As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
  - Understanding Rootkits: The Ultimate Cybersecurity Nightmare and Direct Kernel Object Manipulation
  - Understanding Userland Hooks and Rootkits in Real-World Investigations
  - Extracting Memory Objects with MemProcFS/Volatility3/Bstrings: A Practical Guide
  - Disk Imaging (Part 1): Memory Acquisition & Encryption Checking
  - Digital Forensics (Part 2): The Importance of Rapid Triage Collection — Kape vs FTK Imager
- Amped
- Belkasoft
  - Windows Event Log Forensics: Techniques, Tools, and Use Cases
- Cellebrite
  - The Growing Role of Mobile Data in Legal Proceedings
- Christian Peter
  - Logs in a Sysdiagnose – It’s about time…
- Christopher Eng at Ogmini
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  - Daily Blog #815: I missed a day
- Forensafe
  - iOS Google Meet
- Magnet Forensics
- Mat Fuchs
  - The Impact of Microsoft’s ReFS on DFIR
- Nasreddine Bencherchali
  - Eventlog Compendium
- Nicolas Bourras at Orange Cyberdefense
  - Investigating an in-the-wild campaign using RCE in CraftCMS
THREAT INTELLIGENCE/HUNTING
- Andrew Petrus
  - Stego-Campaign delivers AsyncRAT
- Arctic Wolf
  - Ransomware Without the Ransom
- ASEC
- Francis Guibernau at AttackIQ
  - Emulating the Hellish Helldown Ransomware
- Brian Krebs at ‘Krebs on Security’
- CERT-AGID
  - PagoPA-themed phishing campaigns – fake traffic fines (Campagne di Phishing a tema PagoPA – false sanzioni stradali)
- CH. Nesrine
  - Hunting Scheduled Tasks
- Check Point
- Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White at Cisco’s Talos
  - Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
- Cofense
  - Thinking of Smishing Your Employees? Think Twice.
- Cyb3rhawk
  - Lumma Stealer — Threat Hunting and Infrastructure Analysis
- Cyfirma
  - Weekly Intelligence Report – 25 Apr 2025
- Andrea Draghetti at D3Lab
  - SuperCard X: the new scam hitting Italian users (SuperCard X: la nuova truffa che colpisce gli utenti italiani)
- Dark Atlas
  - Akira Ransomware Road To Glory
- Darktrace
  - Obfuscation Overdrive: Next-Gen Cryptojacking with Layers
- Detect FYI
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 16)
- DomainTools
- Dr. Web
  - Android spyware trojan targets Russian military personnel who use Alpine Quest mapping software
- Elastic Security Labs
  - Now available: the 2025 State of Detection Engineering at Elastic
- Esentire
- FBI
  - Internet Crime Report 2024
- FIRST
  - Black Basta Ransomware Leak: Key Findings and Insights
- Flashpoint
- Forensicfossil
  - Detecting Persistence with Open Source Tools
- Google Cloud Threat Intelligence
  - M-Trends 2025: Data, Insights, and Recommendations From the Frontlines
- Noah Stone at GreyNoise
  - 9X Surge in Ivanti Connect Secure Scanning Activity
- Group-IB
  - Toll of Deception: Where Evasion Drives Phishing Forward
- Alon Gal at Hudson Rock
  - Stealing the Future: Infostealers Power Cybercrime in 2025
- Hunt IO
  - Track APT34-Like Infrastructure Before It Strikes
- Huntress
- InfoSec Write-ups
- Yuval Guri at Intezer
  - Emerging Phishing Techniques: New Threats and Attack Vectors
- Jon DiMaggio at Analyst1
  - The Art of Attribution – A Ransomware Use-Case
- Kevin Beaumont at DoublePulsar
- Adam Goss at Kraven Security
  - How to Prioritize Customer Needs: Priority Intelligence Requirements
- Danny Bradbury at Malwarebytes
  - Zoom attack tricks victims into allowing remote access to install malware and steal money
- Microsoft Security
  - Understanding the threat landscape for Kubernetes and containerized assets
- MikeCyberSec
- Mitiga
- MITRE ATT&CK
  - ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures
- Michael Gorelik at Morphisec
  - ELENOR-corp Ransomware: A New Mimic Ransomware Variant Attacking the Healthcare Sector
- Muhammad Nameer
  - Proactive Threat Hunting for Persistence: Startup Folder Abuse in Windows Environments
- Navneet
  - A Deep Dive Into a Multi-Stage Malware Campaign Potentially Linked to DPRK’s Konni Group
- Oleg Skulkin at ‘Know Your Adversary’
