As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • P13 Analyzing Safari Browser, Apple Mail Data and Recents Database Artifacts on macOS
  • Intrusion Analysis and Incident Response on macOS: File Quarantine, Antivirus Mechanisms, and…
  • P14 Using APOLLO for macOS investigation
    
    
• Christopher Eng at Ogmini
  • Expectations vs Reality – Digital Forensic Science Master’s Degree Part 7
  • David Cowen Sunday Funday Challenge – Browser Password Extraction Evidence
  • David Cowen Sunday Funday Challenge – Browser Password Extraction Evidence
  • David Cowen Sunday Funday Challenge – Browser Password Extraction Evidence (WebBrowserPassView)
  • Choices – MacBook Air or Google Pixel
  • David Cowen Sunday Funday Challenge – Browser Password Extraction Evidence (HackBrowserData)
  • CISSP – Practice Tests
    
    
• Chris Ray at Cyber Triage
  How to Find Evidence of Network Windows Registry
  
  
• David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  • Daily Blog #807: Sunday Funday 4/13/25
  • Daily Blog #808: Testing AWS Log latency – ConsoleLogin
  • Daily Blog #809: Testing AWS Log latency – CreateAccessKey
  • Daily Blog #810: Testing AWS Log latency – CreateUser
  • Daily Blog #811: Testing AWS Log latency – Modifying User Permissions
  • Daily Blog #812: Testing AWS Log latency – Removing Users from Groups
  • Daily Blog #813: Solution Saturday 4/19/25
    
    
• Doug Metz at Baker Street Forensics
  Mining for Mismatches: Detecting Executables Disguised as Image Files
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  C2PA and Authentication Updates
  
  
• Forensafe
  Android TeleGuard
  
  
• Kevin Pagano at Stark 4N6
  Tracking iOS App Installs and Purchase History with StoreUser DB
  
  
• malwr4n6
  Exploring macOS/iOS DFIR: Free Learning Resources
  
  
• System Weakness
  [TryHackMe Write-up] ExfilNode (Blue Team Room)
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – C2 over NTP (goMESA)
  
  
• Any.Run
  • Malware Trends Report, Q1 2025: Get Your Copy
  • How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats
    
    
• ASEC
  • APT Group Profiles – Larva-24005
  • March 2025 Deep Web and Dark Web Trends Report
    
    
• Ayelen Torello at AttackIQ
  Emulating the Stealthy StrelaStealer Malware
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2025-04-04: KongTuke activity
  • 2025-04-13: Twelve days of scans and probes and web traffic hitting my web server
    
    
• Brian Krebs at ‘Krebs on Security’
  • Trump Revenge Tour Targets Cyber Leaders, Elections
  • Funding Expires for Key Cyber Vulnerability Database
    
    
• Cado Security
  The Latest Updates to the Ultimate Guide to Incident Response in GCP
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 12 – 18 aprile
  
  
• Check Point
  • Renewed APT29 Phishing Campaign Against European Diplomats
  • Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking
  • 14th April – Threat Intelligence Report
  • Q1 2025 Global Cyber Attack Report from Check Point Software: An Almost 50% Surge in Cyber Threats Worldwide, with a Rise of 126% in Ransomware Attacks
  • PoisonSeed Campaign: New Supply Chain Phishing Attack Targets CRM and Email Providers
    
    
• Cisco’s Talos
  Year in Review: The biggest trends in ransomware
  
  
• CloudSEK
  • Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents
  • Unprotected API Leaks Confidential Data of 33,000 Employee Records—BeVigil Raises the Alarm
    
    
• Christopher Matta at Cofense
  Exploiting SMS: Threat Actors Use Social Engineering to Target Companies
  
  
• Dr. Brian Carrier at Cyber Triage
  How EDR Evasion Works: Attacker Tactics
  
  
• Cyberdom
  Inside the Microsoft Teams Attack Matrix: Unpacking the The Frontier in Collaboration Threats
  
  
• Cybereason
  From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets
  
  
• Cyble
  • DOGE “Big Balls” Ransomware and the False Connection to Edward Coristine
  • Hacktivists Target Critical Infrastructure, Move Into Ransomware
    
    
• Jovana Macakanja at Cyjax
  A new type of infected machine – New DLS emerges for anthrax14
  
  
• Matt Muir, Frederic Baguelin, Nathaniel Beckstead, Greg Foss, and Adrian Korn at Datadog Security Labs
  Datadog threat roundup: Top insights for Q1 2025
  
  
• Detect FYI
  • Advanced KQL Deep Dive: User State Change Tracking
  • Uncovering Device Activities on Wi-Fi and Hotspot Connections
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week15)
  
