Added something new to the site this week; a couple of training vendors have reached out to offer readers a discount on their next training class purchase.

Using these discount codes will also support the site 🙂

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Adam at Hexacorn
  Being a tool while using a tool

   

• Akash Patel
  • Forensic Challenges in Cloud Storage Investigations
  • OneDrive Forensics : Investigating Cloud Storage on Windows Systems
  • Investigating OneDrive for Business: Advanced Forensics & Audit Logs

     

• Azr43lKn1ght
  DFIR-Labs

   

• Jean-Philippe Noat and Paul Lorentz at Cellebrite
  iOS Stolen Device Protection 

   

• Christopher Eng at Ogmini
  • Second Week Musings
  • David Cowen Sunday Funday Challenge – ChatGPT Desktop Artifacts
  • Diving Deep – LevelDB
  • Diving Deep – LevelDB Part 2
  • ChromeCacheView / ChromeHistoryView
  • Belkasoft – Windows Forensics with Belkasoft
  • Belkasoft – Windows Forensics with Belkasoft Part 2

     

• Cyber Triage
  What Is Jump List Cache?

   

• Damien Attoe
  The Duck Hunters Guide – Blog #3 – DuckDuckGo Open Tab Information (Android)

   

• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #723: Sunday Funday 1/19/25
  • Daily Blog #724: Project Adaz testing part 2
  • Daily Blog #725: Project adaz testing part 3
  • Daily Blog #726: Surviving the Breach Episode 1
  • Daily Blog #727: Experimenting with Deepseek v3
  • Daily Blog #728: Test Kitchen with Cursor
  • Daily Blog #729: Solution Saturday 1/25/25

     

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Lend Me Your Ears

   

• Forensafe
  Investigating Android Mastodon

   

• Garrett Jones
  ChatGPT Forensics – Windows Desktop App

   

• Haircutfish
  KC7 Module: A Scandal in Valdoria: Section 3 Plenty of Phish

   

• Iram Jack
  • Malware Detection with YARA
  • Integrating With Other Libraries – Expanding on Yara | Part 5
  • Integrating With Other Libraries – Expanding on Yara | Part 6
  • Detecting Sandboxes with YARA

     

• Eric Wise at Wise Forensics
  HackTheBox | Brutus

   

• Chas Meier and John Patzakis at X1 Discovery
  Inactive Mailboxes in M365 Present Significant Hidden Risks and Costs

   

• Yogesh Khatri at ‘Swift Forensics’
  New Wifi database from Apple intelligence
  

THREAT INTELLIGENCE/HUNTING

• Abdulrehman Ali
  • Voodoo Bear APT44 Adversary Simulation
  • Venomous Bear APT Adversary Simulation
  • Primitive Bear APT Adversary Simulation

• Faan Rossouw at Active Countermeasures
  A Network Threat Hunter’s Guide to C2 over QUIC

• Adam Goss
  New Free Training Courses and Threat Hunting Packages!

• Anton Chuvakin
  Google Cloud Security Threat Horizons Report #11 Is Out!

• Andres Ramos at Arctic Wolf
  Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access

• Francis Guibernau at AttackIQ
  Response to CISA Advisory (AA25-022A): Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

• Bitdefender
  • Akira Ransomware: A Shifting Force in the RaaS Domain
  • Criminals Exploit Telegram Captcha to Trick Victims into Installing Malware

• Bill Toulas at BleepingComputer
  Fake Homebrew Google ads target Mac users with malware

• Brad Duncan at Malware Traffic Analysis
  • 2025-01-13: KongTuke campaign leads to infection abusing BOINC platform
  • 2025-01-21: Quick post for Koi Loader/Koi Stealer activity
  • 2025-01-22: Traffic Analysis Exercise – Download from fake software site

• BushidoToken
  Tracking Adversaries: Ghostwriter APT Infrastructure

• Campaign and public sector information security
  How can I learn skills for digital forensics and incident response as a beginner?

