As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Arshiya Jamadar
  Mobile Forensics – Analyzing Data Stored by Meetup Application on iOS Devices
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Labeling AI
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  Bellingcat Challenge – Week 2 Writeup
  
  
• Eric Capuano
  The Role of Fuzzy Hashes in Security Operations
  
  
• Forensafe
  Investigating Samsung Wipe History
  
  
• Odysseus at HackTheBox
  Memory dump analysis with Signal decryption
  
  
• Hal Pomeranz at ‘Righteous IT’
  A Little More on LKM Persistence
  
  
• Iram Jack
  • Viewing Named-Pipes and SRUM Logs
  • Network Analysis via PowerShell
  • Blizzard Part 1
  • Blizzard Part 2
  • Blizzard Part 3
  • Dead End
    
    
• Salvation DATA
  How to Create an Accurate Forensics Timeline for Digital Evidence？
  
  
• John Brown at SANS
  A Prescription for Windows Prefetch Analysis
  
  
• SecurityAura
  Microsoft Unified Audit Log (UAL): What You Come To Learn The Hard Way
  
  
• Danya Hammoudeh
  Comparative Forensic Analysis of iOS Backups: Investigating the Impact of the Hidden App Feature
  
  
• Venkat Sai Akash Varma Penmetcha
  Unravelling ESS 45 Zebra: A Cutting-Edge Forensic Analysis of Application Data and Security
  
  
• Yeswanth K
  Editing Gone Wild : What PicsArt knows About Your Creations (and Your Secrets)
  
  
• Walter Hofstetter
  Beyond Packets: Wireshark Analysis with Additional Data
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Windows Server 2022 and MsMpEng.exe
  • Beyond good ol’ Run key, Part 145
  • Beyond good ol’ Run key, Part 146
  • Windows Server 2025 and MsMpEng.exe
    
    
• Adam Goss
  Web Scraping Cyber Threat Intelligence Using Octoparse: Full Guide
  
  
• Antonio Formato
  From Unstructured Threat Intelligence to STIX 2.1 Bundles with Generative AI
  
  
• Arden’s Substack
  Profiling CSAM consumers
  
  
• Lawrence Abrams at BleepingComputer
  New fake Ledger data breach emails try to steal crypto wallets
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2024-12-17 – SmartApeSG injected script leads to NetSupport RAT
  • 2024-12-18 – One week of server scans and probes and web traffic
    
    
• Brad Garnett
  • Brad Bits: December 19, 2024 (RTO Mandates and Salt Typhoon)
  • Brad Bits: December 18, 2024
  • Brad Bits: December 20, 2024 (1-800-ChatGPT and NCIRP)
    
    
• Cado Security
  • What is Cloud-Based Forensics?
  • Leveraging Adversary Emulation for Effective Cloud Forensic Analysis
    
    
• Michaela Adams, Roman Daszczyszak, and Steve Luke at Center for Threat-Informed Defense
  Summiting the Pyramid: Bring the Pain with Robust and Accurate Detection
  
  
• CERT Ukraine
  • “Повідомлення про порушення” від UAC-0099 (CERT-UA#12463)
  • Кібератака UAC-0125 з використанням тематики “Армія+” (CERT-UA#12559)
    
    
• CERT-AGID
  • Vidar via PEC: dal weekend al martedì. Cambio di strategia?
  • Falso avviso di consegna: una nuova campagna di smishing colpisce gli utenti di Poste Italiane
  • Sintesi riepilogativa delle campagne malevole nella settimana del 14 – 20 dicembre
    
    
• Check Point
  16th December – Threat Intelligence Report
  
  
• CrowdStrike
  • A Look Back: The Evolution of Latin American eCrime Malware in 2024
  • CrowdStrike Uses Proven Detection Logic for Pre-Deployment Malware Scanning
    
    
• CTF导航
  APT-C-36（盲眼鹰）持续针对哥伦比亚开展攻击活动
  
  
• Vasilis Orlof at Cyber Intelligence Insights
  • From 939 to 85 : Hunting Cobalt Strike Servers
  • Mapping Amadey Loader Infrastructure
    
    
• Cybercrime Diaries
  Russia’s Sovereign RuNet: A Challenge to the Cybercrime Underworld?
  
