As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Adam Messer
  Cloud Digital Forensics and Incident Response — Elastic Kubernetes Service Takeover Leads to…
  
  
• Belkasoft
  Document Forensics with Belkasoft X
  
  
• CTF导航
  Reverse Engineering iOS 18 Inactivity Reboot
  
  
• Tonmoy Jitu at Denwp Research
  Unexplored LOLBAS Technique: Wevtutil.exe
  
  
• DFIR Insights
  Mastering Sysmon e-book release
  
  
• Forensafe
  Investigating Android Firebase Cloud Messaging
  
  
• Nicholas Dubois at Hexordia
  iOS Inactivity Reboot
  
  
• Salvation DATA
  • Key Benefits of Disk Imaging for Data Recovery
  • 10 Techniques for Log File Analysis in Digital Forensics
    
    
• Teri Radichel
  Determining If Devices Have Been Tampered With In Transit
  
  
• The DFIR Journal
  Puzzle Pieces: RDP Bitmap Cache
  
  
• Eric Wise at Wise Forensics
  • Combating Anti-forensics: Timestomping
  • CacheGrab
    

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Browsing the browsers
  • Windows.Storage.lol
  • Mapping the API mapping/code redundancy
  • 1 little known secret of ShellExec_RunDLL
    
    
• Adam Goss
  C2 Hunting: How to Find C2 Servers with Shodan
  
  
• Assaf Morag at Aqua
  Matrix Unleashes A New Widespread DDoS Campaign
  
  
• ASEC
  • Warning Against Malware in SVG Format Distributed via Phishing Emails
  • Infected Systems Controlled Through Remote Administration Tools – Detected by EDR (2)
  • Proxy Tools Detected by AhnLab EDR
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2024-11-24 – Redline bash script for Linux malware
  • 2024-11-26 – Traffic Analysis Exercise: Nemotodes
    
    
• CERT-AGID
  • Caselle PEC sempre più usate nel phishing per le frodi bancarie
  • Sintesi riepilogativa delle campagne malevole nella settimana del 23 – 29 novembre
    
    
• Check Point
  • 25th November – Threat Intelligence Report
  • Gaming Engines: An Undetected Playground for Malware Loaders
    
    
• Yehuda Gelb at Checkmarx Security
  • Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data…
  • Malicious NPM Package Exploits React Native Documentation Example
    
    
• Chris DiSalle
  Hunting Linux Web Shells with Velociraptor
  
  
• CyberArmor
  Vietnamese Phishers Target Meta Business Owners with Over 400 Phish Pages
  
  
• Cyble
  • Notorious Ursnif Banking Trojan Uses Stealthy Memory Execution to Avoid Detection
  • The 2023–2024 Annual Cyber Threat Report Reveals Rising Cyber Threat Trends for Individuals and Businesses
  • German CERT Warns Zyxel Firewalls Exploited for Helldown Ransomware Deployment
    
    
• Cyfirma
  • Investigation into Helldown : RANSOMWARE
  • CYFIRMA INDUSTRY REPORT : AUTOMOTIVE
  • HEXON STEALER: THE LONG JOURNEY OF COPYING, HIDING, AND REBRANDING
  • THE CHANGING CYBER THREAT LANDSCAPE SOUTHEAST ASIA
  • Weekly Intelligence Report – 29 Nov 2024
    
    
• Cyjax
  • Don’t Get Golden Fleeced: New Argonauts Extortion Group Emerges
  • Threat Actor Recruitment: Exploiting Online Platforms to Target Employees
    
    
• Detect FYI
  • Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV…
  • Detecting WiFi dumping via direct WinAPI calls and introduction to “Immutable Artifacts”
  • Helldown, DoNex & Darktrace Ransomware
    
    
• Disconinja
  日本におけるC2サーバ調査(Week 47 2024)
  
  
• Shunichi Imano and Fred Gutierrez at Fortinet
  Ransomware Roundup – Interlock
  
  
• Mahmoud Mosaad at Group-IB
  Shady Bets: How to Protect Yourself from Gambling Fraud Online
  
  
• Grumpy Goose Labs – Medium
  Unemployfuscation
  
  
• Hacking Articles
  Abusing AD-DACL: GenericWrite
  
  
• HackTheBox
  How Volt Typhoon targeted US ISPs with a zero-day exploit (Attack Anatomy)
  
  
• Hunt IO
  Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
  
  
• Faith Stratton and Josh Allman at Huntress
  Know Thy Enemy: A Novel November Case | Huntress
  
  
• Brian Krebs at Krebs on Security
  Hacker in Snowflake Extortions May Be a U.S. Soldier
  
  
• Josh MacMonagle, Krystina Lacey, and Jamie Vendel at Kroll
  How Threat Actors Use Enterprise Applications in Microsoft 365 to Exfiltrate Data
  
  
• Microsoft Security
  Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON
  
  
• Suneel Sundar at MITRE-Engenuity
  • Share the How
  • Threat-Informed Defense Applies Broadly
    
    
• Natalie Zargarov at Rapid7
  New “CleverSoar” Installer Targets Chinese and Vietnamese Users
  
