As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Linux File System Analysis and Linux File Recovery: EXT2/3/4 Techniques Using Debugfs, Ext4magic &…
  • Understanding Linux: Kernel Logs, Syslogs, Authentication Logs, and User Management
    
    
• Alexander Fehrmann at Amped
  Forensic Shoeprint Documentation and Analysis with Amped FIVE
  
  
• Atola Technology
  Tips for Finding Evidence on Linux File Systems & Storage Devices
  
  
• Christopher Eng at Ogmini
  • Revisiting ShimCache/AmCache
  • Microsoft Edge – AutoFill Database
  • Researching RDCMan
  • Researching RDCMan – Part 2
  • RDCMan – Kape Target
  • Researching RDCMan – Part 3
  • Volatility – Plugin?
    
    
• Elcomsoft
  Forensic Implications of BitLocker-by-Default in Windows 11 24H2
  
  
• Erik Hjelmvik at Netresec
  Comparison of tools that extract files from PCAP
  
  
• Forensafe
  iOS Reddit
  
  
• Jason Yung
  What are you doing under your WSL?
  
  
• Lionel Notari
  iOS Unified Logs: The Myth of 30 Days Retention – Analysis of TTLs and log stats Command
  
  
• Mat Fuchs
  Linux Forensics is Harder than Windows (Here’s Why)
  
  
• Silver-cpu
  Obsidian.md-1.8.4-Privacy-Forensic-Analysis
  

THREAT INTELLIGENCE/HUNTING

• Adan Alvarez
  TrailAlerts: Take Control of Cloud Detection in AWS
  
  
• Kyle Lefton at Akamai
  Here Comes Mirai: IoT Devices RSVP to Active Exploitation
  
  
• Francis Guibernau at AttackIQ
  Emulating the Infestive Termite Ransomware
  
  
• Eric Russo at Barracuda
  SOC Threat Radar — May 2025
  
  
• Bogdan Botezatu at Bitdefender
  Inside the Ransomware Supply Chain: The Role of Initial Access Brokers in Modern Attacks
  
  
• Brian Krebs at ‘Krebs on Security’
  Pakistani Firm Shipped Fentanyl Analogs, Scams to US
  
  
• BushidoToken
  Ransomware Tool Matrix Project Updates: May 2025
  
  
• CERT-AGID
  • Nuova campagna MintsLoader diffonde il malware Stealc attraverso caselle PEC compromesse
  • Campagna di phishing SPID tramite falso dominio AgID
  • Sintesi riepilogativa delle campagne malevole nella settimana del 3 – 9 maggio
    
    
• Check Point
  • 5th May – Threat Intelligence Report
  • Inferno Drainer Reloaded: Deep Dive into the Return of the Most Sophisticated Crypto Drainer
  • DragonForce Ransomware: Redefining Hybrid Extortion in 2025
  • April 2025 Malware Spotlight: FakeUpdates Dominates as Multi-Stage Campaigns Blend Commodity Malware with Stealth
  • Authentication Breach Alert: OAuth Flaw Enables “Perfect Phishing” Campaign
    
    
• Cisco’s Talos
  • Proactive threat hunting with Talos IR
  • Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
    
    
• Jacob Malimban at Cofense
  Using Blob URLs to Bypass SEGs and Evade Analysis
  
  
• Cyble
  • Ransomware Attacks April 2025: Qilin Emerges from Chaos 
  • India Experiences Surge in Hacktivist Group Activity Amid Military Tensions
    
    
• Cyfirma
  Weekly Intelligence Report – 09 May 2025
  
  
• Andrea Draghetti at D3Lab
  Cresce il Phishing ai danni di Binance: analisi di una campagna ben congegnata
  
  
• Dark Atlas
  LockBit Ransomware: From Cybercriminal Glory to a Critical OPSEC Failure
  
  
• Matt Muir and Frederic Baguelin at Datadog Security Labs
  RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale
  
