As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Understanding Partitioning Schemes, FileVault 2 and macOS Encryption: A User-Friendly Guide
  • P5: Exploring macOS Extended Attributes: The Hidden Metadata You Didn’t Know Existed || P6…
  • P7 macOS File System Events: The Power of Spotlight
    
    
• Christopher Eng at Ogmini
  • CISSP – Stalled
  • Zeltser Challenge – Third Month Accomplishments
  • CISSP – Domain 3
  • David Cowen Sunday Funday Challenge – Cloud Log Availability Delays
  • CISSP – Domain 4
  • CISSP – Domain 5
  • CISSP – Domain 6
    
    
• Chris Ray at Cyber Triage
  2025 Guide to Registry Forensics Tools
  
  
• Damien Attoe
  • The Duck Hunters Guide – Blog #5 – Bookmarks & Favorites (Android)
  • The Duck Hunters Guide – Android Cheat Sheet
    
    
• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #793: Sunday Funday 3/30/25
  • Daily Blog #794: What did gemini make up?
  • Daily Blog #795: What did Gemini make up part 2
  • Daily Blog #796: Using AI’s to help you with EDR searches
  • Daily Blog #797: Azure Snapshot Downloads
  • Daily Blog #798: Forensic Lunch Test Kitchen 4/4/25 – Using Replit!
  • Daily Blog #799: Solution Saturday 4/5/25
    
    
• Forensafe
  Android Burner
  
  
• Malware-Hunter
  Windows Artifacts in Digital Forensics
  
  
• Adithya Vellal at Petra Security
  Why Does Teams Activity Appear in SharePoint Logs? And Why Does This Matter to Attackers?
  
  
• The DFIR Report
  Fake Zoom Ends in BlackSuit Ransomware
  

THREAT INTELLIGENCE/HUNTING

• ⌛☃❀✵Gootloader Details ✵❀☃⌛
  🚨Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
  
  
• Faan Rossouw at Active Countermeasures
  The Beginner’s Guide to Command and Control Part 1 – How C2 Frameworks Operate
  
  
• Adam Goss
  How to Plan a CTI Project: Key Documentation You Need
  
  
• Aqua
  Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks
  
  
• Arctic Wolf
  The State of Cybersecurity: 2025 Trends Report
  
  
• AttackIQ
  • Emulating the Sophisticated Russian Adversary Seashell Blizzard
  • Response to CISA Advisory (AA25-093A): Fast Flux: A National Security Threat
    
    
• BushidoToken
  Tracking Adversaries: EvilCorp, the RansomHub affiliate
  
  
• Cado Security
  What’s New in the Ultimate Guide to Incident Response in AWS?
  
  
• CERT Ukraine
  UAC-0219: кібершпигунство з використанням PowerShell-стілеру WRECKSTEEL (CERT-UA#14283)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 29 marzo – 4 aprile
  
  
• Check Point
  31st March – Threat Intelligence Report
  
  
• CISA
  Fast Flux: A National Security Threat
  
  
• Cisco’s Talos
  Available now: 2024 Year in Review
  
  
• Cofense
  • More Than Music: The Unseen Cybersecurity Threats of Streaming Services
  • Q1 Goals to Gaps in Security: The Rise of HR-Themed Phishing
    
    
• Ryan Terry and Kendra Kendall at CrowdStrike
  How to Navigate the 2025 Identity Threat Landscape
  
  
• Vasilis Orlof at Cyber Intelligence Insights
  Hunting Pandas
  
  
• Cyble
  Ransomware Attack Levels Remain High as Major Change Looms
  
  
• Cyfirma
  Weekly Intelligence Report – 04 Apr 2025
  
  
• Cyjax
  • Build vs. Buy: What’s the Best Threat Intelligence Approach? 
  • Decoding Threat Intelligence: A Glossary
  • Leading Experts Shaping the Future of Threat Intelligence
  • A DLS EMERGEncy! –  Record breaking extortion group DLS emergence in 2025
    
    
• Detect FYI
  • WMI Exploitation: How Attackers Use It — And How to Detect It
  • Hunting malicious OneOnOne chats via MS Teams
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week13 2025)
  
  
• Elastic Security Labs
  Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective
  
  
• Cara Lin at Fortinet
  RolandSkimmer: Silent Credit Card Thief Uncovered
  
  
• Lovely Antonio, Ricardo Pineda, and Louis Sorita at G Data Software
  Smoked out – Emmenhtal spreads SmokeLoader malware
  
  
• Google Cloud Security Community
  UEBA – A Key Detection Ingredient
  
  
• Google Cloud Threat Intelligence
  • DPRK IT Workers Expanding in Scope and Scale
  • Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
    
    
• GreyNoise
  • Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
  • Heightened In-The-Wild Activity On Key Technologies Observed On March 28
    
    
• Group-IB
  • The beginning of the end: the story of Hunters International
  • Fraud Underbelly: Australia’s Digital Boom—A Fraudster’s Goldmine?
    
