As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  Forensic Analysis of SQLite Databases
  
  
• Alexis Brignoni at ‘Initialization Vectors’
  Extraction, Processing, & Querying Apple Unified Logs from an iOS Device
  
  
• Alexander Fehrmann at Amped
  Processing Impression Evidence in Amped FIVE
  
  
• Brian Maloney
  OneDrive Evolution and Schema Updates
  
  
• Christopher Eng at Ogmini
  • DPAPI – Audit DPAPI Activity
  • Remote Desktop Manager – Artifacts
  • Remote Desktop Manager – Artifacts Part 2
  • Remote Desktop Manager – Artifacts Part 3
  • Remote Desktop Manager – Working on SQLECmd Map
  • Remote Desktop Manager – Artifacts Part 4
  • Remote Desktop Manager – Artifacts Part 5
    
    
• Damien Attoe
  The Duck Hunters Guide – Blog #7 – Duck AI Chat (Android)
  
  
• Digital Forensics Myanmar
  Deleted Media Files in Android Phone
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  The Sideways Sidecar
  
  
• Elcomsoft
  • Breaking into the Ecosystem: How One Weak Link Can Unlock a Secure Device
  • The Linux Edition Goes Live
  • Why Every Digital Forensics Lab Needs a Good USB Hub
    
    
• Forensafe
  iOS Burner
  
  
• HackTheBox
  Creating Linux Symbol Tables for Volatility: Step-by-step guide
  
  
• Heather Chapentier
  LogTimeWarp
  
  
• kyjonin
  Velociraptor Dead-Disk Forensics
  
  
• Lionel Notari
  • iOS Unified Logs – Parsing … all my SQL QUERIES!
  • iOS Unified Logs – My parsing tool is out!
    
    
• Amber Schroader at Paraben Corporation
  iOS Hidden & Locked Apps
  
  
• System Weakness
  Android Analysis | Tryhackme
  
  
• The DFIR Report
  Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
  

THREAT INTELLIGENCE/HUNTING

• Abdulrehman Ali
  Velvet Chollima APT Adversary Simulation
  
  
• Yuval Gordon at Akamai
  BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
  
  
• Arctic Wolf
  The Arctic Wolf State of Cybersecurity: 2025 Trends Report
  
  
• ASEC
  • April 2025 APT Group Trends
  • DBatLoader (ModiLoader) Being Distributed to Turkish Users
  • April 2025 Infostealer Trend Report
  • Fast Flux Technique for Concealing Command and Control (C&C) and Evading Detection
  • Etherhide Technique Using Blockchain as C&C Infrastructure
  • PyBitmessage Backdoor Malware Installed with CoinMiner
  • Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate
  • Information Leakage Caused by DB Client Tool
    
    
• AttackIQ
  • Response to CISA Advisory (AA25-141A): Russian GRU Targeting Western Logistics Entities and Technology Companies
  • Response to CISA Advisory (AA25-141B): Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
  • Emulating the Blazing DragonForce Ransomware
    
    
• Jonathan Nguyen and Gopinath Jagadesan at AWS Security
  How to automate incident response for Amazon EKS on Amazon EC2
  
  
• Silviu Stahie at Bitdefender
  Fake Download of Mission: Impossible – The Final Reckoning Movie Deploys Lumma Stealer
  
  
• Brian Krebs at ‘Krebs on Security’
  • KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
  • Oops: DanaBot Malware Devs Infected Their Own PCs
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 17 – 23 maggio
  
  
• Chainalysis
  What the Huione Group Shutdown Signals About the Future of Crypto Scam Infrastructure
  
  
• Check Point
  • The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
  • 19th May – Threat Intelligence Report
    
    
• CISA
  • Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies
  • Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
  • Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)
    
    
• Cisco’s Talos
  • Duping Cloud Functions: An emerging serverless attack vector
  • UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
  • Scarcity signals: Are rare activities red flags?
    
