes RMS-based malware
    
    
• Censys
  Simplify Threat Investigations: Identify Suspicious Open Directories with Censys Search
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 28 settembre – 4 ottobre
  
  
• Check Point
  • Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks
  • 30th September – Threat Intelligence Report
    
    
• Yehuda Gelb at Checkmarx Security
  Crypto-Stealing Code Lurking in Python Package Dependencies
  
  
• Tiago Pereira and Arnaud Zobec at Cisco’s Talos
  Threat actor believed to be spreading new MedusaLocker variant since 2022
  
  
• Ian Ahl at Permiso
  When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying
  
  
• Jhon Revesencio at Cofense
  From Collaboration to Deception: The Zoom Phishing Threat
  
  
• Critical Start
  DarkGate Malware Campaign: New Threat Intelligence Report
  
  
• Crowdstrike
  International Authorities Indict, Sanction Additional INDRIK SPIDER Members and Detail Ties to BITWISE SPIDER and Russian State Activity
  
  
• CTF导航
  威胁情报 | APT-Patchwork 组织测试 Badnews 新变种？
  
  
• Cybereason
  CUCKOO SPEAR Part 2: Threat Actor Arsenal
  
  
• Cyble
  • Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan
  • Silent Intrusion: Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
    
    
• Cyfirma
  Weekly Intelligence Report – 04 Oct 2024
  
  
• Cyjax
  Initial Access Broker Market Q2 Summary
  
  
• Darktrace
  Business Email Compromise (BEC) in the Age of AI
  
  
• Rohit Sadgune and Amruta Sadgune at Detect Diagnose Defeat Cyber Threat
  Threat Hunting for CloudFanta
  
  
• Detect FYI
  • Is Security Analytics the key to High-Fidelity, Context-Rich Alerts?
  • From Zero to Expert level Detection Engineering with Elastic’s Maturity Model
    
    
• Disconinja
  日本におけるC2サーバ調査(Week 39 2024)
  
  
• DomainTools
  Hostile Takeover: A History of Evil Corp after a Leader is named by Law Enforcement
  
  
• Dragos
  Why Adversaries Target VPN Appliances: The Pathway from IT to OT Cyber Attack
  
  
• Elastic
  • The 2024 Elastic Global Threat Report: Visibility enhanced
  • Elastic publishes 2024 Global Threat Report
  • The 2024 Elastic Global Threat Report: Forecasts and recommendations
    
    
• Flashpoint
  • Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election
  • FSB-Linked Star Blizzard Campaign Disrupted: What You Need to Know
    
    
• David French at Google Cloud Security Community
  Monitoring for Unexpected Rule Changes in Google Security Operations (2 of 2)
  
  
• Ron Bowes at GreyNoise Labs
  Whatchu looking for (starring SolarWinds Serv-U – CVE-2024-28995)
  
  
• HackTheBox
  Exploring the Snowflake Breach (Attack Anatomy)
  
  
• Hudson Rock
  Does the New Infostealer CAPTCHA Infection Actually Work?
  
  
• Hunt IO
  • Announcing Hunt SQL
  • Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection
    
    
• Huntress
  Hunting for M365 Password Spraying | Huntress
  
  
• Intel471
  • Detecting Malware Abusing Google for Command-and-Control
  • Are Telegram’s New Policies Spooking Cybercriminals?
    
    
• Kyosuke Nakamura at JPCERT/CC
  Event Log Talks a Lot: Identifying Human-operated Ransomware through Windows Event Logs
  
  
• Nick Rieniets at Kasada
  Exposing the Credential Stuffing Ecosystem
  
  
• Kostas
  Unintentional Evasion: Investigating How CMD Fragmentation Hampers Detection & Response
  
  
• Krebs on Security
  • Crooked Cops, Stolen Laptops & the Ghost of UGNazi
  • A Single Cloud Compromise Can Feed an Army of AI Sex Bots
    
    
• Michael Haag at MagicSword
  Announcing LOLRMM: A Unified Approach to RMM Software Tracking
  