  
• Recorded Future
  “Operation Undercut” Shows Multifaceted Nature of SDA’s Influence Operations
  
  
• Red Hot Cyber
  RHC DarkLab Interview Stormous Ransomware. Between history, ideology, techniques and tactics
  
  
• Katie Nickels at SANS
  SANS Threat Analysis Rundown in Review: Breaking Down November 2024’s Top Threats
  
  
• SANS Internet Storm Center
  • 
Quick & Dirty Obfuscated JavaScript Analysis, (Sun, Nov 24th)
  • The strange case of disappearing Russian servers, (Mon, Nov 25th)
  • [Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware, (Tue, Nov 26th)
  • SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary], (Tue, Nov 26th)
  • Quickie: Mass BASE64 Decoding, (Fri, Nov 29th)
  • From a Regular Infostealer to its Obfuscated Version, (Sat, Nov 30th)
    
    
• Securelist
  • Advanced threat predictions for 2025
  • Analysis of Elpaco: a Mimic variant
  • APT trends report Q3 2024
  • IT threat evolution in Q3 2024. Non-mobile statistics
  • IT threat evolution in Q3 2024. Mobile statistics
  • IT threat evolution Q3 2024
    
    
• Livia Tibirna, Caroline Lewis and Sekoia TDR at Sekoia
  Ransomware-driven data exfiltration: techniques and implications
  
  
• Jim Walter at SentinelOne
  CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks
  
  
• SOCRadar
  Dark Web Market: Abacus Market
  
  
• Brandon Murphy at Sublime Security
  Talking phish over turkey
  
  
• Thomas Roccia at SecurityBreak
  • Building a Threat Intelligence GenAI Reporter with ORKL and Claude
  • GenAI x Sec Advent
    
    
• TRAC Labs
  • Who Ordered the SMOKEDHAM? Backdoor Delicacies in the Wild
  • Hearts Stolen, Wallets Emptied: Insights into CryptoLove Traffer’s Team
    
    
• Trend Micro
  • Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
  • Guess Who’s Back – The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024
    
    
• Diana Solomon and John Kevin Adriano at Trustwave SpiderLabs
  Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)
  
  
• WeLiveSecurity
  • RomCom exploits Firefox and Windows zero days in the wild
  • Bootkitty: Analyzing the first UEFI bootkit for Linux
  • Bootkitty marks a new chapter in the evolution of UEFI threats
    
    
• Victor M. Alvarez
  Profiling your YARA rules
  
  
• Yelisey Bohuslavskiy at Red Sense
  The Evolution of BlackBasta Malware Dissemination
  

UPCOMING EVENTS

• Cellebrite
  Cellebrite Inseyets: Latest Updates and Capabilities Tips & Tricks (January)
  
  
• Cyber Social Hub
  Join Us for the Ultimate Digital Investigation Conference!
  
  
• Cyber 5W
  Join Our Monthly Webinar: Windows Forensic Investigation
  
  
• 2 Cyber Chicks
  S5 E8: Consulting Stories with Jax and Erika
  
  
• Magnet Forensics
  • Give your lab an investigative edge with Magnet One
  • Unlocking mobile insights for traffic investigations
  • Overcoming mobile forensics challenges in workplace investigations
    

PRESENTATIONS/PODCASTS

• CounterSurveil podcast
  CounterSurveil Podcast: 11-25-24 – Ransomewhere Over the Rainbow
  
  
• Adversary Universe Podcast
  LIMINAL PANDA and the Implications of Global Telco Targeting
  
  
• Black Hills Information Security
  REKAST – Talkin’ Bout [infosec] News 2024-11-25 #infosecnews #cybersecurity #podcast #podcastclips
  
  
• Breaking Badness
  Healthcare Cybersecurity: Protecting Patients in 2024 Ken Zalevsky
  
  
• Cellebrite
  #TipTuesdays – The Power of External.db: Validating Android Media Origins
  
  
• Cyber Secrets
  • Welcome to the CSIL-CCFI
  • CSIL CCFI – The CSI Workstation
  • csil-ccfi exam information
    
    
• Cyberwox
  OffSec SOC-200 Review (Complete Breakdown + Giveaway) for Cybersecurity & SOC Analysts
  
  
• Dr Josh Stroschein
  Network Analysis & Packet Capture with Arkime’s Creator Andy Wick
  
  
• Huntress
  RISE with Robert Cioffi | Hacker Sentencing
  
  
• InfoSec_Bret
  Challenge – RanDev
  
  
• Intel471
  Using CTI in Realistic Attack Simulations
  
  
• Magnet Forensics
  • Mobile Minute Ep 4: Performing category-based extractions with Magnet Verakey and Magnet Graykey
  • Give your lab an investigative edge with Magnet One
  • Cyber Unpacked Ep. 4 // Return of the AI: A new hope (or a new threat)
  • Investigating a Turncloak: A case study on when Axiom Cyber and Verakey intersect with a malicious insider
  • Accelerating digital investigations with cloud technology
  • Mobile Unpacked Ep. 23 // Following the Money | Tracking Mobile Payment Artifacts
    