    
• Alon Gal at Hudson Rock
  • Samsung Tickets Data Leak: Infostealers Strike Again in Massive Free Dump
  • Royal Mail Group Loses 144GB to Infostealers: Same Samsung Hacker, Same 2021 Infostealer Log
  • HELLCAT Ransomware Group Strikes Again: Four New Victims Breached via Jira Credentials from Infostealer Logs
    
    
• Hunt IO
  • Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs
  • Identifying ClickFix Exploits: A Case Study in Proactive Threat Hunting
    
    
• Huntress
  • The Unwanted Guest
  • Cyber Hygiene Threats Lurking at Your Perimeter: RDP, VPNs, and Remote Tools
    
    
• Aashish Baweja at InfoSec Write-ups
  “Must-Know SPL Queries for Rapid Incident Response in Splunk”
  
  
• Intel 471
  • Update: Medusa Ransomware
  • Six Key Takeaways From the SANS 2025 Threat Hunting Survey
  • An in-depth look at Black Basta’s TTPs
  • VanHelsing Ransomware
    
    
• Invictus Incident Response
  Cloud Heavy, Hybrid Ready: Lessons from BlackBasta and Scattered Spider
  
  
• Jed Morley and Austin Bollinger at Mitiga
  Rippling Turning Into a Tsunami
  
  
• Kevin Beaumont at DoublePulsar
  Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
  
  
• Arun Yadav
  This could be your Detection Engineering Life Cycle
  
  
• Microsoft Security
  Threat actors leverage tax season to deploy tax-themed phishing campaigns
  
  
• Alice Koeninger, Shane Steiger and Maretta Morovitz at MITRE Engage™
  The Cybersecurity Trick You Already Have in Your Toolbox
  
  
• Natto Thoughts
  Indictments and Leaks: Different but Complementary Sources
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 089. Detecting RMMs from Ransomware Affiliate’s Toolkit: NinjaRMM
  • 090. Hunting for Gamaredon’s PowerShell Abuse
  • 091. Hunting for Malicious LNK Files as Seen in a Recent Head Mare Campaign
  • 092. Detecting FogDoor’s C&C Communications
  • 093. Detecting RokRAT’s PowerShell Abuse
  • 094. Detecting ClickOnce Abuse
  • 095. Inside Play Ransomware Toolkit: WKTools
  • 096. Hunting for Canon IJ Printer Assistant Tool Abuse
    
    
• OSINT Team
  • A SOC Analyst’s Diary: Tracking a Sophisticated Cyber Attack from Phishing to Data Exfiltration
  • Building a Winning Cybersecurity Dream Team — Threat Hunt Team
  • A SOC Analyst’s Diary: Track Attacker Actions Across Your Network
  • Reimagining the SOC Analyst Role Using AI — What is Actually Realistic?
  • Malware Explained: Types, Risks, and How to Remove It
  • Ghostware: The Invisible Malware That Almost Destroyed X Business — And How They Recovered
  • Trojan Malware in 2025: How X Business Survived One of the Most Unexpected Cyberattacks Ever
  • Detecting Modern Ransomwares with Wazuh and Sysmon : Leveraging Custom Detection Rules
    
    
• Outpost24
  • Threat Context Monthly: Green Nailao & UNC3886 – Briefing for March 2025  
  • Unmasking EncryptHub: Help from ChatGPT & OPSEC blunders 
    
    
• Palo Alto Networks
  • Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
  • OH-MY-DC: OIDC Misconfigurations in CI/CD
    
    
• Adam Crosser at Praetorian
  An Improved Detection Signature for the Kubernetes IngressNightmare Vulnerability
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, February 2025 (KOR)
  
  
• Red Hot Cyber
  The Evil Purr – DarkLab Interview to HellCat Ransomware!
  