  - 112. State-Sponsored Threat Actors Adopted ClickFix Technique
  - 113. Adversaries Abuse Trend Micro and Bitdefender to Load Malicious DLLs
  - 114. Adversaries Abuse Magnet RAM Capture to Extract Credentials
  - 115. Here’s How Threat Actors Abuse PowerShell for Reconnaissance and Credentials Access
  - 116. That’s How Earth Kurma Abuses PowerShell for Data Collection
- Palo Alto Networks
- Adithya Vellal at Petra Security
  - Compromised, then Weaponized: Anatomy of a OneDrive Phishing Campaign
- Porthas
  - Breaking the B0 ransomware: Investigation & Decryption
- Alexander Badaev and Elena Furashova at Positive Technologies
  - Crypters And Tools. Part 2: Different Paws — Same Tangle
- ptwistedworld
  - HRSword: EDR Killer
- Luke Rusten at Recon Infosec
  - Detecting Fake CAPTCHA Campaigns: ClickFix, ClearFake, and Etherhide
- Recorded Future
  - The Massive, Hidden Infrastructure Enabling Big Game Hunting at Scale
- Red Canary
- Red Piranha
  - Qilin Ransomware: All You Need To Know
- Rob Harrand
- Melissa DeOrio and Jack Hay at S-RM
  - Ransomware in Focus: Meet IMN Crew
- SANS Internet Storm Center
  - It’s 2025… so why are obviously malicious advertising URLs still going strong?, (Mon, Apr 21st)
  - xorsearch.py: “Ad Hoc YARA Rules”, (Tue, Apr 22nd)
  - Honeypot Iptables Maintenance and DShield-SIEM Logging, (Wed, Apr 23rd)
  - Example of a Payload Delivered Through Steganography, (Fri, Apr 25th)
  - Attacks against Teltonika Networks SMS Gateways, (Thu, Apr 24th)
  - Steganography Analysis With pngdump.py, (Sat, Apr 26th)
- Securelist
- Nitish Singh and Nikhil Kumar Chadha at Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – March 2025
- Sekoia
  - Detecting Multi-Stage Infection Chains Madness
- Silent Push
  - Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
- Kirill Boychenko at Socket
  - The Bad Seeds: Malicious npm and PyPI Packages Pose as Developer Tools to Steal Wallet Credentials
- SOCRadar
  - Dark Web Market: WeTheNorth Market
- Michael Clark at Sysdig
  - Detecting and Mitigating io_uring Abuse for Malware Evasion
- System Weakness
  - [LetsDefend Write-up] Obfuscated JavaScript (Network Drive mapping to MSI installation)
  - Malicious Packages in NPM and PyPI: How Typosquatting Threatens Developers
  - Inside the Mind of an Attacker: How APTs Plan and Execute Targeted Attacks
  - Packet Analysis using Wireshark
  - Beyond the Surface Web: Understanding Tor’s Architecture Through a Practical Onion Service…
  - [HTB Sherlocks Write-up] Heartbreaker-Denouement (Web Attack to data exfiltration on AWS)
  - [LetsDefend Write-up] NTFS Forensics (Parsing Master File Table to discover keylogger)
- Clément Notin at Tenable
  - Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse
- Keith Hoodlet at Trail of Bits
  - How MCP servers can steal your conversation history
- THOR Collective Dispatch
- Mohideen Abdul Khader at Trellix
  - Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation
- Truesec
  - Sophisticated Chinese Cyber Espionage Actor
- Megan Nilsen at TrustedSec
  - The Necessity of Active Testing – Detection Edition
- Tom Neaves at Trustwave SpiderLabs
  - Agent In the Middle – Abusing Agent Cards in the Agent-2-Agent (A2A) Protocol To ‘Win’ All the Tasks
- Lucie Cardiet and Renaud Leroy at Vectra AI
  - How Attackers Use Shodan & FOFA by Lucie Cardiet
- Verizon
  - Verizon’s 2025 Data Breach Investigations Report: Alarming surge in cyberattacks through third-parties
- Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster at Volexity
  - Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
- Phil Muncaster at WeLiveSecurity
  - How fraudsters abuse Google Forms to spread scams
- Deepen Desai, Rohit Hegde, and Diana Shtil at ZScaler
  - Beyond the Inbox: ThreatLabz 2025 Phishing Report Reveals How Phishing Is Evolving in the Age of GenAI
- Solar 4RAYS Blog (Блог Solar 4RAYS)
UPCOMING EVENTS
- Behind the Binary by Google Cloud Security
  - EP08 Roman Hussy – Inside AbuseCH: A Community’s Fight Against Malware
- Belkasoft
  - Powershell or CMD: What to Use in Windows?