• CatchingPhish
  Ransomware in Healthcare: A Comprehensive Subsector Analysis

• CERT-AGID
  • Ancora attacchi ad opera di Vidar: cadenza regolare e vecchie strategie sempre efficaci
  • Report riepilogativo sulle tendenze delle campagne malevole analizzate dal CERT-AGID nel 2024
  • Smishing a danno di INPS: caccia ai documenti personali da sfruttare per il furto di identità
  • Sintesi riepilogativa delle campagne malevole nella settimana del 18 – 24 gennaio

• Check Point
  20th January– Threat Intelligence Report

• CISA
  Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

• Omid Mirzaei at Cisco’s Talos
  Seasoning email threats with hidden text salting

• Tony Gore and Justin Schoenfeld at CrowdStrike
  Leveraging CrowdStrike Falcon Against Attacks Targeting Okta Environments

• Cyberdom
  Entra ID Destruction: How Attackers Leverage User.DeleteRestore.All

• Cyfirma
  Weekly Intelligence Report – 24 Jan 2025

• Datadog Security Labs
  Datadog threat roundup: top insights for Q4 2024

• Disconinja
  日本におけるC2サーバ調査(Week 3 2025)

• Arnau Ortega at Falcon Force
  Exploring WinRM plugins for lateral movement

• Gi7w0rm
  A beginner(s) guide to hunting web-based credit card skimmers

• Joshua Goddard at Google Cloud Threat Intelligence
  Securing Cryptocurrency Organizations

• Noah Stone at GreyNoise
  Evaluating Threat Intelligence Providers: What Security Teams Need to Know

• Hunt IO
  • Mapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity
  • Malicious VS Code Extension Impersonating Zoom Steals Chrome Cookies

• Andrew Schwartz at Huntress
  PerfMon! What Is It Good For? | Huntress

• InfoSec Write-ups
  • Splunk Series: Installation Guide for Windows and Linux (Part 1)
  • Reverse Engineering Chinese Social Media for Fun (REDNote App)
  • Splunk Series: Forwarding Logs Using Universal Forwarder (Part 2)
  • Splunk series: Rule Development (Part 3)

• Intel 471
  • How ransomware may trend in 2025
  • Threat hunting case study: PsExec

• Intrinsec
  “Premium panel”: phishing tool used in longstanding campaigns worldwide

• Israel National Cyber Directorate
  Hunting Infostealers: A Practical Approach

• Jack’s Substack
  PhaaS: The threat that keeps hitting inboxes

• Shusei Tomonaga at JPCERT/CC
  Beware of Contacts through LinkedIn: They Target Your Organization’s Property, Not Yours

• Kijo Girardi
  Day 20 – Microsoft Defender AV detection

• Brian Krebs at Krebs on Security
  MasterCard DNS Error Went Unnoticed for Years

• Lumen
  The J-Magic Show: Magic Packets and Where to find them

• Microsoft Security
  New Star Blizzard spear-phishing campaign targets WhatsApp accounts

• Natto Thoughts
  Salt Typhoon: the Other Shoe Has Dropped, but Consternation Continues

• Nisos
  Japanese Companies Threatened by DPRK IT Workers

• Oleg Skulkin at ‘Know Your Adversary’
  • 019. Here’s Another Rootkit Remover Commonly Abused by Threat Actors
  • 020. Play Ransomware Gang’s Reconnaissance Tool Looks Like Legitimate Security Software
  • 021. Do You Think This Java.exe is Legitimate?
  • 022. That’s How FIN7 Uses Malicious JAR Files
  • 023. Detecting a Gamaredon Copycat
  • 024. PlushDaemon Supply-Chain Attack: Detection Opportunities
  • 025. Silent Lynx Campaign: Detection Opportunities

• Praetorian
  ETW Threat Intelligence and Hardware Breakpoints

• QiAnXin Threat Intelligence Center
  Operation (Giỗ Tổ Hùng Vương) Hurricane: A brief discussion of the techniques and tactics of the New OceanLotus group in memory

• Shilpesh Trivedi at Qualys
  Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai

• Recorded Future
  • Cleo MFT: CVE-2024-50623
  • Annual Payment Fraud Intelligence Report: 2024
  • “Crazy Evil” Cryptoscam Gang: Unmasking a Global Threat in 2024

• Red Canary
  • What we learned by integrating with Google Cloud Platform
  • Intelligence Insights: January 2025
  • Tangerine Turkey mines cryptocurrency in global campaign

• Alex Capraro at ReliaQuest
  Report Finds 50% of Scattered Spider Phishing Domains Targeted Finance & Insurance

