As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
  - Digging into Google Analytics & HubSpot Cookies for Forensics
- Christopher Eng at Ogmini
- Cyber Triage
- Digital Forensics Myanmar
  - Understanding TRIM, DZAT, and DRAT: Hidden Dangers for SSD Forensics
- Oleg Afonin at Elcomsoft
  - Apple Ecosystem: Overlooked Devices
- Forensafe
  - Android Sgallery
- Matthew Plascencia
  - Master in Language Learning Apps and Privacy
- Ethan Bowen at NVISO Labs
  - Tracking historical IP assignments with Defender for Endpoint logs
- Haydar Yener Arıcı at Paraben Corporation
  - Detection, Analysis, and Interpretation of Fake Base Stations (IMSI Catchers) in Mobile Forensics
- Sujay Adkesar
  - Dissecting RDP Activity
THREAT INTELLIGENCE/HUNTING
- 0xMatheuZ
  - breaking ld_preload rootkit hooks
- Adam at Hexacorn
  - VMwareResolutionSet.exe VMwareResolutionSet.dll lolbin
- Adam Chester at XPN
  - Administrator Protection Review
- Any.Run
  - Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs
- ASEC
  - May 2025 Threat Trend Report on Ransomware
  - May 2025 Infostealer Trend Report
  - May 2025 APT Group Trends
  - May 2025 APT Group Trends (South Korea)
  - May 2025 Trends Report on Phishing Emails
  - Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
  - Infostealer Disguised as Copyright Infringement Document Distributed in Korea
- Ian Rogers at AttackIQ
  - Response to CISA Advisory (AA25-163A): Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
- Ayham Assaf
  - Remote collection of Windows Threat Hunting using Chainsaw and Microsoft Defender for Endpoint
- Bart at Blaze’s Security Blog
  - Steam Phishing: popular as ever
- Brad Duncan at Malware Traffic Analysis
- CERT-AGID
  - Summary of malicious campaigns in the week of 14 – 20 June (original title in Italian: Sintesi riepilogativa delle campagne malevole nella settimana del 14 – 20 giugno)
- Check Point
- Cisco’s Talos
- Jen Sells and Claudio Jolowicz at Cloudflare
  - Cloudflare Log Explorer is now GA, providing native observability and forensics
- CloudSEK
  - Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users
  - Part 2: The Iran-Israel Cyber Standoff – The State’s Silent War
  - Part 1: The Iran-Israel Cyber Standoff – The Hacktivist Front
  - Androxgh0st Continues Exploitation: Operators Compromise a US University For Hosting C2 Logger
- Cofense
- Donato Onofri and Liviu Arsene at CrowdStrike
  - CrowdStrike Researchers Investigate the Threat of Patchless AMSI Bypass Attacks
- Cyber Axe
  - KPIs and Metrics for Threat Hunting
- CyberArmor
  - Threat Insight: Cybercriminals Abusing Vercel to Deliver Remote Access Malware
- Cybereason
  - Ransomware Gangs Collapse as Qilin Seizes Control
- Cyfirma
  - Weekly Intelligence Report – 20 June 2025
- Adam Price at Cyjax
  - Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
- John Reeman at Cyooda Security
  - Highly Malicious Infostealer
- Damien Lewke
  - “The noise isn’t false positives, it’s all the stuff you’re taking action on that didn’t need action in the first place.”