    
• Coalition
  Explore the latest cyber risks and claims trends from Coalition
  
  
• Cofense
  • Phishing in the Multiverse: Analyzing a Malicious Email Targeting Apple and Yahoo Users
  • New Weapon of Choice – How Threat Actors Hijack Legitimate Remote Access Tools
    
    
• CrowdStrike
  CrowdStrike 2025 Latin America Threat Landscape Report: A Deep Dive into an Evolving Region
  
  
• CTF导航
  • 近距离接触实战威胁情报：暗网威胁情报评估
  • 针对APT29的高级技战法训练：利用TeamCity漏洞进行实战演练
    
    
• Jane Ginn at Cyber Threat Intelligence Training Center
  Challenges and Considerations in Adopting Vector Databases for Cyber Threat Intelligence
  
  
• Cyfirma
  Weekly Intelligence Report – 23 May 2025
  
  
• Joe Wrieden at Cyjax
  A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign
  
  
• Damien Lewke
  Controlled Chaos: How Coinbase Turned a Breach into a Blueprint
  
  
• Darktrace
  From Rockstar2FA to FlowerStorm: Investigating a Blooming Phishing-as-a-Service Platform
  
  
• Tesnim Hamdouni, Ian Kretz, Andy Giron, and Eslam Salem at Datadog Security Labs
  The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions
  
  
• Nesrine Cherrabi at Detect FYI
  Hunting Scheduled Tasks
  
  
• DomainTools
  Cluster of Domains Targeting Spotify Job-Seekers
  
  
• Abdulrahman H. Alamri and Lexie Mooney at Dragos
  Dragos Industrial Ransomware Analysis: Q1 2025
  
  
• Arda Büyükkaya at EclecticIQ
  China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
  
  
• Elastic Security Labs
  De-obfuscating ALCATRAZ
  
  
• Elliptic
  US Treasury takes 311 action against Huione Group: What this means for you
  
  
• Flashpoint
  • Inside the LockBit Leak: Rare Insights Into Their Operations
  • Operation Endgame: Global Law Enforcement Takes Down DanaBot Malware Scheme
    
    
• Forescout
  • Critical Condition: The Growing Threat of Healthcare Data Breaches
  • Infostealer Watch: Will Lumma’s Takedown Help Rhadamanthys’ Rise?
    
    
• Fortinet
  2025 Global Threat Landscape Report
  
  
• Google Cloud Security Community
  Unlocking the Power of Google Threat Intelligence Searches
  
  
• Huntress
  • 2025 Managed ITDR Report: The Rise of Identity Threats in Cybersecurity
  • Traitorware Court: The Case For SigParser
    
    
• FBI
  Silent Ransom Group Targeting Law Firms
  
  
• Jacques Portal and Renée Burton at Infoblox
  Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  
  
• Intel 471
  • SANS 2025 CTI Survey: It’s Business Time for Cyber Risk
  • Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations
  • DanaBot malware disrupted, threat actors named
    
    
• Invictus Incident Response
  Profiling JavaGhost: Tactics, History & Defenses
  
  
• Jason Smart and Robert di Pietro at pwc
  Cyber threats in 2025: What businesses need to know
  
  
• Lexfo
  World Leaks: An Extortion Platform
  
  
• Logpoint
  • The Impacket Arsenal: A Deep Dive into Impacket Remote Code Execution Tools
  • Frontline Intel: Pinpointing GRU’s TTPs in the Recent Campaign
    
    
• Lumen
  Inside DanaBot’s Infrastructure: In Support of Operation Endgame II 
  
  
• Mat Fuchs
  Ghosts in the Endpoint: How Attackers Evade Modern EDR Solutions
  
  
• Microsoft Security
  Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
  
  
• Nisos
  DPRK Employment Scam Network Targets Remote Tech Jobs
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 138. Hunting for File Transfer Sites Access
  • 139. LOLBAS Abused by DBatLoader: Detection Opportunities
  • 140. Hunting for Masqueraded Malicious Files: Adwind
  • 141. Inside 3AM Ransomware Toolkit: GoodSync
  • 142. Detecting RMMs from Ransomware Affiliate’s Toolkit: Syncro Live Agent
  • 143. Hunting for Qemu Emulator Abuse
  • 144. Hunting for Obfuscated PowerShell Scripts
  • 145. Detecting Fake CAPTCHA Attacks
    
    
• Adithya Vellal at Petra Security
  How Attackers Launder Phishing Emails Through Microsoft Infrastructure
  
  
• Proofpoint
  A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame
  
  
• Recorded Future
  • Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims
  • Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents
    
    
• Red Canary
  Intelligence Insights: May 2025
  
  
• Adam Harrison at SANS
  Shoplifting 2.0: When it’s Data the Thieves Steal
  
  
• SANS Internet Storm Center
  • RAT Dropped By Two Layers of AutoIT Code, (Mon, May 19th)
  • Researchers Scanning the Internet, (Tue, May 20th)
  • New Variant of Crypto Confidence Scam, (Wed, May 21st)
    
    
• Dheeraj Kumar and Sina Chehreghani at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – April 2025
  
  
• Sekoia
  ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse. 
  