• SANS Internet Storm Center
  • Partial ZIP File Downloads, (Mon, Jan 20th)
  • Geolocation and Starlink, (Tue, Jan 21st)
  • Catching CARP: Fishing for Firewall States in PFSync Traffic, (Wed, Jan 22nd)
  • [Guest Diary] How Access Brokers Maintain Persistence, (Fri, Jan 24th)
  • XSS Attempts via E-Mail, (Thu, Jan 23rd)

• Sekoia
  Targeted supply chain attack against Chrome browser extensions

• SentinelOne
  • 2024 macOS Malware Review | Infostealers, Backdoors, and APT Campaigns Targeting the Enterprise
  • HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

• Silent Push
  • Dark Web Scanning with Silent Push Community Edition
  • ClouDNS Hostnames Discovered Accidentally Pointing to a Prolific Puma IP Address

• SOCRadar
  Dark Web Profile: OilRig (APT34)

• Mark Parsons, Colin Cowie, Daniel Souter, Hunter Neal, Anthony Bradshaw, and Sean Gallagher at Sophos
  Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”

• Djurre (DJ) Hoeksema, James Rigdon, and Benjamin Jones at SpearTip Cyber Counterintelligence
  fasthttp Used in New Bruteforce Campaign

• SpecterOps
  Entra Connect Attacker Tradecraft: Part 2

• Stephan Berger
  • Tear Down The Castle – Part 1
  • Oh my .. ! – Suspicious network traffic detected including Ransomware

• Sygnia
  ESXi Ransomware Attacks: Stealthy Persistence through SSH Tunneling

• Sysdig
  • How Falco and Wireshark paved the way for Stratoshark
  • Stratoshark: Extending Wireshark’s legacy into the cloud

• Scott Caveza at Tenable
  Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor

• Trend Micro
  • Investigating A Web Shell Intrusion With Trend Micro Managed XDR
  • Trend Micro Managed XDR Analysis of Infection From Fake Installers and Cracks

• Kevin Clark at TrustedSec
  Operating Inside the Interpreted: Offensive Python

• Serhii Melnyk at Trustwave SpiderLabs
  The New Face of Ransomware: Key Players and Emerging Tactics of 2024

• Chris Partridge
  Fake copies of Belsen Group’s FortiGate config leaks install malware

• Aaron Meese at Valdin
  Tracking a Malicious Blogspot Redirection Campaign to ApateWeb
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-01-27 #livestream #infosec #infosecnews

• Gerald Auger at Simply Cyber
  Unlocking the Potential of Blue Teaming with Simeon | Simply Defensive S2 E3

• Magnet Forensics
  Mobile Unpacked S3:E1 // ADB: It’s easy as ABC – Understanding the power of ADB commands

• SOCRadar
  Mastering Ransomware Negotiations: Unlock Critical Skills with SOCRadar’s Expert Training
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Digital Forensics Now Podcast – S2 E8

• Ali Hadi
  Scheduled Tasks and GhostTask Investigations | ShadowMe Webinar

• Black Hat
  Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels

• Black Hills Information Security
  • Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan
  • REKAST – Talkin’ Bout [infosec] News 2025-01-20 #infosecnews #cybersecurity #podcast #podcastclips

• Breaking Badness
  Spring Cleaning Your Digital Life: APT Threats, Third-Party Breaches, and Chat Risks 

• Cellebrite
  Tip Tuesday: Chat Capture Part Two

• Cloud Security Podcast by Google
  EP207 Slaying the Ransomware Dragon: Can a Startup Succeed?

• Getting Defensive Podcast
  Getting Defensive With Michael Taggart

• InfoSec Deep Dive
  Mastering Malware Analysis: Tools, Techniques, and Insights

• InfoSec_Bret
  Challenge – Malicious NuGet Package

• John Hammond
  • Hunting Scam Popups
  • Google Ad Promotes Fake Homebrew Malware
  • NetworkChuck and I Just Banter
  • Fake ChatGPT Browser Extension Malware Analysis (CyberDefenders)

• Magnet Forensics
  • Mobile Minute Episode 6: Enhancing Geolocation Investigations with Animated Maps in Route View
  • Cyber Unpacked S1:E3 // Bridging the Gap: Integrating MITRE ATT&CK with Magnet Axiom Cyber
  • Give your lab an investigative edge with Magnet One

• Microsoft Threat Intelligence Podcast
  Seashell Blizzard Resumes Spear-Phishing the EU, Revisiting NPRK Tech Workers

