As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • How Windows Knows Your Files Came from the Internet: Alternate Data Streams (Zone.Identifier)
  • Breaking Down the $LogFile and How to Use LogFileParser
  • Tracking Microphone and Camera Usage in Windows (Program Execution: CompatibilityAccessManager)
  • Windows Registry: A Forensic Goldmine for Installed Applications
  • Tracking Trusted Office Documents: A Key to Investigating Macro-Based Malware
    
    
• Brian Maloney
  OneDrive Microsoft.FileUsageSync.db
  
  
• Christopher Eng at Ogmini
  • Investigating Visual Studio Code – Part 2
  • Expectations vs Reality – Digital Forensic Science Master’s Degree Part 3
  • Homelab Part 3 – Thought Process
  • Release – Windows Notepad Parser v1.0.2
  • KAPE Target – Windows Notepad
  • KAPE Target – Windows Notepad WOOPS
  • Investigating Visual Studio Code – Part 3
    
    
• Cyber Sundae DFIR
  CapabilityAccessManager.db Deep Dive, Part 3
  
  
• Cyber Triage
  WMI Malware: The Complete Forensics Guide
  
  
• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #751: Sunday Funday 2/16/25
  • Daily Blog #752: Windows hello challenge part 3 fingerprints
  • Daily Blog #753: Windows hello challenge part 4
  • Daily Blog #754: Pagefile carving with Page Brute
  • Daily Blog #755: A new blog is born!
  • Daily Blog #756: Forensic test kitchen, using the AWS CloudTrail Downloader v2!
  • Daily Blog #757: Solution Saturday 2/22/25
    
    
• Forensafe
  iOS TextMe
  
  
• Ilya Kobzar
  EC2 IAM role STS credentials compromise via IMDS
  
  
• Invictus Incident Response
  Locked Out, Dropboxed In: When BEC threats innovate
  
  
• Jon Baumann at Ciofeca Forensics
  Never Trust Cookies
  
  
• Joshua Hickman at ‘The Binary Hick’
  Ridin’ With Apple CarPlay 2
  
  
• malwr4n6
  • Apple Intelligence Photo Forensics
  • Browser History Forensics Trick
    
    
• Stephan Berger
  macOS Extended Attributes: Case Study
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Measuring Data Jitter Using RCR
  
  
• Adam at Hexacorn
  • The rapidly changing geopolitics and its inevitable effect on cyber
  • Good Exports are real
    
    
• Apophis
  Harvester APT
  
  
• Francis Guibernau at AttackIQ
  [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
  
  
• Mary Kay Sondecker, Jason Goode, Jesse Lepich, and Michael Leighty at AWS Security
  From log analysis to rule creation: How AWS Network Firewall automates domain-based security for outbound traffic
  
  
• BI.Zone
  Bloody Wolf evolution: new targets, new tools
  
  
• Brad Duncan at Malware Traffic Analysis
  2025-02-18: SmartApeSG script for fake browser update leads to NetSupport RAT and StealC
  
  
• Brian Krebs at ‘Krebs on Security’
  How Phished Data Turns into Apple & Google Wallets
  
  
• CERT-AGID
  • Risolte vulnerabilità nelle librerie .NET per SPID e CIE
  • Sintesi riepilogativa delle campagne malevole nella settimana del 15 – 21 febbraio
    
    
• Chainalysis
  Iranians Flock to Crypto Amidst Geopolitical Tension; International Sanctions Actions Disrupt Russia’s War Machine
  
  
• Check Point
  • 17th February – Threat Intelligence Report
  • Cyber Criminals Using URL Tricks to Deceive Users
    
    
• CISA
  #StopRansomware: Ghost (Cring) Ransomware
  
  
• Cisco’s Talos
  Weathering the storm: In the midst of a Typhoon
  
  
• Adri Andaya at Cofense
  Amazon Phish Hunts for Security Answers and Payment Information
  
  
• Covertshell
  The Growing Threat of Browser Extension Security
  
  
• Cyble
  Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices” Feature for Espionage in Ukraine 
  