  
• Toby G at sentinel.blog
  Leveraging Summary Rules in Microsoft Sentinel: A Practical Guide
  
  
• Mary Braden Murphy at SentinelOne
  Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers
  
  
• Silent Push
  • Threat Actor Study:
  • Scanning the public web and dark web for ransomware infrastructure in Silent Push Community Edition 
    
    
• Simone Kraus
  • Gangstalking Networks Have Mutated into Transnational Threats — Irregular Warfare Is the Only…
  • Silent Invasion: How STASI Gangstalking Fuels Germany’s Migration and Drug Crisis
  • From Alerts to Armistice: Why Cybersecurity Without Geopolitics Is a Losing Game
  • Countering Cognitive Warfare: The Need for a Defense Ontology Matrix
  • Summary of “GLORY-BOT: Karaoke from the Deep”
    
    
• SOCRadar
  • Dark Web Profile: Aquatic Panda
  • Dark Web Market: Torzon Market
    
    
• Sophos
  DragonForce targets rivals in a play for dominance
  
  
• Jose Enrique Hernandez at Splunk
  Securing the Network Edge: Cisco Secure Firewall Threat Defense Detections for Splunk
  
  
• sudo rem
  Digging Tunnels – Hunting Adversarial Cloudflared Instances
  
  
• System Weakness
  • Detecting device code phishing in Google Security Operations
  • How I Analyzed My First Security Incident in a SOC
    
    
• Teri Radichel
  How To Spot Data Exfiltration Using AWS Cost Anomaly Detection
  
  
• THOR Collective Dispatch
  • AI is My Bestie: Integrating LLMs Into Your Hunt Team
  • Quiet, Loud, and in the Logfiles: The Detection Duo You Didn’t Know You Needed
    
    
• Tony Lambert
  Squeezing Cobalt Strike Threat Intelligence from Shodan
  
  
• Buddy Tancio, Khristoffer Jocson, Maylein Tom, Lisa Wu, Ariel Renix, Mohamed Fahmy at Trend Micro
  Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain
  
  
• Damian Archer at Trustwave SpiderLabs
  Storm-0558 and the Dangers of Cross-Tenant Token Forgery
  
  
• Vasilis Orlof at Cyber Intelligence Insights
  Profiling Hacktivist Groups,Alliances and Capabilities
  
  
• WeLiveSecurity
  • ESET APT Activity Report Q4 2024–Q1 2025
  • ESET takes part in global operation to disrupt Lumma Stealer
  • Danabot: Analyzing a fallen empire
    
    
• Andy Gill at ZephrSec
  Offensive Threat Intelligence
  
  
• ZScaler
  Operation Endgame 2.0: DanaBusted
  
  
• Блог Solar 4RAYS
  Подробный технический анализ инструментария Obstinate Mogwai. Часть 2: бэкдоры Donnect, DimanoRAT и веб-шелл AntSpy
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-05-27 #livestream #infosec #infosecnews
  
  
• Cellebrite
  Shaping Tomorrow: 2025 Private Sector Trends
  
  
• Gerald Auger at Simply Cyber
  How to Report Phishing Campaign Results to Executives | Lunch & Learn
  
  
• Magnet Forensics
  • Essential mobile data for violent crime and homicide investigations
  • Mobile Unpacked S3:E5 // Talking about Times: Deeper diving file timestamps
  • Leveraging Magnet Solutions for DLP investigations
  • APAC virtual session: Why organizations need digital forensics and incident response (Corporate)
    
    
• SANS
  Shaking up the Ransomware Game: Introducing Scattered Spider
  
  
• Security Onion
  Security Onion Conference 2025 Save the Date and CFP
  
  
• Silent Push
  Webinar – Contagious Interview: How a North Korean APT set up three front companies in the U.S. to conceal their activities
  
