As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
- Christopher Eng at Ogmini
  - Wide World of DFIR
  - Magnet Virtual Summit 2025 CTF – AAR “Pigs in a Blanket”
  - Magnet Virtual Summit 2025 CTF – AAR “Dressing, with a dash, of 17 spices”
  - Magnet Virtual Summit 2025 CTF – AAR “Capital Offense”
  - Magnet Virtual Summit 2025 CTF – AAR “100X Scale”
  - Windows Notepad – Rewrite / AI Part 2
  - Magnet Virtual Summit 2025 CTF – AAR “Hidden Spirits”
- Chris Ray at Cyber Triage
  - How to Investigate RunMRU 2025
- Damien Attoe
  - The Duck Hunters Guide – Blog #4 – DuckDuckGo Closed Tab Information (Android)
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  - Daily Blog #772: Sunday Funday 3/9/25
  - Daily Blog #773: Sandpiper Trade Secrets and Cyber Dallas 2025
  - Daily Blog #774: Forensic Lunch Test Kitchen 3/11/25
  - Daily Blog #775: An Azure log entry to look for when a threat actor is in
  - Daily Blog #776: Forensic Lunch Test Kitchen 3/13/25
  - Daily Blog #777: Forensic Lunch Test Kitchen 3/14/25
  - Daily Blog #778: Solution Saturday 3/15/25
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Sign Here
- Oleg Afonin at Elcomsoft
  - Forensic Implications of Apple’s “Stolen Device Protection”
- Forensafe
  - Android Garmin Connect
- Kevin Pagano at Hexordia
- Itochu Cyber & Intelligence
  - Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
- Justin De Luna at ‘The DFIR Spot’
  - AnyDesk – Investigating Threat Actors Favorite Tool
- malwr4n6
  - Mac Evaluation Tool for macOS DFIR
- The DFIR Journal
  - SharePoint Sync: Productivity Turned Data Exfiltration
THREAT INTELLIGENCE/HUNTING
- Abuse ch
  - Introducing: abuse.ch Hunting Platform
- Adam Goss
  - Top 5 Challenges of Building a CTI Team (+ How to Overcome)
- Assaf Morag at Aqua
  - Stopping Sobolan Malware with Aqua Runtime Protection
- Arctic Wolf
  - INDOHAXSEC – Emerging Indonesian Hacking Collective
- ASEC
- Ayelen Torello at AttackIQ
  - Response to CISA Advisory (AA25-071A): #StopRansomware: Medusa Ransomware
- Ben Folland
  - Compromising Threat Actor Communications
- BI.Zone
  - Squid Werewolf cyber spies masquerade as recruiters
- BI.Zone
  - Squid Werewolf cyber spies masquerade as recruiters
- Jade Brown at Bitdefender
  - Bitdefender Threat Debrief
- Mehmet Ergene at Blu Raven Academy
  - C2 Beaconing Detection with MDE Aggregated Report Telemetry
- Brad Duncan at Malware Traffic Analysis
  - 2025-03-03: Three days of scans and probes and web traffic hitting my web server
- Brian Krebs at ‘Krebs on Security’
- Tara Gould at Cado Security
  - Exposed Jupyter Notebooks Targeted to Deliver Cryptominer
- Jeffrey Bellny at CatchingPhish
  - Fake CAPTCHA but make it Email
- CERT-AGID
- Chainalysis
  - International Action Dismantles Notorious Russian Crypto Exchange Garantex
- Check Point
  - 10th March – Threat Intelligence Report
  - Blind Eagle: …And Justice for All
  - Dark Storm Team Claims Responsibility for Cyber Attack on X Platform – What It Means for the Future of Digital Security
  - February 2025’s Malware Spotlight: AsyncRAT Emerges, Targeting Trusted Platforms
  - SideWinder Cyber-Espionage Campaign Targets Key Sectors Across Asia and Africa
