As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Proxies in DFIR– Deep Dive into Squid Log & Cache Forensics with Calamaris and Extraction…
  • BPF Ninja: Making Sense of Tcpdump, Wireshark, and the PCAP World
    
    
• Brian Maloney
  OneDriveExplorer now supports Microsoft.FileUsageSync.db
  
  
• Christopher Eng at Ogmini
  • Reading up on Volatility
  • Pearson – Cyberattack
  • Volatility3 – Windows 11 24H2 Memory Dump issues?
  • WinFE Training – Brett Shavers
  • CISA IR Training – Incident Response Triage – Mitigation (IR218)
  • ChatGPT Desktop – Kape Target
  • Saturday CISSP Prep
    
    
• Derek Eiri
  Exploring X-Ways Forensics 21.5 Beta 3d, BitLocker Decryption
  
  
• Elcomsoft
  • iOS Forensic Toolkit Now Supports All Models of Apple Watch
  • Extraction Agent: Offline Extraction with All Developer Accounts
  • Microsoft Goes Passwordless: Forensic Implications of Passwordless Microsoft Accounts
    
    
• Forensafe
  iOS Google Voice
  
  
• Jason Yung
  You may not want your lastlog in your Linux Forensics journey
  
  
• Salvation DATA
  Understanding BFU and AFU in iPhone Forensics and Encryption
  
  
• Muhammad Abdullahi at System Weakness
  How to Recover Deleted Files with Python
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – C2 over ICMP (ICMP-GOSH)
  
  
• Adam at Hexacorn
  Shell32.dll, #44 lolbin
  
  
• ASEC
  • April 2025 Trends Report on Phishing Emails
  • April 2025 Threat Trend Report on Ransomware
  • April 2025 Threat Trend Report on APT Attacks (South Korea)
  • April 2025 Deep Web and Dark Web Trends Report
    
    
• Ayelen Torello at AttackIQ
  Emulating the Terrorizing VanHelsing Ransomware
  
  
• Lawton Pittenger and Michael Leighty at AWS Security
  Protect against advanced DNS threats with Amazon Route 53 Resolver DNS Firewall
  
  
• Barracuda
  • The SOC case files: Python-armed ransomware gang reemerges to face a wall of XDR defenses
  • Cl0p ransomware: The skeezy invader that bites while you sleep
    
    
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief
  
  
• Lawrence Abrams at BleepingComputer
  iClicker hack targeted students with malware via fake CAPTCHA
  
  
• Bob Rudis
  Suriest: Suricata Rule Validation As A (REST) Service
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2025-05-12: Unidentified malware infection from email attachment
  • 2025-05-06: Raspberry Robin activity
  • 2025-05-06: Raspberry Robin activity
    
    
• Brian Krebs at ‘Krebs on Security’
  Breachforums Boss to Pay $700k in Healthcare Breach
  
  
• CERT-AGID
  • Sintesi riepilogativa delle campagne malevole nella settimana del 10 – 16 maggio
  • Distribuzione mirata in Italia di Adwind
    
    
• ChamX
  Council of Tropical Affairs APT-Inspired Threat Hunting Walkthrough
  
  
• Check Point
  • 12th May – Threat Intelligence Report
  • Ransomware Reloaded: Why 2025 Is the Most Dangerous Year Yet
    
    
• Cisco’s Talos
  • Defining a new methodology for modeling and tracking compartmentalized threats
  • Redefining IABs: Impacts of compartmentalization on threat tracking and modeling
    
    
• Cleafy
  SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
  
  
• Pagilla Manohar Reddy at CloudSEK
  Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge
  
  
• Jason Wood at Corelight
  How to Threat Hunt for Volt Typhoon Using NDR | Corelight
  
  
• Curated Intelligence
  New Community Resource: Attribution to IP
  
  
• Cyfirma
  Weekly Intelligence Report – 16 May 2025
  
  
• Damien Lewke
  Threat Hunting for AI-Generated Malware: A Practical Framework
  
  
• Daniel Koifman
  Detection Pitfalls You Might Be Sleeping On
  
  
• Darktrace
  Catching a RAT: How Darktrace neutralized AsyncRAT
  
  
• Martin McCloskey at Datadog Security Labs
  Tales from the cloud trenches: The Attacker doth persist too much, methinks
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week19)
  