  
• Microsoft Sentinel Blog
  • Cowrie honeypot and its Integration with Microsoft Sentinel.
  • Introducing the Use Cases Mapper workbook
    
    
• Tabitha Colter, Shiri Bendelac, Lily Wong, Christina Liaghati, & Keith Manville at MITRE-Engenuity
  Threat-Informed Defense to Secure AI
  
  
• Natto Thoughts
  Chinese Threat Groups That Use Ransomware and Ransomware Groups That Use Chinese Names
  
  
• Palo Alto Networks
  • Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning
  • No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection
    
    
• Proofpoint
  Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
  
  
• Akshat Pradhan at Qualys
  Threat Brief: Understanding Akira Ransomware
  
  
• Rapid7
  Ransomware Groups Demystified: CyberVolk Ransomware
  
  
• Watson Brown at Recon Infosec
  SigmaHQ Essentials – Building Robust Detection Capabilities – Part 2
  
  
• SANS Internet Storm Center
  • Tool update: mac-robber.py and le-hex-to-ip.py, (Mon, Sep 30th)
  • Security related Docker containers, (Wed, Oct 2nd)
  • Kickstart Your DShield Honeypot [Guest Diary], (Thu, Oct 3rd)
  • Survey of CUPS exploit attempts, (Fri, Oct 4th)
    
    
• Sansec
  Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns
  
  
• Securelist
  • Key Group: another ransomware group using leaked builders
  • Finding a needle in a haystack: Machine learning at the forefront of threat hunting research
  • Scam Information and Event Management
    
    
• Doug Bonderud at Security Intelligence
  Spooky action: Phantom domains create hijackable hyperlinks
  
  
• Securonix
  SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia
  
  
• Sekoia
  • Why it’s time to replace your legacy SIEM with a SOC platform
  • Hadooken and K4Spreader: The 8220 Gang’s Latest Arsenal
  • Bulbature, beneath the waves of GobRAT
  • Hunting for IoCs: from singles searches to an automated and repeatable process
  • Getting started with Detection-as-Code and Sekoia Platform
    
    
• SentinelOne
  • PinnacleOne ExecBrief | Financially-Motivated Threats
  • Adaptive Threat Hunting | Adopting a Multi-Directional Approach
    
    
• Silent Push
  FIN7 hosting honeypot domains with malicious AI DeepNude Generators – New Silent Push research
  
  
• SOCRadar
  Dark Web Profile: UserSec
  
  
• SonicWall
  A look into Embargo Ransomware, another Rust-based ransomware
  
  
• Splunk
  • My CUPS Runneth Over (with CVEs)
  • A Case Study in Vulnerability Prioritization: Lessons Learned from Large-Scale Incidents
    
    
• Kate Lee at Stairwell
  Introducing the Stairwell browser extension: Bringing threat hunting directly to your browser
  
  
• Symantec Enterprise
  Stonefly: Extortion Attacks Continue Against U.S. Targets
  
  
• Sysdig
  • Detecting and Mitigating Remote Code Execution Exploits in CUPS
  • Understand AI Threats with MITRE ATLAS
    
    
• Anne An at Trellix
  Cyber Threats Targeting the US Government During the Democratic National Convention
  
  
• Ryan Soliven, Maria Emreen Viray, Fe Cureg at Trend Micro
  MDR in Action: Preventing The More_eggs Backdoor From Hatching
  
  
• Jesse Kimbrel at at Vectra AI
  Now Playing: 2024 State of Threat Detection and Response by Jesse Kimbrel
  
  
• Romain Dumont at WeLiveSecurity
  Separating the bee from the panda: CeranaKeeper making a beeline for Thailand
  

UPCOMING EVENTS

• Belkasoft
  Trusting AI in DFIR: Where It Shines and Fails
  
  
• Magnet Forensics
  • Save your spot for Magnet User Summit 2025 in Nashville! 
  • Generative AI – taking discovery by storm and the impact on digital investigations
  • AI-powered media investigation in Magnet Griffeye: Get to the vital evidence faster
    