- Dark Atlas
  - Nobitex Breach: $81 Million Theft Under Investigation
- Darktrace
  - Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure
- Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  - Attack Hunting Using AWS VPC Flow Logs
- Detect FYI
  - Differentiating between IoC, IaC and indicators of fraud
- Manuel Winkel at Deyda.net
  - Checklist for NetScaler (Citrix ADC) CVE-2025-5777
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 24)
- Julia Ibinson at DomainTools
  - Protected: Part 2: Tracking LummaC2 Infrastructure
- DomainTools Investigations
  - Cybersecurity Reading List – Week of 2025-06-16
- Elastic Security Labs
  - A Wretch Client: From ClickFix deception to information stealer deployment
- Elliptic
  - Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group
- FalconFeeds
- Flare
  - Ransomware Recap of 2025 So Far (and Context from 2024)
- Flashpoint
  - Escalation in the Middle East: Tracking the Israel–Iran Conflict Across Military and Cyber Domains
- Pei Han Liao at Fortinet
  - Threat Group Targets Companies in Taiwan
- g0njxa
  - Meowsterio: Weaponizing ClickOnce in 2025
- Google Cloud Security Community
- Gabby Roncone and Wesley Shields at Google Cloud Threat Intelligence
  - What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
- Noah Stone at GreyNoise
  - GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771
- Group-IB
  - Declaration trap: Crypto Drainers masquerading as European Tax Authorities
- Hudson Rock
  - Nobitex Breach: Infostealers Expose Critical Employee Credentials in Latest Crypto Exchange Hack
- Hunt IO
  - Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure
- Huntress
- IC3
  - People’s Republic of China Cyber Threat Activity
- InfoSec Write-ups
  - Volt Typhoon APT Walkthrough — TryHackMe Room Investigation Using Splunk & Threat Hunting…
  - $ Mass Hunting with FOFA Dorking
  - CyberDefender: “PsExec Hunt Lab” Challenge Writeup
  - CyberDefender: “DanaBot Lab” Challenge Writeup
  - Investigating HTTP Basic Auth Attack from a PCAP: A SOC Analyst’s Walkthrough
  - Fileless Malware: The Ghost in Your Machine
  - Mastering Threat Hunting with Criminal IP: The Dorks Query Playbook (Part 1)
- Bukar Alibe at INKY
  - Fresh Phish: How to Stay a Step Ahead of the Latest QR Code Phishing Scam
- Intel 471
  - A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator
- Kaido Järvemets
  - Query Your AD Delegations Like Security Events
- LCSC-IE
  - Identifying North Korean Kimsuky (APT43) Infrastructure
- LevelBlue
  - Stories from the SOC – ClickFix and Chill, Now Here’s the Ransomware Bill
- Michael Haag
- Michalis Michalos
  - Insights from the trenches: building audit capacity for Microsoft Sentinel & Defender XDR
- Florian Roth at Nextron Systems
  - The Blind Spot Scanner – Why THOR Detects What Others Miss
- Oleg Skulkin at ‘Know Your Adversary’
  - 166. Detecting Windows Problem Reporting Abuse
  - 168. Adversaries Abuse LLM to Generate Malicious Scripts
  - 167. Adversaries Use Weaponized GitHub Repositories to Deliver Malware
  - 169. Regular Stealer – Lots of Detection and Hunting Opportunities
  - 171. Detecting BlueNoroff’s Indicator Removal Techniques
  - 170. Hunting for Mocha Manakin
  - 172. Another Curious ClickFix PowerShell Command
- OSINT Team
- Parveen Vashishtha
  - Renewed Interest in MassLogger Among Malicious Actors
- Adithya Vellal at Petra Security
  - BECs Don’t Always Target Your Emails
- Qi’anxin X Lab
- Ken Dunham at Qualys