• MSAB
  MSAB Workflow

• MyDFIR
  How To Become a SOC Analyst in 2025

• Security Conversations
  Death of the CSRB, zero-days storms at the edge, Juniper router backdoors

• Security Onion
  Security Onion 2.4.120 Sneak Peek Video

• The DFIR Report podcast
  DFIR Discussions: The Curious Case of an Egg-Cellent Resume

• Triskele Labs
  TL Blue | Episode 12 | Jan 2025

• Yaniv Hoffman
  Jetson Nano A Compact Powerhouse for Cybersecurit
  

MALWARE

• Alexandre Borges at ‘Exploit Reversing’
  Exploiting Reversing (ER) series: article 03 | Chrome (part 01)

• Any.Run
  • InvisibleFerret Malware: Technical Analysis
  • How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case

• ASEC
  RID Hijacking Technique Utilized by Andariel Attack Group

• Mark Vaitzman at Deep Instinct
  Beyond Flesh and Code: Building an LLM-Based Attack Lifecycle With a Self-Guided Malware Agent

• Dr. Web
  Doctor, where did you get these pictures? Using steganography in a cryptocurrency mining campaign.

• Esentire
  Lumma Stealer Malware Updated to Use ChaCha20 Cipher for Config Decryption

• Aayush Tyagi at McAfee Labs
  GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

• Leandro Fróes at Netskope
  Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection

• Puja Srivastava at Sucuri
  Malware Redirects WordPress Traffic to Harmful Sites

• ventdrop
  ASyncRAT [IR/Malware Analysis]

• VMRay
  Heavily obfuscated batch file loads XWorm hosted on GitHub

• Joshua Platt, Jason Reaves and Jonathan McCay at Walmart
  Qbot is Back.Connect

• Facundo Muñoz at WeLiveSecurity
  PlushDaemon compromises supply chain of Korean VPN service

• Wladimir Palant at ‘Almost Secure’
  Malicious extensions circumvent Google’s remote code ban

• Zhassulan Zhussupov
  Malware development trick 44: Stealing data via legit GitHub API. Simple C example.

• Vishnu Pratapagiri at Zimperium
  AppLite: A New AntiDot Variant Targeting Mobile Employee Devices
  

MISCELLANEOUS

• Brett Shavers
  The Human Element of DF/IR (YOU!)

   

• Brian Maloney
  Running Autopsy Auto Ingest in Headless Mode

   

• Cado Security
  From SIEM to Ticketing: Streamlining Security Operations with Cado’s Export Capabilities

   

• Craig Ball at ‘Ball in your Court’
  Tailor FRE 502(d) Order to the Case

   

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 01/20/25

   

• Forensic Focus
  • Solutions For Next-Gen Investigators
  • Accelerating The Fight Against Human Trafficking With Detego Technology
  • MD-NEXT Expands UNISOC Chipset Support
  • Digital Forensics Round-Up, January 23 2025
  • Inside The Minds Of CSAM Investigators With Prof. Patrick Brady
  • Forensic Focus Digest, January 24 2025
  • MD-Series Release Note Highlights: 2024 Q4 Review

     

• Magnet Forensics
  • How to simplify multi-endpoint collection for enterprises 
  • State of Enterprise DFIR 2025 Report: Remote collections, the surge in AI usage, and the growth of SaaS-based tools
  • Simplifying enterprise digital forensics with cloud-based tools

     

• Marius Sandbu
  Deep-dive Azure Networking 

   

• Oxygen Forensics
  • 10 benefits of digital forensics collaboration using Oxygen Analytic Center
  • Fine-tuning the collaboration process with Oxygen Analytic Center

     

• Security Onion
  • Coming soon to Security Onion: CyberChef 10.19.4!
  • Coming soon to Security Onion: Local IP Lookups!

     

• AJ Williams at Sublime Security
  Enhanced message groups: Improving efficiency in email incident response
  

SOFTWARE UPDATES

• Andrew Rathbun
  KAPE-EZToolsAncillaryUpdater 4.3

• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.69

• Digital Sleuth
  winfor-salt v2025.3.3

• Eric Zimmerman
  ChangeLog

• Invictus Incident Response
  Release: Microsoft Extractor Suite v3

• Manabu Niseki
  Azuma v0.7.3

• Martin Willing
  Microsoft-Analyzer-Suite v1.2.0

• Phil Harvey
  ExifTool 13.16

• Xways
  X-Ways Forensics 21.4 Beta 2
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!