As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  Master Wireshark tool Like a Pro: — The Ultimate Packet Analysis Guide for Real-World Analysts
  
  
• CCL Solutions
  Investigating PolyBuzz on Android
  
  
• Christopher Eng at Ogmini
  • Remote Desktop Manager – Artifacts Part 6
  • Random Thoughts – System Naming
  • RDCMan – Verifying DPAPI Activity
  • WinFE Training – Completed
  • RDCMan – Importance of DPAPI Activity
  • SANS – Ransomware Summit 2025
  • Remote Desktop Manager – LOLRMM
    
    
• Dr. Brian Carrier at Cyber Triage
  SOC Investigations 2025: Clues Are Key
  
  
• Derek Eiri
  Exploring the macOS Native Commands Behind Andrea Lazzarotto’s Fuji
  
  
• Digital Forensics Myanmar
  Breaking into the Ecosystem – How One Weak Link Can Unlock a Secure Device (Myanmar Translation)
  
  
• Oleg Afonin at Elcomsoft
  iOS Extraction Tip: Why Start with Recovery Mode?
  
  
• Forensafe
  iOS Google Maps
  
  
• Heather Chapentier
  Glow&Behold
  
  
• InfoSec Write-ups
  Memory Analysis Introduction | TryHackMe Write-Up | FarrosFR
  
  
• Koen Van Impe
  Incident Response on ESXi
  
  
• kyjonin
  Velociraptor MCP
  
  
• North Loop Consulting
  Introducing Arsenic
  
  
• Aj-Tap at ShinkenSec
  Log Analysis Made Easy: The Swiss Army Knife for Logs – Logtap
  
  
• SJDC
  A Practical Path to Mobile Device Discovery for Private Investigators—Using Free Tools and Smart Workflows
  
  
• Aaron at System Weakness
  Mobile Acquisition | Tryhackme
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Threat Hunting C2 over HTTPS Connections Using the TLS Certificate
  
  
• Adam at Hexacorn
  • shell32.dll, #61
  • mscoree.dll, RunDll32ShimW lolbin
    
    
• Ayelen Torello at AttackIQ
  Emulating the Unyielding Scattered Spider
  
  
• BI.Zone
  Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations
  
  
• Gracie Smith at Binary Defense
  RMM: Tool Convenience and Control Comes with a Cost 
  
  
• Black Cell
  Advanced phishing with legitimate emails
  
  
• Mehmet Ergene at Blu Raven Academy
  Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way Using Microsoft Defender for Endpoint
  
  
• Brian Krebs at ‘Krebs on Security’
  • Pakistan Arrests 21 in ‘Heartsender’ Malware Service
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
    
    
• CERT-AGID
  • AsyncRAT distribuito in Italia tramite componenti steganografici
  • Sintesi riepilogativa delle campagne malevole nella settimana del 24 – 30 maggio
    
    
• Check Point
  • 26th May – Threat Intelligence Report
  • Lumma Infostealer – Down but Not Out?
    
    
• CISA
  New Guidance for SIEM and SOAR Implementation
  
  
• Cofense
  • Fake Course, Real Threat: Learning a Phishing Lesson the Hard Way
  • Behind the Script: Unmasking Phishing Attacks Using Google Apps Script
    
    
• CTF导航
  • Velvet Chollima APT 对手模拟
  • April 2025 APT Group Trends
  • 挂羊头卖狗肉 —— Osiris 恶意浏览器扩展分析
  • 银狐利用快连 vpn 和 QQ 浏览器传播恶意程序 Winos v4.0
  • ViperSoftX 伪装成破解软件
    
    
• Patrick Seltmann at ctrlshiftenter.cloud
  Entra Connect Sync – Attack Surface Reductions
  
  
• Cyber Axe
  Complete Guide On How to Identify A Suspicious Process
  
  
• Jane Ginn at Cyber Threat Intelligence Training Center
  Schema-Free Intelligence: Document Databases as the Backbone of Adaptive CTI Systems
  