  
• Cyfirma
  Weekly Intelligence Report – 20 Feb 2025
  
  
• Cyjax
  • What is the MITRE ATT&CK Framework?
  • New Extortion Ransomware Group ‘Linkc’ Emerges: What You Need to Know
    
    
• Darktrace
  Darktrace Releases Annual 2024 Threat Insights
  
  
• Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  Cloud Snooping Attacks
  
  
• Disconinja
  日本におけるC2サーバ調査(Week 7 2025)
  
  
• Julia Ibinson at DomainTools
  Why RDAP is the Next Big Step in Domain Intelligence
  
  
• Efstratios Lontzetidis
  LummaStealer Campaign: Too much love for software pirates
  
  
• Elastic Security Labs
  Emulating AWS S3 SSE-C Ransom for Threat Detection
  
  
• g0njxa
  The House Always Wins: Exposing Traffer Fake Crypto Casinos
  
  
• Gitlab
  Tech Note – Malicious browser extensions impacting at least 3.2 million users
  
  
• Google Cloud Threat Intelligence
  Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
  
  
• Group-IB
  Fingerprint Heists: How your browser fingerprint can be stolen and used by fraudsters
  
  
• GuidePoint Security
  GRIT’s 2025 Report: Ransomware Group Dynamics and Case Studies
  
  
• Hornet Security
  Monthly Threat Report Februar 2025
  
  
• Patrick Schläpfer at HP Wolf Security
  Reviewing Zero-day Vulnerabilities Exploited in Malware Campaigns in 2024
  
  
• Hudson Rock
  • Infostealing Malware Infections in the U.S. Military & Defense Sector: A Cybersecurity Disaster in the Making
  • Hudson Rock Drops BlackBastaGPT: Built from 1M Internal Messages Leaked from Black Basta Ransomware Group
    
    
• Hunt IO
  • Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users
  • LightSpy Expands Command List to Include Social Media Platforms
    
    
• Bob Hansmann at Infoblox
  The Many Faces of DNS Abuse: How Threat Actors Exploit the Domain Name System
  
  
• InfoSec Write-ups
  • Windows Internals — Alternate Data Streams
  • Enhance your Incident Investigation and Response capabilities with Palo Alto Cortex XDR
  • Setting up Malware Analysis Lab — Part 1
    
    
• Intel 471
  Threat hunting case study: SocGholish
  
  
• Jeffrey Appel
  How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow
  
  
• Yuma Masubuchi at JPCERT/CC
  SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability
  
  
• K7 Labs
  • LDAPNightmare Spoof Stealer
  • Exposing the Deceit: Phishing Sites Impersonating Government Entities
    
    
• Kaido Järvemets
  Simple MFA Tracker for Microsoft Sentinel
  
  
• Kostas
  Fake reCAPTCHA Phishing: When Good Intentions Go Wrong
  
  
• Lina Lau at Inversecos
  An inside look at NSA (Equation Group) TTPs from China’s lense
  
  
• Digit Oktavianto at MII Cyber Security
  Data Engineering, Detection Engineering, and SecDataOps : Where the Magic (and Mayhem) Happens!
  
  
• Natto Thoughts
  The Pangu Team—iOS Jailbreak and Vulnerability Research Giant: A Member of i-SOON’s Exploit-Sharing Network
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 048. Detecting Kimsuky Dropbox Abuse
  • 049. Here’s How Mustang Panda Evades AV and How to Detect It
  • 050. Detecting Dirty Wolf’s Tunneling Tool
  • 051. Bloody Wolf’s Techniques From Detection Perspective
  • 052. Detecting Poseidon Stealer’s Anti-Analysis Techniques
  • 053. Detecting Dead Drop Resolver (DDR) Technique
    
    
• Marine Pichon and Alexis Bonnefoi at Orange Cyberdefense
  Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
  
  
• Proofpoint
  • An Update on Fake Updates: Two New Actors, and New Mac Malware
  • Proofpoint Research: 2024 Account Takeover Statistics
    
    
• Red Alert
  Monthly Threat Actor Group Intelligence Report, December 2024 (ENG)
  
  
• Red Canary
  Intelligence Insights: February 2025
  
  
• Pietro Melillo at Red Hot Cyber
  Linkc Ransomware: The New Cybercriminal Group Targeting Artificial Intelligence Data
  