  
• The Volatility Foundation
  Announcing FTSCon 2025 & In-person Malware and Memory Forensics Training!
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP7: Bytes and Banter: The Value of Networking in DFIR
  
  
• Arctic Wolf
  Ransomware Without the Ransom
  
  
• Belkasoft
  Applying the Reach Map to Solve a Real Murder Case | Matthew Sorell
  
  
• Black Hills Information Security
  REMASTERED – Log File Analysis: Gleaning Insights From Log Files | Derek & Ethan
  
  
• BSidesCharm
  BSidesCharm 2025
  
  
• Cellebrite
  Tip Tuesday: Media Categorization Confidence
  
  
• Deepanshu Khanna
  • log4j Remote Code Execution demo – CVE2021-44228
  • Meterpreter Reverse Shell Complete EDR Bypass
  • Certificate Signing – Signing malwares with digital certificates to bypass AVs at runtime
  • 🧠 Memory Forensics | Hands-on Ransomware Infected machine | Real-World Memory Analysis like a Pro
    
    
• Huntress
  SOC Incident Walkthrough: How a Compromised ScreenConnect Was Used to Deploy More Malware
  
  
• InfoSec_Bret
  SA – SOC336-314 – Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)
  
  
• John Hammond
  golang obfuscated malware goes crazy
  
  
• Magnet Forensics
  • Mobile Minute Episode 10: Focus your investigations with Event Snapshots in Magnet Axiom
  • Cyber Unpacked S2:E2 // The insider threat playbook: A case study in sensitive data exfiltration
  • Force Multipliers: Digital Forensics and How to Fund the Crime Fight
    
    
• Matthew Plascencia
  LSB Steganography: How to Hide Text in Images | Hiding Data With Programming
  
  
• MSAB
  XAMN Keywords and Filters
  
  
• MyDFIR
  Why Every SOC Analyst Should Be Using ANY.RUN
  
  
• Off By One Security
  • BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat To International Industries
  • An OpSec look at the DarkNet Dark Web Marketplace DNM Bible Part 3
    
    
• Oxygen Forensics
  How Investigators Crack Passwords with KeyDiver
  
  
• Richard Davis at 13Cubed
  A New(ish) Way to Detect Process Hollowing
  
  
• Sandfly Security
  Eliminating Linux Security Blind Spots: Insights from the CISO Series Podcast
  
  
• SANS
  • Insider Threat with Lisa Forte
  • The Fifth Domain: NATO’s Cyber Frontline with Manfred Boudreaux-Dehmer
    
    
• The Cyber Mentor
  LIVE: 🔎ForenSICK! | Cybersecurity | TryHackme | AMA
  
  
• The Defender’s Advantage Podcast
  Responding to a DPRK ITW Incident
  
  
• The Microsoft Security Insights Show
  The Microsoft Security Insights Show Episode 262 – Microsoft Layoffs
  
  
• Three Buddy Problem
  Russia hacks Ukraine war supply lines, Signal blocks Windows screenshots, BadSuccessor vuln disclosure debate
  
  
• Velocidex Enterprises
  Auscert 2025 Detection Engineering Workshop
  
  
• Volatility Foundation
  FTSCon 2024
  

MALWARE

• 0xMatheuZ
  Bypassing LD_PRELOAD Rootkits Is Easy
  
  
• Any.Run
  • How Adversary Telegram Bots Help to Reveal Threats: Case Study 
  • DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign 
    
    
• Apophis
  PowerShell Script — Tactical RMM Installation
  
  
• Binary Ninja
  5.0 Release 2
  
  
• CyberDefNerd
  • Xworm – Static Analysis (part 1)
  • Xworm – Static Analysis (part 2)
    
    
• Cybereason
  • Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe
  • Genesis Market – Malicious Browser Extension
    
    
• Eclypsium
  Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot
  
  
• Iram Jack
  • IMAGE_NT_HEADERS Dissecting
  • Foundational Techniques for Malware Triage
  • The Art of Static Analysis
  • MalBuster’s Challenge ️‍♀️
  • Ghidra ️
  • Identifying C Code Constructs in Assembly
  • An Overview of Windows API Calls
    
    
• Christopher Lopez at Kandji
  Dissecting the macOS ‘AppleProcessHub’ Stealer: Technical Analysis of a Multi-Stage Attack
  