PRESENTATIONS/PODCASTS

• 0day in {REA_TEAM}
  Empowering Malware Analysis with IDA AppCall Feature
  
  
• Adversary Universe Podcast
  Small But Mighty: The Kernel’s Essential Role in Cybersecurity Defense
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast – S2 E2
  
  
• Ali Hadi
  How to Use Windows Volume Shadow Copies in Digital Forensics | ShadowMe Webinar
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2024-09-30 Patched Update #livestream #infosec #infosecnews
  • REKAST – Talkin’ Bout [infosec] News 2024-09-30 #infosecnews #cybersecurity #podcast #podcastclips
    
    
• Breaking Badness
  Defending Your Digital Domain: AI, Ransomware, and the Power of Reputation
  
  
• Cellebrite
  Tip Tuesday – 2024 Cellebrite CTF Registration
  
  
• Cybereason
  Malicious Life Podcast: Operation Snow White, Part 1
  
  
• Cyberwox
  • How To Become A Splunk Cybersecurity Defense Analyst (SPLK 5001)
  • First 90 Days as a Cybersecurity Engineer or Analyst (how to succeed)
    
    
• Dr Josh Stroschein
  • Learn About Evasive Malware with Threat Researcher and Author Kyle Cucci
  • 06 – Finding Functions from the Export Directory and Using Seeds to Compute Checksums
  • What’s New in Security Onion? Join Creator Doug Burks to Learn the Latest!
  • Mac Malware with L0Psec – Triage, reversing and ARM64
    
    
• Endace
  Packet Forensic Files Ep 58 Stephen Donnelly
  
  
• Hacker Valley Blue
  How Adversaries Are Living Off The Dark Web
  
  
• Huntress
  • What Cyber Threats Can You Detect With SIEM? | Huntress Product Lab
  • Burning the Cookies: Unmasking OceanLotus Credential Harvesting | Tradecraft Tuesday
    
    
• InfoSec_Bret
  Challenge – Log Analysis With Sysmon
  
  
• John Hammond
  • Hacking from Cloud to Endpoint (and vice versa)
  • They Say This Malware is INSANE
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – ConfuserEx 2 Deobfuscation with Python and dnlib, BBTok Loader
  
  
• Magnet Forensics
  • Ask the right questions in incident response thanks to Axiom Incident Response Examinations (AX310)
  • Magnet Forensics Training courses that help you go deeper into mobile investigations
  • Master cloud-based and social media forensics with Axiom Internet & Cloud Investigations (AX320)
  • How Magnet Axiom Examinations (AX200) helps level up your DFIR abilities
  • Revolutionizing digital forensics with Magnet One
    
    
• MSAB
  MSAB Customer Portal Installation Guide
  
  
• MyDFIR
  • Troubleshooting 30-Day MyDFIR SOC Analyst Challenge | Day 29
  • On-Premise Setup Tutorial 30-Day MyDFIR SOC Analyst Challenge | BONUS
    
    
• Richard Davis at 13Cubed
  Linux Memory Forensics Challenge
  
  
• SANS
  • A Visual Summary of SANS CloudSecNext Summit 2024
  • SANS AI in Cybersecurity Summit
  • HANDS-ON WORKSHOP: Centralizing Cross-Cloud Security Events: Aviata Chapter 5
  • The Impact of AI with OSINT
    
    
• The Defender’s Advantage Podcast
  Using LLMs to Analyze Windows Binaries
  

MALWARE

• Alex Necula
  Malware Analysis Part 5. XeHook Stealer
  
  
• Any.Run
  • How to Collect Indicators of Compromise in the ANY.RUN Sandbox
  • TI Lookup: Real-World Use Cases from a Malware Researcher
    
    
• Assaf Morag and Idan Revivo at Aqua
  perfctl: A Stealthy Malware Targeting Millions of Linux Servers
  
  
• CERT Polska
  The Dark Knight Returns: Joker malware analysis
  
  
• contagio
  2024-09-24 Linux Malware Cryptocurrency Miners, DONUT LOADER, RUDEVIL RAT, KAIJI- Stager and DDoS botnet samples
  
  
• Dr. Web
  • Doctor Web’s Q3 2024 virus activity review
  • Doctor Web’s Q3 2024 review of virus activity on mobile devices
  • Redis honeypot: server with vulnerable Redis database reveals new SkidMap modification used to hide cryptocurrency mining process
    
    
• Christopher Lopez at Kandji
  Another PDF Viewer – Is It Malicious?
  
