As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Making Sense of macOS Logs(Part1): A User-Friendly Guide
  • A Curious Case with SentinelOne: Same Rule, Different Behavior?
  • P11 macOS Tracking Users Activity, Autoruns and Application-Level Firewall and Forensic Insights
    
    
• Bayaz Net
  Detection — Evidence Of Execution In Linux?
  
  
• Manny Kressel at Bitmindz
  Apple T2 Chip and Silicon Mac Acquisition using NBFTools NETRE
  
  
• Ben Bowman at Black Hills Information Security
  Offline Memory Forensics With Volatility
  
  
• Christopher Eng at Ogmini
  • CISSP – Domain 7
  • CISSP – Domain 8
  • David Cowen Sunday Funday Challenge – Docker Containers on WSL Artifacts
  • The Day Job – Security/DR Planning
  • David Cowen Sunday Funday Challenge – Docker Containers on WSL Artifacts – Part 2
  • David Cowen Sunday Funday Challenge – Docker Containers on WSL Artifacts – Part 3
  • Exploring KQL
    
    
• Chris Ray at Cyber Triage
  UserAssist Forensics 2025
  
  
• Damien Attoe
  The Duck Hunters Guide – Blog #6 – Fireproof Sites (Android)
  
  
• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #800: Sunday Funday 4/6/25
  • Daily Blog #801: New capabilities of Chat GPT 4o Image Creation
  • Daily Blog #802: Windows Helllo Forensics presentation
  • Daily Blog #803: Getting Chat GPT 4o to make fancy powepoints
  • Daily Blog #804: Introducing Puck!
  • Daily Blog #805: Mount That Thing!
  • Daily Blog #806: Solution Saturday 4/12/25
    
    
• DFRWS
  Official Launch of SOLVE-IT at DFRWS EU 2025
  
  
• Forensafe
  Android Private Photo Vault
  
  
• Forensic-Research
  Everything Artifact Forensic Analysis
  
  
• Heather Chapentier
  • Snapchat Artifacts
  • Android Gallery-Deleted Photos
    
    
• Ranjith A
  Linux Forensics : Analyzing Artifacts from Unix-like Artifacts Collector (UAC)
  
  
• Antonio Sanz at Security Art Work
  • Baklava CTF Writeup – Incident Report Style (I)
  • Baklava CTF Writeup – Incident Report Style (II)
  • Baklava CTF Writeup – Incident Report Style (III)
    

THREAT INTELLIGENCE/HUNTING

• ASEC
  • Statistical Report on Malware Targeting MS-SQL Servers in 1Q 2025
  • Statistical Report on Malware Targeting Windows Web Servers in Q1 2025
  • Statistical Report on Malware Targeting Linux SSH Servers in Q1 2025
  • March 2025 Security Issues in Korean & Global Financial Sector
  • March 2025 APT Group Trends (South Korea)
  • March 2025 Trends Report on Phishing Emails
  • ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor
  • March 2025 Infostealer Trend Report
  • March 2025 Threat Trend Report on Ransomware
    
    
• Ayelen Torello at AttackIQ
  Emulating the Misleading CatB Ransomware
  
  
• Australian Cyber Security Centre
  • BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors
  • BADBAZAAR and MOONSHINE: Technical analysis and mitigations
    
    
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | April 2025
  
  
• RuleHound
  RuleHound
  
  
• bri5ee
  Xintra APT Emulation Lab – Husky Corp
  
  
• Brian Krebs at ‘Krebs on Security’
  China-based SMS Phishing Triad Pivots to Banks
  
  
• CERT Ukraine
  Цільова шпигунська активність UAC-0226 у відношенні осередків інновацій, державних і правоохоронних органів з використанням стілеру GIFTEDCROOK (CERT-UA#14303)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 5 aprile – 11 aprile
  
  
• Check Point
  • 7th April – Threat Intelligence Report
  • March 2025: Malware Spotlight – FakeUpdates and RansomHub Ransomware Group Dominate Cyber Threats
    
    
• ClearSky Cyber Security
  Houthi Influence Campaign
  
  
• Niharika Ray at CloudSEK
  How a Misconfiguration Led to Leaked Customer Data and Security Credentials
  
  
• Cofense
  • Pick your Poison – A Double-Edged Email Attack
  • The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders
  • Amazon Gift Card Email Hooks Microsoft Credentials
    
    
• Cyfirma
  Weekly Intelligence Report – 11 Apr 2025
  
  
• Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  Hunting AWS Identity Attacks
  