  
• Detect FYI
  • Detection Engineering Lifecycle: An Integrated Approach to Threat Detection and Response
  • A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure
  • Detection Response by tracing File Lineage with KQL Queries
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week18)
  
  
• Elastic Security Labs
  Bit ByBit – emulation of the DPRK’s largest cryptocurrency heist
  
  
• Esentire
  Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One
  
  
• Flashpoint
  • The Top Threat Actor Groups Targeting the Financial Sector
  • Operation PowerOFF: Law Enforcement Seizes 9 DDoS-for-Hire Webpages as Part of Global Crackdown
    
    
• Sai Molige and Luca Barba at Forescout
  Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor
  
  
• Google Cloud Security Community
  Actionable threat hunting with Google Threat Intelligence (I) – Hunting malicious desktop files
  
  
• Google Cloud Threat Intelligence
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
  • COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs
    
    
• Noah Stone at GreyNoise
  Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches
  
  
• Jean-Pierre Mouton, Gabe Renfro, and Lee Kirkpatrick at GuidePoint Security
  Interesting Interlock Intrusion: How Interlock Achieves Encryption
  
  
• Hunt IO
  • Unmasking Proxy Infrastructure: How to Detect IOX, FRP, Rakshasa Proxies with Hunt.io
  • APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux
    
    
• Huntress
  • Do Tigers Really Change Their Stripes?
  • Utilizing ASNs for Hunting & Response
    
    
• IC3
  Cyber Criminal Services Target End-of-Life Routers to Launch Attacks and Hide Their Activities
  
  
• Infoblox
  Telegram Tango: Dancing with a Scammer
  
  
• Invictus Incident Response
  Cloud Incident Readiness: Critical infrastructure for cloud incident response
  
  
• Kasada
  • Q1 2025 Quarterly Threat Report
  • Kasada’s Q1 2025 Threat Intel Report Uncovers ALTSRUS “Reverse Robin Hood” Fraud Syndicate
    
    
• Kijo Ninja
  DLL injection fundamental — Part2
  
  
• Bert-Jan Pals at KQL Query
  Investigating ClickFix Incidents
  
  
• Adam Goss at Kraven Security
  Threat Profiling 101: How to Create a Threat Profile
  
  
• Anish Bogati at Logpoint
  Tricked by trust: How OAuth and device code flows get abused
  
  
• Lumen
  Classic Rock: Hunting a Botnet that preys on the Old
  
  
• Mitiga
  • No One Mourns the Wicked: Your Guide to a Successful Salesforce Threat Hunt
  • Hackers in Aisle 5: What DragonForce Taught Us About Zero Trust
    
    
• Mohammad Al-Aqeel(AlJawarneh)
  Maturities modules for Cyber Threat Intelligence Program
  
  
• Shmuel Uzan at Morphisec
  New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 125. Hunting for More_eggs Backdoor
  • 126. Adversaries Bypass EDR Protection with Bring Your Own Installer Technique
  • 127. Detecting RMMs from Ransomware Affiliate’s Toolkit: Supremo
  • 128. Hunting for Charming Kitten
  • 129. Ransomware Operators Abuse Employee Monitoring Software
  • 130. Cactus Ransomware Gang Abuses Microsoft Quick Assist
  • 131. Adversaries Abuse SFTP to Deliver Lumma Stealer
    
    
• OSINT Team
  • Understanding Threat Actors, Motivations, and Attack Vectors with real life examples
  • Advanced Persistent Threats (APT): How to Detect and Respond to Sophisticated Cyber Attacks
  • Phoenix Summit CTF 2025 — Forensics Writeups
    
    
• Palo Alto Networks
  • Lampion Is Back With ClickFix Lures
  • Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation
  • Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources
    
    
• Adithya Vellal at Petra Security
  How “Many Failed Login” Alerts Can Bury the Signal That Matters
  
  
• Positive Technologies
  Positive Technologies: 80% of cyberattacks in the Middle East result in confidential data breaches
  
