As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Adam at Hexacorn
  Minority (forensic) report aka defending forward w/o hacking back
  
  
• Akash Patel
  • Creating a Timeline for Linux Triage with fls, mactime, and Plaso (Log2Timeline)
  • Understanding Linux Service Management Systems and Persistence Mechanisms in System Compromise
  • Timestomping in Linux: Techniques, Detection, and Forensic Insights
    
    
• Belkasoft
  Skype Forensics Postmortem: Why DFIR Specialists Should Still Care
  
  
• Christopher Eng at Ogmini
  • Windows Notepad – Version Changes (11.2409.9.0)
  • macOS Forensics Books/Resources
  • Thoughts from a Developer on the Truth in Data Podcast
  • Release – Windows Notepad Parser v1.0.4
  • CISSP Practice Questions
  • Zeltser Challenge – Fourth Month Accomplishments
  • KAPE Module – Windows Notepad Parser
    
    
• Cyber Social Hub
  Native File Format: A Must for Social Media Evidence
  
  
• Chris Ray at Cyber Triage
  ShimCache and AmCache Forensic Analysis 2025
  
  
• Django Faiola at ‘Appunti di Informatica Forense’
  iOS BeReal – Photos & Friends Daily (Cache.db & EntitiesStore.sqlite)
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Hello my perverted friend
  
  
• Forensafe
  iOS GroupMe
  
  
• Cesar Quezada at Hexordia
  Digital Forensic Investigations involving Cryptocurrency Wallets Installed on Mobile Devices
  
  
• Kinga Kieczkowska
  iPhone Backup Forensics 101
  
  
• M4shl3
  Heavy USB Forensics
  
  
• Mat Fuchs
  Apples to Apples: Why macOS Forensics Can Be Easier Than Windows
  
  
• Reliance Cyber
  The Good, the bad, and the ugly of Microsoft Edge’s autofill databases
  
  
• Rebekah Brown, Marcus Michaelsen, Matt Brooks, and Siena Anstis at The Citizen Lab
  Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
  

THREAT INTELLIGENCE/HUNTING

• Abdulrehman Ali
  Wicked Panda APT Adversary Simulation
  
  
• Faan Rossouw at Active Countermeasures
  The Beginner’s Guide to Command and Control Part 2 – The Role of C2 in Modern Threat Campaigns
  
  
• Andrea Fortuna
  Digital breadcrumbs: tracking Threat Actors through Favicon hashes
  
  
• Apophis
  Blacked-E Hacking Tool and NUSO Stealer
  
  
• Arctic Wolf
  Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
  
  
• Barracuda
  • The rising threat of email attachments: Insights from Barracuda’s 2025 Email Threats Report
  • Email Threat Radar – April 2025
  • A closer look at Fog ransomware
    
    
• Shannon Mong at Binary Defense
  Analyzing LummaStealer’s FakeCAPTCHA Delivery Tactics
  
  
• Brian Krebs at ‘Krebs on Security’
  • Alleged ‘Scattered Spider’ Member Extradited to U.S.
  • xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs
    
    
• Joshua Penny and Yashraj Solanki at Bridewell
  Operation Deceptive Prospect: RomCom Targeting UK Organisations through Customer Feedback Portals
  
  
• Cado Security
  The Latest Updates to the Ultimate Guide to Incident Response in GCP
  
  
• Censys
  Scouting a Threat Actor
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 26 aprile – 2 maggio
  
  
• Chainalysis
  Organized Crime Shows High Level of Professionalization, Low Level of Crypto Sophistication
  
  
• Check Point
  28th April – Threat Intelligence Report
  
  
• Cisco’s Talos
  • IR Trends Q1 2025: Phishing soars as identity-based attacks persist
  • Year in Review: AI based threats
  • State-of-the-art phishing: MFA bypass
    
    
• Sourajeet Majumder at CloudSEK
  Inside the BWSSB Incident : How An Exposed Environment File Enabled the Sale of 290K+ Applicant Records and Database Root Access
  
  
• Cofense
  • Protecting Your Business from Vishing Threats
  • Global Manufacturing Leader Strengthens Email Security
  • Spain and Portugal Power Outages Spark a Surge in Phishing Attacks
    