  
• Detect FYI
  • “Invoke-Shadow” — Applying Jungian Psychology to Detection Engineering
  • DNS Response analysis with KQL: queries, answers, TTL, RTT & more
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week14)
  
  
• Joe St Sauver at DomainTools
  Finding Fast Flux Fully Qualified Domain Names Using the SIE DNS Changes Channel
  
  
• Merlyn Albery-Speyer at F5 Labs
  Campaign Targets Amazon EC2 Instance Metadata via SSRF
  
  
• Ian Gray at Flashpoint
  May You Live in Interesting Times: The Rise and Fall of Threat Actors
  
  
• Jason Kao at Fog Security
  The Complexity of Detecting Amazon S3 and KMS Ransomware
  
  
• Carl Windsor at Fortinet
  Analysis of Threat Actor Activity
  
  
• Google Cloud Security Community
  Detecting IngressNightmare Without the Nightmare: A Non-Intrusive Yet Active Methodology
  
  
• Rohit Nambiar at Google Cloud Threat Intelligence
  Windows Remote Desktop Protocol: Remote to Rogue
  
  
• GreyNoise
  GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai
  
  
• Group-IB
  SMS Pumping: How Criminals Turn Your Messaging Service into Their Cash Machine
  
  
• Jim at Grumpy Goose Labs
  Hold Me Closer, TinyPilot
  
  
• Nati Tal at Guardio
  VibeScamming — From Prompt to Phish: Benchmarking Popular AI Agents’ Resistance to the Dark Side
  
  
• GuidePoint Security
  • This Caller Does Not Exist: Using AI to Conduct Vishing Attacks
  • RansomSnub: RansomHub’s Affiliate Confusion
  • Insights from the GRIT 2025 Q1 Ransomware & Cyber Threat Report
    
    
• Raj at Hacking Articles
  • Credential Dumping: GMSA
  • Sapphire Ticket Attack: Abusing Kerberos Trust
    
    
• Hunt IO
  • GoPhish Framework Leveraged to Target Polish Government Regulator and Energy Sector
  • State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure
    
    
• Huntress
  • Credential Theft: Expanding Your Reach
  • How EDR and ITDR Elevate Your Security
  • Ransomware Initial Access Brokers Exposed
    
    
• Huy Kha at Semperis
  NTDS.DIT Extraction Explained
  
  
• InfoSec Write-ups
  • ☠️ Ransomware on AWS: Break It Down. Detect It Fast.
  • SOC Automation Part 3: How to Configure Wazuh and TheHive for Windows Alerts
  • Creating Rules and Alerts in the ELK — Part 4.2
  • Malware Persistence: How Hackers Stay Alive on Your System (And How to Stop Them)
    
    
• Adam Goss at Kraven Security
  The 8 Principles of Intelligence: Foundations for Good CTI
  
  
• Anish Bogati at Logpoint
  From Exploit to Ransomware: Detecting CVE-2025-29824
  
  
• Mark ohalloran
  Analysing CloudTrail User Agents for AWS Forensics and Incident Response
  
  
• Microsoft Security
  • Exploitation of CLFS zero-day leads to ransomware activity
  • Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI
  • How cyberattackers exploit domain controllers using ransomware
    
    
• Oleg Skulkin at ‘Know Your Adversary’
  • 097. Adversaries Abuse PowerShell to Generate Malicious Links
  • 098. Adversaries Keep Abusing Blat for Data Exfiltration
  • 099. Hunting for CLFS Exploit Activity Artifacts
  • 100. The Adversary Abuses Canarytokens to Collect System Information
  • 101. Gamaredon Hides C&C Server Address Under the Registry
  • 102. Hunting for Paper Werewolf
  • 103. Hunting for Paper Werewolf: PowerModul
    
    
• OSINT Team
  • A SOC Analyst Diary: Finding Abnormal Local User Accounts
  • My SIEM-Agnostic Creative Process to Detection Engineering
  • Mastering SIEM Queries: Detecting Threats Like a Pro
  • Bots Don’t Fight Ransomware in Pajamas. Humans with Caffeine Addictions Do.
  • Blue Team: The Unsung Heroes of Cybersecurity
  • Work with Sigma Rules Like a Pro
    
    
• Ryan Hennessee at Praetorian
  ELFDICOM: PoC Malware Polyglot Exploiting Linux-Based Medical Devices
  
  
• Rain Ginsberg
  Mastering YARA: Surgical Threat Detection for Blue Teams
  
  
• Rapid7
  • 2025 Ransomware: Business as Usual, Business is Booming
  • Password Spray Attacks Taking Advantage of Lax MFA
    
