As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Box Cloud Storage Forensic Investigations: Logs, Cached Files, and Metadata Analysis
  • Cloud Storage Affect on file Timestamps and collection with KAPE: A Forensic Guide
  • Volume Shadow Copy extraction with KAPE(including data/file recovery)
  • Metadata Investigation(Exiftool): A Powerful Tool in Digital Forensics
  • Remote Collections Artifacts Using KAPE including UNC and Over the Internet(ZeroTier)
    
    
• Belkasoft
  Windows Forensics: Analyzing Prefetch Files with Belkasoft X
  
  
• Cyber Triage
  How to Investigate Malware WMI Event Consumers 2025
  
  
• Damien Attoe at Spyder Forensics
  Vacuuming the Digital Trail – Part 2
  
  
• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #737: Sunday Funday 2/2/25
  • Daily Blog #738: Arsenal Recon LevelDB Recon
  • Daily Blog #739: USN Versions (2, 3 and 4)
  • Daily Blog #740: USN V4 Data Ranges
  • Daily Blog #741: AI powered Honeypots
  • Daily Blog #742: Life is short
  • Daily Blog #743: Solution Saturday 2/8/25
    
    
• Decrypting a Defense
  Facial Recognition Results are Not Probable Cause, Vehicle Tracking, Preserving iCloud Data, The Stored Communications Act & More
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  ShmooCon and C2PA Forgeries
  
  
• Forensafe
  Investigating Android MEGA
  
  
• Nicholas Dubois at Hexordia
  Tips And Tricks – Bulk Disassembly Scripting
  
  
• iblue team
  Banners, isfinfo, and custom profiles
  
  
• Florian Bausch at Insinuator
  When Your Edge Browser Syncs Private Data to Your Employer
  
  
• James McGee at The Metadata Perspective
  Hello! Who is on the Line?
  
  
• Eric Wise at Wise Forensics
  HackTheBox | BFT
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – Merlin C2 Data Jitter
  
  
• Adam at Hexacorn
  DWRCSAccess.log artifact
  
  
• Maor Dahan at Akamai
  Cryptominers? Anatomy: Cryptomining Internals
  
  
• Anton Chuvakin
  15+ Years of Loading Threat Intel into SIEM: Why Does This Still Suck?
  
  
• ASEC
  Persistent Threats from the Kimsuky Group Using RDP Wrapper
  
  
• Ionut Alexandru Baltariu, Andrei Anton-aanei, and Alina Bîzgă at Bitdefender
  Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam
  
  
• Brad Duncan at Malware Traffic Analysis
  2025-02-07: Three days of scans and probes and web traffic hitting my web server
  
  
• Brad Garnett
  Brad Bits: February 6, 2025
  
  
• CERT-AGID
  • Vidar muta ancora: payload variabile e offuscamento più raffinato per questa nuova ondata
  • Sintesi riepilogativa delle campagne malevole nella settimana del 01 – 07 febbraio
    
    
• Chainalysis
  35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments
  
  
• Check Point
  • 3rd February – Threat Intelligence Report
  • CPR Finds Threat Actors Already Leveraging DeepSeek and Qwen to Develop Malicious Content
    
    
• Cisco’s Talos
  • Google Cloud Platform Data Destruction via Cloud Build
  • Changing the tide: Reflections on threat data from 2024
    
    
• Jhon Revesencio at Cofense
  When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns
  
  
• Coveware
  Will Law Enforcement success against ransomware continue in 2025?
  
  
• Shaefer Drew, Mickey Brautbar, and Yaron Zinar at CrowdStrike
  Caught in the Act: CrowdStrike’s New ML-Powered LDAP Reconnaissance Detections
  
  
• Cyble
  • Cyble Sensors Detect Attacks on Apache OFBiz, Palo Alto Networks
  • Stealthy Attack: Dual Injection Undermines Chrome’s App-Bound Encryption
  • U.S. Ransomware Attacks Surge to Start 2025
  • Open Graph Spoofing Toolkit: Old Exploitation Techniques Still in Use to Lure Social Media Users into Phishing Attacks
    
    
• Cyfirma
  Weekly Intelligence Report – 07 Feb 2025
  
  
• Darktrace
  RansomHub revisited: New front-runner in the ransomware-as-a-service marketplace
  