    
• Christian Feuchter at Compass Security
  Introducing EntraFalcon – A Tool to Enumerate Entra ID Objects and Assignments
  
  
• Vijit Nair at Corelight
  Edge exploits, EDR blind spots, 51-second breakouts | Corelight
  
  
• Coveware
  The organizational structure of ransomware threat actor groups is evolving before our eyes
  
  
• CTF导航
  • 影聊计划：APT-C-56（透明部落）组织使用新恶意软件进行持久攻击
  • GhidraMCP搭建及核心源码阅读
    
    
• Cyb3rhawk
  Xworm — Defence Evasion and Persistence
  
  
• Cyberknow
  Ongoing Mygov Email Phishing Campaign
  
  
• Cyfirma
  Weekly Intelligence Report – 02 May 2025
  
  
• Darktrace
  • MFA Under Attack: AiTM Phishing Kits Abusing Legitimate Services
  • SocGholish: From loader and C2 activity to RansomHub deployment
    
    
• Detect FYI
  • Can We Stop Documenting Our Detections?
  • Practical Cyber Deception —  Introduction to “Chaotic Good”
  • The Detection Opportunity Cost
    
    
• DeTTECT
  v2.1.0
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week17)
  
  
• Paul Ewing and Jonhnathan Ribeiro at Elastic
  Threat hunting in Elastic with JOINs!
  
  
• Erik Hjelmvik at Netresec
  Decoding njRAT traffic with NetworkMiner
  
  
• Forescout
  The State of State-Sponsored Hacktivist Attacks
  
  
• Fortinet
  • Key Takeaways from the 2025 Global Threat Landscape Report
  • FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure
    
    
• Google Cloud Security Community
  • Google SecOps: Elevate Your Threat Detection Capabilities with Composite Detections
  • Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations
  • New to Google SecOps: Composite Rule Fundamentals
  • From Clicks to Code: Automating Your SecOps Workflow with the Google SecOps SDK and CLI
    
    
• Casey Charrier, James Sadowski, Clement Lecigne, and Vlad Stolyarov at Google Cloud Threat Intelligence
  Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  
  
• Group-IB
  Ransomware debris: an analysis of the RansomHub operation
  
  
• IC3
  Phishing Domains Associated with LabHost PhaaS Platform Users
  
  
• Darby Wise, Piotr Glaska, and Laura da Rocha at Infoblox
  Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams
  
  
• Ruben Madar at Intrinsec
  IP cluster linking ransomware activity and Eye Pyramid C2
  
  
• Kevin Beaumont at DoublePulsar
  • DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Big Game Ransomware: the myths experts tell board members
    
    
• Kijo Ninja
  DLL injection fundamental — Part1
  
  
• Adam Goss at Kraven Security
  How to Build a Cyber Threat Intelligence Collection Plan
  
  
• Ryan Hicks at Kroll
  The Rapid Evolution of CLEARFAKE Delivery
  
  
• Chris Conrad at Netscout
  Botnets and Familiar Foes Drive DDoS Attack Activity
  
  
• Nextron Systems
  • Active Exploitation of SAP NetWeaver Systems — Our Recommendation for Local Scans
  • Nitrogen Dropping Cobalt Strike – A Combination of “Chemical Elements”
  • YARA Forge Rule Sets Now Available in THOR Cloud and THOR Cloud Lite
    
    
• Nisos
  Assessment of DPRK IT Worker Tradecraft | Nisos Research 2025
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 117. Hunting for Malicious IP Lookups
  • 118. YDArk: Another Tool in a Ransomware Affiliate’s Arsenal
  • 119. RustDesk: An RMM You May Not Heard About
  • 121. Detecting Earth Kasha’s ROAMINGMOUSE
  • 120. IOX: A Port Forwarding Tool You Don’t See Very Often
  • 122. APT36 Abuses PowerPoint PPAM Files to Deliver Crimson RAT
  • 123. Hunting for Golden Chickens’ New Malware
  • 124. That’s How Adversaries Abuse PowerShell for Timestomping
    
    
• Outpost24
  Threat Context monthly, April 2025: EncryptHub & Media Land leak
  
  
• Adithya Vellal at Petra Security
  New Data Center Observed in Widespread AitM Attack Campaign
  
  
• Plainbit
  구글 광고 스크립트 삽입 공격 사례: 당신의 웹 사이트, 누군가 돈을 버는 수단으로 활용하고 있다면?
  
