As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Jessica Hyde at Forensic Mag
  - Data Preservation on Mobile Devices: The Quicker, The Better
- Akash Patel
  - Investigating Firefox Browser Forensics: A Forensic Guide/Browser analysis Book
  - Firefox Privacy Settings and Firefox Extensions as well as synchronization: A Forensic Deep Dive
  - Browser Credential Storage and Forensic Password Recovery
  - Forensic Analysis (Investigating downloads, Browsers Bookmark, Extensions) of Microsoft Edge…
  - Forensic Analysis of Microsoft Edge Collections and IE Mode
  - Understanding Microsoft Edge Synchronization: A Forensic Perspective
  - Investigating Edge-Based Browsers: A Forensic Guide/Browser analysis Book
  - Electron Application Forensics and Analyzing LevelDB in Digital Forensics: A Simple Guide
  - Private Browsing: What Really Gets Left Behind? and Recovering Deleted Browser Artifacts.
- Christian Peter
  - Don’t lose your logbook
- Christopher Eng at Ogmini
  - Windows Notepad – Rewrite / AI Part 3
  - Expectations vs Reality – Digital Forensic Science Master’s Degree Part 5
  - Windows Notepad – Rewrite / AI Part 4
  - Windows Notepad – Rewrite / AI Part 5
  - The Intersection of DFIR and IT Troubleshooting
  - David Cowen Sunday Funday Challenge – SSH Artifacts
  - Beyond Sunday Funday – SSH Artifacts in Windows 11
- Chris Ray at Cyber Triage
  - Shellbags Forensic Analysis 2025
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  - Daily Blog #779: Sunday Funday 3/16/25
  - Daily Blog #780: Self validating linux executables
  - Daily Blog #781: Validating local linux hashes to their distros
  - Daily Blog #782: Validating linux packages other than rpms
  - Daily Blog #783: Automating rpm checks
  - Daily Blog #784: Validating linux systems with Yum
  - Daily Blog #785: Solution Saturday 3/22/25
- Forensafe
  - Android MeWe
- Manuel Guerra at GLIDER.es
  - Leave me alone! I don’t need to know all this to be a good forensic examiner.
- Kevin Pagano at Stark 4N6
- Jordan Hare at S-RM
  - Cracking the Vault: Exposing the weaknesses of encrypted apps
- SJDC
  - Preserve! Preserve! Preserve!
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
  - Threat Hunting a Telegram C2 Channel
- Adam Goss
  - The F3EAD Intelligence Loop Explained: A Complete Guide
- Adithya Vellal at Petra Security
- Maor Dahan at Akamai
  - Cryptominers’ Anatomy: Analyzing Cryptominers
- Antiy
  - Analysis of a group of phishing attacks by Taiwan’s “Green Spot” attack group using open source remote control Trojans
- Francis Guibernau at AttackIQ
  - Emulating the Sophisticated Chinese Adversary Salt Typhoon
- Jack Hyland at Black Hills Information Security
  - Canary in the Code: Alert()-ing on XSS Exploits
- Brian Krebs at ‘Krebs on Security’
- CERT Ukraine
  - UAC-0200: Espionage against the defence-industrial complex using DarkCrystal RAT (CERT-UA#14045)
- CERT-AGID
- Check Point
  - 17th March – Threat Intelligence Report
- Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura at Cisco’s Talos
  - UAT-5918 targets critical infrastructure entities in Taiwan
- CloudSEK
  - The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants
- Don Santos and Harsh Patel at Cofense
  - Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder
- Brent Harrell at CrowdStrike
  - Follow the Adversary: The Top 3 Red Team Exploitation Paths from 2024
- Dr. Brian Carrier at Cyber Triage
  - Alert Triage vs Endpoint Triage: What SOCs Need to Know
- Cyber_Guy
  - Email Phishing Automation with n8n — Detailed Steps
- Cyble
  - Medusa Ransomware Hits Record Levels, FBI and CISA Provide Key Security Insights