  
• Cyfirma
  Weekly Intelligence Report – 30 May 2025
  
  
• Damien Lewke
  Threat Hunting the DPRK’s Remote Workers
  
  
• Darktrace
  PumaBot: Novel Botnet Targeting IoT Surveillance Devices
  
  
• Johann Aydinbas, Bennet Conrads, Moaath Oudeh and Denis Szadkowski at DCSO CyTec
  SafePay: The new kid on the block
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week21)
  
  
• DomainTools
  • Using DomainTools Iris to Enhance Classic Whois and RDAP
  • Tracking LummaC2 Infrastructure with Cats 
    
    
• Arda Büyükkaya & Alon Gal at EclecticIQ
  Pakistan Telecommunication Company (PTCL) Targeted by Bitter APT During Heightened Regional Conflict
  
  
• Esentire
  When Samsung’s Magic Turns Tragic: A Tale of Unauthorized Mining
  
  
• Flashpoint
  Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
  
  
• Sai Molige at Forescout
  Cybersecurity in Manufacturing: Threats, Trends, and Preparation
  
  
• FourCore
  Threat-informed defense with HarfangLab EDR and FourCore ATTACK
  
  
• Gen
  Gen Q1/2025 Threat Report
  
  
• Google Cloud Security Community
  New to Google SecOps: Building a Rule Using Match and Outcome Variables
  
  
• Google Cloud Threat Intelligence
  • Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  • Mark Your Calendar: APT41 Innovative Tactics
    
    
• Noah Stone at GreyNoise
  Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
  
  
• GreyNoise Labs
  AyySSHush: Tradecraft of an emergent ASUS botnet
  
  
• Hudson Rock
  • Russian ‘Laundry Bear’ Hackers Breach Dutch Police Using Infostealers
  • Meet Enki: Hudson Rock’s AI Breakthrough for Infostealer Analysis
    
    
• Hunt IO
  How to Track Threat Actors Through Real-World IOC Pivoting
  
  
• Huntress
  • Detecting Malicious Security Product Bypass Techniques
  • “Advanced” Intrusion Targeting Critical Marketing Research Company
    
    
• IC3
  Infrastructure Used to Manage Domains Related to Cryptocurrency Investment Fraud Scams between October 2023 and April 2025
  
  
• David Sardinha at Intrinsec
  BtHoster: Identifying noisy networks emitting malicious traffic through masscan servers
  
  
• Kijo Ninja
  BEC Starts Here: Tracing the First Entry Technique
  
  
• Lab52
  Some thoughts about Laundry Bear
  
  
• Lookout
  What Is the MITRE ATT&CK Framework? Mapping to Today’s Defensive Controls
  
  
• Daniel Jeremiah
  Threat Hunting on Windows Server 2016: Uncovering Hidden C2 Malware Using Elastic SIEM
  
  
• Microsoft Security
  • New Russia-affiliated actor Void Blizzard targets critical sectors for espionage
  • Defending against evolving identity attack techniques
    
    
• Natebair
  A Midnight Blizzard Special: Simulating an RDP Phishing Campaign — PT 1
  
  
• Natto Thoughts
  From Humble Beginnings: How a Vocational College Became a Vulnerability Powerhouse
  
  
• Netscout
  Decoding TCP SYN for Stronger Network Security
  
  
• Pierre-Henri Pezier at Nextron Systems
  Stealth in 100 Lines: Analyzing PAM Backdoors in Linux
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 146. Adversaries Abuse Haihaisoft PDF Reader to Deliver Rhadamanthys Stealer
  • 147. Detecting a macOS Stealer
  • 148. Base64? And What About Base85?
  • 149. Adversaries Abuse Free Web Hosting Infrastructure
  • 150. Adversaries Abuse Internet Query Files
  • 151. Adversaries Abuse MST Transforms to Install Malware
  • 152. Beyond Good Ol’ Windows Command Shell
    
    
• Miri Mohammed at OSINT Team
  Inside the Scam Unpacking a Real Phishing Email Attempt
  
