As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Abdulrehman Ali
  - Mustang Panda APT Adversary Simulation
- Akash Patel
  - Running Plaso/Log2Timeline on Windows
  - Mastering Timeline Analysis: A Practical Guide for Digital Forensics: (Log2timeline)
  - Forensic Analysis of Universal Windows Platform (UWP) Applications
  - (USB Forensic) USB Device Identifiers and Forensic Insights: iSerialNumber, SCSI Serial Numbers…
  - Making Sense of SRUM Data with SRUM_DUMP Tool
  - A Deep Dive into Windows Search Database Parsing (WinSearchDBAnalyzer / SQLite / SIDR)
  - Google Workspace Email Collection: Data Extraction, eDiscovery, and Audit Logging
- Andro6
  - Magnet CTF 2025 Writeups
- Christopher Eng at Ogmini
  - Magnet Virtual Summit 2025 CTF – AAR “The SPIRITs are among us”
  - Magnet Virtual Summit 2025 CTF – AAR “A Shadow of the Real Thing”
  - Magnet Virtual Summit 2025 CTF – AAR “Out of the Ordinary”
  - Magnet Virtual Summit 2025 CTF – AAR “Dead Portrait Society”
  - Magnet Virtual Summit 2025 CTF – AAR “DAdataTA”
  - Magnet Virtual Summit 2025 CTF – AAR “YOU Watch a Lot of space Videos”
  - Magnet Virtual Summit 2025 CTF – AAR “ICONic green bubbles”
  - Challenges in digital forensics investigations into modern mobile devices running iOS and Android
- Chris Ray at Cyber Triage
  - MUICache: 2025 Guide for IT and Investigators
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  - Daily Blog #758: Sunday Funday 2/23/25
  - Daily Blog #759: Forensic Lunch Test Kitchen with Claude 3.7 and Cursor!
  - Daily Blog #760: Forensic Lunch Test Kitchen adding role based discovery to our cloudtrail discovery tool
  - Daily Blog #761: Forensic Test Kitchen with more Claude 3.7!
  - Daily Blog #762: Forensic Test Kitchen with Cursor Rules
  - Daily Blog #763: Forensic Test Kitchen trying Chat GPT 4.5!
  - Daily Blog #764: Solution Saturday 3/1/25
- Doug Metz at Baker Street Forensics
- Elcomsoft
- Forensafe
  - Android Proton Mail
- Forensic Science International: Digital Investigation
  - Forensic Science International: Digital Investigation – Volume 52
- Iram Jack
- Doriane P. & Albert E. at Lexfo
  - The business of forged documents: Investigation into a complex network
- SJDC
  - What’s your Recommendation? iOS Recommendation_v9.sqlite
- The DFIR Report
  - Confluence Exploit Leads to LockBit Ransomware
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Adam Goss
  - The History of Cyber Threat Intelligence: Quick Fire Guide
- Ori David at Akamai
  - Abusing VBS Enclaves to Create Evasive Malware
- Arctic Wolf
- ASEC
  - Phishing Email Attacks by the Larva-24005 Group Targeting Japan
- Francis Guibernau at AttackIQ
  - Emulating the Deceptive Akira Ransomware
- Barracuda
  - Medusa ransomware and its cybercrime ecosystem
- Mehmet Ergene at Blu Raven Academy
  - Advanced KQL for Threat Hunting: Window Functions — Part 2
- Brian Krebs at ‘Krebs on Security’
- Nathan Richards at Bridewell
  - Who are Hellcat Ransomware Group?
- BushidoToken
  - BlackBasta Leaks: Lessons from the Ascension Health attack
- Cado Security
- CatchingPhish
  - Intune or Outplayed?