- Cyfirma
  - Weekly Intelligence Report – 21 Mar 2025
- Shail Yadav at Cyjax
  - The ROI of threat intelligence: Measuring the Value Beyond Detection
- Dark Atlas
  - BlackLock Ransomware: A Growing Threat Across Industries
- Darktrace
  - Cyberhaven Supply Chain Attack: Exploiting Browser Extensions
- Detect FYI
- Disconinja
  - C2 Server Survey in Japan (Week 11 2025)
- Dragos
  - Hunting Active Threats in Littleton’s Grid with the Dragos Platform and OT Watch
- EclecticIQ
  - Observable Scoring: Focus on what really matters
- Justin Higdon at Elastic
  - Hunting with Elastic Security: Detecting credential dumping with ES|QL
- Elastic
  - From Access to Encryption: Dissecting Hunters International’s Latest Ransomware Attack
- Flashpoint
  - Flashpoint 2025 Global Threat Intelligence Report: Stay Ahead of Emerging Threats
- Truman Brown, Emily Astranova, Steven Karschnia, Jacob Paullus, Nick McClendon, and Chris Higgins at Google Cloud Threat Intelligence
  - BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique
- GreyNoise
  - GreyNoise Observes Active Exploitation of Critical Apache Tomcat RCE Vulnerability (CVE-2025-24813)
- Group-IB
  - The Cybercriminal with Four Faces: Revealing Group-IB’s Investigation into ALTDOS, DESORDEN, GHOSTR and 0mid16B
- HP Wolf Security
  - HP Wolf Security Threat Insights Report: March 2025
- Alon Gal at Hudson Rock
  - Jaguar Land Rover Breached by HELLCAT Ransomware Group Using Its Infostealer Playbook—Then a Second Hacker Strikes
- Hunt IO
  - South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon
- Intel 471
- Invictus Incident Response
  - Cloud Incident Readiness: Key logs for cloud incidents
- James Henning
  - Comprehensive Intelligence Report on APT Aquatic Panda Targeting Critical Infrastructure and Government Entities
- Jonathan Johnson
  - The Truth About Telemetry: The Role of Primary and Secondary Telemetry Sources
- Keisuke Shikano at JPCERT/CC
  - TSUBAME Report Overflow (Oct-Dec 2024)
- Mahantesh Muchandi
  - Anomalous Activity Detection Failure In Xdr #confirm Compromised Endpoints #dpapi
- Tim Carrington at MDSec
  - Red Teaming with ServiceNow
- Natto Thoughts
  - Zhou Shuai: A Hacker’s Road to APT27
- Max Resing and Filippo Vitale at Netscout
  - Italy in the Crosshairs
- Nixintel Open Source Intelligence & Investigations
  - Using SSL Certificates To Find Threat Actor Infrastructure
- Thomas Papaloukas at NVISO Labs
  - How to hunt & defend against Business Email Compromise (BEC)
- Oleg Skulkin at ‘Know Your Adversary’
  - 075. Detecting RMMs from Ransomware Affiliate’s Toolkit: ConnectWise
  - 076. Herald Werewolf: Detection Opportunities
  - 077. Detecting Windows Sandbox Abuse
  - 078. Detecting AMOS Stealer’s Virtual Machine Checks
  - 079. Hunting for DarkWatchman RAT
  - 080. Detecting Silent Werewolf’s Malicious LNK Files
  - 081. Detecting EarthWorm Network Tunnel Tool
  - 082. Hunting for Malicious Browser Extensions
- Jared Elder at Permiso
  - Rippling Lawsuit Shows How Search Terms Portray Intent of Threat Actors
- Positive Technologies
  - Crypters And Tools. One tool for thousands of malicious files
- Pulsedive
  - Rilide – An Information Stealing Browser Extension
- Red Canary
- Pietro Melillo at Red Hot Cyber
  - VanHelsing RaaS: An Expanding Ransomware-as-a-Service Model
- Gautham Ashok and Alexa Feminella at ReliaQuest
  - Threat Spotlight: Credential Theft vs. Admin Control—Two Devastating Paths to VPN Exploitation
- Roger C.B. Johnsen
  - Sentifender Lexica Detectica
- S-RM
  - Cyber briefing note | The Black Basta leaks
- SANS Internet Storm Center
  - Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th)
  - Static Analysis of GUID Encoded Shellcode, (Mon, Mar 17th)
  - Python Bot Delivered Through DLL Side-Loading, (Tue, Mar 18th)
  - Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440, (Wed, Mar 19th)
  - Some new Data Feeds, and a little “incident”., (Thu, Mar 20th)
- Secrss
  - Low-tech weapons + protracted war strategy: Taiwan hacker groups’ 18-year cyber attacks on the mainland
- Securelist
- SecurityBreak
  - Introducing NOVA
- Dheeraj Kumar and Sina Chehreghani at Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – February 2025
- Sekoia
  - ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
- Jim Walter at SentinelOne
  - Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on “The Five Families” Cybercrime Reputation
- Kirill Boychenko at Socket
  - Black Basta’s Dependency Confusion Ambitions and Ransomware in Open Source Ecosystems
- SOCRadar
  - Dark Web Profile: FSociety (Flocker) Ransomware
- SpearTip Cyber Counterintelligence
  - Third-Party Supply Chain Attack Affecting Auto Dealerships
- Brandon Murphy at Sublime Security
  - Microsoft OAuth URL used as redirect to AITM credential phishing site
- Marco A. De Felice at SuspectFile
- Nital Ruzin at Sygnia
  - Breaking the Virtual Barrier: From Web-Shell to Ransomware
- Symantec Enterprise
  - RansomHub: Attackers Leverage New Custom Backdoor
- Bill Marczak, John Scott-Railton, Kate Robertson, Astrid Perry, Rebekah Brown, Bahr Abdul Razzak, Siena Anstis, and Ron Deibert at The Citizen Lab
  - Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations
- Third Eye intelligence
  - Data Leaks: The Silent Reputation Killer & Compliance Nightmare
- THOR Collective Dispatch
- Jambul Tologonov and John Fokker at Trellix
  - Analysis of Black Basta Ransomware Chat Leaks
- Trend Micro
- Scott White at TrustedSec
  - Are Attackers “Passing Through” Your Azure App Proxy?
- Wiz
- Solar 4RAYS Blog
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2025-03-24 #livestream #infosec #infosecnews
- FIRST
- Magnet Forensics
- SANS
  - The Quest to Summit | SANS ICS Security Summit 2025
PRESENTATIONS/PODCASTS
- AhmedS Kasmani
  - Unmasking stealthy credential stealer inside GitHub hosted project
- Appalachian4n6
- Black Hat
  - Navigating the Complex Challenges of Setting Up Efficient and Robust OT SOC Capabilities
- BlueMonkey 4n6
- Breaking Badness
  - APT 41’s VPN Exploits & The Great Firewall’s Leaky Secrets
- Cloud Security Podcast by Google
  - EP215 Threat Modeling at Google: From Basics to AI-powered Magic
- Cyber Social Hub
  - Micro-Learning in Digital Forensics: Why Aren’t You Keeping Up?
- Eclypsium
  - BTS #47 – BMC&C Part 3
- Hudson Rock
  - The Information Heist: Cracking the Code on Infostealers (New Hudson Rock Interview)
- InfoSec_Bret
  - CyberDefenders – Amadey Lab
- Jai Minton
  - Hacking Gandalf AI (LLM) to reveal SECRETS | Basic PROMPT INJECTION techniques
- John Hammond
  - I took the TryHackMe Security Analyst Level 1 Certification (SAL1)
  - ms teams is now a C2 (command-and-control)
- Masumi Uno at JPCERT/CC
  - JSAC2025 -Day 2-
- Magnet Forensics
- Microsoft Threat Intelligence Podcast
  - The Professionalization of the Ransomware Criminal Ecosystem
- MSAB
  - STT Setup Guide
- MyDFIR
  - Cybersecurity SOC Analyst Lab – Memory Ransomware
- Sandfly Security
  - Sandfly Agentless Linux Security and Incident Response Intro
- SANS
- Sarah Edwards at Mac4n6
  - New Presentation – Using Apple Intelligence (AI) Data in Investigations
- The Cyber Mentor
  - Notepad Saves Your Notes – Even If You Don’t!