  
• Disconinja
  日本におけるC2サーバ調査(Week 5 2025)
  
  
• Aaron Jewitt at Elastic
  How to detect malicious browser extensions using Elastic
  
  
• Ryan Slaney at Field Effect
  Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor
  
  
• Gaetan Ferry at GitGuardian
  The Secret to Your Artifactory: Inside The Attacker Kill-Chain
  
  
• Google Cloud Security Community
  Consuming Backscatter Information to Perform Threat Hunting
  
  
• Google Cloud Threat Intelligence
  • CVE-2023-6080: A Case Study on Third-Party Installer Abuse
  • Using capa Rules for Android Malware Detection
    
    
• Group-IB
  • The Dark Side of Automation and Rise of AI Agents: Emerging Risks of Card Testing Attacks
  • 5 ways to leverage our Malware Reports for malware analysis
    
    
• GuidePoint Security
  GRIT’s 2025 Report: Annual Vulnerability Analysis and Exploitation Trends
  
  
• Hunt IO
  • GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains
  • SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries
    
    
• Matt Kiely at Huntress
  Device Code Phishing in Google Cloud and Azure | Huntress
  
  
• IC3
  Guidance on Digital Forensics and Protective Monitoring Specifications for Producers of Network Devices and Appliances
  
  
• Intel 471
  Law enforcement hammered cybercrime in 2024. Is it working?
  
  
• Nicole Fishbein, Joakim Kennedy and Justin Lentz at Intezer
  XE Group: From Credit Card Skimming to Exploiting Zero-Days
  
  
• David Kennedy at Jumpsec Labs
  Bring Your Own Trusted Binary (BYOTB) – BSides Edition
  
  
• KELA Cyber Threat Intelligence
  Work Smarter in 2025: 7 Benefits of Automating CTI into SOC Activities
  
  
• Brian Krebs at Krebs on Security
  • Who’s Behind the Seized Forums ‘Cracked’ & ‘Nulled’?
  • Experts Flag Security, Privacy Risks in DeepSeek AI App
  • Teen on Musk’s DOGE Team Graduated from ‘The Com’
    
    
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – January Update
  
  
• Lab52
  GRU: Military Unit 54777
  
  
• Microsoft Security
  Code injection attacks using publicly disclosed ASP.NET machine keys
  
  
• Natto Thoughts
  Sichuan Silence Information Technology and Guan Tianfeng: Your Criminal Our Hero
  
  
• Nextron Systems
  Cyber Security 2025: Practical Trends Beyond the Hype
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 034. That’s How Real Adversaries Abuse PowerShell for Persistence
  • 035. Is It a Must for Adversaries to Masquerade Phishing Attachments Properly?
  • 036. macOS FlexibleFerret Malware: Detection and Hunting Opportunities
  • 037. The Easiest Way to Detect a macOS Stealer
  • 038. Adversaries Abuse PowerShell to Steal Email Addresses
  • 039. Adversaries MSBuild.exe to Deploy Malicious C# Code
    
    
• Tom Fakterman, Chen Erlich and Tom Sharon at Palo Alto Networks
  Stealers on the Rise: A Closer Look at a Growing macOS Threat
  
  
• Nizar B. at Paraben Corporation
  What is threat hunting?
  
  
• Permiso
  • Unused Cloud Regions: How Threat Actors Abuse Unsupported Cloud Regions
  • RansomWhen – An open-source tool to help defenders counter KMS-based ransomware
    
    
• Recorded Future
  The convergence of space and cyber: An evolving threat landscape
  
  
• Red Alert
  • Monthly Threat Actor Group Intelligence Report, October 2024 (JPN)
  • Monthly Threat Actor Group Intelligence Report, December 2024 (KOR)
  • Monthly Threat Actor Group Intelligence Report, November 2024 (ENG)
    
    
• Jesse Griggs at Red Canary
  CopyObjection: Fending off ransomware in AWS
  
  
• Resecurity
  ICAO and ACAO Breached: Cyberespionage Groups Targeting Aviation Safety Specialists
  