- CERT Ukraine
- CERT-AGID
- Chainalysis
  - The Chainalysis 2025 Crypto Crime Report Preview (Part 1): Podcast Ep. 151
- Check Point
  - The Bybit Incident: When Research Meets Reality
  - Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
  - 24th February – Threat Intelligence Report
  - Threat Alert: Sophisticated Botnet Targeting Microsoft 365 with Advanced Authentication Bypass Techniques
  - How an Attacker Drained $50M from a DeFi Protocol Through Role Escalation
  - Modern Approach to Attributing Hacktivist Groups
  - Cyber Criminals Using URL Tricks to Deceive Users
- Cisco’s Talos
- Cofense
- Confiant
  - If It Bleeds It Leads: Gory Celebrity Images Drive Investment Scams
- CrowdStrike
  - CrowdStrike 2025 Global Threat Report: Beware the Enterprising Adversary
- Cyber Geeks
  - Russian campaign targeting Romanian WhatsApp numbers
- Cybereason
  - Deceptive Signatures: Advanced Techniques in BEC Attacks
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 28 Feb 2025
- Cyjax
- Darktrace
- Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  - Threat Hunting for Cloud Attacks
- Detect FYI
- Disconinja
  - C2 Server Investigation in Japan (Week 8 2025)
- DomainTools
  - Guess who's back, back again? DTI’s back, tell a friend!
- Dragos
  - 2025 OT/ICS Cybersecurity Report: A Year in Review
- Elastic Security Labs
  - Linux Detection Engineering – The Grand Finale on Linux Persistence
- Abdallah Elnoty
  - DNS Tunneling
- eSentire
- Amit Assaraf at ExtensionTotal
  - A Wolf in Dark Mode: The Malicious VS Code Theme That Fooled Millions
- Google Cloud Security Community
- Google Cloud Threat Intelligence
  - Phishing Campaigns Targeting Higher Education Institutions
- GreyNoise
  - GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks
  - GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
  - GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?
  - New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran
- HackTheBox
  - How to use SmartScreen logs to find evidence of execution and user activity analysis
- Hunt IO
  - Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure
- Hurricane Labs
  - The Salt Typhoon Cyber Attack: A Wake Up Call?
- Infoblox
- Intel 471
- Intrinsec
  - Doppelgänger: New disinformation campaigns spreading on social media through Russian networks
- IronPeak
  - Caldera: Pimp My TTPs
- Jamf
  - Event analysis with Jamf telemetry
- KELA Cyber Threat Intelligence
- Kraven Security
  - The History of Cyber Threat Intelligence: Quick Fire Guide
- Kroll
- Maverits
  - Drain, baby, drain! Drainers speculate on Trump crypto
- Maxim Suhanov
  - Symlink attacks without code execution
- Robert Derby at Netscout
  - What Happened Before the Breach?
- Oleg Skulkin at ‘Know Your Adversary’
  - 054. Detecting CypherIT Crypter Behaviors
  - 055. Detecting Sticky Werewolf’s Forced Authentication Abuse
  - 056. PebbleDash: Detection Opportunities
  - 057. Detecting NetExec
  - 058. Hunting for Ghostwriter
  - 059. Threat Actors Abuse FTP to Execute Scripts
  - 060. Detecting System Registry Abuse for Installing Sagerunex Backdoor as a Service
- OSINT Team
  - STIX/TAXII: A Full Guide to Standardized Threat Intelligence Sharing
- Outpost24
  - Threat Context monthly: Executive intelligence briefing for February 2025 – Black Basta & M_A_G_A
- Palo Alto Networks
  - Auto-Color: An Emerging and Evasive Linux Backdoor
  - 2025 Unit 42 Incident Response Report — Attacks Shift to Disruption
  - RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector
  - Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations
  - JavaGhost’s Persistent Phishing Attacks From the Cloud
- Alexey Lukash at Positive Technologies
  - Cyberattacks on Egypt’s infrastructure in 2024
- Pulsedive
  - Compromised Browser Extensions – A Growing Threat Vector