  
• Cybereason
  Your Data Is Under New Lummanagement: The Rise of LummaStealer
  
  
• Cyble
  LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks
  
  
• Cyfirma
  • CYFIRMA INDUSTRY REPORT : MATERIALS
  • BIZFUM STEALER
  • RUSSIA AS A THREAT ACTOR IN THE UK
  • TRACKING RANSOMWARE : NOVEMBER 2024
  • Weekly Intelligence Report – 20 Dec 2024
    
    
• Cyjax
  • Stealer Malware and Stealer Logs Explained
  • Living Up to Its Name: Alleged Extortion Group LeakedData Begins to Leak Data
  • Cybercriminals targeting the legal sector 
    
    
• Datadog Security Labs
  • Escalating privileges to read secrets with Azure Key Vault access policies
  • From Detection to Enforcement: Migrating from IMDSv1 to IMDSv2
    
    
• Disconinja
  日本におけるC2サーバ調査(Week 50 2024)
  
  
• Abdulrahman H. Alamri and Lexie Mooney at Dragos
  Dragos Industrial Ransomware Analysis: Q3 2024 
  
  
• Ted Kietzman at Duo
  Defending Against Help Desk Attacks
  
  
• Esentire
  Winos4.0 “Online Module” Staging Component Used in CleverSoar Campaign
  
  
• Flashpoint
  Staying Ahead of Threat Actors: Flashpoint’s 2025 Ransomware Survival Guide
  
  
• Google Cloud Security Community
  • Using Google Threat Intelligence to create behavioral detections as a detection engineer
  • New to Google Secops: Top Ten YARA-L Rules Troubleshooting Tips
    
    
• Billy Leonard at Google Threat Analysis Group
  TAG Bulletin: Q4 2024
  
  
• Nati Tal at Guardio
  “DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of…
  
  
• Hudson Rock
  • Server-Side Infostealers: How Initial Access Broker Pryx is Revolutionizing Infostealers
  • Interview with Pryx Part 2: Diving Deeper into Server-Side Stealers & Other Interesting Chit-chats (Video Included)
    
    
• Anton Ovrutsky at Huntress
  Analyzing Initial Access Across Today’s Business Environment | Huntress
  
  
• IC3
  HiatusRAT Actors Targeting Web Cameras and DVRs
  
  
• Bart Lenaerts and Tom Grimes at Infoblox
  2024 DNS Threat Landscape
  
  
• Intel471
  • Expanding source coverage: adding Signal chats to threat intelligence
  • ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics
  • Bring Your Own Hunts to HUNTER471
    
    
• Invictus Incident Response
  Responding to Adversary in the Middle attacks
  
  
• Keisuke Shikano at JPCERT/CC
  TSUBAME Report Overflow (Jul-Sep 2024)
  
  
• Sunny Chau at Jumpsec Labs
  TokenSmith – Bypassing Intune Compliant Device Conditional Access
  
  
• Kaido Järvemets
  Stay Current with Microsoft Sentinel Content Hub Updates
  
  
• KELA Cyber Threat Intelligence
  • Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives?
  • Infostealers Under the Spotlight: What are Infostealers and Why Do You Need to Know? 
    
    
• Kostas
  Unveiling the Gaps: Linux EDR Telemetry in Focus
  
  
• Bert-Jan Pals at KQL Query
  IOC hunting at scale
  
  
• Brian Krebs at Krebs on Security
  • How to Lose a Fortune with Just One Bad Click
  • Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm
    
    
• Matheo Boute at NVISO Labs
  Microsoft Purview – Evading Data Loss Prevention policies
  
  
• Olaf Hartong at Falcon Force
  Detection engineering rabbit holes — parsing ASN.1 packets in KQL
  
  
• Palo Alto Networks
  • Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration
  • Effective Phishing Campaign Targeting European Companies and Organizations
  • LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory
  • Cybersecurity Trends on the Horizon Across APAC for 2025 and Beyond
  • Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript
    
    
• Remy Kullberg at Panther
  Investigating Amazon EKS Privilege Escalation with PantherFlow
  
  
• Proofpoint
  • Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs
  • Security Brief: Threat Actors Gift Holiday Lures to Threat Landscape
    
    
• Qualys
  • NotLockBit: A Deep Dive Into the New Ransomware Threat
  • Securing Cloud Environments Against Potential Extortion Threats
    