  
• Dragos
  Dragos Knowledge Pack Update: Strengthen Your Detection of Ransomware Threats 
  
  
• DTex Systems
  i³ Threat Advisory: Inside the DPRK: Spotting Malicious Remote IT Applicants
  
  
• EclecticIQ
  • China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
  • Storm-1516 Deploys AI-Generated Media to Spread Disinformation: Targets European Leaders and Influences Istanbul Peace Talks
    
    
• Elastic Security Labs
  Misbehaving Modalities: Detecting Tools, Not Techniques
  
  
• Elliptic
  • Xinbi: The $8 Billion Colorado-Incorporated Marketplace for Pig-Butchering Scammers and North Korean Hackers
  • The behavioral detection of pig butchering scams on blockchain: Flagging suspect wallets and speeding up investigations
    
    
• Farhan Ahmed Bhutto
  Hunting Hidden Threats in WSL: Key Artifacts & Automated Extraction Script
  
  
• Flashpoint
  Flashpoint Investigation: Uncovering the DPRK’s Remote IT Worker Fraud Scheme
  
  
• Genians
  Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)
  
  
• Google Cloud Security Community
  • Writing to Data Tables from Rules in Google SecOps
  • New to Google SecOps: Building a Rule Using Detection Descriptors
  • AI Runbooks for Google SecOps: Security Operations with Model Context Protocol
    
    
• Google Threat Analysis Group
  TAG Bulletin: Q1 2025
  
  
• GreyNoise
  Ivanti EPMM Zero-Days: Reconnaissance to Exploitation
  
  
• Group-IB
  Disguised Cyber Risks On The Colombian Shore: The Insurance Trap
  
  
• Robert Bell, Patrick Bukowski, and Blake Cifelli at GuidePoint Security
  Navigating Incident Response Documentation
  
  
• Hunt IO
  Shared SSH Keys Expose Coordinated Phishing Campaign Targeting Kuwaiti Fisheries and Telecom Sectors
  
  
• Huntress
  • Time to Ransom is Money
  • Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw
  • Breaking Down Ransomware Attacks and How to Stay Ahead
    
    
• InfoSec Write-ups
  • Understanding Stealer Logs and Their Role in Security Testing — Part 1
  • Understanding Stealer Logs and Their Role in Security Testing: A Focus on Asset Discovery- Part 2
    
    
• Intel 471
  • DragonForce Ransomware
  • CVE-2025-31324 – SAP NetWeaver Vulnerability
  • How an alleged Russian hacker slipped away
  • Threat hunting case study: Medusa ransomware
    
    
• Kaspersky Lab
  The ransomware landscape in 2025 | Kaspersky official blog
  
  
• Kijo Ninja
  DLL injection fundamental — Part3
  
  
• Kroll
  • March Threat Intelligence Spotlight Report
  • PDFast But Luckily Not So Furious
    
    
• Microsoft Security
  Marbled Dust leverages zero-day in Output Messenger for regional espionage
  
  
• Nathan Richards at Birdwell
  Who are Medusa Ransomware Group?
  
  
• Natto Thoughts
  From the World of “Hacker X Files” to the Whitewashed Business Sphere
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 132. Threat Actors Abuse N‑sight RMM to Attack Brazilian Organizations
  • 133. Marbled Dust: What to Hunt for?
  • 134. TrueSightKiller: Another Tool to Kill Your EDR
  • 135. Hunting for DarkCloud Stealer
  • 136. Hunting for Discovery Techniques
  • 137. Hunting for Mshta Abuse
    
    
• Palo Alto Networks
  • Unit 42 Develops Agentic AI Attack Framework
  • DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
    
    
• Proofpoint
  TA406 Pivots to the Front
  
  
• Resecurity
  How Interlock Ransomware Affects the Defense Industrial Base Supply Chain
  
  
• SANS Internet Storm Center
  • It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th)
  • Another day, another phishing campaign abusing google.com open redirects, (Wed, May 14th)
  • Web Scanning SonicWall for CVE-2021-20016 – Update, (Wed, May 14th)
  • xorsearch.py: Python Functions, (Sat, May 17th)
    