  
• Outpost24
  Threat Context Monthly May 2025: Scattered Spider & Lumma Stealer  
  
  
• Abian Morina at Permiso
  CloudTrail Logging Evasion: Where Policy Size Matters
  
  
• Adithya Vellal at Petra Security
  When A Tesla Looks Like an Attacker
  
  
• Practical Security Analytics
  Profiling User Activity with EventLogs
  
  
• SANS Internet Storm Center
  • SVG Steganography, (Mon, May 26th)
  • Securing Your SSH authorized_keys File, (Tue, May 27th)
  • Alternate Data Streams ? Adversary Defense Evasion and Detection [Guest Diary], (Wed, May 28th)
  • [Guest Diary] Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack, (Wed, May 28th)
  • Usage of “passwd” Command in DShield Honeypots, (Fri, May 30th)
  • A PNG Image With an Embedded Gift, (Sat, May 31st)
  • YARA 4.5.3 Release, (Sun, Jun 1st)
    
    
• Antonio Villalón at Security Art Work
  Algunas reflexiones sobre Laundry Bear
  
  
• Siddhant Mishra
  • Leveraging Sysmon to Complement EDR and Address Evasion Techniques
  • TRIAGE³: A Revolutionary Framework for SOC Signal Management
    
    
• Simone Kraus
  • The Illusion of Intelligence — How Superficial Analysts Undermine Cybersecurity
  • Autonomous Rethinking as War Crime & Public Warfare
  • Neuroweapons in Cognitive Warfare
  • Dismantling the Semantics of Zersetzung
    
    
• SOCRadar
  Dark Web Profile: NightSpire Ransomware
  
  
• Anthony Bradshaw, Hunter Neal, Morgan Demboski, and Sean Gallagher at Sophos
  DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
  
  
• Josh “Soup” Campbell and Brandon Murphy at Sublime Security
  Detecting an email-based ClickFix attack that delivers DCRat malware payload
  
  
• Manish Rawat at System Weakness
  From Clueless to Clued-In: How YARA Helps You Hunt Malware Like a Pro
  
  
• The Raven File
  Lumma Stealer Still Active? After FBI Crackdown!
  
  
• THOR Collective Dispatch
  • Making Your Hunts Matter: Introducing Threat Hunting Relevancy Factors
  • Dispatch Debrief: May 2025
    
    
• Tom Hacker
  LOLFS
  
  
• Cris Tomboc and King Orande at Trustwave SpiderLabs
  PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec’s Operations
  
  
• Varonis
  • Scattered Spider: What You Need to Know
  • The Role of Telemetry in Cloud Security: Unlocking the Secrets of the Cloud 
    
    
• István Márton at Wordfence
  15,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in MasterStudy LMS Pro WordPress Plugin
  
  
• Блог Solar 4RAYS
  Webrat шпионит за жертвой через веб-камеру и похищает аккаунты и криптокошелки
  

UPCOMING EVENTS

• Dr. Ashar Neyaz and Elena Chertova at Belkasoft
  Carving in DFIR: Data Recovery and Detection of Anti-Forensic Measures
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-06-02 #livestream #infosec #infosecnews
  
  
• Huntress
  Tradecraft Tuesday | AI: Friend or Faux?
  
  
• George Glass and Keith Wojcieszek at Kroll
  April Threat Intelligence Spotlight Report
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Catching Up on Cloud Attack Paths with Cloud Threat Specialist Sebastian Walla
  
  
• Archan Choudhury at BlackPerl
  Threat Intelligence for SOC Analysts | ANY.RUN New TI Lookup and Feed
  
  
• Belkasoft
  Connecting the Dots: How Sparse Data Solves Real-World Crimes | Matthew Sorell
  
  
• Breaking Badness
  It Takes a Village to Secure AI
  
  
• Cellebrite
  Tip Tuesday: PA Installation
  
  
• Clint Marsden at the TLP – Digital Forensics Podcast
  Episode 19: AI Data Poisoning: How Bad Actors Corrupt Machine Learning Systems for Under $60
  
  
• Cloud Security Podcast by Google
  EP227 AI-Native MDR: Betting on the Future of Security Operations?
  