- Qi’anxin X Lab
- Saeed Abbasi at Qualys
  - Defense Lessons From the Black Basta Ransomware Playbook
- Recorded Future
  - 2024 Malicious Infrastructure Report
- Red Alert
- ReliaQuest
  - From Data to Defense: Insights from ReliaQuest’s 2025 Annual Threat Report
- Resecurity
- SANS Internet Storm Center
  - Wireshark 4.4.4 Released, (Sun, Feb 23rd)
  - Unfurl v2025.02 released, (Mon, Feb 24th)
  - [Guest Diary] Malware Source Servers: The Threat of Attackers Using Ephemeral Ports as Service Ports to Upload Data, (Wed, Feb 26th)
  - Njrat Campaign Using Microsoft Dev Tunnels, (Thu, Feb 27th)
  - Wireshark 4.4.5 Released, (Sun, Mar 2nd)
- Securelist
- Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – January 2025
- Sekoia
  - PolarEdge: Unveiling an uncovered ORB network
- Simone Kraus
- Socket
- SOCRadar
  - Seraph Stealer Malware Hits the Market, Black Basta’s Internal Chaos, New Data Leak Claims
- Rod Soto at Splunk
  - Infostealer Campaign against ISPs
- Stephan Berger
  - Today I Learned – Protected Symlinks
- Brandon Murphy at Sublime Security
  - Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics
- System Weakness
  - Living off the Land (LOTL) attacks: How North Korea’s Lazarus Group Hackers Exploited Windows
- THOR Collective Dispatch
- Caroline Fenstermacher at TrustedSec
  - A Threat Hunter’s Guide to Decoding the Cloud
- Trustwave SpiderLabs
- Lucie Cardiet at Vectra AI
  - Ghost Ransomware: Striking Before You Even Know It’s There by Lucie Cardiet
- Joshua Platt at Walmart
  - Agent AI, Basta Parser Extraordinaire
- Solar 4RAYS Blog
  - Erudite Mogwai uses a custom Stowaway for covert lateral movement within the network
UPCOMING EVENTS
- Black Hills Information Security
- Cyber 5W
  - Security Operations Center (SOC) & Threat Detection
- DFRWS
  - Register Now to Join DFRWS-EU in Brno in April!
- Gerald Auger at Simply Cyber
  - SOC Challenges, Trends, and Community Wisdom with Reanna Schultz | S2 E8 Simply Defensive
- Magnet Forensics
  - Customer story: driving efficiency with SaaS-based forensics in Magnet Nexus
PRESENTATIONS/PODCASTS
- Vitaliy Mokosiy
  - Atola TaskForce 2
- Adversary Universe Podcast
  - China’s Cyber Enterprise Grows: CrowdStrike 2025 Global Threat Report
- Ali Hadi
  - ShadowMe #4 (HAL) – UNALLOCATED Space Investigation
- Black Hat
- Black Hills Information Security
  - REKAST – Talkin’ Bout [infosec] News 2025-03-24 #infosecnews #cybersecurity #podcast #podcastclips
- Breaking Badness
  - S3 Takeovers, DeepSeek Deceptions & the Cloud’s Dirty Laundry
- Cellebrite
- Clint Marsden at the TLP – Digital Forensics Podcast
- Cyber Social Hub
  - Finding a Picture Location – GPS NOT REQUIRED!
- Cyberwox
  - The Cybersecurity Bootcamp Industry & Level Effect w/ Anthony Bendas | Cyber Stories Podcast EP 23
- DFIR Insights
  - Investigation goals in DFIR reports
- Grzegorz Tworek
  - Stealing a password from impersonating process
- John Hammond
  - Can you handle a cyber attack? TryHackMe SOC Simulator
- John Hubbard at SecHubb
  - How to Turn On Advanced Data Protection for iPhone – Keep Your iCloud Data Secure!
- Magnet Forensics
- Matthew Plascencia
  - iOS Challenges Video writeup | MVS Capture the Flag (CTF) 2025 #iOS #digitalforensics
- Mostafa Yahia
  - Threat Hunting workflow – in Arabic
- MSAB
  - Automated document creation in Frontline
- MyDFIR
- Richard Davis at 13Cubed
  - RADAR Contact! An Obscure Evidence of Execution Artifact
- Sandfly Security
  - SSH Lateral Movement Risks on Linux Webinar and White Paper
- SANS
- SANS Cloud Security
  - The Cloud Won’t Save You from Ransomware Here’s What Will | SANS Cloud Security Webcast
- The Defender’s Advantage Podcast
  - What to Watch For in 2025
- The Microsoft Security Insights Show
  - The Microsoft Security Insights Show Episode 248 – The Just Us Crew minus Rod.