  
• Heloise Montini at Porthas
  How Does Ransomware Spread: 12 Common Infection Methods
  
  
• John Stawinski at Praetorian
  Agent of Chaos: Hijacking NodeJS’s Jenkins Agents
  
  
• Proofpoint
  Security Brief: French BEC Threat Actor Targets Property Payments
  
  
• Christiaan Beek at Rapid7
  Why is Ransomware Still a Thing in 2025?
  
  
• Recorded Future
  • Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting
  • TerraStealerV2 and TerraLogger: Golden Chickens’ New Malware Families Discovered
    
    
• Red Canary
  Critical vulnerability in SAP NetWeaver enables malicious file uploads
  
  
• SANS
  • SANS Threat Analysis Rundown in Review: Breaking Down April 2025’s Discussion
  • Inside RSAC 2025: The Five Emerging Attack Techniques That Demand Your Attention
    
    
• SANS Internet Storm Center
  • SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics, (Sun, Apr 27th)
  • Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • More Scans for SMS Gateways and APIs, (Tue, Apr 29th)
  • Steganography Analysis With pngdump.py: Bitstreams, (Thu, May 1st)
  • Steganography Challenge, (Sat, May 3rd)
    
    
• Sansec
  Backdoor found in popular ecommerce components
  
  
• Cristian Souza, Ashley Muñoz, Eduardo Ovalle at Securelist
  Outlaw cybergang attacking targets worldwide
  
  
• Thomas Roccia at SecurityBreak
  Why Prompts Are the New IOCs You Didn’t See Coming!
  
  
• Toby G at sentinel.blog
  • Part 6 – Beyond Passwords: Strengthening Security with Zero Trust and Phishing-Resistant Authentication
  • Part 1 – Modularising Logic Apps: Building Reusable Cloud Automation Solutions
    
    
• SentinelOne
  • Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries
  • DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
    
    
• Simone Kraus
  • Exposing the Weaponization of Psychiatry and Disinformation Against Democratic Security Experts in…
  • “Algorithmic Obedience: The Chinese Social Credit System in Baden-Württemberg”
  • “Digital Chains: The Covert Implementation of China’s Social Credit System in German Education”
    
    
• SOC Fortress
  ️ Smarter Detections: Creating SIGMA Exclusion Rules in CoPilot for Velociraptor Alerts
  
  
• Socket
  NPM targeted by malware campaign mimicking familiar library names
  
  
• SOCRadar
  • Global Ransomware Chronicles: Key Trends for Professionals
  • Major Cyber Attacks in Review: March 2025 
    
    
• Gabor Szappanos at Sophos
  Finding Minhook in a sideloading attack – and Sweden too
  
  
• Splunk
  Cloak and Firewall: Exposing Netsh’s Hidden Command Tricks
  
  
• Sublime Security
  • Key findings from the Q1 2025 Sublime Email Threat Research Report
  • Figma abuse from compromised vendor used in credential theft attack
    
    
• The DFIR Report
  Navigating Through The Fog
  
  
• Third Eye intelligence
  IntelScope Pyramid: Connecting the Dots Between Threats and Strategy
  
  
• THOR Collective Dispatch
  • Z-Scoring Your Way to Better Threat Detection
  • Dispatch Debrief: April 2025
  • Ask-a-Thrunter: The Recap Is Here 🐏
    
    
• Hara Hiroaki at Trend Micro
  Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan
  
  
• Sina Kheirkhah at watchTowr Labs
  SonicBoom, From Stolen Tokens to Remote Shells – SonicWall SMA100 (CVE-2023-44221, CVE-2024-38475)
  
  
• Andy Gill at ZephrSec
  Common Tool Errors – Kerberos
  
  
• Rikvduijn at Zolder
  AiTM for WHFB persistence
  
  
• ZScaler
  I StealC You: Tracking the Rapid Changes To StealC
  
  
• Genians
  BPFDoor 리눅스 악성파일 분석 보고서
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-05-05 #livestream #infosec #infosecnews
  