  
• Deepanshu Khanna
  Complete Cyber Threat Intelligence (CTI) Masterclass | Learn and Hunt APT36 espionage group
  
  
• Dr Josh Stroschein
  AI Prompt Hunting with NOVA and the YARA Tool Kit – Guest Thomas Roccia
  
  
• Endace
  Integrating Always-On Packet Capture with Microsoft Sentinel
  
  
• InfoSec_Bret
  Challenge – SpiceRAT
  
  
• Intel 471
  Fingerprinting threat actors by their anonymity techniques
  
  
• John Hammond
  • FAKE Gambling Cheat Runs Malware
  • hackers weaponize… really long filenames??
  • Malware & Hackers Evade Antivirus with Windows Sandbox
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Virut’s NTDLL Hooking and Process Infection, Part 2
  
  
• Microsoft Threat Intelligence Podcast
  Call of the Cyber Duty (A Global Cyber Challenge)
  
  
• MSAB
  • XAMN Pro – Compare Feature
  • Forensic Fix Episode 21
    
    
• MyDFIR
  SOC Analyst Job Description Review (What Skills You Actually Need)
  
  
• Nuix
  Sprint to success: Conversation with software leaders with AWS and Nuix
  
  
• Parsing the Truth: One Byte at a Time
  BTK Killer and the Purple Floppy Disk
  
  
• SANS
  • Inside Pacific Rim with Ross McKerchar
  • Visual Summary of SANS Ransomware Summit 2025
    
    
• The Cyber Mentor
  How Hackers Establish Persistence
  
  
• The Weekly Purple Team
  🛡️ Deep Dive: BadSuccessor – Full Active Directory Compromise
  
  
• Threat Forest
  Uhkametsän APT-uutiset ja Tuo Oma Haavoittuva Ajurisi
  
  
• Three Buddy Problem
  The dark hole of ‘friendlies’ and Western APTs
  

MALWARE

• Any.Run
  • How to Analyze Node.js, Python, Android, and Linux Malware with ANY.RUN 
  • How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN 
    
    
• ASEC
  Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea
  
  
• Sean Shirley at LevelBlue
  Hunting Malware with MSHTA and CyberChef: A Deep Dive into Obfuscation in Malicious Scripts and Credential Theft
  
  
• Chetan Raghuprasad at Cisco’s Talos
  Cybercriminals camouflaging threats as AI tool installers
  
  
• Hendrik Eckardt at cyber.wtf
  Notes on Pyarmor BCC Mode
  
  
• Elastic Security Labs
  Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns
  
  
• Fatih Yilmaz
  • JavaScript Malware Analysis
  • JavaScript Zararlı Yazılım Analizi
    
    
• Fortinet
  • Infostealer Malware FormBook Spread via Phishing Campaign – Part II
  • Deep Dive into a Dumped Malware without a PE Header
    
    
• Banu Ramakrishnan at G Data Software
  Reborn in Rust: AsyncRAT
  
  
• g0njxa
  Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader
  
  
• Iram Jack
  • Process Hollowing
  • Malware analysis in a VM
  • Debugging
  • Debugging in Practice
  • Anti-Debugging
  • VM Detection
  • Malware Packers
    
    
• Leandro Fróes at Netskope
  PureHVNC RAT Using Fake High-level Job Offers from Fashion and Beauty Brands
  
  
• Leandro Cuozzo at Securelist
  Zanubis in motion: Tracing the active evolution of the Android banking malware
  
  
• Sekoia
  The Sharp Taste of Mimo’lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS
  
  
• Aj-Tap & johnKim at ShinkenSec
  Brain Cipher Ransomware: Analysis of a Lockbit 3.0 variant
  
  
• Shubho57
  Analysis of DarkComet RAT (Synaptics Touchpad Driver)
  
  
• Socket
  • Monkey-Patched PyPI Packages Use Transitive Dependencies to Steal Solana Private Keys
  • Malicious npm Package Wipes Codebases with Remote Trigger
    
    
• SquareX Labs
  Safari Vulnerability Enables Attackers to Steal Credentials with Fullscreen BitM Attacks
  
  
• Sucuri
  • Fake Java Update Popup Found in Malicious WordPress Plugin
  • What Motivates Website Malware Attacks?
    