  
• Resecurity
  Smishing Triad is Now Targeting Toll Payment Services in a Massive Fraud Campaign Expansion
  
  
• Paul Roberts at ReversingLabs
  Malicious Python packages target popular Bitcoin library
  
  
• Katie Nickels at SANS
  SANS Threat Analysis Rundown in Review: Breaking Down March 2025’s Discussion
  
  
• SANS Internet Storm Center
  • Apache Camel Exploit Attempt by Vulnerability Scan (CVE-2025-27636, CVE-2025-29891), (Mon, Mar 31st)
  • Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive [Guest Diary], (Wed, Apr 2nd)
  • Surge in Scans for Juniper “t128” Default User, (Wed, Apr 2nd)
    
    
• Sansec
  Found defunct.dat on your site? You’ve got a problem.
  
  
• Vasily Kolesnikov and Oleg Kupreev at Securelist
  TookPS: DeepSeek isn’t the only game in town
  
  
• Sekoia
  From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
  
  
• Toby G at sentinel.blog
  Part 3 – Inside the Attacker’s Toolkit: Advanced Phishing Frameworks and Infrastructure
  
  
• Silent Push
  PoisonSeed Cryptocurrency Seed Phrase and Phishing Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation
  
  
• Simone Kraus
  • Annual Threat Assessment of the US IC — Countering Chinese Cyber Operations & Disinformation
  • Analyzing Chinese Cognitive warfare
  • Counter-Strategy Against State-Sponsored Proxies & China
  • Understanding Russian Cognitive Warfare
  • Cyber-Enabled Irregular Warfare Against Narco Cartels
    
    
• Sophos
  • Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
  • It takes two: The 2025 Sophos Active Adversary Report
    
    
• Steve Parker at SpearTip Cyber Counterintelligence
  The Anatomy of a Phishing Attack
  
  
• Sublime Security
  Who are you trying to April Fool with that email scam?
  
  
• Marco A. De Felice aka amvinfe at SuspectFile
  The Manipulations of Babuk2: A Narrative Built on Lies
  
  
• Sysdig
  Detecting Fast Flux with Sysdig Secure and VirusTotal
  
  
• System Weakness
  • [HackTheBox Sherlocks Write-up] Fragility
  • HTB Shocker Walkthrough/Explanation
  • THM – Splunk 2
  • Building Ransomware in Go: Encryption & Decryption Explained
    
    
• THOR Collective Dispatch
  • The Threat Hunts in Our Stars
  • The Power of the Trio
    
    
• ThreatFabric
  Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices
  
  
• TRAC Labs
  The Wagmi Manual: Copy, Paste, and Profit
  
  
• Lenart Bermejo, Ted Lee, and Theo Chen at Trend Micro
  The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques
  
  
• John Basmayor at Trustwave SpiderLabs
  Babuk2 Bjorka: The Evolution of Ransomware for ‘Data Commoditization’
  
  
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – March Update
  
  
• Vasilis Orlof at Valdin
  Hunting Pandas
  
  
• Lucie Cardiet at Vectra AI
  How Threat Actors Weaponize EV Certificates by Lucie Cardiet
  
  
• watchTowr Labs
  Is The Sofistication In The Room With Us? – X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
  
  
• Wiz
  CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims
  
  
• Блог Solar 4RAYS
  • Обзор уязвимостей веб-приложений в 1-м квартале 2025 года
  • Ландшафт вредоносных атак: аналитика с сенсоров и ханипотов в 4 квартале 2024 г.
    
    
• Genians
  경찰청과 국가인권위를 사칭한 Konni APT 캠페인 분석
  

UPCOMING EVENTS

• Black Hills Information Security
  • Detection Engineering Alert Disposition w/ Hal & Paul
  • BHIS – Talkin’ Bout [infosec] News 2025-04-07 #livestream #infosec #infosecnews
    
    
• Cellebrite
  • Digital Evidence for Frontline Investigators: Best Practices for Device Seizure & Exhibit Management
  • Navigating the Evolving Landscape of Computer Forensics (Part 1 of a Two-Part Series)
  • Combatting crimes against children: How Cellebrite Supports Law Enforcement in Child Protection
  • Unlocking Digital Investigations: How Cellebrite Empowers Investigative Units
  • Hidden Clues: Tips & Tricks for Investigators Using Cellebrite Solutions
  • The AI Advantage: Publicly Available Information
    