  
• Proofpoint
  CoGUI Phish Kit Targets Japan with Millions of Messages
  
  
• Dan Green at Push Security
  Scattered Spider: TTP evolution in 2025
  
  
• Saeed Abbasi at Qualys
  Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
  
  
• Rain Ginsberg
  Code That Crawls: A Psychogeography of Malware Ecosystems
  
  
• Resecurity
  Smishing on a Massive Scale: “Panda Shop” Chinese Carding Syndicate
  
  
• SANS Internet Storm Center
  • Python InfoStealer with Embedded Phishing Webserver, (Tue, May 6th)
  • “Mirai” Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th)
  • Example of “Modular” Malware, (Wed, May 7th)
  • No Internet Access? SSH to the Rescue!, (Thu, May 8th)
  • Steganography Challenge: My Solution, (Sat, May 10th)
    
    
• Fabio Assolini, Maher Yamout, Marc Rivero, and Dmitry Galov at Securelist
  State of ransomware in 2025
  
  
• Den Iuzvyk and Tim Peck at Securonix
  Hunting Kerbrute: Analysis, Detection and Mitigation of Kerberos Attacks in Active Directory
  
  
• SentinelOne
  • FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network
  • Insider Risk Revisited: Espionage, Encryption & Economics
    
    
• Siddhant Mishra
  • When Developers Hack Themselves: The Blue Team’s New Nightmare
  • Measuring What Matters: A Mindset Shift in Blue Teams
    
    
• Silent Push
  New Finance Scheme Discovered Abusing Niche X/Twitter Advertising Loophole
  
  
• Simone Kraus
  Project FREIHEIT: The Cultural Resistance Index
  
  
• SOCRadar
  GrassCall: The Malware Draining Crypto Wallets Through Fake Job Interviews
  
  
• Sophos
  • NICKEL TAPESTRY expands fraudulent worker operations
  • Lumma Stealer, coming and going
    
    
• Specops Software
  • Scattered Spider service desk attacks: How to defend your organization
  • DragonForce: Inside the Ransomware-as-a-Service group
    
    
• Alex Orleans and Richard Nelson at Splunk
  Imposters at the Gate: Spotting Remote Employment Fraud Before It Crosses the Wire
  
  
• Brian Baskin and Brandon Webster at Sublime Security
  ScreenConnect as malware via Canva abuse and DocuSign impersonation
  
  
• SuspectFile
  • Ransomware group Silent claims to have found a buyer for the data stolen from Versa Networks
  • Who is behind “xoxo From Prague”? An attack on LockBit inspired by the Prague Spring?
    
    
• Symantec Enterprise
  Ransomware Attackers Leveraged Privilege Escalation Zero-day
  
  
• System Weakness
  • Vulnerable to Prepared: Building Incident Response Plan
  • SOC141 — Phishing URL Detected — EventID: 86 on LetsDefend
    
    
• THOR Collective Dispatch
  • Stop the Spreadsheet Madness: Visualize Your Atomic Red Team Tests with VECTR
  • Detection-In-Depth
    
    
• Mark Joseph Marti and Sandra Pagkaliwagan at Trellix
  The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You
  
  
• Mihir Bhanushali at Triskele Labs
  The timeline of a real-world MFA bypass case, and how we stopped it
  
  
• Truesec
  CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited
  
  
• Zach Bevilacqua at TrustedSec
  I Got 99 Problems But a Log Ain’t One
  
  
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – April Update
  
  
• Uptycs
  Detect Container Escape Vulnerabilities with Osquery
  
  
• Kenneth Kinion, Tom Hegel, and Sreekar Madabushi at Valdin
  Unmasking the FreeDrain Network
  
  
• VMRay
  Rethinking Cyber Threat Intelligence: A Strategic Shift Toward Resilience
  
  
• Camilo Gutiérrez Amaya at WeLiveSecurity
  Catching a phish with many faces
  
  
• Wiz
  What Analyzing Hundreds of Thousands of Cloud Environments Taught Us About Data Exposure
  