    
• Securelist
  Threat landscape for industrial automation systems in Q1 2025
  
  
• Security Joes
  Modern Incident Response: Tackling Malicious ML Artifacts
  
  
• Thomas Roccia at SecurityBreak
  Inside the AI x Security Arsenal I’ve Built
  
  
• Jim Walter at SentinelOne
  Anti-Ransomware Day 2025: 10 Years of RaaS and the Making of a Billion-Dollar Business
  
  
• Silent Push
  • What is Proactive Threat Hunting? 
  • Locating hidden brand impersonation infrastructure using Silent Push Web Scanner 
    
    
• SOCRadar
  • Stealer Logs: Everything You Need to Know
  • Dark Web Profile: Silent Ransom Group (LeakedData)
    
    
• Sophos
  • Beyond the kill chain: What cybercriminals do with their money (Part 1)
  • Beyond the kill chain: What cybercriminals do with their money (Part 2)
  • Beyond the kill chain: What cybercriminals do with their money (Part 3)
  • Beyond the kill chain: What cybercriminals do with their money (Part 4)
  • Beyond the kill chain: What cybercriminals do with their money (Part 5)
    
    
• Stephan Berger
  Linux Capabilities Revisited
  
  
• Aryan Luthra at Sublime Security
  How ASA thinks: The technical architecture of Sublime’s Autonomous Security Analyst
  
  
• System Weakness
  • This Malware Uses Steam Domains to Steal Your Identity  — A Deep Dive into Azorult
  • Building a Real-World SOC Analyst Lab: Threat Detection, Response Automation & SIEM Integration
  • Logs, Sweat, and Suricata: My Journey to a Real-Time Threat Hunting Powerhouse
  • ️ Hunting IDOR: A Deep Dive into Insecure Direct Object References
  • When Logs Become Lessons: Debugging My Way Through ELK and Life
    
    
• THOR Collective Dispatch
  • Every Event for Itself…Until You Run eventstats
  • Exploring Cybersecurity Career Paths and How They Work Together
    
    
• Pierre Lee, Vickie Su, and Philip Chen at Trend Micro
  Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan
  
  
• Megan Nilsen at TrustedSec
  Purpling Your Ops
  
  
• Matthieu Faou at WeLiveSecurity
  Operation RoundPress
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-05-19 #livestream #infosec #infosecnews
  
  
• Cellebrite
  Fighting Human Trafficking with Digital Intelligence
  
  
• Eclypsium
  Protecting the Exposed Network Edge from APTs, Zero Days, and Ransomware
  
  
• Magnet Forensics
  • Cyber Unpacked S2:E2 // The insider threat playbook: A case study in sensitive data exfiltration
  • Force Multipliers: Digital Forensics and How to Fund the Crime Fight
    
    
• Silent Push
  Workshop – Scanning Dark Web Infrastructure to Detect Hidden Threats With Silent Push
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP6: My Fridge is a Witness? The Wild World of IoT Forensics – Guest Sarah Hayes
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast – S2 E12
  
  
• Anuj Soni
  Malware Analysis with capa & Binary Ninja Plugins (API Hashing)
  
  
• Behind the Binary by Google Cloud Security
  EP09 Thomas Roccia – AI, Data Visualization, and the Future of Security Research
  
  
• Black Hat
  • Reasonable Regs vs Red Tape: How Should Governments Tackle the Cyber Intrusion Market
  • Security analysis of Residential Gateways and ISPs: global network domination is (sneakily) possible
  • When (Remote) Shells Fall Into The Same Hole: Rooting DrayTek Routers Before Attackers Can
  • Unmasking State-Sponsored Mobile Surveillance Malware from Russia, China, and North Korea
  • UNC1860 and The Temple of Oats – Iran’s hidden hand in Middle Eastern Networks
    
    
• BlueMonkey 4n6
  Mounting Bitlockered Drive Images – opening an E01 of a Bitlockered volume using Linux
  
  
• Cellebrite
  Tip Tuesday: Creating Custom Tags in PA
  
  
• Cyacomb
  Guardians for Podcast (Episode 4 with Simon Rose)
  
  
• Cyber Social Hub
  • Edge Pieces Help Solve Puzzles: The Critical Role of Social Media in Modern Investigations
  • The Digital Forensic Divide: Lab-Investigator Collaboration
    
    
• Deepanshu Khanna
  Docker forensics – in-depth threat analysis for threat hunters
  