  
• Cellebrite
  Cellebrite Inseyets: Latest Updates and Capabilities Tips & Tricks (June)
  
  
• Gerald Auger at Simply Cyber
  The Ultimate Guide to Detection as Code and Blue Team Tactics with David French | S3 E5
  
  
• Huntress
  Tradecraft Tuesday | Infostealers: A Crash Course
  
  
• Magnet Forensics
  • More than meets the eye: AI-driven media analysis with Magnet Griffeye & T3K.AI
  • Customer story: driving efficiency with SaaS-based forensics in Magnet Nexus
    
    
• Silent Push
  Workshop – Beginner’s Guide to Threat Hunting With Silent Push
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP4: Beyond the GUI: Mastering Forensics with Open Source and Code
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast – S2 E11
  
  
• Anuj Soni
  Shellcode Analysis: Strings, Deobfuscation & YARA (Malware Analysis & Reverse Engineering)
  
  
• BlueMonkey 4n6
  Mounting Bitlockered Drive Images – opening an E01 of a Bitlockered volume in Windows
  
  
• Breaking Badness
  Inside Morphing Meerkat and Proton66: How Cybercrime Is Getting Easier
  
  
• Cellebrite
  Tip Tuesday: Hex Searching Explained
  
  
• Cloud Security Podcast by Google
  EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends
  
  
• Cyber Social Hub
  • Live From IACIS with Matt Danner
  • Live from IACIS in Orlando FL
    
    
• Huntress
  • Stealthware: The Rise of Malicious OAuth Apps in Microsoft 365
  • Traitorware: How Hackers Abuse Legitimate Apps to Hijack Microsoft 365
    
    
• InfoSec_Bret
  Challenge – Windows Registry
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Virut, a polymorphic file infector
  
  
• Microsoft Threat Intelligence Podcast
  Inside THOR Collective, a Dispersed Team Delivering Open-Source Research
  
  
• MSAB
  • XRY Device Overview
  • Forensic Fix Episode 20
    
    
• MyDFIR
  Cybersecurity Project: Active Directory 2.0 | Part 3
  
  
• Nuix
  NUIX NEO WALK THROUGH
  
  
• SANS Cloud Security
  Backdooring AI Models with Ahmed Abugharbia | SANS Webcast
  
  
• The DFIR Journal
  Puzzle Pieces: RDP Bitmap Cache
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 259 – Rick Kotlarz
  
  
• The Weekly Purple Team
  8 Ways to Attack & Detect Lateral Movement – Rapid Fire Edition
  
  
• Three Buddy Problem
  Signalgate redux, OpenAI’s Aardvark, normalizing cyber offense
  
  
• Triskele Labs
  RansomHub implodes, DragonForce moves in.
  
  
• Uriel Kosayev
  Nmap & NBTscan – SOC Analyst Professional – Foundations Course
  
  
• Yaniv Hoffman
  Hijacked in Seconds: How Hackers Steal Your Online Sessions
  

MALWARE

• Alina Markova at Any.Run
  Pentagon Stealer: Go and Python Malware with Crypto Theft Capabilities 
  
  
• ASEC
  XLoader Info-stealer Distributed Using MS Equation Editor Vulnerability (CVE-2017-11882)
  
  
• Dr Josh Stroschein
  What Are Relocations? Exploring the Relocation Table
  
  
• Pranay Kumar Chhaparwal and Benjamin Chang at Palo Alto Networks
  Gremlin Stealer: New Stealer on Sale in Underground Forum
  
  
• Benjamin Adolphi at Promon
  Promon discovers FjordPhantom, Android banking malware
  
  
• S2W Lab
  Detailed Analysis of BPFDoor targeting South Korean Company
  
  
• Trustwave SpiderLabs
  • Yet Another NodeJS Backdoor (YaNB): A Modern Challenge
  • A Deep-Rooted Infestation: How the ILOVEYOU Bug Continues its Legacy in Modern Worms
    
    
• Facundo Muñoz at WeLiveSecurity
  TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
  
  
• Marco Wotschka at Wordfence
  Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin
  
  
• Zhassulan Zhussupov
  Malware development trick 46: simple Windows keylogger. Simple C example.
  