  
• SANS Internet Storm Center
  • Crypto Wallet Scam, (Mon, Feb 3rd)
  • Some updates to our data feeds, (Tue, Feb 4th)
  • Phishing via “com-” prefix domains, (Wed, Feb 5th)
  • The Unbreakable Multi-Layer Anti-Debugging System, (Thu, Feb 6th)
  • SSL 2.0 turns 30 this Sunday… Perhaps the time has come to let it die?, (Fri, Feb 7th)
  • Crypto Wallet Scam: Not For Free, (Sat, Feb 8th)
  • Sorry, client-side security does not work
    
    
• Anna Lazaricheva at Securelist
  Investors, Trump and the Illuminati: What the “Nigerian prince” scams became in 2024
  
  
• Sekoia
  Detection engineering at scale: one step closer (part two)
  
  
• Silent Push
  Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks
  
  
• Simone Kraus
  Isn’t it funny to be a hack of a wolf?
  
  
• SOC Fortress
  Mastering Linux Monitoring with Tetragon and Wazuh
  
  
• Kirill Boychenko at Socket
  Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  
  
• SOCRadar
  Dark Web Profile: Tortoiseshell APT
  
  
• Puja Srivastava at Sucuri
  Google Tag Manager Skimmer Steals Credit Card Info From Magento Site
  
  
• Sygnia
  • A Surge in Identity-based Attacks: Cybersecurity trends from Sygnia’s new 2025 Field Report
  • The Anatomy of Abyss Locker Ransomware Attack
  • The Critical Importance of a Robust Incident Response Plan
    
    
• System Weakness
  [CyberDefenders Write-up] 3CX Supply Chain
  
  
• Lefebvre Fabien and Pezier Pierre-Henri at Tehtris
  “LegionLoader” exposed !
  
  
• THOR Collective Dispatch
  A DEATHCON Thrunting Workshop Overview Part 3: ⚡ Hypothesis-Driven Threat Hunting
  
  
• Trend Micro
  • CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
  • Chinese-Speaking Group Manipulates SEO with BadIIS
    
    
• Truesec
  Law Enforcement disrupts Major Spam Delivery Service
  
  
• Mike Casayuran and John Kevin Adriano at Trustwave SpiderLabs
  Beyond the Chatbot: Meta Phishing with Fake Live Support
  
  
• Benjamin Harris, Aliz Hammond, and Pinaki Mondal at watchTowr Labs
  8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
  
  
• 위협분석보고서-genians
  K 메신저로 유포된 ‘APT37’ 그룹의 악성 HWP 사례 분석
  
  
• Huntress
  Threat Actors LOVE These Trends and Tactics | Tradecraft Tuesday
  

UPCOMING EVENTS

• Atola Technology
  Must-Visit DFIR Conferences in 2025
  
  
• Cellebrite
  Empowering Tech Webinar Series: IU Uncovered The 2025 Operational Update for Investigations and Intelligence Units
  
  
• Magnet Forensics
  • Magnet Virtual Summit 2025
  • Mobile Unpacked S3:E2 // apples, onions, and ogres: dealing with layered iOS data structures
    
    
• Recorded Future
  2024 Annual Report
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Putting a Spotlight on Energy Sector Threats with Corelight’s Greg Bell
  
  
• Archan Choudhury at BlackPerl
  Threat Hunting Course with Microsoft Sentinel – FIN7 Threat Actor
  
  
• Black Hat
  From Exploits to Forensics Evidence – Unraveling the Unitronics Attack
  
  
• BlueMonkey 4n6
  Job scheduling on a Linux system with cron – crontab file tutorial
  
  
• Breaking Badness
  DNS Errors and Malware Builders Turning on Attackers
  
  
• Cellebrite
  Tip Tuesday: Retrieve Locations
  
  
• Cyacomb
  Introducing Cyacomb’s “Guardians For Good” Podcast: Episode 1 with Debbie Garner
  