    
• Cyber5W
  Threat Actor Desktop – Kali Linux
  
  
• Huntress
  Tradecraft Tuesday | Say Hello to Mac Malware
  
  
• Magnet Forensics
  • Unlocking DFIR: Free resources for efficient triage and acquisition
  • Streamlined mobile workflows with Magnet Axiom 9.0
    

PRESENTATIONS/PODCASTS

• Behind the Binary by Google Cloud Security
  EP07 Jordan Wiens – Inside the Mind of a Binary Ninja: CTFs, AI and the Future of Cyber Security
  
  
• Breaking Badness
  DNS Masterclass: Attacks, Defenses, and the Day the Internet Was Saved
  
  
• Chainalysis
  The Chainalysis 2025 Crypto Crime Report Preview (Part 2): Podcast Ep. 156
  
  
• Cisco’s Talos
  Beers with Talos: Year in Review episode
  
  
• Cloud Security Podcast by Google
  EP217 Red Teaming AI: Uncovering Surprises, Facing New Threats, and the Same Old Mistakes?
  
  
• Cyber Social Hub
  • Why would you virtualize the suspect’s computer system?
  • What to Expect from Digital Forensic Experts on the Opposition
  • Breaking Down SQLite Databases
    
    
• Huntress
  • Blocking Fake CAPTCHA Malware with a Simple Registry Tweak
  • How to Overcome Analysis Paralysis in Security Compliance | Community Fireside Chat
    
    
• Insane Forensics
  OT Office Hours – The Case for Host & Network Data Integration VEED
  
  
• Intel 471
  Writing high-quality IDS detection rules
  
  
• Jai Minton
  “Try my game” DISCORD MALWARE | Reverse Engineering Leet Stealer, Electron Malware Used By HACKERS
  
  
• John Hammond
  Learn Cybersecurity Defense!
  
  
• Daiki Ishihara at JPCERT/CC
  JSAC2025 -Workshop & Lightning Talk-
  
  
• Magnet Forensics
  • Mobile Minute Ep. 8: Unlocking faster mobile forensics workflow with Magnet Axiom Express Extraction
  • Cyber Unpacked S2:E1 // Exploring IOCs: Enhancing threat detection and forensics
  • Verify authenticity and streamline media analysis with Magnet Griffeye
    
    
• Matthew Plascencia
  Magnet Acquire Overview with Android Acquisition | Android Forensics 8
  
  
• MSAB
  XRY 11 Options
  
  
• MyDFIR
  Cybersecurity SOC Analyst Lab – Browser Forensics (Cryptominer)
  
  
• OALabs
  Automated AI Reverse Engineering with MCPs for IDA and Ghidra (Live VIBE RE)
  
  
• SANS
  • A Visual Summary of SANS AI Cybersecurity Summit 2025
  • Account Takeovers and Emotional Predators | Ouch! Podcast | April 2025
    
    
• Semantics 21
  S21 Offline Location Analysis (Preview)
  
  
• SentinelOne
  LABScon24 Replay | A Walking Red Flag (With Yellow Stars)
  
  
• The Cyber Mentor
  TCM Security – SOC 101 (10+ Hours of Content!)
  
  
• Threat Forest
  Klikkien korjausta ja oraakkeleita
  
  
• Three Buddy Problem
  NSA director fired, Ivanti’s 0day screw-up, backdoor in robot dogs
  
  
• Triskele Labs
  TL Blue | Episode 15
  

MALWARE

• Any.Run
  • Salvador Stealer: New Android Malware That Phishes Banking Details & OTPs
  • How to Hunt and Investigate Linux Malware 
    
    
• ASEC
  • Phishing Emails Impersonating the National Tax Service (NTS)
  • SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
  • Remcos RAT Malware Disguised as Major Carrier’s Waybill
  • BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
    
    
• CyberArmor
  Uncovered: How Cybercriminals Scam Each Other Using Fake USDT Sender Software
  
  
• Amit Assaraf at Koi Security
  A Month Of Malware In The Chrome Web Store
  
  
• Lab52
  Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights
  
  
• Linkcabin
  Analysing a malicious Android APK with Ukrainian military themes
  
  
• Leandro Fróes and Jan Michael Alcantara at Netskope
  New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile
  
  
• Yaniv Allender and Anna Sirokova at Rapid7
  A Rebirth of a Cursed Existence? Examining ‘Babuk Locker 2.0’ Ransomware
  