- Three Buddy Problem
MALWARE
- Any.Run
  - Malware Traffic Analysis in Linux: Hands-on Guide with Examples
- Dr Josh Stroschein
  - 00 – Following the Trail from an RTF Doc to AgentTesla – Analysis Objectives and the Sample
  - 01 – Initial File Triage and Shellcode Identification
  - 02 – Identifying Shellcode Entry Point and Analyzing Common Shellcode Techniques
  - 03 – Identifying Use of Auto-IT Scripts, More Shellcode and Some Encryption
  - 04 – Uncovering the Final Stage Payload and Identifying the Malware Family (it’s AgentTesla)
- InfoSec Write-ups
- Suresh Reddy at K7 Labs
  - LCRYX Ransomware: How a VB Ransomware Locks Your System
- Kaspersky Lab
  - Malicious code in fake GitHub repositories | Kaspersky official blog
- Sakshi Jaiswal at McAfee Labs
  - The Dark Side of Clickbait: How Fake Video Links Deliver Malware
- Security Onion
  - Quick Malware Analysis: SMARTAPESG / NETSUPPORT RAT / STEALC pcap from 2025-02-18
- Tom Hegel at SentinelOne
  - Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
- Kayleigh Martin at Sucuri
  - Fake WordPress Plugin Impacts SEO by Injecting Casino Spam
- Zhassulan Zhussupov
- Rohit Hegde and Yesenia Barajas at Zscaler
  - DeepSeek Lure Using CAPTCHAs To Spread Malware
- Padvish Malware Threat Database
  - Trojan.Android.SmsSpy.DET
- Amnesty International Security Lab
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (3/1/2025)
- Patrick Siewert at ‘The Philosophy of DFIR’
  - Dabblers v. Professionals
MISCELLANEOUS
- Hexordia
- Antonio Formato
  - Integrating urlDNA with Microsoft Sentinel
- Any.Run
  - Learn to Analyze Real-World Cyber Threats with Security Training Lab
- Binalyze
  - Making Sense of Response Automation: Balancing Cyber Response and Investigation
- Tibor Luter at Black Cell
  - 8 Essential Network Traffic Analysis Tools
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 02/24/25
- Forensic Focus
- Dwayne McDaniel at GitGuardian
  - Threat Intelligence and AI Research In Austin: IntelliC0N 2025
- Sara Cardoso at Jumpsec Labs
  - Ranking MFA Methods – From Least to Most Secure
- Lesley Carhart
- Magnet Forensics
- Husam Shbib at Memory Forensic
  - My Review on 13Cubed Investigating Windows Memory Course
- MOBILedit
  - MOBILedit Online Store is Back!
- Oxygen Forensics
- r-tec
  - Bypass AMSI in 2025
SOFTWARE UPDATES
- Adam at Hexacorn
  - DeXRAY v2.35
- Airbus Cybersecurity
  - IRIS-Web v2.5.0-beta.1
- Digital Sleuth
  - winfor-salt v2025.3.15
- Khaled Allam
  - Mac Triage
- Lethal Forensics
  - Microsoft-Analyzer-Suite v1.4.0
- Magnet Forensics
  - Magnet Griffeye enhances evidence unlocking and media analysis with T3K.AI CORE and Magnet Verify
- MISP
  - MISP v2.4.205 and v2.5.7 Released – Enhancements, Fixes, and Improved Correlation Management
- OpenCTI
  - 6.5.3
- Passmark Software
  - OSForensics – V11.1 build 1003 28th February 2025
- Paul Navarro
  - HAWK 4.0
- Phil Harvey
  - ExifTool 13.22
- Rapid7
  - Velociraptor Release 0.74
- Sandfly Security
  - Sandfly 5.3.1 – New License Tiers and SELinux Support
- Thiago Canozzo Lahr
  - uac-3.1.0-rc1
- X-Ways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!