  
• Lexfo
  • StealC Malware Analysis Part 1
  • StealC Malware Analysis Part 2
  • StealC Malware Analysis Part 3
    
    
• Jan Michael Alcantara at Netskope
  Netskope Threat Labs Uncovers New XWorm’s Stealthy Techniques
  
  
• Nikhil “Kaido” Hegde
  Emansrepo Infostealer – PyInstaller, Deobfuscation and LLM
  
  
• Bart Parys at NVISO Labs
  All that JavaScript for… spear phishing?
  
  
• Zhassulan Zhussupov
  Malware development trick 43: Shuffle malicious payload. Simple C example.
  

MISCELLANEOUS

• Chris Brenton at Active Countermeasures
  Running Zeek and RITA on Windows
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 09/30/24
  
  
• Doug Metz at Baker Street Forensics
  Book Review: Cloud Forensics Demystified
  
  
• Erik Hjelmvik at Netresec
  • Video Tutorial: Installing NetworkMiner Professional
  • Opening capture files with NetworkMiner Professional
  • Hosts tab in NetworkMiner Professional
  • Files tab in NetworkMiner Professional
  • Browsers tab in NetworkMiner Professional
  • VoIP tab in NetworkMiner Professional
    
    
• Forensic Focus
  Amped Authenticate – Overcoming Multimedia Forensics Challenges With Expert Witness Testimony
  
  
• Husam Shbib at Memory Forensic
  • My Review on Certified CyberDefender Certification
  • RAM 101 – What it is and Why it Matters
    
    
• Namit Ranjan
  Day 29 of MYDFIR-30 Day-SOC Analyst Challenge:Installing and Configuring Elastic Defend for…
  
  
• Matt Linton at Open Source DFIR
  Communicating is our hardest job
  
  
• Passware
  New Articles on the Passware Knowledge Base – Revision 2024
  
  
• Security Onion
  Did you know Security Onion Pro provides enterprise features that folks have been asking for?
  
  
• Stephan Berger
  EDR: The Great Escape – RomHack Training Review
  
  
• Sumuri
  Why Take the CFME? The Mac Forensics Certification for Digital Forensic Examiners
  
  
• Victor M. Alvarez at YARA-X
  The fmt command
  

SOFTWARE UPDATES

• Alexis Brignoni
  • ALEAPP v3.2.4
  • iLEAPP v1.19.5
    
    
• Cyber Triage
  3.12 Adds Data Exfiltration Detection, USB Devices, and Easier Validation
  
  
• Digital Sleuth
  winfor-salt v2024.14.2
  
  
• Falco
  Blog: Introducing Falco 0.39.0
  
  
• Soufiane Fariss, Willi Ballenthin, Mike Hunhoff, Genwei Jiang, Tina Johnson, and Moritz Raabe at Google Cloud Threat Intelligence
  capa Explorer Web: A Web-Based Tool for Program Capability Analysis
  
  
• Mandiant
  Capa v7.4.0
  
  
• Mazars Tech
  AD_Miner v1.6.1
  
  
• MSAB
  Now available: XRY 10.11, XAMN 7.11, and XEC 7.11
  
  
• Niantic Labs
  Venator – Threat Detection Platform
  
  
• OpenCTI
  6.3.5
  
  
• Passmark Software
  OSForensics – V11.0 build 1014 3rd October 2024
  
  
• Vound
  Intella 2.7.2 Release Notes
  
  
• Xways
  X-Ways Forensics 21.3 Beta 2
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!