    
• Rapid7
  2024 Threat Landscape Statistics: Ransomware Activity, Vulnerability Exploits, and Attack Trends
  
  
• Red Canary
  • A defender’s guide to identity attacks
  • Red Canary’s best of 2024
  • Intelligence Insights: December 2024
    
    
• Alessio Stefan at Red Hot Cyber
  FBI responds to threats and announcement of LockBit 4.0
  
  
• Alex Capraro at ReliaQuest
  Using CAPTCHA for Compromise: Hackers Flip the Script
  
  
• SANS Internet Storm Center
  • Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th)
  • [Guest Diary]; A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th)
  • Christmas “Gift” Delivered Through SSH, (Fri, Dec 20th)
  • Command Injection Exploit For PHPUnit before 4.8.28 and 5.x before 5.6.3 [Guest Diary], (Tue, Dec 17th)
    
    
• Hans Eliseo Carriel at Security Art Work
  C2: La clave oculta en las operaciones de Red Team
  
  
• Den Iuzvyk and Tim Peck at Securonix
  Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads
  
  
• Sekoia
  • Detection engineering at scale: one step closer (part one)
  • Happy YARA Christmas!
    
    
• Simone Kraus
  • Violation Report” from UAC-0099 (CERT-UA#12463)
  • Cyberattack UAC-0125 using the “Army+” theme (CERT-UA#12559)
    
    
• SOCRadar
  • Unveiling India’s Cyber Threat Landscape: Data, Trends, and Resilience 
  • Dark Web Market: BidenCash
    
    
• SpecterOps
  • Misconfiguration Manager: Detection Updates
  • ADFS Entra Lab with Ludus
    
    
• Spur
  Astrill VPN and Remote Worker Fraud
  
  
• Stephan Berger
  Today I Learned – setfacl
  
  
• Sublime Security
  • B2B freight-forwarding scams on the rise to evade financial fraud crackdowns
  • Callback phishing via invoice abuse and distribution list relays
    
    
• Lewis Henderson at Team Cymru
  Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy
  
  
• TRAC Labs
  WikiKit AiTM Phishing Kit: Where Links Tell Lies
  
  
• Trellix
  • Safeguarding Election Integrity: Threat Hunting for the U.S. Elections
  • Hacktivist Groups: The Shadowy Links to Nation-State Agendas
    
    
• Trend Micro
  • Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
  • Python-Based NodeStealer Version Targets Facebook Ads Manager
    
    
• Phil Hay at Trustwave SpiderLabs
  Email Bombing: Why You Need to be Concerned
  
  
• VMRay
  • Inside the latest phishing campaigns: CarPhish, EDG, Tpass, and Mamba2FA phishing kits
  • Backdoored configuration script waits until user is inactive (!) to run Linux malware
    
    
• WeLiveSecurity
  • ESET Threat Report H2 2024
  • ESET Threat Report H2 2024: Key findings
    
    
• Wiz
  • New Developments in LLM Hijacking Activity
  • Under the Radar: Exploring Spring Boot Actuator Misconfigurations
  • Unpacking Diicot – Evolving Campaign Targeting Linux Environments
    
    
• Jacob Latonis at YARA-X
  Using the Mach-O module in YARA-X
  
  
• Santiago Rodriguez at Zimperium
  Mobile Spear Phishing Targets Executive Teams
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-01-06 #livestream #infosec #infosecnews
  
  
• Magnet Forensics
  • Unlocking mobile insights for traffic investigations
  • Cyber Unpacked S1:E1 // From zero to YARA hero: Detect malware like a pro
    
    
• Silent Push
  Webinar – Before the Strike: Preemptive Threat Detection of APTs with Silent Push
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  The Most Prolific Adversaries and Threats of 2024
  
  
• Ali Hadi
  • C5W Webinar Series – Internal Investigation (Windows System – Part #1)
  • Fast Way to Build and use Batch Files with Eric Zimmerman’s RECmd
  • Fast Way to Build and use Batch Files with Eric Zimmerman’s RECmd
    
    
• Anuj Soni
  Shellcode Analysis – Part 2: Automated Extraction
  
  
• ArcPoint Forensics
  • S2: DFIRmas Podcast: Shanon Burgess
  • S2: DFIRmas Podcast: Jerry Bui
  • S2: DFIRmas Podcast: Sarah Hayes
  • S2: DFIRmas Podcast: Kevin Pagano
  • S2: DFIRmas Podcast: Lili Infante
    