MISCELLANEOUS

• Brett Shavers
  Your Mood Is Murdering Your DF/IR Investigation and You Don’t Even Know It
  
  
• Cado Security
  • The Fourth Phase of the Incident Response Lifecycle: Eradication
  • Incident Response: Recovery
  • The Final Phase of the Incident Response Lifecycle: Lessons Learned
    
    
• Cellebrite
  • Crime Has No Borders: Breaking Language Barriers with Translation Automation
  • 8 Ways to Accelerate your Digital Investigations 
    
    
• Shail Yadav at Cyjax
  A Brief History of Threat Intelligence: How We Got Here 
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 04/28/25
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  Bellingcat Challenge – April 2025
  
  
• Forensic Focus
  • Oxygen Forensics Launches ‘Tech Bytes’ Webinar Series
  • After Europol’s Record CSAM Takedown: Who Protects The Investigators?
  • The Growing Role Of Mobile Data In Legal Proceedings
  • Semantics 21 Introduces The World’s First Offline School Badge Lookup Tool
  • Passware Kit Mobile 2025v2 Accelerates MediaTek Decryption And Displays MD5 As Integrity Proof
  • Digital Forensics Round-Up, April 30 2025
  • Texplained To Present ChipJuice At Techno Security & Digital Forensics Conference 2025
  • Forensic Focus Digest, May 02 2025
    
    
• Huntress
  • The 36 Most Common Cyberattacks [2025] | Huntress
  • Applying Criminal Justice Principles to Detection Engineering
    
    
• Magnet Forensics
  Reducing enterprise costs with SaaS-based digital forensics solutions 
  
  
• Oxygen Forensics
  • Discover What Makes Oxygen Cloud Extractor the Industry’s Best
  • How to Import and Analyze Google Takeout-Type User Account Data
  • For the love of logging
    
    
• Salvation DATA
  How VIP2.0 Enhances Multi-Channel Video Investigation
  
  
• Siddhant Mishra
  • Why Red-Teaming Your Own Detection Rules is the Best Career Lesson
  • Starting the Journey: Why Detection Engineering Needs to Evolve Beyond the Basics
    
    
• Sygnia
  ​​11 Incident Response Best Practices For Foolproof Organizations in 2025
  
  
• Patrick Siewert at ‘The Philosophy of DFIR’
  Due Diligence In The Search For & Practice of Digital Forensics
  

SOFTWARE UPDATES

• Acquired Security
  Forensic Timeliner v2.0.0
  
  
• Amped
  Amped Authenticate Update 37236: Coding Tree Units Filter, RIFF Viewer, Extended Deepfake Detection, and More!
  
  
• Andrew Rathbun
  KAPE-EZToolsAncillaryUpdater 4.4
  
  
• Canadian Centre for Cyber Security
  Assemblyline 4.6.0.1
  
  
• Crowdstrike
  Falconpy Version 1.5.0
  
  
• Didier Stevens
  • Update: oledump.py Version 0.0.80
  • Update: pdf-parser.py Version 0.7.2
  • Update: re-search.py Version 0.0.23
  • Update: xorsearch.py Version 0.0.5
    
    
• Digital Sleuth
  winfor-salt v2025.5.4
  
  
• Doug Metz at Baker Street Forensics
  MalChela v2.1 Released: Smoother Workflows, Easier Tool Integration
  
  
• Elcomsoft
  What’s New in Elcomsoft System Recovery 8.34: More Data, Faster Imaging, BitLocker Key Extraction
  
  
• Erki Suurjaak
  Skyperious v5.9
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.1.423.1108
  
  
• OpenCTI
  6.6.9
  
  
• Passmark Software
  OSForensics – V11.1 build 1006 29th April 2025
  
  
• Passware
  Passware Kit Mobile 2025 v2 Now Available
  
  
• Rizin Organization
  cutter 2.4.0-rc1
  
  
• Xways
  X-Ways Forensics 21.5 Beta 2b
  
  
• Phil Harvey
  ExifTool 13.29
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!