  
• Jim Wilson at ReliaQuest
  Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
  
  
• Rick Martin
  New NailaoLocker ransomware used against EU healthcare orgs
  
  
• SANS Internet Storm Center
  • ModelScan – Protection Against Model Serialization Attacks, (Mon, Feb 17th)
  • My Very Personal Guidance and Strategies to Protect Network Edge Devices, (Thu, Feb 6th)
  • XWorm Cocktail: A Mix of PE data with PowerShell Code, (Wed, Feb 19th)
  • https://SecTemplates.com – simplified, free open-source templates to enable engineering and smaller security teams to bootstrap security capabilities for their organizations, (Tue, Feb 18th)
  • Using ES|QL in Kibana to Queries DShield Honeypot Logs, (Thu, Feb 20th)
  • Tool update: sigs.py – added check mode, (Fri, Feb 21st)
    
    
• Sekoia
  Cyber threats impacting the financial sector in 2024 – focus on the main actors
  
  
• Silent Push
  Lumma Stealer Malware Thrives as Silent Push Uncovers Unique Patterns in the Infostealer’s Domain Clusters
  
  
• SOCRadar
  • A New Wave of Ransomware Campaigns Targeting Microsoft Teams
  • EagerBee: Advanced Backdoor Attacks on Middle Eastern Governments and ISPs
  • Chinese APT Exploits Cisco IOS XE Vulnerabilities (CVE-2023-20198 & CVE-2023-20273) in Global Attacks
  • Black Basta’s Internal Chats Leak: Everything You Need to Know
  • Top 10 Best Free Cyber Threat Intelligence Sources and Tools in 2025
    
    
• Alexander DeMine at SpecterOps
  Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops
  
  
• Brandon Webster at Sublime Security
  Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits
  
  
• Matt Morrow at Sucuri
  When Spam Hides In Plain Sight
  
  
• Symantec Enterprise
  Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience
  
  
• System Weakness
  • [HTB Sherlocks Write-up] Detroit becomes Human
  • [HackTheBox Sherlocks Write-up] OpTinselTrace24–1: Sneaky Cookies
  • Review — CyberWarFare Labs : Cyber Defence Analyst [CCDA] Certification
  • [HTB Sherlocks Write-up] OPTinselTrace24–4: Neural Noel
  • [HTB Sherlocks Write-up] OPTinselTrace24–3: Blizzard Breakdown
  • Analyzing iOS Files
    
    
• Taz Wake
  Linux investigations – USB devices and keyboard layouts.
  
  
• THOR Collective Dispatch
  • A DEATHCON Thrunting Workshop Overview Part 4: Baseline Hunting
  • Stop Chasing Ghosts: How Five-Number Summaries Reveal Real Anomalies
    
    
• Alex Ball at TrustedSec
  Exploring NTDS.dit – Part 1: Cracking the Surface with DIT Explorer
  
  
• Trustwave SpiderLabs
  • The Rise of Email Marketing Platforms for Business Email Compromise Attacks
  • Three Years of Cyber Warfare: How Digital Attacks Have Shaped the Russia-Ukraine War
    
    
• Valery Rieß-Marchive
  Did Akira poach affiliates from Black Basta?
  
  
• Matěj Harvánek at WeLiveSecurity
  DeceptiveDevelopment targets freelance developers
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-02-24 #livestream #infosec #infosecnews
  
  
• Cyacomb Forensics
  • Streamline Workflow and Prosecute Faster with New Cyacomb Contraband Export
  • Accelerate Frontline CT and CSAM Investigations: Employing Fast, Simple, Thorough Digital Triage Tools Successfully
    
    
• Magnet Forensics
  • Preserving your iOS extractions with Magnet Graykey and Graykey Preserve
  • Overcoming mobile forensics challenges in workplace investigations
    
    
• Recorded Future
  2024 Annual Threat Landscape
  
  
• SANS
  Two Decades of Defending ICS: The SANS ICS Summit 20th Anniversary!
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  A Deep Dive into DeepSeek and the Risks of Foreign LLMs
  