    
• Black Hills Information Security
  • Introduction to Zeek Log Analysis w/ Troy Wojewoda
  • REKAST – Talkin’ Bout [infosec] News 2024-12-16 #infosecnews #cybersecurity #podcast #podcastclips
    
    
• Breaking Badness
  2025 Cybersecurity Predictions: AI, Ransomware, and Quantum Threats
  
  
• Cellebrite
  • Tip Tuesday: Inherit Settings in Reader
  • Mobile Forensics Mastery with Cellebrite Inseyets | Digital Forensic Trainings and Certifications
    
    
• Computer Crime Chronicles
  Episode 9 – Computer Forensics – The Tools We Use
  
  
• Cyber from the Frontlines
  E15 How Hunting Enhances Threat Informed Cyber Defense
  
  
• Cyberwox
  OffSec IR-200 Review (Complete Breakdown) for Cybersecurity/SOC Analysts & Incident Responders
  
  
• InfoSec_Bret
  SA -SOC227-189 – Possible CVE-2023-29357 Exploitation
  
  
• Intel471
  Collecting Useful CTI from Underground Markets
  
  
• Magnet Forensics
  • Mobile Minute Ep. 5: Disappearing Data from iOS devices
  • Mobile Unpacked Ep. 24 // Split Personalities – understanding multiple user account purposes in Android
    
    
• Marcus Hutchins
  TryHackMe Advent Of Cyber – Day 21 (Help Me I’m Reverse Engineering) Walkthrough
  
  
• Microsoft Threat Intelligence Podcast
  Doctors’ Perspective: The Rise of Healthcare Ransomware
  
  
• MSAB
  • XAMN Subset One Click Review
  • Forensic Fix Episode 18
    
    
• MyDFIR
  5 FREE Labs You MUST DO (LetsDefend)
  
  
• Sandfly Security
  • Linux Process Running from /dev/shm RAM Disk Attack
  • Deleted Process Binary Attack on Linux
    
    
• SANS
  • CyberThreat 2024 Recap: Highlights, CTF Competition, and Key Insights
  • Countering Ransomware with Jen Ellis
    
    
• SentinelOne
  • LABScon24 Replay | Let Them Eat Cake: “Secure by Upgrade” Software is a National Security Threat
  • LABScon24 Replay | The Ransomware Trust Paradox
    
    
• The Citizen Lab
  Rebekah Brown discusses the global abuse of commercial spyware on TaiwanPlus
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show – Episode 240 – Holiday 2024
  
  
• WeLiveSecurity
  ESET Research Podcast: Telekopye, again
  

MALWARE

• Any.Run
  • What’s Inside ANY.RUN’s Cyber Threat Intelligence Feeds?
  • How to Set up a Windows 11 Malware Sandbox
  • How DFIR Analysts Use ANY.RUN Sandbox
    
    
• ASEC
  • Analysis on the Case of TIDRONE Threat Actor’s Attacks on Korean Companies
  • cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3)
    
    
• Xusheng Li at Binary Ninja
  Having Fun with Flare-on Using Time-Travel Debugging (TTD)
  
  
• Dr Josh Stroschein
  00 – Welcome to Creating Shellcode and Prerequisistes
  
  
• Paul Asadoorian and Jesse Michael at Eclypsium
  BadRAM-ifications: A Low-Cost Attack on Trusted Execution Environments
  
  
• Banu Ramakrishnan at G Data Security
  New I2PRAT communicates via anonymous peer-to-peer network
  
  
• Jérôme Segura at Malwarebytes
  Malicious ad distributes SocGholish malware to Kaiser Permanente employees
  
  
• Wenfeng Yu and ZePeng Chen at McAfee Labs
  Spyware distributed through Amazon Appstore
  
  
• Nadav Lorber at Morphisec
  CoinLurker: The Stealer Powering the Next Generation of Fake Updates
  
  
• Netscout
  • 2024 DDoS-for-Hire Landscape Part 5
  • 2024 DDoS-for-Hire Landscape Part 6
    
    
• Patrick Wardle at Objective-See
  Restoring Reflective Code Loading on macOS
  
  
• Lucija Valentić at ReversingLabs
  A new playground: Malicious campaigns proliferate from VSCode to npm
  
  
• Vasily Berdnikov and Sojun Ryu at Securelist
  Lazarus group evolves its infection chain with old and new malware
  
  
• Sean Gallagher and Mark Parsons at Sophos
  Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces
  
  
• Scott Nusbaum at TrustedSec
  Malware Series: Process Injection Mapped Sections
  
  
• Jason Reaves at Walmart
  Decoding RevC2 strings
  
  
• Zhassulan Zhussupov
  Malware and cryptography 36 – random sbox generation algorithms: Fisher-Yates shuffle. Simple C example.
  