    
• Ryan Morton at Red Canary
  Creating user baseline reports to identify malicious logins
  
  
• Resecurity
  Cybercriminals Attacked National Social Security Fund of Morocco – Millions of Digital Identities at Risk of Data Breach
  
  
• Tom Crooke at S-RM
  Crackdowns and takedowns: Disrupting ransomware in 2025
  
  
• HuiSeong Yang, HyeongJun Kim, ByeongYeol An, and SeungHo Lee at S2W Lab
  Ransomware Landscape in H2 2024: Statistics and Key Issues
  
  
• Mari DeGrazia at SANS
  Are Ransomware Victims Paying Less? Insights from the Latest Stay Ahead of Ransomware Live Stream
  
  
• SANS Internet Storm Center
  • New SSH Username Report, (Sun, Apr 6th)
  • XORsearch: Searching With Regexes, (Mon, Apr 7th)
  • Obfuscated Malicious Python Scripts with PyArmor, (Wed, Apr 9th)
  • Network Infraxploit [Guest Diary], (Wed, Apr 9th)
  • Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th)
    
    
• John Tuckner at Secure Annex
  Searching for something unknow
  
  
• Toby G at sentinel.blog
  • Bonus – The Growing Threat of Token Theft: How Attackers Exploit Stolen Authentication After Successful Phishing
  • Building an Automated Sentinel Incident Reporting System with Azure Logic Apps
    
    
• SentinelOne
  • AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
  • Re-Assessing Risk | Subdomain Takeovers As Supply Chain Attacks
    
    
• Silent Push
  • Scattered Spider: Still Hunting for Victims in 2025
  • Why are Indicators of Future Attack (IOFA)™ more effective at stopping threats than IOCs? 
  • Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
    
    
• Simone Kraus
  • DOTMLPF to Counter Cognitive Warfare in Cyberspace
  • Chinese Cyber Operations targeting Critical Infrastructure
    
    
• Socket
  • PyTorch Lightning Exposes Users to Remote Code Execution via Deserialization Vulnerabilities
  • Turtles, Clams, and Cyber Threat Actors: Shell Usage
    
    
• SOCRadar
  • Storm-2372: Russian APT Using Device Code Phishing in Advanced Attacks
  • Dark Web Profile: Babuk/Babuk2
    
    
• Soumyadeep Basu
  Hunting for Atomic Stealer (MacOS malware)
  
  
• SpecterOps
  • An Operator’s Guide to Device-Joined Hosts and the PRT Cookie
  • The Renaissance of NTLM Relay Attacks: Everything You Need to Know
  • The SQL Server Crypto Detour
    
    
• Sublime Security
  • $500K financial fraud built on BEC, a domain lookalike, and a fake thread
  • TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign
    
    
• Marco A. De Felice aka amvinfe at SuspectFile
  • HellCat, Rey, and grep: Internal Dynamics and Conflicting Claims in the Orange and HighWire Press Cases
  • Ransomware Attack on Pulse Urgent Care: What We Know About the Stolen Healthcare Data
  • NASCAR Targeted by Medusa Ransomware: Over One Terabyte of Data Exfiltrated
  • DragonForce Breach Exposes Personal Data of Over 6,900 Dermatology Solutions Patients
    
    
• Sygnia
  Ransomware Attacks in 2024: The Most Devastating Year Yet?
  
  
• Symantec Enterprise
  Shuckworm Targets Foreign Military Mission Based in Ukraine
  
  
• Syne’s Cyber Corner
  PERFECTDATA SOFTWARE Rebrands to Mail_Backup
  
  
• System Weakness
  • [HackTheBox Sherlocks Write-up] Heartbreaker-Continuum
  • Responding to the Oracle Cloud Breach: Essential Steps
  • [HackTheBox Sherlocks Write-up] NeuroSync-D (Next.js middleware bypass investigation)
  • Automated Detection Pipeline: Unlocking the Power of Automation in Security Detection
  • Windows Event Log Threat Hunting
    
    
• THOR Collective Dispatch
  • Because Logs Don’t Hunt Themselves – A Deep Dive into tstats
  • The Power of the Trio – Part 2
    
    
• Truesec
  Threat Intelligence Report Q1 2025 – Quarterly Summary
  
  
• Trustwave SpiderLabs
  • Inside Black Basta: Uncovering the Secrets of a Ransomware Powerhouse
  • Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks
  • Tycoon2FA New Evasion Technique for 2025
    