  - Lessons from Qilin: What the Industry’s Most Efficient Ransomware Teaches Us
- Michael Robertson at Recon Infosec
  - Prolific Phishing Campaign Leveraging Zoom’s Infrastructure
- Recorded Future
  - Threats to the 2025 NATO Summit
- Red Canary
- Robert Simmons at ReversingLabs
  - Threat actor Banana Squad exploits GitHub repos in new campaign
- Sandfly Security
- SANS Internet Storm Center
- Securonix
- Prashil Moon at Seqrite
  - Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry
- Siddhant Mishra
  - Behavior Before Volume: A Smarter Approach to Alert Tuning
- Simone Kraus
- SOCRadar
  - Tycoon 2FA: An Evolving Phishing Kit Powering PhaaS Threats
- Sublime Security
  - Community Spotlight: Email Detection Rules built by the Sublime Community
- Marco A. De Felice aka amvinfe at SuspectFile
  - Update: Asheville Eye Associates, Attorneys General in Several U.S. States Notified Following November 2024 Ransomware Attack. Data Breach May Involve 147,116 Individuals
- Stefano Chierici at Sysdig
  - Dangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories
- System Weakness
- John Scott-Railton, Rebekah Brown, and Bill Marczak at The Citizen Lab
  - Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords
- THE RAVEN FILE
  - BERT RANSOMWARE
- THOR Collective Dispatch
- Threatmon
  - Understanding Pulsar RAT – ThreatMon
- Trishaan Kalra at Trellix
  - Hidden Malware Discovered in jQuery Migrate: A Stealthy Supply Chain Threat
- Trunc
  - Investigating the ‘slince_golden’ WordPress Backdoor
- Trustwave SpiderLabs
  - The Digital Front Line: Israel and Iran Turn the Internet into a Covert Combat Zone
- Kenneth Kinion at Validin
  - Zooming through BlueNoroff Indicators with Validin
- Gearóid Ó Fearghaíl and Tiffany Nip at Vectra AI
  - Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate by Gearóid Ó Fearghaíl
- Shay Berkovich and Rami McCarthy at Wiz
  - Leaking Secrets in the Age of AI
- István Márton at Wordfence
UPCOMING EVENTS
- Black Hills Information Security
- Cellebrite
- Dr Josh Stroschein
  - Unveiling Go Malware: Analysis Challenges & Expert Techniques with Kyle Cucci
- Simply Cyber
  - Fast Track to Domain Dominance | Lunch & Learn
- Lesley Carhart
  - I’m in Melbourne, and PancakesCon 6 is On!
- Magnet Forensics
  - Magnet User Summit 2026: Redefining and rediscovering what’s possible in DFIR
PRESENTATIONS/PODCASTS
- Hexordia
  - Truth in Data: EP9: Cracking the Code: Entering the DFIR Field
- Adversary Universe Podcast
  - When the Adversary Shows Up in Person
- Belkasoft
  - Qualifications and Role of an Expert Witness | Jan Collie
- Breaking Badness
  - Attribution in the Age of AI: Cloud Threats, Real Attacks, and Zero-Knowledge Adversaries
- Cellebrite
  - Tip Tuesday: Media Origin
- Chris Sienko at the Cyber Work podcast
  - From FBI Cyber Agent to Police Tech Innovator | Andre McGregor
- Cloud Security Podcast by Google
  - EP230 AI Red Teaming: Surprises, Strategies, and Lessons from Google
- Cyber Social Hub
  - Mastering Social Media OSINT: SMI Aware’s Secrets to Cyber Sleuthing
- Deepanshu Khanna
  - Automate – Kubernetes Digital Forensics & Incident Response | Threat Detection + Forensics + Report
- Huntress
- InfoSec_Bret
  - Challenge – HTTP/2 Rapid Reset
- Insane Forensics
  - Abusing the Everyday: How LOTL Attacks Exploit OT Environments | OT Office Hours
- John Hammond
  - Evading Antivirus Detection in C (with Dahvid Schloss)
- Michael Haggis
- MSAB
  - Export File System
- MyDFIR
  - Want Cybersecurity Experience But No Job? Watch This.