    
• MSAB
  XRY Finish Tone
  
  
• MyDFIR
  Improve Your Investigations Using ANY.RUN
  
  
• Sandfly Security
  • Linux Security and Incident Response Stream by Sandfly Security
  • Linux EDR Security Telemetry Risks and Data Privacy
  • Linux Reverse Shell Detection, Investigation, and Forensics
    
    
• SANS Cloud Security
  Spooky Scary Lambda Attacks | Cloud Security Webcast
  
  
• Security Conversations
  Volexity’s Steven Adair on Russian Wi-Fi hacks, memory forensics, appliance 0days and network inspectability
  
  
• SentinelOne
  LABScon24 Replay | A 30-Year Journey from Compilation Student to Decompilation Pioneer
  
  
• The Microsoft Security Insights Show
  Microsoft Security Insights Show Episode 237 – Ignite Debrief
  

MALWARE

• 0xMatheuZ
  How detect a LD_PRELOAD rootkit and hide from ldd & /proc
  
  
• Any.Run
  • Investigating Phishing Threats with TI Lookup: Use Cases from an Expert
  • PSLoramyra: Technical Analysis of Fileless Malware Loader
    
    
• c3rb3ru5d3d53c
  I Deleted ALL my Videos
  
  
• KanakSasak at InfoSec Write-ups
  Working with Shellcode from Malware
  
  
• Daniel Jeremiah
  Analysing a Fake Royal Mail Smishing Attack Hidden Behind Cloudflare
  
  
• Fernando Ruiz at McAfee Labs
  SpyLoan: A Global Threat Exploiting Social Engineering
  
  
• Reverse Engineering
  Flare-On 2024 Challenge #5 – sshd
  
  
• Karlo Zanki at ReversingLabs
  Malicious PyPI crypto pay package aiocpa implants infostealer code
  
  
• Puja Srivastava at Sucuri
  Credit Card Skimmer Malware Targeting Magento Checkout Pages
  
  
• Chicken0248 at System Weakness
  [CyberDefenders Write-up] Phobos
  
  
• Sean Wilson at Unpacme
  ATIP – Introducing AI-Powered Threat Reporting and Analysis
  

MISCELLANEOUS

• Cellebrite
  Embracing Change: Innovations in Digital Forensics You Need to Know
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 11/25/24
  
  
• Dragos
  Get Your OT Cyber Threat Questions Answered in the “Ask Dragos Intel” Blog Series
  
  
• Elan at DFIR Diva
  Free & Affordable Training News: Black Friday 2024 Edition
  
  
• Forensic Focus
  • Magnet Forensics Unveils The Presentation Catalog At Magnet User Summit 2025
  • Magnet Virtual Summit 2025: Register Now For The Virtual DFIR Event Of The Year
  • Oxygen Forensics Tech Takedown: A Remote Journey
  • Digital Forensics Round-Up, November 27 2024
  • Speech-To-Text Capabilities In Oxygen  Forensic® Detective
    
    
• IntaForensics
  Incident Response for E-commerce Breaches: A Guide to Protecting Your Online Business
  
  
• Ken Pryor at ‘No Pryor Knowledge’
  Importing Remnux and SIFT OVA’s into Proxmox (New Way to Do It)
  
  
• Magnet Forensics
  • Streamlining mobile extractions and processing with Magnet Graykey Fastrak and Axiom
  • AI in law enforcement and the future of digital forensics 
  • Enterprise forensics: Why scalable solutions matter 
    
    
• Nextron Systems
  Uncover Hidden Threats with THOR Cloud – Now at 50% Off!
  
  
• Jonathan Prince at NVISO Labs
  Wake up and Smell the BitLocker Keys
  
  
• Yassir Acaf at System Weakness
  Reverse engineer docker image : From Docker image to Dockerfile
  

SOFTWARE UPDATES

• C.Peter
  UFADE 0.9.6
  
  
• Datadog Security Labs
  GuardDog v2.1.0
  
  
• Didier Stevens
  Update: base64dump.py Version 0.0.27
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Google
  Timesketch 20241129
  
  
• IsoBuster
  IsoBuster 5.5 beta released
  
  
• k1nd0ne
  VolWeb v3.0.0
  
  
• Kathryn Hedley
  Parse USBs v1.5.4
  
  
• Magnet Forensics
  • Magnet Axiom 8.7: Initiate processing from Magnet Graykey Fastrak and more!  
  • Magnet Axiom Cyber 8.7: Acquire iCloud backups from ADP-enabled accounts, and more!
    
    
• OpenCTI
  6.4.2
  
  
• Passware
  Passware Kit Mobile 2025 v1 Now Available
  
  
• Phil Harvey
  ExifTool 13.04
  
  
• Ulf Frisk
  MemProcFS v5.13
  
  
• Xways
  • X-Ways Forensics 21.3 SR-6
  • X-Ways Forensics 21.4 Preview
    
    
• Yamato Security
  Hayabusa v2.19.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!