  
• Black Hat
  • Living off Microsoft Copilot
  • MaLDAPtive: Diving Deep Into LDAP Obfuscation, Deobfuscation & Detection
  • Locked Down but Not Out: Fighting the Hidden War in Your Bootloader
  • Moral Hazards and Ethical Considerations in Cyber-Insurance
    
    
• Black Hills Information Security
  • REKAST – Talkin’ Bout [infosec] News 2025-02-10 #infosecnews #cybersecurity #podcast #podcastclips
  • REKAST – Talkin’ Bout [infosec] News 2025-02-17 #infosecnews #cybersecurity #podcast #podcastclips
    
    
• BrakeSec Education Podcast
  steam distributes malware in game form, RDP open from DOGE servers, hacking a supply chain for 50K
  
  
• Breaking Badness
  Breaking Badness 200: Cybersecurity’s Evolution, 200 Puns Later!
  
  
• Cellebrite
  Tip Tuesday: Images Split View
  
  
• Cloud Security Podcast by Google
  EP211 Decoding the Underground: Google’s Dual-Lens Threat Intelligence Magic
  
  
• Cyberwox
  Computer Networking & Cybersecurity Fundamentals using Wireshark (Mini-Course)
  
  
• Huntress
  Active Scam Stopped in Real-Time! | Huntress Managed EDR Saves the Day
  
  
• InfoSec_Bret
  Challenge – Obfuscated HTA
  
  
• John Hammond
  • stop falling for this (disable Win+R run dialog)
  • Learn Data Recovery Forensics!
  • but is it malware?
  • Chat with Microsoft about NEW Scareware Blocker
    
    
• John Hubbard at ‘The Blueprint podcast’
  SOC Dashboards Done Right with Ryan Thompson
  
  
• Jumpsec Labs
  Please Mind the CAP – Modern Conditional Access Policy circumvention and what it means for your organisation (webinar recording)
  
  
• Magnet Forensics
  • Cyber Unpacked S1:E5 // Forensics in the Cloud: Risks, rewards, and realities for businesses
  • AI-powered media investigation in Magnet Griffeye: Get to the vital evidence faster
    
    
• Microsoft Threat Intelligence Podcast
  A Blizzard Is Impacting NATO and Ukraine – The Latest on Russian Cyber Threats
  
  
• MSAB
  • XAMN Pro – Exclude Filter Explored
  • Samir Datt
    
    
• MyDFIR
  • CyberDefenders SOC Analyst Lab – Memory Analysis (Ramnit)
  • A Scandal in Valdoria | KC7 Cyber | Section 3
    
    
• The Cyber Mentor
  Blue Team Tools Every SOC Analyst Needs
  
  
• The Defender’s Advantage Podcast
  Signals of Trouble
  
  
• Yaniv Hoffman
  How Mexican Cartels Built a Secret Phone Network
  

MALWARE

• Alexander Sevtsov
  How to Deal with Obfuscated PowerShell Scripts using Script Block Logging
  
  
• Any.Run
  Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency
  
  
• Apophis
  Malicious PowerShell Analysis
  
  
• ASEC
  • Trends Report on Phishing Emails in January 2025
  • January 2025 Infostealer Trend Report
  • ACRStealer Infostealer Exploiting Google Docs as C2
  • Rhadamanthys Infostealer Being Distributed Through MSC Extension
  • LummaC2 Malware Distributed Disguised as Total Commander Crack
    
    
• Cryptax
  Communication with a Prometei C2 — Part Three
  
  
• cyber.wtf
  Unpacking Pyarmor v8+ scripts
  
  
• Esentire
  Fake DeepSeek Site Infects Mac Users with Poseidon Stealer
  
  
• Kevin Su at Fortinet
  FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant
  
  
• Asher Langton at Juniper Networks
  Invisible obfuscation technique used in PAC attack
  
  
• Christopher Lopez at Kandji
  DPRK DriverEasy & ChromeUpdate Deep Dive
  
  
• Malwarebytes
  • Macs targeted by info stealers in new era of cyberthreats
  • SecTopRAT bundled in Chrome installer distributed via Google Ads
    