  
• ZScaler
  Technical Analysis of RiseLoader
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  Trojan.Win32.DNSChanger
  

MISCELLANEOUS

• Chris Brenton at Active Countermeasures
  Tuning Fail2ban
  
  
• Akash Patel
  • SentinelOne(P1- Dashboard)|| (P2- SentinelOne’s Deep Visibility: Enhanced vs.
  • Sentinel One(P4- Sentinels): A Practical Guide
  • Sentinel One(P3- Network Discovery): A Practical Guide
    
    
• Emre Tınaztepe at Binalyze
  Reflecting on 2024: A Year of Milestones, Recognition & Fresh Identity
  
  
• Brett Shavers
  Raising the Bar: Establishing a Common Baseline in DFIR
  
  
• Cellebrite
  • Cellebrite Statement About Amnesty International Report
  • Seamless, Swift and Secure: The New Era of Mobile Data Collection 
    
    
• Craig Ball at ‘Ball in your Court’
  Safety First: A Fun Day at the “Office”
  
  
• Danny Zendejas
  Cybersecurity: The Tools of the Trade
  
  
• DFIR Dominican
  • DFIR Jobs Update – 12/16/24
  • How To Break Into DFIR (Part 1 of 5) – Cybersecurity Fundamentals
    
    
• Forensic Focus
  • Detecting AI Fakes: Forensic Image Analysis With Cellebrite
  • Digital Forensics Round-Up, December 18 2024
  • Understanding Digital Forensics Mental Health Stressors: PTSD And Anxiety
  • Amped Software Introduces The New Reflections Filter And More Updates To Amped Authenticate
  • Alexis Brignoni, Special Agent and Digital Forensic Examiner, FBI
  • Crypto Crime – No Such Thing?
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  A brief history of logs and Console
  
  
• Matt Edmondson at SANS
  SEC587: Advanced Open-Source Intelligence Course Update – What’s New?
  

SOFTWARE UPDATES

• Atola
  TaskForce 2 Changelog – 2024.9.1
  
  
• Airbus Cybersecurity
  IRIS-Web v2.4.19
  
  
• Alexis Brignoni
  • iLEAPP v2.0.2
  • RLEAPP v1.1.2
    
    
• Costas K
  PrefetchBrowser
  
  
• Cyber Triage
  3.13 Adds MemProcFS and Extends the S3 and Recorded Future Sandbox Integrations
  
  
• Digital Sleuth
  winfor-salt v2024.19.7
  
  
• Elcomsoft
  Elcomsoft System Recovery 8.33 adds built-in log viewer
  
  
• James Habben
  Homebrew Tap for LEAPP
  
  
• Magnet Forensics
  • Magnet Axiom Cyber 8.8: Email threads in Email Explorer, chat threads in Exhibit Builder, and new artifacts from Samsung Cloud Backups
  • Magnet Axiom 8.8: Chat threads in Exhibit Builder, Email threads in Email Explorer, and new artifacts from Samsung Cloud Backups
    
    
• Manabu Niseki
  Azuma v0.7.0
  
  
• Michael Haag
  PowerShell-Hunter
  
  
• MISP
  MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities.
  
  
• MobilEdit
  New MOBILedit Forensic 9.5 Joins the Leaders in Security Bypassing
  
  
• OpenCTI
  6.4.5
  
  
• Passware
  Passware Kit 2025 v1 Now Available
  
  
• Phil Harvey
  ExifTool 13.10 (production release)
  
  
• Security Onion
  Security Onion 2.4.111 now available!
  
  
• Sigma
  Release r2024-12-19
  
  
• Three Planet Software
  Apple Cloud Notes Parser v0.21
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!