  
• Cyber Social Hub
  • Automated Cyber Incident Response: What are you waiting for?
  • Speed Up Digital Investigations Involving Multimedia
  • Evidence in the Open: Social Media & Open-Source Intelligence for Investigators
  • Challenging Deepfakes: Detecting AI-generated Images With Geometrical Analysis and Deep Learning
  • From Footage to Findings – Streamlining Video Analysis with AI
  • Post Forensic Collection: Mastering eDiscovery for Phones and Collaborative Tools
  • Discover How to Capture HDMI Data & Consent Forms
  • Encrypted Messenger Forensics: Signal and Telegram
  • How to Present Using Virtual Forensics
  • Accelerate Your Investigations with Intelligent Triage
  • Mobile Forensics: Alibi Maker or Alibi Breaker
  • A New Way to Process CyberTips
  • Why Every Digital Examiner Should See the Data Through the Suspect’s Eyes
  • On-Scene Preview: The First Step in Triage and Early Case Assessment
  • ICAC Investigations: The Art of Balancing Victim/Witness Consent and Evidence Collection
  • The Digital Forensic Investigation of Smartwatches
  • Safeguarding More Children Faster with On-Scene Triage Using AI
  • Can AI Replace a Digital Forensic Expert?
  • Tick-Tock TikTok: Collecting TikTok Evidence Before It Disappears
  • From Data to Discovery: Accelerate Your Digital Investigations with Analyse AI+ from Detego Global
  • Starting a DFIR or Digital Investigations Business
  • How to Present Evidence Using Virtual Machines
  • How Programming Skills Can Help You Succeed in DFIR
  • ProHawk: Elevate Your Video Enhancement Skills
  • Breaking Down SQLite Databases: Cell Structure
  • Unlocking the Suspect’s Perspective in a DFIR Investigation
  • What Story is Your Mobile Device Evidence Telling?
  • Barry Bonds and Digital Forensics: Privileged Documents and Efficient Review
  • Faster Forensics: Streamline Your Investigations & Reduce Backlogs
  • Scan to Solve: Using ADF for Enhanced Investigations
  • Mobile Forensics, Challenges and Solutions with MSAB Enterprise Products
  • How AI Can Assist You in Your Digital Investigation
  • Unleashing the Potential of Reddit OSINT: Tips and Tricks for Successful Investigation
  • Rapid Triage Meets AI Analytics: Discover Detego Analyse AI+ and the All-New Express Triage Feature
  • Tools to Help Law Enforcement Identify & Rescue More CSAM Victims
  • Mastering Computer Forensic Investigations Across Devices
  • How to Use RF Surveying to Best Effect for Intelligence and Evidence
  • Master SQLite #shorts
    
    
• Eclypsium
  BTS #45 – Understanding Firmware Vulnerabilities in Network Appliances
  
  
• InfoSec_Bret
  CyberDefenders – PhishStrike Lab
  
  
• John Hammond
  Shellcode Loaders! (Windows Malware Development)
  
  
• Magnet Forensics
  Cyber Unpacked S1:E4 // Return of the AI: A new hope (or a new threat)
  
  
• Microsoft Threat Intelligence Podcast
  Microsoft’s CVP of Fraud on Combating Ecosystem Abuse
  
  
• MSAB
  Chats Revisited
  
  
• MyDFIR
  • Cybersecurity SOC Analyst Right For You?
  • A Rap Beef (KC7 Cyber) | MyDFIR KQL Series | Cybersecurity Training
    
    
• Security Onion
  New YouTube Video: Introduction to Security Onion 2.4
  
  
• The Defender’s Advantage Podcast
  Agentic AI in Cybersecurity
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 245 – Andy Jaw
  
  
• Triskele Labs
  TL Blue | Episode 13 | Feb 2025
  

MALWARE

• Dave Addison at BadOosb
  xWorm Extractor – Extracting Configs Without a Sandbox
  
  
• BI.Zone
  NOVA: blast from the past
  
  
• Cryptax
  Reversing a Prometei botnet binary with r2 and AI (Part One)
  
  
• Dr Josh Stroschein
  • 00 – Introduction to Working with Time Travel Debugging in Binary Ninja
  • 01 – Installing WinDbg and Configuring Binary Ninja
  • 02 – Recording a TTD Trace with Binary Ninja
  • 03 – Replaying TTD Traces in Binary Ninja
    
    
• Axelle Apvrille at Fortinet
  Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst
  