  
• DomainTools
  • Leveraging DomainTools for Early Detection of Russian Disinformation Operations
  • The Role of Domain and DNS Intelligence in Fighting Online Threats
    
    
• Justin Higdon at Elastic
  • Hunting with Elastic Security: Detecting command and scripting interpreter execution
  • Hunting with Elastic Security: Exfiltration over C2 channel
    
    
• Ervin Zubic
  Fast Flux: The DNS Botnet Technique Alarming National Security Agencies
  
  
• Google Cloud Security Community
  • Detecting the Execution of IngressNightmare via Security Command Center
  • Getting Started with Data Tables in Google Security Operations
    
    
• Group-IB
  Typical Dark Web Fraud: Where Scammers Operate and What They Look Like
  
  
• Huntress
  Tales of Too Many RMMs
  
  
• InfoSec Write-ups
  • Mastering C2 Redirectors: A Red & Blue Teamer’s Guide
  • “Sysmon Unleashed: Tracking and Tackling Malicious Activity on Windows”
    
    
• Bukar Alibe at INKY
  Fresh Phish: Targeted DHS Impersonations Spike Amid U.S. Deportation Surge
  
  
• Intel 471
  • Understanding and threat hunting for RMM software misuse
  • LabHost: A defunct but potent phishing service
  • Threat-hunting case study: Windows Management Instrumentation abuse
    
    
• Adam Goss at Kraven Security
  IPCE + PESTLE Analysis: Intelligence Preparation of the Cyber Environment
  
  
• Lily Hay Newman at Wired
  Black Basta: The Fallen Ransomware Gang That Lives On
  
  
• Kaushik Raj Panta at Logpoint
  Kubernetes Threat Hunting using API Server Audit Logs
  
  
• Malware-Hunter
  Nothing in Run Keys. No Tasks. No Services. But Malware Was There.
  
  
• Microsoft Security
  Threat actors misuse Node.js to deliver malware and other malicious payloads
  
  
• MISP
  • MISP reporting
  • Information sharing and cooperation enabled by GDPR
  • How MISP enables stakeholders identified by the NISD to perform key activities
  • MISP as supporting platform for sharing information, following ISO/IEC 27010:2015
    
    
• Morphisec
  • New Malware Variant Identified: ResolverRAT Enters the Maze
  • ValleyRAT Malware and the Evolving Landscape of Ransomware Threats 
    
    
• Natto Thoughts
  Wars without Gun Smoke: China Plays the Cyber Name-and-Shame Game on Taiwan and the U.S.
  
  
• NSB Cyber
  Frontline Insights – Ransomware Q1 2025 Report
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 104. Hunting for Paper Werewolf: FlashFileGrabber
  • 105. Hunting for Gremlin Wolf (OldGremlin)
  • 106. Hunting for NodeJS Abuse
  • 107. APT29 Abuses PowerPoint for Side-Loading
  • 108. IronHusky Abuses Piping Server for C&C
  • 109. Another AV/EDR Killer in a Ransomware Gang’s Toolkit: ZammOcide
    
    
• OSINT Team
  • Top 10 Threat Intelligence Tools Every Cybersecurity Professional Should Know
  • How to Integrate Threat Intelligence Tools Into Your Security Operations
  • Threat Hunting Explained: What It Is and How to Do It
    
    
• Palo Alto Networks
  • Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
  • Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
    
    
• Adithya Vellal at Petra Security
  That Android 6 Login? It Was Actually Windows 10.
  
  
• Proofpoint
  Around the World in 90 Days: State-Sponsored Actors Try ClickFix
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, February 2025 (ENG)
  
  
• Resecurity
  Cyber Threats Against Energy Sector Surge as Global Tensions Mount
  
  
• James Tytler at S-RM
  Ransomware in focus: Meet Cl0p
  
  
• SANS Internet Storm Center
  • xorsearch.py: Searching With Regexes, (Mon, Apr 14th)
  • Online Services Again Abused to Exfiltrate Data, (Tue, Apr 15th)
  • RedTail, Remnux and Malware Management [Guest Diary], (Wed, Apr 16th)
    
    
• Securelist
  • Streamlining detection engineering in security operation centers
  • IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
    
    
• Sekoia
  Interlock ransomware evolving under the radar
  
  
• Toby G at sentinel.blog
  • Part 4 – Building Resilient Defences with Microsoft Security: A Multi-layered Approach
  • Breach Defence Automation: Creating Your Hybrid Account Kill Switch with Microsoft Sentinel and Logic Apps
  • Blog Update: Reflecting on Our First 30 Days
  • Part 5 – Advanced Phishing Detection and Response with Microsoft Sentinel and the Unified SOC
    