    
• Kenneth Kinion at Valdin
  Not Reality: Exploring Meta-themed Phishing with Validin
  
  
• Joseph Avanzato at Varonis
  RansomHub – What You Need to Know About the Rapidly Emerging Threat 
  
  
• Weldon_Araujo
  Threat Hunting investigação além dos IOCs
  
  
• István Márton at Wordfence
  100,000 WordPress Sites Affected by Administrative User Creation Vulnerability in SureTriggers WordPress Plugin
  

UPCOMING EVENTS

• Black Hills Information Security
  • Introducing EchoThreat – Expedite Detection Engineering w/ Hal Denton
  • Exploring ClickOnce and .NET Hijacking for SSH Initial Access
    
    
• Cellebrite
  • IBTD Part 32 – Navigating the Evolving Landscape of Computer Forensics (Part 1 of 2)
  • DFU Decoded : Deep dive into Facebook
    
    
• Cyber5W
  Threat Actor Desktop – Kali Linux
  
  
• Gerald Auger at Simply Cyber
  • Incident Response in ICS / OT / SCADA | S1 E5
  • Navigating the Cybersecurity Landscape with Edna Johnson: From Developer to Threat Hunter | S3 E2
    
    
• Magnet Forensics
  AI Unpacked #1 : An introduction to AI in digital forensics
  

PRESENTATIONS/PODCASTS

• Hexordia
  • Tricks & Tips: Pod Classic for Forensics!
  • Truth in Data: EP1: Evidence Gone: The Perils of Delayed Mobile Acquisition
    
    
• Adrian Crenshaw
  CounterSurveil: Unmasking Moloch -The Mind Behind Sliver C2
  
  
• Adversary Universe Podcast
  OCULAR SPIDER and the Rise of Ransomware-as-a-Service
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast – S2 E10
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-04-14 #livestream #infosec #infosecnews
  
  
• Breaking Badness
  How Russian Disinformation Campaigns Exploit Domain Registrars and AI
  
  
• Cellebrite
  Tip Tuesday: Sending Cryptocurrency Artifacts to Chainalysis
  
  
• Cisco’s Talos
  • Year in Review: Key vulnerabilities, tools, and shifts in attacker email tactics
  • Year in Review: In conversation with the report’s authors
    
    
• Cloud Security Podcast by Google
  EP218 IAM in the Cloud & AI Era: Navigating Evolution, Challenges, and the Rise of ITDR/ISPM
  
  
• Cyber Social Hub
  Behind the Lens: Melissa Kimbrell Reveals Forensic Video Secrets
  
  
• Cyberwox
  23 Things I Have Learned As a 23 Year Old Cybersecurity Engineer ~ Day’s Engineering Diary EP14
  
  
• Clint Marsden at DFIR Insights
  AI in the SOC: What Works, What Doesn’t, and How to Start Today
  
  
• InfoSec_Bret
  Challenge – Obfuscated JavaScript
  
  
• John Hammond
  Screenshot.jpg (When They Got Hacked)
  
  
• John Hubbard at ‘The Blueprint podcast’
  From Special Forces to Cybersecurity: Rich Greene on Communication and Persuasion in Infosec
  
  
• Magnet Forensics
  • Unlocking DFIR: Free resources for efficient triage and acquisition
  • Streamlined mobile workflows with Magnet Axiom 9.0
    
    
• Mahmoud Shaker
  • Splunk:Dashboards and Reports In Arabic
  • Ransomware case From CyberDefenders lab ( REvil ) In Arabic
    
    
• Marcus Hutchins
  NSA Says Fast Flux Is A National Security Threat, But What Is It?
  
  
• MSAB
  XAMN Pro Improved Persons
  
  
• MyDFIR
  Cybersecurity Project: Active Directory 2.0 | Intro
  
  
• Off By One Security
  A Hacker’s look at the DarkNet Marketplace (DNM) Bible: Part 1
  
  
• The Cyber Mentor
  • LIVE: Memory Forensics | Volatility | Cybersecurity | Blue Team | AMA
  • Malicious AI Chatbots Running on Cheap Hardware!
    