  
• Reverse Engineering
  Cracking the Crackers
  
  
• RexorVc0
  DarkCloud
  
  
• Socket
  • Malicious PyPI Package Targets WooCommerce Stores with Automated Carding Attacks
  • Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
    
    
• System Weakness
  Digitally Signed Malware: What It Is, How It Works, and Why You Should Be Concerned
  
  
• Killian Raimbaud and Paul Rascagneres at Volexity
  GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically
  
  
• Zhassulan Zhussupov
  Malware and cryptography 40 – encrypt/decrypt payload via RC5. Simple Nim example.
  
  
• Muhammed Irfan V A at ZScaler
  Analyzing New HijackLoader Evasion Tactics
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  • Nemesis-888
  • Boramae
    

MISCELLANEOUS

• Lukasz Kozubal at Adventures in the Zero Trust Cloudland
  Entra ID – tokens and cookies – a different perspective.
  
  
• Allan Liska at ‘Ransomware Sommelier’
  No One Cares About Ransomware
  
  
• Brian Krebs at ‘Krebs on Security’
  Cyber Forensic Expert in 2,000+ Cases Faces FBI Probe
  
  
• Cellebrite
  • Navigating the Twists and Turns of IP Theft Investigations 
  • Cellebrite Digital Justice Awards: 10 “Justies” Awarded to Best-in-Class Professionals
    
    
• Patrick Seltmann
  Session token lifetime: require reauthentication every time
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 03/31/25
  
  
• Magdalena Karwat at EclecticIQ
  Bring Your Own LLM: Total control over AI in threat intelligence
  
  
• Forensic Focus
  • The Hidden Toll Of Digital Forensics: A Serving Digital Investigator’s Story
  • Digital Forensics Round-Up, April 02 2025
  • Before Techno Security Kicks Off, Join Amped Connect US For Free In Wilmington
  • Introducing Semantics 21: The Best Kept Secret In Digital Forensics
  • Forensic Focus Digest, April 04 2025
    
    
• Forensicfossil
  Netstat Command In Linux
  
  
• Inginformatico
  La diferencia entre usar herramientas forenses y realizar Análisis Forense Digital
  
  
• Jeffrey Appel
  Automated incident triage with Security Copilot and Microsoft Sentinel/ Defender XDR
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (4/1/2025)
  
  
• Lesley Carhart
  What’s My Daily Life Like (in OT DFIR)?
  
  
• Oxygen Forensics
  Drone Forensics with Oxygen Forensic® Detective
  
  
• Patrick Siewert at ‘The Philosophy of DFIR’
  Mind Your Own DF/IR Business
  
  
• SANS
  SANS Skill Quest by NetWars—The Self-Paced Cyber Range That Works for You
  
  
• VMRay
  What is Credential Harvesting? Detection & Prevention Techniques
  

SOFTWARE UPDATES

• Alex Johnson
  Windows Defender Quarantine Dumper
  
  
• Amped
  Amped DVRConv and Engine Update 36924
  
  
• C.Peter
  UFADE 0.9.8
  
  
• Cellebrite
  Now Available: Cellebrite Endpoint Inspector SaaS 2.6
  
  
• Crowdstrike
  Falconpy Version 1.4.8
  
  
• Damien Attoe
  SQBite Beta 3 Release
  
  
• Davide Ciacciolo
  SysInfo Stealer Parser
  
  
• Digital Sleuth
  winfor-salt v2025.4.5
  
  
• Erik Hjelmvik at Netresec
  NetworkMiner 3.0 Released
  
  
• Jorge Suarez
  Microsoft Graph Console GUI Search Tool
  
  
• Microsoft
  msticpy – Maintenance release QueryEditor, PrismaCloudDriver
  
  
• Passware
  Passware Kit 2025 v2 Now Available
  
  
• Phil Harvey
  ExifTool 13.26
  
  
• PuffyCid
  Artemis v0.13.0 – Released!
  
  
• Security Onion
  Security Onion 2.4.141 now available including several fixes!
  
  
• Securityjoes
  Crowdstrike-Deploy 1.1v
  
  
• SigmaHQ
  pySigma v0.11.20
  
  
• Xways
  X-Ways Forensics 21.5 Preview 8
  
  
• Yamato Security
  Hayabusa v3.2.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!