- Off By One Security
  - Breaking into a Cyber Security Career in 2025
- Paraben Corporation
  - Parsing the Truth: One Byte at a Time
    - The Expert Witness
- Proofpoint
  - Signatures and Surprises: Inside the Emerging Threats Team
- SANS
- SANS Cloud Security
  - Full SANS Webcast | Decoding the Shared Responsibility Model: Securing Cloud Environments Together
- SANS Cyber Defense
  - Agentic AI and Security
- The DFIR Report podcast
  - DFIR Discussions: Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
- Three Buddy Problem
  - Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, destructive bank hacks
MALWARE
- Doug Metz at Baker Street Forensics
  - MalChela v3.0: Case Management, FileMiner, and Smarter Triage
- Harfanglab
  - SadFuture: Mapping XDSpy latest evolution
- Baran S at K7 Labs
  - SpyMax – A Fake Wedding Invitation App Targeting Indian Mobile Users
- Malvuln
  - RansomLordNG v1.0 updates and de-weaponize POC
- Mohamed Sultan
  - Exfiltrate Without Borders
- NCSC
- Marine Pichon and Alexis Bonnefoi at Orange Cyberdefense
  - From SambaSpy to Sorillus: Dancing through a multi-language phishing campaign in Europe
- Palo Alto Networks
- Hassan Faraz at Porthas
  - Akira Ransomware: In-Depth Technical Analysis
- Proofpoint
  - Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
- Shubho57
  - Analysis of LCRYX Ransomware (.vbs script)
- Olivia Brown at Socket
  - Protestware in JavaScript UI Toolkits on npm Target Russian Language Sites
- Puja Srivastava at Sucuri
  - Analysis of a Malicious WordPress Plugin: The Covert Redirector
- Matt Morrow at Sucuri
  - Malicious WordPress Plugin Creates Hidden Admin User Backdoor
- Zhassulan Zhussupov
MISCELLANEOUS
- Anton Chuvakin
  - Output-driven SIEM — 13 years later
- Brett Shavers
  - We don’t rise to the level of our DF/IR certs and degrees. We fall to the level of our experience and training.
- Brett Shavers at DFIR.Training
- Cellebrite
  - Cellebrite + Corellium: The Unmatched Partnership Explained
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 06/16/25
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Building Bridges and Working Across Silos with Legal Data Intelligence
- Forensic Focus
  - Oxygen Tech Bytes In May 2025
  - Digital Forensics Jobs Round-Up, June 16 2025
  - Now Available: XRY 11.2, XAMN 8.2, UNIFY 25.5, XEC 7.14, And KTE 11.2
  - Magnet Forensics Acquires Dark Circuit Labs, Enhancing Vulnerability Research & U.S. Federal Support
  - Meet Forensic Focus at Forensics Europe Expo 2025
  - Amped User Days 2025: Advancing Forensic Expertise In A Changing Digital World
  - GMDSOFT Tech Letter Vol.12: Artifact Analysis Using Telegram Data Exports
- Hussam Shbib at Cyber Dose
  - Be a Better Detective #1
- Adam Goss at Kraven Security
  - CyberChef 101: A Quick Guide to The Most Versatile Cyber Tool
- Lab52
  - CYBER GRU: Russian military intelligence in cyberspace
- Magnet Forensics
  - Meet the Magnet Forensics Training Team: Anthony Reince
- Frank Tobia, Ike Okoro, Matt Pfeiffer and Dan Aschwanden at Open Source DFIR
  - Unlocking Fleetspeak Large Scale and Reliability with Cloud Spanner
- Oxygen Forensics
- TobyG at sentinel.blog
  - Simplifying Azure Log Analytics Table Retention Management: A Modern Approach
- Ryan G. Cox at The Cybersec Café
  - The Playbook for Playbooks
- The Mitten Mac
  - Threat Hunting macOS
SOFTWARE UPDATES
- Acquired Security
  - Forensic Timeliner v2.2
- Amped
  - Amped FIVE Update 37757: Writing Queue, Camera Calibration, RIFF Viewer, Timing Source for Video Writer and Much More
- Crowdstrike
  - Falconpy Version 1.5.3
- Didier Stevens
  - Update: teeplus.py Version 0.0.2
- Digital Sleuth
  - winfor-salt v2025.9.3
- Metaspike
  - Forensic Email Intelligence 2.2.472 Release Notes
- MSAB
  - Now available: XRY 11.1, XAMN 8.2, UNIFY 25.5, XEC 7.14 and KTE 11.1
- North Loop Consulting
  - Key Programmer Parser v3.2
- OpenCTI
  - 6.6.18
- Phil Harvey
  - ExifTool 13.31
- Rahmat Nurfauzi
  - TTPMapper
- Xorhex
  - mlget v3.4.3
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!