- The Microsoft Security Insights Show
  - The Microsoft Security Insights Show Episode 252 – WIC Month, Cat Daniels
- Three Buddy Problem
  - China exposing Taiwan hacks, Paragon spyware and WhatsApp exploits, CISA budget cuts
MALWARE
- ASEC
  - Malicious HWP Document Disguised as Reunification Education Support Application
- Denwp Research
  - Reversing FUD AMOS Stealer
- Elastic Security Labs
  - Shedding light on the ABYSSWORKER driver
- G Data Security
  - Unboxing Anubis: Exploring the Stealthy Tactics of FIN7’s Latest Backdoor
- Ioannis Loutsis
  - Deep Dive: Analyzing PDF Changes with Incremental Updates and pdftool.py
- Kirti Kshatriya at Seqrite
  - New Steganographic Campaign Distributing Multiple Malware
- Jérôme Segura at Malwarebytes
  - AMOS and Lumma stealers actively spread to Reddit users
- Microsoft Security
  - StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
- Orange Cyberdefense
  - Using & improving frida-trace
- Security Onion
  - Quick Malware Analysis: REMCOS RAT pcap from 2025-03-10
- Ben Martin at Sucuri
  - Fake Cloudflare Verification Results in LummaStealer Trojan Infections
- System Weakness
  - Malware Hash Analysis: Identifying Threats with Cryptographic Precision
- The Digest “Crypto-Ransomware” (Шифровальщики-вымогатели)
MISCELLANEOUS
- Any.Run
  - Decoding a Malware Analyst: Essential Skills and Expertise
- Brett Shavers
  - You Don’t Belong in DF/IR
- Calum Hall at Cado Security
  - Business Email Compromise (BEC): Understanding the Threat With Cado
- Cellebrite
  - How Service Providers are Reimagining Investigations to Meet Client Needs
  - Modern Remote Mobile Collection: A Deep Dive into the Cellebrite-RelativityOne Integration
  - Settings Matter – How Your Settings in Physical Analyzer Can Impact What You See!
  - Accelerate Your Digital Forensics Career with CCME Fast Track
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 03/17/25
- Forensic Focus
  - Jessica Hyde, Founder, Hexordia
  - Magnet Forensics Kicks Off Magnet User Summit 2025 By Demonstrating Continued Innovation
  - Digital Forensics Round-Up, March 19 2025
  - MD-DRONE: Advancing The Future Of Drone Forensics
  - Magnet Forensics Announces Strategic Technology Partnership With TRM Labs
  - Understanding The AI Act And The Future Of Image And Video Forensics
  - DSI’s 6th Digital Forensics For National Security Symposium – Register Today
  - Magnet Forensics Demonstrates Continued Leadership In AI With New Product Innovations And Resources
  - Oxygen Forensics Helps Clients Take Their Data Strategy To The Next Level
  - Forensic Focus Digest, March 21 2025
- Ilias Mavropoulos
  - How I Wasted 537$ on the SANS Paller Scholarship without even being considered as a valid…
- Lesley Carhart
- Magnet Forensics
  - Meet the recipients of the 2025 Magnet Forensics Scholarship Award!
  - Announcing the first winner of the Agency Impact Award
  - Magnet Axiom 9.0: Event Snapshots, Express Extraction of Graykey images, AI tools, and more!
  - IOC Insights Dashboard: A faster, smarter way to identify threats in Magnet Axiom Cyber
  - Unlock faster mobile forensics with Magnet Axiom Express Extraction
  - Focus your investigations with Event Snapshots in Magnet Axiom
  - Accelerating investigations with AI using Magnet Copilot in Magnet Axiom
  - The challenge of authenticating media in the age of AI-generated CSAM
  - Magnet User Summit 2025: Driving innovation for our customers
  - Meet the Magnet Forensics Training Team: David Hammersley
- Oxygen Forensics
  - Digital Forensics in eDiscovery: A Comprehensive Guide to Modern Investigations
- Patrick Wardle at Objective-See
  - Leaking Passwords (and more!) on macOS
- Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.4.130!
SOFTWARE UPDATES
- 0xx0d4y
  - Ransomware Groups Statistics Extractor
- Belkasoft
  - What’s new in Belkasoft X v.2.7
- Digital Sleuth
  - winfor-salt v2025.4.1
- Eric Zimmerman
  - ChangeLog
- Oxygen Forensics
  - Introducing Oxygen Forensic® Detective v.17.2
- Magnet Forensics
  - Magnet Axiom Cyber 9.0: IOC Insights Dashboard, Event Snapshots, AI tools, and more!
- Metadata Forensics
  - Google Location History Takeout Parser
- MISP
  - MISP v2.4.206 and v2.5.8 Released – new workflow modules, improved graph object relationship management and many other improvements
- MSAB
  - Now available: XRY 11.0, XAMN 8.1, UNIFY 25.3*, XEC 7.13 and KTE 11.0
- Nir Sofer
  - Updates history viewer for Windows 11
- OpenCTI
  - 6.5.9
- Passmark Software
  - OSForensics V11.1 build 1004 19th March 2025
- Thiago Canozzo Lahr
  - uac-3.1.0
- WithSecure Labs
  - Chainsaw v2.12.0-1
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!