    
• Srini Seethapathy at Trellix
  A Flyby on the CFO’s Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment
  
  
• Joseph C Chen at Trend Micro
  Earth Lamia Develops Custom Arsenal to Target Multiple Industries
  
  
• Jason Reaves at Walmart
  ARC Stealer Hiding in the Ether
  
  
• Zhassulan Zhussupov
  Malware and cryptography 42 – encrypt/decrypt payload via Speck cipher. Simple C example.
  

MISCELLANEOUS

• Dr. Erdal Ozkaya at Binalyze
  Platform power or precision tools? The EDR investigation gap
  
  
• Manny Kressel at Bitmindz
  Nvidia Blackwell Architecture – The New KING of Decryption Engines
  
  
• Brett Shavers
  The Bitter Pill of DF/IR Hindsight
  
  
• Cellebrite
  Connect the Dots: Guide to Investigations with Multiple Digital Devices 
  
  
• Cyberbit
  • Introducing Quests: No Handholding. Just Skills. 
  • New Month, New Missions: Cyberbit’s Freshest Content is Live 
    
    
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 05/26/25
  
  
• Forensic Focus
  • Forensics Europe Expo Returns To London With Cutting-Edge Focus On Digital Innovation, Interoperability And Next-Gen Forensics
  • Oxygen Tech Bytes In April 2025
  • Digital Forensics Round-Up, May 28 2025
  • Oxygen Forensic® Detective v.17.3 Is Available Now
  • Forensic Focus Digest, May 30 2025
  • GMDSOFT Tech Letter Vol 11 Artifact Analysis Using Instagram Data Exports
    
    
• Julien Houry
  From Alert to Insight: The Art of Incident Qualification
  
  
• North Loop Consulting
  Getting Started with Arsenic
  
  
• Oxygen Forensics
  Cutting Costs While Adding Capabilities: Targeted Remote Data Collection Using Oxygen Forensics
  
  
• Lance Cody-Valdez at Paraben Corporation
  Speaking Their Language: How Investigators Can Connect with Anyone
  
  
• Jaikumar Vijayan at ReversingLabs
  Detection as code: How to enhance your real-time threat detection
  
  
• Salvation DATA
  How to Recover the Deleted DVR Footage with VIP2.0
  
  
• Toby G at sentinel.blog
  Simplifying Azure Log Analytics Table Retention Management: A Modern Approach
  

SOFTWARE UPDATES

• Antonio Formato at Antonio Formato
  What’s new in TI Mindmap | May 2025
  
  
• Apache
  26 May 2025: Apache Tika Release 3.2.0
  
  
• Brian Maloney
  OneDriveExplorer v2025.05.30
  
  
• Crowdstrike
  Falconpy Version 1.5.2
  
  
• Didier Stevens
  • Update: process-binary-file.py Version 0.0.11
  • Update: oledump.py Version 0.0.82
  • Update: myjson-filter.py Version 0.0.8
    
    
• Digital Sleuth
  • winfor-salt v2025.8.7
  • WIN-FOR v10.2.0
    
    
• Doug Metz at Baker Street Forensics
  Hashes for the Masses: Finding What Matters in a Sea of Samples
  
  
• Metaspike
  • Remote Authenticator for Mac 2.2.0 Release Notes
  • Forensic Email Collector (FEC) Changelog – 4.1.455.1255
    
    
• OpenCTI
  6.6.14
  
  
• PuffyCid
  Artemis v0.14.0 – Released!
  
  
• Rapid7
  Velociraptor v0.74.3
  
  
• Yamato Security
  suzaku v0.2.1 – AUSCERT/SINCON Release 2
  
  
• YARA
  v4.5.4
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!