  
• Nextron Systems
  Katz Stealer Threat Analysis
  
  
• Anna Širokova and Ivan Feigl at Rapid7
  NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign
  
  
• Karlo Zanki at ReversingLabs
  Malicious attack method on hosted ML models now targets PyPI
  
  
• Amged Wageh at Securelist
  Dero miner zombies biting through Docker APIs to build a cryptojacking horde
  
  
• Security Onion
  Quick Malware Analysis: SMARTAPESG / NETSUPPORT RAT / STEALC pcap from 2025-03-26
  
  
• Shubho57
  Analysis of Hannibal Stealer (newer version of Sharp Stealer)
  
  
• Socket
  • Malicious Koishi Chatbot Plugin Exfiltrates Messages Triggered by 8-Character Hex Strings
  • Malicious npm Packages Target React, Vue, and Vite Ecosystems with Destructive Payloads
  • 60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign
    
    
• Sucuri
  • Another Fake Cloudflare Verification Targets WordPress Sites
  • Fake Google Meet Page Tricks Users into Running PowerShell Malware
    
    
• Vincent D
  Reverse Engineering Masslogger Variant Packed with AutoIt
  
  
• Wordfence
  • 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme
  • Sophisticated & Stealthy Formjacking Malware Targets E-Commerce Checkout Pages
    
    
• Zhassulan Zhussupov
  AIYA – Mobile malware development book. First edition
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  LCryptorX
  

MISCELLANEOUS

• Brett Shavers at DFIR.Training
  The DF/IR Grind: No One Cares What Tool You Used
  
  
• DFIR Dominican
  DFIR Jobs Update – 05/19/25
  
  
• Forensic Focus
  • Major Step Forward For Public Safety As Forensics Europe Expo Co-Locates With The Blue Light Show
  • Atola Adds iSCSI Support And Enhanced RAID Features To Its TaskForce Imagers
  • Semantics 21 CEO, Dr Liam Owens, Receives Prestigious Outstanding Contribution To Online Child Protection Award At IPPPRI 2025
    
    
• Blake Cifelli at GuidePoint Security
  You’ve Contained the Threat — What Comes Next? From Recovery to Lessons Learned
  
  
• Eddie Rudie at Huntress
  Building an Incident Response Plan That Works
  
  
• Juliana T.
  No Flags, Just Forensics – My Journey Through the Certified CyberDefender Program
  
  
• Magnet Forensics
  That one artifact: Snapshot to justice
  
  
• Oxygen Forensics
  • Target, Pull, and Analyze: How Oxygen Forensics and ModeOne Streamline Civil Investigations
  • Smart Filters: Uncovering the Before and After of Key Events in Oxygen Forensic® Detective
    
    
• Raymond Roethof
  Microsoft Defender for Identity Recommended Actions: GPO assigns unprivileged identities to local groups with elevated privileges
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.150!
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.4.21
  
  
• Alexis Brignoni
  iLEAPP v2.2.0
  
  
• BlueCapeSecurity
  Google DriveFS Forensic Extractor & Metadata Exporter v1.0.0
  
  
• Canadian Centre for Cyber Security
  Assemblyline 4.6.0.3
  
  
• Crowdstrike
  Falconpy Version 1.5.1
  
  
• Digital Sleuth
  winfor-salt v2025.6.0
  
  
• Doug Metz at Baker Street Forensics
  MalChela 2.2 “REMnux” Release
  
  
• Google
  Timesketch 20250521
  
  
• IntelOwl
  v6.4.0
  
  
• jjrboucher
  Chromium-Browser-Artifact-Parser
  
  
• Koen Van Impe
  RansomLook Ticker
  
  
• Nedim Šabić
  fibratus v2.4.0
  
  
• OpenCTI
  6.6.13
  
  
• Phil Harvey
  ExifTool 13.30 (production release)
  
  
• Sandfly Security
  Sandfly 5.4 – Cisco and Juniper Network Device Support
  
  
• Security Onion
  Security Onion 2.4.150 Hotfix 20250522 now available!
  
  
• Sigma
  r2025-05-21
  
  
• Yamato Security
  • Suzaku v0.2.0 – AUSCERT/SINCON Release
  • Hayabusa v3.3.0 – AUSCERT/SINCON Release
  • WELA v1.0.0 – AUSCERT/SINCON Release
    
    
• VirusTotal
  YARA v4.5.3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!