  
• Huntress
  • The Expectation Flywheel: Mentoring, Leading, and Accountability Explained | Community Fireside Chat
  • Rogue Apps: The Hidden Threat Lurking in Your Tenants
    
    
• InfoSec_Bret
  SA – SOC338-316 – Lumma Stealer – DLL Side-Loading via Click Fix Phishing
  
  
• John Hammond
  • Team Shellphish AIxCC Interview
  • The Gremlin Stealer Malware
    
    
• Magnet Forensics
  AI Unpacked #2 : Pillars of Magnet Forensics’ approach to AI
  
  
• Matthew Plascencia
  • How to Root IodéOS on Pixel 8 | Android Forensics 9
  • Intro to IodeOS | Android Forensics 10
    
    
• Michael Haggis
  • ClickGrab Analysis: 4 Suspicious URLs, PowerShell Payloads & Clipboard Mischief!
  • 🔍 Fake CAPTCHA Teardown: How Malicious Sites Trick You
    
    
• Microsoft Security Community
  Advanced Threat Detection with Defender XDR Community Queries
  
  
• Microsoft Threat Intelligence Podcast
  BadPilot: Inside Seashell Blizzard’s (AKA Sandworm) Global Cyber Espionage Campaign
  
  
• MSAB
  GK Import
  
  
• MyDFIR
  Cybersecurity Project: Active Directory 2.0 | Part 5
  
  
• Nuix
  • Nuix Neo Discover with CogAI Enrichment
  • On-Demand Webinar //Transform FOI & DSAR Management: Faster, Smarter, Transparent
    
    
• Sandfly Security
  Eliminating Linux Security Blind Spots: Insights from the CISO Series Podcast
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 261 – Michael Fiorina, Tanium
  
  
• The Weekly Purple Team
  Crippling Defender with DefendNot | Purple Team Attack & Detection Walkthrough
  
  
• Three Buddy Problem
  A Coinbase breach with bribes, rogue contractors and a $20M ransom demand
  

MALWARE

• Any.Run
  Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline
  
  
• Deep Instinct
  Excel(ent) Obfuscation: Regex Gone Rogue
  
  
• Tonmoy Jitu at Denwp Research
  More_Eggs? A Venom Spider Backdoor Targeting HR
  
  
• Dr Josh Stroschein
  🎙️NEW episode of Behind the Binary featuring Thomas Roccia!
  
  
• Fortinet
  • Horabot Unleashed: A Stealthy Phishing Threat
  • Ransomware Roundup – VanHelsing
    
    
• G Data Security
  • Printer company provided infected software downloads for half a year
  • Sit, Fetch, Steal – Chihuahua Stealer: A new Breed of Infostealer
    
    
• Iram Jack
  • 2. Malware Meets x86
  • Easy Peasy Malware Analysis Series:
  • 3. X86 Assembly Basics
  • Arithmetic and Logical Instructions in Assembly
  • Processes, Threads, and Virtual Memory
  • DLLs and the Portable Executable Format
  • IMAGE_DOS_HEADER Dissecting
    
    
• Alon Shekalim at Morphisec
  Breaking Down Ransomware Encryption: Key Strategies, Algorithms and Implementation Trends 
  
  
• Pulsedive
  Albabat 2.0.0 Decoded: A Config-Driven Design
  
  
• Akshay Thorve at Qualys
  Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
  
  
• Karlo Zanki at ReversingLabs
  • Same name, different hack: PyPI package targets Solana developers
  • Backdoor implant discovered on PyPI posing as debugging utility
    
    
• Shubho57
  Analysis of Kimsuky APT Group (Powershell Payloads one of them attributed to XWorm RAT)
  
  
• Socket
  • The Landscape of Malicious Open Source Packages: 2025 Mid‑Year Threat Report
  • Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts
    
    
• Technical Outcast
  Obfuscated JavaScript in Phishing Kits
  
  
• István Márton at Wordfence
  • 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme
  • 50,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Uncanny Automator WordPress Plugin
  • 10,000 WordPress Sites Affected by Remote Code Execution Vulnerability in UiPress lite WordPress Plugin
    
    
• Yasser Magdy
  Dissecting an Obfuscated PowerShell Dropper: Evasion Techniques & Detection Tactics
  
  
• Zhassulan Zhussupov
  Malware development trick 47: simple Windows clipboard hijacking. Simple C example.
  