    
• Triskele Labs
  The AFS Licensee was accused of insufficient planning, technical safeguards, and training | TL Blue
  

MALWARE

• BI.Zone
  Sapphire Werewolf refines Amethyst stealer to attack energy companies
  
  
• CTF导航
  • VortexCrypt勒索病毒样本分析
  • Ghidra基于脚本的恶意软件分析
  • Vanhelsing勒索病毒样本分析
    
    
• CTF导航
  从UTF-16到%MÃja:~XX,1%：解剖BAT木马的混淆伎俩
  
  
• Hendrik Eckardt at cyber.wtf
  .NET Deobfuscation
  
  
• Yuval Ronen at ExtensionTotal
  Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign
  
  
• Jenna Wang at Fortinet
  Malicious NPM Packages Targeting PayPal Users
  
  
• G Data Security
  • Vidar Stealer: Revealing A New Deception Strategy
  • 100 Days of YARA: Writing Signatures for .NET Malware
    
    
• Lucija Valentić at ReversingLabs
  Atomic and Exodus crypto wallets targeted in malicious npm campaign
  
  
• Securelist
  • How ToddyCat tried to hide behind AV software
  • Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • GOFFEE continues to attack organizations in Russia
    
    
• Kayleigh Martin at Sucuri
  Fake Font Domain Used to Skim Credit Card Data
  
  
• TRAC Labs
  Autopsy of a Failed Stealer: StealC v2
  
  
• Zhassulan Zhussupov
  Malware and cryptography 41 – encrypt/decrypt payload via TEA. Simple Nim example.
  
  
• Блог Solar 4RAYS
  • Android-троян Mamont: всё ещё живой
  • Подробный технический анализ инструментария Obstinate Mogwai. Часть 1: Новая версия бэкдора KingOfHearts
    

MISCELLANEOUS

• Atola Technology
  Exploring Linux Forensics: Must-Have DFIR Resources and Training
  
  
• Brett Shavers
  • Why Acting Like Jack Reacher in DF/IR Will Land You in Court, Not on a Bestseller List
  • DF/IR was built in a garage
  • Mistake. Error. Misconduct.
    
    
• Cellebrite
  A Murder in the Bayou: How Digital Forensics Connected the Case Hundreds of Miles Away 
  
  
• Yoav Shualy at Cyberbit
  Introducing Quests: No Handholding. Just Skills. 
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 04/07/25
  
  
• DFIR Insights
  AI Prompt Engineering for Blueteamers and DFIR professionals
  
  
• Erik Hjelmvik at Netresec
  How to Install NetworkMiner in Linux
  
  
• Forensic Focus
  • Detego Global Partners With Go Heroes To Empower Veterans Entering The DFIR Space
  • Simplify Complex Mobile Data Investigations With Exterro Remote Mobile Discovery
  • Supercharge Your Techno Security Experience With MSAB’s Exclusive Pre-Conference Training
  • S21 CCTV: Revolutionising Video Review In Digital Forensics
  • Detego Global Announces Webinar Unveiling Rapid Triage & Selective Data Extraction Techniques
  • Digital Forensics Round-Up, April 09 2025
    
    
• Yumi Orito at JPCERT/CC
  ICS Security Conference 2025
  
  
• Florian Roth at Nextron Systems
  Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints
  
  
• Oxygen Forensics
  • Import via Command Line Interface: Streamlining Automation
  • Inside Oxygen Forensic Detective: Your Quick-Start Video Guide
    
    
• Salvation DATA
  10 Benefits of AFA9500 — The Key to 10X Faster Mobile Forensics in 2025
  
  
• SANS
  FOR508 Evolves as Threat Hunting Shifts In-House
  
  
• SentinelOne
  An Official Statement in Response to the April 9, 2025 Executive Order
  
  
• Studio d’Informatica Forense
  GPT custom personalizzati per digital forensics e perizie informatiche
  
  
• UnderDefense
  • What Is Cyber Threat Hunting?
  • What Is EDR (Endpoint Detection and Response)?
    
    
• WMC Global
  2025 Industry Predictions
  

SOFTWARE UPDATES

• Alexis Brignoni
  iLEAPP v2.1.2
  
  
• Berla
  iVe Software v4.11 Release
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.6.0.0
  
  
• Forensic Focus
  Announcing Exterro FTK 8.2: Revolutionizing Digital Forensics With Remote Mobile Discovery
  
  
• Gaffx
  Volatility MCP
  
  
• Google
  Timesketch 20250408
  
  
• Martin Korman
  Regipy 5.2.0
  
  
• Microsoft
  msticpy – Compatibility release – Bokeh, VirusTotal, AzureCredentials
  
  
• Nikos Mantas at Falcon Force
  dAWShund – framework to put a leash on naughty AWS permissions
  
  
• OpenCTI
  6.6.3
  
  
• Phil Harvey
  ExifTool 13.27
  
  
• Xways
  • X-Ways Forensics 21.4 SR-4
  • X-Ways Forensics 21.5 Preview 9
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!