    
• Robert Falcone at Palo Alto Networks
  Stately Taurus Activity in Southeast Asia Links to Bookworm Malware
  
  
• Securelist
  • StaryDobry ruins New Year’s Eve, delivering miner instead of presents
  • Angry Likho: Old beasts in a new forest
    
    
• Trend Micro
  • Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection
  • Updated Shadowpad Malware Leads to Ransomware Deployment
    
    
• Unpacme
  Malware Trends: Yearly 2024
  

MISCELLANEOUS

• Calum Hall at Cado Security
  Top Free and Open-Source Forensics Tools
  
  
• Danny Zendejas
  Cybersecurity Career Paths Recap
  
  
• DFIR Dominican
  • DFIR Jobs Update – 02/17/25
  • How To Break Into DFIR (Part 2 of 5) – Windows Forensics
    
    
• Forensic Focus
  • Enhancing Investigative Capabilities: MD-VIDEO AI Introduces Advanced Face Search And Restoration Features
  • Hot On The Digital Trail: How Law Enforcement Teams Can Use Detego To Build Stronger Cases Faster
  • Techno Security & Digital Forensics Conference East 2025
  • Magnet Forensics Strengthens Federal Commitment With Launch Of FedRAMP Authorization
  • Exterro Disrupts The Status Quo For Mobile Device Investigations
  • Introducing Oxygen Remote Explorer Version 1.7.1 – Available Now
  • Advanced Detection Tools From Amped Software Aim To Combat AI-Generated CSAM And Protect Children
  • Digital Forensics Round-Up, February 19 2025
  • Forensic Focus Digest, February 21 2025
  • Why DFIR Employers Must Prioritize Well-Being In Digital Forensics Now
    
    
• Google Cloud Security Community
  The SOC Metrics that Matter…or Do They?
  
  
• Lesley Carhart
  • A Very Personal Interview with SecurityWeek Magazine
  • On Cybersecurity Mentorship
  • Podcast: Expanding Frontiers Research
    
    
• Magnet Forensics
  • Highlights from Magnet Virtual Summit 2025 
  • Introducing Advanced Mobile Data Analysis (AX400), a new mobile forensics training course
  • AI Unpacked with Brandon Epstein: new webinar series explores the latest in artificial intelligence and DFIR
  • Why human expertise is key in AI-driven digital forensics
    
    
• Nicolas Bareil at ‘Just Another Geek’
  QEMU is so underrated
  
  
• Oxygen Forensics
  State of the Art Mobile Forensics
  
  
• Robert Fried
  Forensic Data Collections 2.0
  
  
• Salvation DATA
  How to Recover Deleted Files: Expert Guide for Professionals
  
  
• SANS
  Why You Should Enroll in SEC488: Cloud Security Essentials
  
  
• Sectemplates
  Announcing the Incident Response Program Pack v1.5
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.120!
  

SOFTWARE UPDATES

• ADF Solutions
  Version 6.0 Press Release
  
  
• Alexis Brignoni
  • iLEAPP v2.1.0
  • ALEAPP v3.3.0
    
    
• Arsenal Consulting
  Arsenal Image Mounter Changelog – v3.11.303
  
  
• Binalyze
  Faster BEC Investigations: Streamlining Cloud Evidence Collection
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.76
  
  
• Digital Sleuth
  winfor-salt v2025.3.11
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.22.0
  
  
• IntelOwl
  v6.3.1
  
  
• MALCAT
  0.9.9 is out: Offline Kesakode, python 3.13 & UI
  
  
• Microsoft
  msticpy – Cyberint TI provider and Prisma Cloud (Palo Alto) Data provider
  
  
• Mohammed Hassan
  LogonSessionAuditor
  
  
• Obsidian Forensics
  unfurl v2025.02
  
  
• OpenCTI
  6.5.2
  
  
• Passmark Software
  OSForensics – V11.1 build 1002 18th February 2025
  
  
• Phil Harvey
  ExifTool 13.21
  
  
• Ryan Benson at dfir.blog
  Unfurl v2025.02 Released
  
  
• Xways
  X-Ways Forensics 21.4 v21.4
  
  
• Yamato Security
  Hayabusa v3.1.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!