  - “ClickFix” Phishing Impersonation Campaign Targets Hospitality Sector
- CISA
  - #StopRansomware: Medusa Ransomware
- Omid Mirzaei at Cisco’s Talos
  - Abusing with style: Leveraging cascading style sheets for evasion and tracking
- Cofense
- CQURE Academy
- Critical Start
  - H2 2024 Cyber Threat Intelligence Report: Key Takeaways for Security Leaders
- Vasilis Orlof at Cyber Intelligence Insights
  - Host long and prosper🖖
- Cybereason
  - Cracking the Code: How to Identify, Mitigate, and Prevent BIN Attacks
- Cyble
  - NCSC Reports Surge in Cyber Security Incidents with Financial Losses in Q4 2024
- Cyfirma
  - Weekly Intelligence Report – 14 Mar 2025
- Cyjax
  - The Future of Threat Intelligence: Trends, Tools, and Tactics To Watch
- Darktrace
  - Darktrace’s Detection of State-Linked ShadowPad Malware
- David Trigano and Alex Kozodoy at Deep Instinct
  - The Rise of AI-Driven Cyber Attacks: How LLMs Are Reshaping the Threat Landscape
- Detect FYI
- Disconinja
- Arda Büyükkaya at EclecticIQ
  - Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices
- Eclypsium
  - Silk Typhoon Targeting IT Supply Chains and Network Devices, Microsoft Reports
- Justin Higdon at Elastic
  - Hunting with Elastic Security: Detecting covert data exfiltration
- Elastic Security Labs
  - AWS SNS Abuse: Data Exfiltration and Phishing
- Eric Capuano
  - Introduction to YARA
- Falco
- Forescout
- Jenna Wang at Fortinet
  - Fortinet Identifies Malicious Packages in the Wild: Insights and Trends from November 2024 Onward
- Google Cloud Security Community
  - New To Google SecOps: It’s All Relative (in Dashboards)
- Lukasz Lamparski, Punsaen Boonyakarn, Shawn Chew, Frank Tse, Jakub Jozwiak, Mathew Potaczek, Logeswaran Nadarajan, Nick Harbour, and Mustafa Nasser at Google Cloud Threat Intelligence
  - Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
- GreyNoise
- Group-IB
- Hunt IO
  - JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure
- Anton Ovrutsky, Dray Agha, and Josh Allman at Huntress
  - Untold Tales from Tactical Response | Huntress
- InfoSec Write-ups
- Intel 471
  - Zservers: Bulletproof hosting for online crime
- Josh “Soup” Campbell at Sublime Security
  - Seeing both sides of a service abuse financial fraud using YOPmail disposable messages
- Lili Lin at Jumpsec Labs
  - The Anatomy of a Phishing Investigation: How Attackers Exploit Health-Related Fears
- KELA Cyber Threat Intelligence
  - Could The Belsen Group Be Associated With ZeroSevenGroup?
- Kevin Beaumont at DoublePulsar
  - No, there isn’t a world ending Apache Camel vulnerability
- Michalis Michalos
  - Effective strategies for fighting redirectors with UrlClickEvents, UrlChain, & DeviceNetworkEvents
- Adithya Vellal at Petra Security
  - Tracing an AitM Attack: From Lure to Lockout
- Microsoft Security
- Nextron Systems
  - Patching is Not Enough: Why You Must Search for Hidden Intrusions
- Nikhil Gupta
  - Process Herpaderping — The Road Less Travelled
- Oleg Skulkin at ‘Know Your Adversary’
  - 068. Detecting RMMs from Ransomware Affiliate’s Toolkit: MeshAgent
  - 069. Hunting for Suspicious URL Files
  - 070. Can an Adversary Abuse IoT to Deploy Ransomware?