  
• ZScaler
  Technical Analysis of TransferLoader
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  • HexaLocker
  • HexaCrypt
  • LockZ
  • PyTemp
  • Bert
  • Desolator
    

MISCELLANEOUS

• Douglas Holland at Akamai
  Locked Out and Held for Ransom: A City’s Battle Against Cybercrime
  
  
• Belkasoft
  Navigating the Future: Top 6 Trends Shaping Modern DFIR in 2025
  
  
• Manny Kressel at Bitmindz
  Why Using a Processing Engine is Better than a Forensic Workstation
  
  
• Black Cell
  The Ransomware Attack Lifecycle: 7 Stages to Know
  
  
• Brett Shavers
  The Two Bulls of DF/IR: Why Charging Ahead Still Loses the Case
  
  
• DFIR Dominican
  • DFIR Jobs Update – 05/12/25
  • New DFIRDominican.com Contributor Update!
  • How To Break Into DFIR (Part 3 of 5) – Windows Memory Forensics
    
    
• Forensic Focus
  • Accelerating Investigations With AI-Powered Media Classification
  • Hexordia’s Jessica Hyde: Navigating The Future Of Digital Forensics
  • “You Knew What You Were Signing Up For” – A Harmful Narrative In DFIR?
  • Amped Authenticate Update Empowers Investigators With Expanded Tools For Deepfake Detection And Video Integrity Analysis
  • Digital Forensics Round-Up, May 14 2025
  • Forensic Focus Digest, May 16 2025
    
    
• Denis Nagayuk & Francisco Dominguez at Hunt & Hackett
  Improving AFD Socket Visibility for Windows Forensics & Troubleshooting
  
  
• Magnet Forensics
  Underfunded and overlooked: Why your DFIR team deserves a seat at the table  
  
  
• Mat Fuchs
  • Choosing an Incident Response Partner: Red Flags, Must-Haves, and Deal‑Breakers
  • Why Being a Tier 1 SOC Analyst Is Practically Impossible (And What to Do About It)
    
    
• Oxygen Forensics
  • Set It and Forget It: How Oxygen Forensics’ Automated Task Scheduling Elevates Convenient Data Collection
  • Remotely Collect WhatsApp Chats Using Oxygen Remote Explorer
  • Biometric Target Data
  • Inside Oxygen Remote Explorer: Your Quick-Start Video Guide to Remote Collections
    
    
• Sam Straka at Red Canary
  Getting started with Conditional Access: Comparing Entra ID Conditional Access with Okta
  
  
• SANS
  OT Ransomware on the Rise: What You Need to Know and How to Prepare
  
  
• SecurityAura
  Looking Back On #100DaysOfKQL
  
  
• Taggart Tech
  ClickFix Fixes Ranked
  

SOFTWARE UPDATES

• Amped
  Amped Replay Update 37369: New Report Design, New Hide Features, Improved Audio/Video Loading, and More!
  
  
• Datadog Security Labs
  GuardDog v2.6.0
  
  
• Digital Detective
  NetAnalysis® 4: Boost Your Digital Forensics with Advanced Browser Analysis
  
  
• Digital Detective
  NetAnalysis v4.0
  
  
• Elcomsoft
  iOS Forensic Toolkit 8.70: expanded Apple Watch support and offline agent installation
  
  
• Lethal Forensics
  Microsoft-Analyzer-Suite v1.5.0
  
  
• Magnet Forensics
  Magnet Witness 1.8: Wyze support, multi-stream file formats, and improving review 
  
  
• MISP
  • MISP 2.4.210 / 2.5.13 released with many improvements, UI enhancement and various fixes
  • MISP v2.4.209 and v2.5.11 Released with new features, security fixes and improvements in workflow engine.
    
    
• MSAB
  Now available: XRY 11.0.1
  
  
• OpenCTI
  6.6.11
  
  
• Security Onion
  Security Onion 2.4.150: Celebrating Mother’s Day with MoM (Manager of Managers)
  
  
• SigmaHQ
  pySigma v0.11.23
  
  
• Xways
  X-Ways Forensics 21.5 Beta 4
  
  
• Brian Maloney
  OneDriveExplorer v2025.05.13
  
  
• IsoBuster
  IsoBuster 5.6 released
  
  
• The Volatility Foundation
  Announcing the Official Parity Release of Volatility 3!
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!