  
• Wordfence
  • Recently Disclosed SureTriggers Critical Privilege Escalation Vulnerability Under Active Exploitation
  • 10,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Eventin WordPress Plugin
    

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-05-12 #livestream #infosec #infosecnews
  
  
• Magnet Forensics
  AI Unpacked #2 : Pillars of Magnet Forensics’ approach to AI
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP5: Digital Forensics Overload: How to Escape the Backlog
  
  
• Adversary Universe Podcast
  Inside the CrowdStrike 2025 Latin America Threat Landscape Report
  
  
• BlueMonkey 4n6
  Sumuri PALADIN version 9 release – review for “The Ultimate Forensic Swiss Army Knife”
  
  
• Breaking Badness
  Hacking the Stage: John Donovan on RSAC, BSides SF, and the Human Side of Cybersecurity
  
  
• CactusCon
  CactusCon 13 – All Tracks
  
  
• Cellebrite
  Tip Tuesday: Spring 2025 Release
  
  
• Cloud Security Podcast by Google
  EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025
  
  
• Cyber Social Hub
  • Live from IACIS with Tom from Semantics 21
  • Mobile Minute with Magnet Forensics Ep 2: How to Help Stakeholders use Mobile View in Portable Cases
    
    
• Gerald Auger at Simply Cyber
  (DR Plan) May 6 Daily Cyber Threat Brief – Disaster Recovery Execution
  
  
• InfoSec_Bret
  Challenge – ProcDump
  
  
• Intel 471
  Managing a cyber crisis
  
  
• John Hammond
  • How Hackers Steal Passwords
  • Artificial Intelligence x Cyber Challenge (DARPA Interview)
    
    
• Magnet Forensics
  • Customer story: driving efficiency with SaaS-based forensics in Magnet Nexus
  • More than meets the eye: AI-driven media analysis with Magnet Griffeye & T3K.AI
    
    
• Mahmoud Shaker
  Brute-Force Attack Investigation From CyberDefender Lab Walkthrough (T1110.003) In Arabic
  
  
• MSAB
  E01 Import
  
  
• MyDFIR
  Cybersecurity Project: Active Directory 2.0 | Part 4
  
  
• The Defender’s Advantage Podcast
  UNC5221 and The Targeting of Ivanti Connect Secure VPNs
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 260 – JP Bourget – Bluecycle
  
  
• The Weekly Purple Team
  LSASS Dumping by Defender | Purple Teaming LSASS Dumping
  
  
• Threat Forest
  Höpöttelyä forensiikasta ja viimeaikaisista hyökkäyksistä Brittien vähittäiskaupan sektoriin
  
  
• Three Buddy Problem
  JAGS keynote: The intricacies of wartime cyber threat intelligence
  

MALWARE

• Any.Run
  • Mamona: Technical Analysis of a New Ransomware Strain
  • Nitrogen Ransomware Exposed: How ANY.RUN Helps Uncover Threats to Finance 
    
    
• ASEC
  • Atomic Stealer Malware Disguised as Crack Program (macOS)
  • Distribution of IIS Malware Targeting Web Servers (Larva-25003)
  • AhnLab Detection Information on BPFDoor Exploited in Recent Hacking Attacks and KISA Hash Notice
    
    
• Dr Josh Stroschein
  • 02 – C++ Nane Mangling – Creating Multiple Object Files
  • 01 – C++ Name Mangling – Investigating Overloaded Functions
  • 03 – C++ Name Mangling – Identifying Operator New in IDA Pro
    
    
• Ran Mizrahi at Fortinet
  Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware
  
  
• Alex Gartner at Kandji
  Kandji Quarterly Threat Intelligence Report: May 2025
  
  
• Netscout
  • Profiling DieNet: A New Hacktivist Threat
  • New DOGE Big Balls Ransomware Tools in the Wild
    
    
• Nikhil Gupta
  Process AtomBombing — From Tables to Shellcode
  
  
• Shubho57
  Analysis of a APT36 Variant(Transparent Tribe)
  