    
• Simone Kraus
  • Awakening the West: Countering China’s Silent War on Democracy, Industry, and Truth
  • From Leipzig to Pyongyang: How Authoritarian Nostalgia Fuels Today’s Enemies
  • Modern Psychiatry Terrorism & Institutional Warfare
  • Invisible Battles, Real Scars: The Human Cost of Cyber Defense
  • CYBERGUARDIAN PROGRAM
  • The Hidden Threat Within: Criminal Influence and Apathy in Cybersecurity Companies
  • Inside Black Basta: Ransomware Resilience and Evolution After the Leak
    
    
• SOCRadar
  • Dark Web Market: STYX Market
  • Dark Web Profile: Flax Typhoon
    
    
• Sophos
  • Sophos Annual Threat Report appendix: Most frequently encountered malware and abused software
  • The Sophos Annual Threat Report: Cybercrime on Main Street 2025
    
    
• Sublime Security
  Elastic + Sublime: Adding email to your security and observability stack
  
  
• Marco A. De Felice aka amvinfe at SuspectFile
  Massive Data Breach Hits Fall River Public Schools: Over 170,000 Documents in the Hands of Cybercriminals
  
  
• Symantec Enterprise
  Billbug: Intrusion Campaign Against Southeast Asia Continues
  
  
• Alessandra Rizzo at Sysdig
  UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
  
  
• THOR Collective Dispatch
  • Simulate. Detect. Tune. Repeat
  • How Communication Shapes the Outcome of Cybersecurity Incidents
    
    
• Travis Green
  Hunting for browser extension abuse
  
  
• Trend Micro
  • BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets
  • CrazyHunter Campaign Targets Taiwanese Critical Sectors
    
    
• Pawel Knapczyk and Dawid Nesterowicz at Trustwave SpiderLabs
  • Proton66 Part 1: Mass Scanning and Exploit Campaigns
  • Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns
    
    
• Christian Ali Bravo and Tomáš Foltýn at WeLiveSecurity
  CapCut copycats are on the prowl
  

UPCOMING EVENTS

• Cellebrite
  Navigating the Evolving Landscape of Computer Forensics (Part 2)
  
  
• Gerald Auger at Simply Cyber
  Detection Engineering 101
  
  
• Magnet Forensics
  Mobile Unpacked S3:E4 // Discussing the data drop-off
  
  
• Paraben Corporation
  Paraben E3 Forensic Platform Release version 4.3
  
  
• SANS
  SANS Threat Analysis Rundown with Katie Nickels | April 2025
  

PRESENTATIONS/PODCASTS

• Hexordia
  Episode 2: Sextortion and Digital Evidence — Protecting Victims in the Digital World
  
  
• Archan Choudhury at BlackPerl
  Threat Hunting Course- Finding Outliners with ML, Data Driven Hunting
  
  
• Belkasoft
  Which Training Helps Start with Automation?
  
  
• Black Hat
  My other ClassLoader is your ClassLoader: Creating evil twin instances of a class
  
  
• Breaking Badness
  DFIRside Chat: Lessons from the Frontlines of Incident Response
  
  
• Cellebrite
  Tip Tuesday: Updated Location Cheat Sheet
  
  
• Cloud Security Podcast by Google
  EP219 Beyond the Buzzwords: Decoding Cyber Risk and Threat Actors in Asia Pacific
  
  
• Cyacomb
  Guardians for Good Podcast (Episode 3 with Jim Cole)
  
  
• Cyber Social Hub
  • Mobile Minute with Magnet Forensics Ep 1: Intro to Mobile View
  • Breaking Down Silos: Dave Ryberg on Truxton’s Unified Forensic Revolution
    
    
• InfoSec_Bret
  Challenge – VoIP
  
  
• Magnet Forensics
  • Mobile Minute Episode 9: Share evidence to Magnet Review from Axiom Process
  • AI Unpacked #1 : An introduction to AI in digital forensics
    
    
• Microsoft Threat Intelligence Podcast
  Star Blizzard Shifts Tactics to Spear-Phishing on Whatsapp
  
  
• MSAB
  XAMN Pro Project VIC
  
  
• MyDFIR
  Cybersecurity Project: Active Directory 2.0 | Part 1
  
  
• Oxygen Forensics
  Oxygen Tech Byte – Creating a “Case To-Go”
  
  
• Paraben Corporation
  Meet Zandra AI the Digital Investigators Helper
  
  
• Richard Davis at 13Cubed
  Getting Started with Fuji – The Logical Choice for Mac Imaging
  
  
• SANS
  SANS New2Cyber Summit 2025
  
  
• Security Unlocked
  From Facebook-phished to MVR Top 5 with Dhiral Patel
  
  
• The Defender’s Advantage Podcast
  Windows Remote Desktop Protocol: Remote to Rogue
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 257 – Nathan Swift
  