  - 071. Squid Werewolf (APT37): Detection Opportunities
  - 072. Here’s How Adversaries Abuse PowerShell to Steal Authentication Material
  - 073. Detecting RMMs from Ransomware Affiliate’s Toolkit: FleetDeck
  - 074. Detecting Ransomware Affiliate’s Toolkit: Cloudflared
- OSINT Team
- Palo Alto Networks
- Nathan Eades at Permiso
  - Understanding Elevate Access mechanism, its implementation, and logs where activities are recorded
- Positive Technologies
  - Positive Technologies Study Reveals Successful Cyberattacks Nett 5X Profits
- Proofpoint
  - Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, January 2025 (ENG)
- Pietro Melillo at Red Hot Cyber
- ReliaQuest
  - Threat Landscape Report: Uncovering Critical Cyber Threats to Hospitality and Recreation
- S-RM
  - Cyber threat advisory: Medusa and the SimpleHelp vulnerability
- SANS Internet Storm Center
- Securelist
- Gerardo Santos at Security Art Work
  - Iran IRGC – a tour of its most interesting cyber operations. A before and after of the start of the Hamas–Israel war
- Securonix
  - Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits
- Socket
- Michael Clark at Sysdig
  - Detecting and Mitigating the “tj-actions/changed-files” Supply Chain Attack (CVE-2025-30066)
- Taz Wake
  - Linux DFIR – bash login sequence
- THOR Collective Dispatch
- Trend Micro
- Christopher Paschen at TrustedSec
  - Abusing Windows Built-in VPN Providers
- Reegun Jayapaul at Trustwave SpiderLabs
  - Resurgence of a Fake Captcha Malware Campaign
- Kenneth Kinion at Valdin
  - Lazarus Group Bybit Heist: C2 forensics
- Lucie Cardiet at Vectra AI
  - Attackers Don’t Hack In—They Log In: The MFA Blind Spot by Lucie Cardiet
- Merav Bar, Shay Berkovich, and Gal Nagli at Wiz
  - GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
- Solar 4RAYS Blog
  - DFIR Chronicles: how APT groups attacked in 2024
UPCOMING EVENTS
- Atola Technology
  - Must-Visit DFIR Conferences In 2025
- Belkasoft
  - Automating Forensic Workflows: Increased Performance with No Increase in Budget
- Cellebrite
- Gerald Auger at Simply Cyber
- Magnet Forensics
- MSAB
- Oxygen Forensics
  - Oxygen On-Air! – Episode 11 – Cracking the Legal Case: eDiscovery with Oxygen Forensics & CloudNine.
- SANS
  - SANS Threat Analysis Rundown with Katie Nickels | March 2025
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - NSOCKS: Insights into a Million-Dollar Residential Proxy Service
- AhmedS Kasmani
  - Initial Analysis of Black Basta Chat Leaks
- Black Hat
- Black Hills Information Security
  - REKAST – Talkin’ Bout [infosec] News 2025-03-10 #infosecnews #cybersecurity #podcast #podcastclips
- Breaking Badness
  - Hacked Chats & Telecom Takedowns: Black Basta & Salt Typhoon
- Cellebrite
  - Tip Tuesday: Saving Time with Streamline
- Cyber Social Hub
- Cyberwox
  - The Truth About The TryHackMe SAL1 Certification (Complete Review)
- Endace
  - Packet Forensic Files Ep 60 James Spiteri
- Gerald Auger at Simply Cyber
  - The Entry-Level SOC Interview Cheat Sheet: 5 Skills That Make You Unforgettable
- Hasherezade
  - Searching for #AceLdr in memory, with #PEsieve/#HollowsHunter [narrated]
- Huntress
- InfoSec_Bret
  - CyberDefenders – Yellow RAT Lab
- Jai Minton
  - Forget FAKE CAPTCHAs, I got MALWARE via a REAL CAPTCHA! | I2Parcae Malware Analysis
- John Hammond
- Magnet Forensics
  - Customer story: driving efficiency with SaaS-based forensics in Magnet Nexus
- Matthew Plascencia
- MSAB
  - XAMN Pro Hex Viewer
- MyDFIR
  - Why you NEED a Home Lab | How To Build a Home Lab (SOC Analyst)
- Nextron Systems
  - THOR – Advanced Malware & Threat Detection for IBM AIX and Legacy UNIX Systems
- SANS
- SANS Cyber Defense
  - SANS Open-Source Intelligence (OSINT) Summit 2025
- SentinelOne
  - LABScon24 Replay | Resilience and Protection in the Windows Ecosystem
- The Cyber Mentor
  - LIVE: USB and Log Analysis | Cybersecurity | Blue Team | AMA
- Three Buddy Problem
  - A half-dozen Microsoft zero-days, Juniper router backdoors, advanced bootkit hunting
- Yaniv Hoffman
  - 🤯Paying Ransomware Is Fueling Cybercrime’s MASSIVE Growth
MALWARE
- Any.Run
  - 5 Common Evasion Techniques in Malware
- Chuong Dong
  - LockBit Ransomware v4.0
- Doug Metz at Baker Street Forensics
- Jack’s Substack
  - Malicious DELTA themed Android App found in 2025
- Baran S at K7 Labs
  - Android Banking Trojan – OctoV2, masquerading as Deepseek AI
- Lookout Threat Lab
  - Lookout Discovers North Korean APT37 Mobile Spyware | Threat Intel
- Leandro Fróes at Netskope
  - Analyzing Elysium, a Variant of the Ghost (Cring) Ransomware Family
- HyeongJun Kim at S2W Lab
  - Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
- Sandfly Security
  - Destination Linux Cybersecurity Interview with Craig Rowland
- Puja Srivastava at Sucuri
  - Credit Card Skimmer and Backdoor on WordPress E-commerce Site
- Walmart
- Yohanes Nugroho
  - Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs
- Zhassulan Zhussupov
  - Malware development: persistence – part 27. Scheduled Tasks. Simple C example.
- Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  - SuperBlack
MISCELLANEOUS
- Martino Jerian at Amped
  - AI, Trust, and the Future of Justice
- Brett Shavers
  - DF/IR is not dying. It’s just harder than ever.
- Cellebrite
  - Covering More Ground: How Digital Forensics Solutions are Increasing Efficiency in Washoe Co., Nevada
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 03/10/25
- Elan at DFIR Diva
  - Free & Affordable Training News Monthly: Feb – Mar 2025
- Forensic Focus
  - GMDSOFT Tech Letter Vol 9. Investigating An Unknown USIM As Digital Evidence
  - AI Unpacked With Brandon Epstein: New Webinar Series Explores The Latest In Artificial Intelligence And DFIR
  - Learn About Oxygen Analytic Center With Matt Finnegan
  - Digital Forensics Round-Up, March 12 2025
  - Robert Fried’s Award-Winning Approach To Digital Forensics
  - Network Forensics: A Short Guide to Digital Evidence Recovery from Computer Networks
- Forensicfossil
  - Building a SOC automation Home Lab
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (3/1/2025)
- Adam Goss at Kraven Security
  - Top 5 Challenges of Building a CTI Team (+ How to Overcome)
- Magnet Forensics
  - Helping enterprises identify deepfakes and protect their reputation
- Mila
  - Is SAL1 the new BTL1?
- N00b_H@ck3r
  - My Journey to TryHackMe’s Security Analyst Level 1 (SAL1) Certification
- Nextron Systems
  - Efficient NIS2 Compliance with THOR & ASGARD
- No Logs No Breach
  - InfoSec Homelab: 2025 Edition
- Roberto Rodriguez at Open Threat Research
  - Floki 👁️🗨️: Building an AI Agentic Workflow Engine with Dapr⚡️
- Rick Martin
  - My Journey to Becoming a Detection Engineer
- Salvation DATA
  - Key Trends in Digital Forensics for 2025: Technological Innovation and Core Challenges
- Nathan D. at SpecterOps
  - Getting Started with BHE — Part 1
- Symantec Enterprise
  - AI: Advent of Agents Opens New Possibilities for Attackers
- Nick Miles at Tenable
  - DeepSeek Deep Dive Part 1: Creating Malware, Including Keyloggers and Ransomware
SOFTWARE UPDATES
- Autopsy
  - Autopsy 4.22.0: BitLocker Support, Cyber Triage Sidecar, Library Updates
- Lethal Forensics
  - Collect-MemoryDump-v1.1.0
- Datadog Security Labs
  - GuardDog v2.5.0
- Didier Stevens
- Eric Capuano at Digital Defense Institute
  - Triage.zip
- Erki Suurjaak
  - Skyperious v5.7
- Magnet Forensics
  - New in Magnet Automate 4.1: Dashboard updates, Cellebrite PA and Tableau TX1 integration, single sign-on support, and more!
- Manabu Niseki
  - Mihari v8.1.0
- Mehmet Demir
  - THOR Timeline Extractor
- OpenCTI
  - 6.5.6
- Ryan Benson at dfir.blog
- Security Onion
  - Security Onion 2.4.130 now available including Elastic 8.17.3 and much more!
- Xways
  - Viewer Component v8.5.7
- Yamato Security
  - Hayabusa v3.1.1 🦅
- Phil Harvey
  - ExifTool 13.25 (production release)
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!