  
• Socket
  • Malicious PyPI Package Targets Discord Developers with Remote Access Trojan
  • Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
  • Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials
    
    
• Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, Neljorn Nathaniel Aguas at Trend Micro
  Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
  

MISCELLANEOUS

• Belkasoft
  Building a Timeline: A Case for Belkasoft X
  
  
• Brett Shavers
  From Why to What: The Decline of Investigative Thinking in DF/IR
  
  
• Brett Shavers at DFIR.Training
  How Incident Response Procedures Eroded Investigative Thinking
  
  
• Cellebrite
  • Accelerating Investigations with AI-Powered Media Classification 
  • Accelerating Investigations with Cellebrite’s Spring 2025 Innovations
  • How Agencies Are Using the Cloud to Accelerate Investigations
    
    
• Chuan-lun (Johnson) Chou
  Auditing Microsoft Azure with Prowler: A Step-by-Step Guide
  
  
• Decrypting a Defense
  Surveillance as Digital Detention, Age Verification Harm, POST Act Updates, The Algorithmic Informant & More
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 05/05/25
  
  
• Agapios Tsolakis at Falcon Force
  Why is no one talking about maintenance in detection engineering?
  
  
• Forensic Focus
  • Cellebrite’s 2025 DFIR Industry Survey – Key Insights
  • UPCOMING WEBINAR – Navigating The Evolving Landscape Of Computer Forensics (Part 1)
  • Cellebrite Unveils Spring 2025 Release To Accelerate Global Investigations
  • Digital Forensics Round-Up, May 07 2025
    
    
• Maxim Suhanov
  Disk encryption: wide-block modes, authentication tags aren’t silver bullets
  
  
• Oxygen Forensics
  • 10 ROI Benefits of Targeted Remote Data Collection Using Oxygen Forensics
  • Remote Slack Data Collection from Android Devices
  • Shortcuts to Nirvana
    
    
• Stephanie Honore at Paraben Corporation
  Building Hypervisor-Grade AI Isolation and Forensics on Oracle Cloud Infrastructure
  
  
• Nir Ohfeld, Deror Czudnowski, Avigayil Mechtinger at Wiz
  Introducing The Cloud Hunting Games CTF: Test Your Cloud Incident Response Skills
  

SOFTWARE UPDATES

• Acquired Security
  Forensic Timeliner v2.011.0
  
  
• Apache
  Tika – Release 2.9.4 – 4/29/2025
  
  
• Atola
  TaskForce 2025.4 update — iSCSI support, new RAID features, Hex Viewer
  
  
• Cellebrite
  Cellebrite Unveils Spring 2025 Release to Accelerate Global Investigations
  
  
• Cyber Triage
  3.14 Release Brings New UIs, Hayabusa, Baselining, and Much More
  
  
• Didier Stevens
  • Update: myjson-filter.py Version 0.0.7
  • Update: oledump.py Version 0.0.81
    
    
• Digital Sleuth
  winfor-salt v2025.5.6
  
  
• Doug Metz at Baker Street Forensics
  CyberPipe v5.1 – Streamlined Profiles, Better Flexibility
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Erki Suurjaak
  Skyperious v5.9.1
  
  
• MALCAT
  0.9.10 is out: CFG recovery, MIPS & UI improvements
  
  
• Metaspike
  FEC Remote Authenticator 1.50.6
  
  
• MISP
  MISP v2.4.206 and v2.5.8 Released – new workflow modules, improved graph object relationship management and many other improvements
  
  
• OpenCTI
  6.6.10
  
  
• Passmark Software
  OSForensics V11.1 build 1007 6th May 2025
  
  
• Rizin Organization
  v2.4.1
  
  
• Xways
  • X-Ways Forensics 21.4 SR-5
  • X-Ways Forensics 21.5 Beta 3d
    
    
• Yogesh Khatri
  mac_apt 20250506 (v1.13.6)
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!