  
• Kaspersky Lab
  • New Tria stealer intercepts text messages on Android | Kaspersky official blog
  • SparkCat — first OCR trojan stealer to infiltrate the App Store | Kaspersky official blog
    
    
• Karlo Zanki at ReversingLabs
  Malicious ML models discovered on Hugging Face platform
  
  
• Dmitry Kalinin, Sergey Puzan at Securelist
  Take my money: OCR crypto stealers in Google Play and App Store
  
  
• Phil Stokes & Tom Hegel at SentinelOne
  macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
  
  
• VMRay
  Fully undetected Shell Script dropping macOS Atomic Stealer
  
  
• VMRay
  Fully undetected Shell Script dropping macOS Atomic Stealer
  
  
• Wladimir Palant at ‘Almost Secure’
  Analysis of an advanced malicious Chrome extension
  
  
• Zhassulan Zhussupov
  Linux hacking part 4: Measuring cache hit and cache miss times in linux.
  

MISCELLANEOUS

• Anchored Narratives
  Course Review – TrainSec Malware Analysis and Development
  
  
• Ben Heater
  Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the VirtualBox Lab
  
  
• Brett Shavers
  • Cross-examination will Go in Raw, Wreck Your Credibility, and Leave You Begging for a Safe Word
  • Are you a DF/IR Expert Witness or Just a Useful Pawn?
  • The way you look at devices will affect what you find on them.
    
    
• Cellebrite
  Release Highlights: Endpoint Inspector Charts a New Course
  
  
• Christopher Eng at Ogmini
  • Zeltser Challenge – First Month Accomplishments
  • CISSP – Domain 1 and 2
  • Belkasoft – Windows Forensics with Belkasoft
  • Starting Belkasoft CTFs
  • CISA IR Training – Preventing Web and Email Server Attacks (IR205)
  • GaslitPad – Release
  • Notepad++ – Documenting Digital Artifacts
    
    
• Claroty
  Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 02/03/25
  
  
• Elan at DFIR Diva
  Free & Affordable Training News Monthly: Dec 2024 – Feb 2025
  
  
• Forensic Focus
  • Magnet Virtual Summit 2025 Starts February 10! Learn More About The Latest In DFIR For Free
  • Partner Spotlight: Exterro
  • Forensic Focus Digest, February 07 2025
    
    
• Hudson Rock
  Hudson Rock’s Cybercrime and Threat Intelligence Researcher, Leonid Rozenberg Shares About Infostealers and Security
  
  
• Jai Minton
  HISAC – High Impact Security Analysis and Communication
  
  
• Magnet Forensics
  Enhancing, not replacing, human expertise with AI
  
  
• OSINT Team
  • Incident Responder: Role, Responsibilities, and Skills for Job
  • Threat Hunting (Passive OSINT)
    
    
• Oxygen Forensics
  What Lies Ahead: 3 solutions for today’s mobile forensics challenges
  

SOFTWARE UPDATES

• Acelab
  New version of the PC-3000 Mobile PRO 2.9.42 has been released
  
  
• Apache
  6 February 2025: Apache Tika Release – Release 2.9.3 – 2/1/2025
  
  
• Cado Security
  What’s New in the Cado Platform: Q3 Recap
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.73
  
  
• Capa
  v9.0.0
  
  
• Cellebrite
  Now Available: Cellebrite Endpoint Inspector SaaS 2.5
  
  
• Datadog Security Labs
  GuardDog v2.4.0
  
  
• Didier Stevens
  Update: strings.py Version 0.0.11
  
  
• Digital Sleuth
  winfor-salt v2025.3.7
  
  
• Erik Hjelmvik at Netresec
  PolarProxy 1.0.1 Released
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.17.1.1 Is Available Now
  
  
• Hasherezade
  hollows_hunter v0.4.0.2
  
  
• kev365
  ToolFetcher (v1.1.0)
  
  
• Matt Kiely
  cazadora
  
  
• OpenCTI
  6.5.1
  
  
• Phil Harvey
  ExifTool 13.18
  
  
• Sigma
  Release r2025-02-03
  
  
• Unpacme
  UnpacMe 8.7.0 – Malicious Python, AI Safety, and Binary Signature Hunting
  
  
• Xways
  X-Ways Forensics 21.4 Beta 5
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!