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2025-04-28 #livestream #infosec #infosecnews
- Gerald Auger at Simply Cyber
  - Breaking Barriers in Cybersecurity with Eddie Miro | S3 E4
- Magnet Forensics
  - Executive update from MUS 2025: The investigative edge
- Silent Push
  - Webinar – Smishing Triad: Tracking Scammers’ Global Infrastructure Back Home
PRESENTATIONS/PODCASTS
- Hexordia
  - Ep 3: Frontline Digital Forensics – How On-Scene Collections Affect the Exam
- Black Hat
  - Defending off the land: Agentless defenses available today
- Breaking Badness
  - DFIR Foundations: Real-World Lessons in Containment, Eradication, and Recovery
- Cellebrite
- Hazel Burton at Cisco’s Talos
  - Year in Review: Attacks on identity and MFA
- Gerald Auger at Simply Cyber
  - State of Simply Cyber Q2 2025
- Huntress
- InfoSec_Bret
  - Challenge – Threat Hunting with Splunk
- Lesley Carhart
  - Interview with Safety Detectives
- Magnet Forensics
  - Mobile Unpacked S3:E4 // Discussing the data drop-off
- MyDFIR
  - Cybersecurity Project: Active Directory 2.0 | Part 2
- Off By One Security
  - An OpSec look at the DarkNet Dark Web Marketplace DNM Bible Part 2
- SANS
- The Cyber Mentor
  - LIVE: PowerShell Deobfuscation | Cybersecurity | Blue Team | AMA
- The Microsoft Security Insights Show
  - Join the MSI Show team for the Kusto Detective Agency – Call of the Cyber Duty
- The Weekly Purple Team
  - 🔍 Inside CVE-2025-24054: Purple Team Attack Breakdown
- Threatscape
  - How Microsoft DART Handles Real-World Breaches
- Three Buddy Problem
  - Tom Rid joins the show: AI consciousness, TP-Link’s China connection, trust in hardware security
- Triskele Labs
  - TL Blue | Episode 16
MALWARE
- Mauro Eldritch at Any.Run
  - PE32 Ransomware: A New Telegram-Based Threat on the Rise
- Jarosław Jedynak at CERT Polska
  - Deobfuscation techniques: Peephole deobfuscation
- Doug Metz at Baker Street Forensics
  - MalChela GUI: Visualizing Malware Analysis with Ease
- Yuval Ronen at ExtensionTotal
  - Trust Me, I’m Local: Chrome Extensions, MCP, and the Sandbox Escape
- Fortinet
- Harfanglab
  - Inside Gamaredon’s PteroLNK: Dead Drop Resolvers and evasive Infrastructure
- Yuma Masubuchi at JPCERT/CC
  - DslogdRAT Malware Installed in Ivanti Connect Secure
- OSINT Team
  - Reverse Engineering Malware: Cracking the Code of Digital Predators
- Ben Martin at Sucuri
  - Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack
- Trend Micro
MISCELLANEOUS
- Brett Shavers at DFIR.Training
  - Too Much Noise in DF/IR
- Cado Security
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 04/21/25
- Forensic Focus
- Lesley Carhart
  - I Had Some Adventures with Alice and Bob (Podcast)! Also, what’s next for Auntie Lesley?
- Nextron Systems
  - End of Life Announcement for THOR Version 10.6
- OSINT Team
  - Blue Team Resources — Cybersecurity Toolkit 2025
- Oxygen Forensics
  - Decryption of DJI Avata Drone Flight Logs
- Paraben Corporation
  - The new Zandra AI: Revolutionizing Digital Forensics and Incident Response
- RSquad Academy
  - DFIR vs. Incident Response: Understand the Difference and Prepare Your Company for the Next Attack (DFIR x Resposta a Incidentes: Entenda a Diferença e Prepare Sua Empresa para o Próximo Ataque)
- SANS
- Security Onion
  - Upcoming Change to Elasticsearch Index Management for Multi-Node Deployments
- Thomas Roccia at SecurityBreak
  - Protect Your AI System with NOVA MCP
- Sygnia
- Solar 4RAYS Blog (Блог Solar 4RAYS)
  - Let’s still get it done before the May holidays: what sysadmins and infosec specialists must do so the “long” weekend is not spoiled by cyberattacks (Давайте всё же до майских: что сисадмины и ИБ-специалисты должны сделать, чтобы “длинные” выходные не омрачились кибератаками)
SOFTWARE UPDATES
- Alexis Brignoni
- Didier Stevens
- Digital Sleuth
  - winfor-salt v2025.5.2
- Hasherezade
  - PE-Bear v0.7.1
- IsoBuster
  - IsoBuster 5.6 beta released
- OpenCTI
  - 6.6.8
- Paraben Corporation
  - Enhances E3 Forensic Platform with Advanced Data Import and Android Analysis Capabilities
- Phil Harvey
  - ExifTool 13.28
- Sandfly Security
  - Sandfly 5.4 – Cisco and Juniper Network Device Support
- Serviço de Perícias em Informática
  - IPED 4.2.2
- Truxton
  - Truxton 4.3.1.50421
- C.Peter
  - UFADE 0.9.9
- Xways
  - X-Ways Forensics 21.5 Beta 1
- Yamato Security
  - suzaku v0.1.1 – AlphaOne Release-2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!