  
• Three Buddy Problem
  China doxxes NSA, CVE’s funding crisis, Apple’s zero-day troubles
  
  
• Triskele Labs
  The Medusa ransomware gang has targeted over 300 organisations across critical infrastructure
  
  
• Yaniv Hoffman
  Medusa The Ransomware Paralyzing Companies | With OTW
  

MALWARE

• Andrew Petrus at Andrew Petrus
  JScript to PowerShell: Breaking Down a Loader Delivering XWorm and Rhadamanthys
  
  
• Guy Korolevski at JFrog
  Malicious PyPI Package Hijacks MEXC Orders, Steals Crypto Tokens
  
  
• Nick Zolotko, Christopher Lopez, & Adam Kohler at Kandji
  PasivRobber: Chinese Spyware or Security Tool?
  
  
• Psyrun
  WannaCry Malware Reverse Engineering Step-by-Step
  
  
• Security Onion
  Quick Malware Analysis: Kongtuke Web Inject pcap from 2025-04-04
  
  
• Socket
  • Malicious npm Package Disguised as Advcash Integration Triggers Reverse Shell
  • npm Malware Targets Telegram Bot Developers with Persistent SSH Backdoors
    
    
• Sucuri
  • Ad-Jacked: Cybercriminals Inject Google Adsense into WordPress
  • When Good Software Goes Bad
    
    
• Lynn Zhou at VMRay
  Malware Obfuscation Techniques: Advanced Detection & Prevention Strategies
  
  
• Sudeep Singh at ZScaler
  • Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2
  • Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1
    
    
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Vico, Miokawa
  

MISCELLANEOUS

• Belkasoft
  • Special Offer: Annual Training Pass to all 8 Belkasoft Сourses
  • Unlocking Android Devices with Brute-Force
    
    
• Cado Security
  Incident Response: Why Preparation is the Key to Cyber Resilience
  
  
• Cellebrite
  • From Pocket to Courtroom: The Legal Significance of Mobile Data
  • 10 Best Practices for Digital Evidence Collection
    
    
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 04/14/25
  
  
• Forensic Focus
  • Reclaiming Control: Mobile Device Investigations In A Decentralized World
  • S21 LASERi-X: Transforming CSAM Investigations With Cutting-Edge Technology And Global Intelligence
  • AI Unpacked: Magnet Forensics’ New Series On AI In DFIR
  • GMDSOFT Tech Letter Vol 10. Artifact Analysis Of Google Maps Timeline
  • Digital Forensics Round-Up, April 16 2025
  • Navigating The Twists And Turns Of IP Theft Investigations
  • Preventative Vs Reactive Approaches To Mental Health In Digital Forensics
  • S21 Global Alliance Database (S21 GAD): Revolutionising CSAM Investigations With Unmatched Global Intelligence
  • Forensic Focus Digest, April 18 2025
    
    
• Magnet Forensics
  Meet the Magnet Forensics Training Team: Jay Murphy
  
  
• Nikolaos Grigoropoulos at NVISO Labs
  Crisis Management – Beacon in the Storm
  
  
• Oxygen Forensics
  Extracting Drone Data from the Cloud
  
  
• Salvation DATA
  Ensuring File Extraction Integrity with SHA and MD5 Checksum
  
  
• SANS
  Building a Better OT Ransomware Response Plan: A Simple Framework for ICS Environments
  
  
• SJDC
  Case Study: Establishing Recklessness Through Digital Forensics in a Florida Vehicular Homicide Case
  
  
• Sygnia
  What is Incident Response? Process, Plan, and Complete Guide (2025)
  
  
• Phil Muncaster at WeLiveSecurity
  Attacks on the education sector are surging: How can cyber-defenders respond?
  

SOFTWARE UPDATES

• Acquired Security
  Forensic Timeliner v1.0.0
  
  
• Autopsy
  Autopsy 4.22.1
  
  
• Crowdstrike
  Falconpy Version 1.4.9
  
  
• Didier Stevens
  Update: xorsearch.py Version 0.0.3
  
  
• Digital Sleuth
  winfor-salt v2025.5.1
  
  
• Hasherezade
  PE-Bear v0.7.0.4
  
  
• Jonathan Peters
  GitHub Backdoor Scanner
  
  
• Kevin Stokes
  Tool Fetcher
  
  
• Magnet Forensics
  Magnet Witness 1.7 unlocks investigative leads with audio support and performance improvements
  
  
• Mark Baggett
  SRUM-DUMP 3.0 Release
  
  
• OpenCTI
  6.6.6
  
  
• Rapid7
  Velociraptor v0.74.2
  
  
• Serviço de Perícias em Informática
  IPED 4.2.1
  
  
• SigmaHQ
  pySigma v0.11.21
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!