As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
  - Forensic Differences Between Windows 10 and Windows 11
- Arman Gungor at Metaspike
  - How to Prove That An Email Was Received
- Chris Sanders
  - A Standard for Human-Centered Investigation Playbooks
- Christopher Eng at Ogmini
  - Registry Hive – Data Types Part 4
  - Windows Notepad – Modifying TabState or WindowState Files
  - Windows Notepad – Windows State Editor Pre-Release
  - BelkaCTF 7 – Stranger Dfings
  - Expectations vs Reality – Digital Forensic Science Master’s Degree Part 9
  - RDP Timelining Tool
  - Windows Notepad – Markdown Support
- Damien Attoe
  - The Duck Hunters Guide – Blog #8 – Downloads (Android)
- Derek Eiri
  - NVMe Serial Numbers with the Guardonix & USB Stabilizer
- Digital Forensics Myanmar
- Oleg Afonin at Elcomsoft
  - Extracting and Analyzing Apple Unified Logs
- Forensics With Matt
- Ian Whiffin at DoubleBlak
THREAT INTELLIGENCE/HUNTING
-
- Bill Stearns at Active Countermeasures
  - Extracting Lines of Interest From Zeek Logs
- Maor Dahan at Akamai
  - Cryptominers’ Anatomy: Shutting Down Mining Botnets
- Vishal Raj at Altered Security
  - Initial Access Attack in Azure – Understanding and Executing the Illicit Consent Grant Attack in 2025
- Any.Run
  - How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox
- Apophis
  - PowerShell loads SectopRAT & HijackLoader
- Brittany Bodane at AppOmni
  - How to Investigate Suspicious User Activity Across Multiple SaaS Applications
- Arctic Wolf
  - GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations
- Artem Baranov
  - Setting up Claude MCP for TI with Kaspersky TIP as a case study
- Paul Reid at AttackIQ
  - Iranian Cyber Threat Escalation: Preparing for Asymmetric Response through Adversarial Validation Emulation
- Tony Burgess at Barracuda
  - New series: Malware Brief
- Brad Duncan at Malware Traffic Analysis
  - 2025-06-26: Lumma Stealer infection with follow-up malware
- CERT Ukraine
  - UAC-0001 (APT28) cyber attacks on government bodies using BEARDSHELL and COVENANT
- CERT-AGID
- Check Point
  - Defeating PumaBot: How Check Point Quantum IoT Protect Nano Agent Shields Surveillance Devices
  - 23rd June – Threat Intelligence Report
  - In the Wild: Malware Prototype with Embedded Prompt Injection
  - Iranian Educated Manticore Targets Leading Tech Academics
  - AI Evasion: The Next Frontier of Malware Techniques
- Marcin Noga at Cisco’s Talos
  - Decrement by one to rule them all: AsIO3.sys driver exploitation
- Adam Martin at Cofense
  - CapCut Con: Apple Phishing & Card-Stealing Refund Ruse
- Ashish Malpani at Corelight
  - EDR Evasion: How Attackers Evade EDR & How to Detect Them
- Cyberknow
  - Iran-Israel War Cyber Tracker
- Cyfirma
  - Weekly Intelligence Report – 26 June 2025
- Dark Atlas
- Darktrace
  - Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36)
- Manuel Arrieta at Detect FYI
  - Hunting Fileless Malware in the Windows Registry
- Digital Defense Institute
  - Detection Forge
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 25)
- DomainTools Investigations
  - CyberAv3ngers: From Infrastructure Hacks to Propaganda Machines in the Iran-Israel Cyber War
- Eclypsium
  - The Cisco Vulnerability Salt Typhoon Weaponized Against Canadian Telcos and Viasat
- Elastic Security Labs
  - Microsoft Entra ID OAuth Phishing and Detections
- Oren Yomtov at ExtensionTotal
  - Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork
- FalconFeeds
  - French Authorities Dismantle BreachForums Core Team: A Deep Dive into Cybercrime Enforcement and Ecosystem Resilience
- Flare
  - The State of Ransomware in 2025: Extortion-Only Struggles and New Tactics
- Flashpoint
  - Serial Hacker “IntelBroker” Charged For Causing $25 Million In Damages To Victims
- Fortinet
  - Welcome to the New Cyber Battleground
- Google Cloud Security Community
  - Stop SMS Toll Fraud Before It Starts: Introducing reCAPTCHA SMS defense
- Noah Stone at GreyNoise
  - Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity
- Group-IB
  - Middle East Cyber Escalation: From Hacktivism to Sophisticated Threat Operations
- Hudson Rock
  - Hy-Vee Hacked: Infostealers Enable Stormous Group’s 53GB Atlassian Data Heist
- Meggi Deltrap & Tom Moester at Hunt & Hackett
  - Rising Cyber Tensions: NoName057(16)’s hacktivist activities reach the Netherlands
- Hunt IO
  - Threat Hunting Across 10.6B URLs: Find Payloads, C2s, and Exposed Assets with URLx
- Andrew Schwartz and Charlie Clark at Huntress
  - Recutting the Kerberos Diamond Ticket
- InfoSec Write-ups
  - 80% of Phishing Clues Are in the Header, PhishHound Finds Them with YAML Logic
  - Mastering Malware Analysis: A SOC Analyst’s Guide to Dynamic Analysis with AnyRun
  - Keystroke Forensics 101: Extracting Secrets from USB Traffic
  - Case Management with TheHive: Streamline Your Incident Response
  - Mastering Threat Hunting with Criminal IP: The Dorks Query Playbook (Part 2)
- Intel 471
- Invictus Incident Response
  - Profiling TradeTraitor: Tactics, History & Defenses
- Isaac Dunham
  - The Top Ten Investigative Questions in Security Operations, and How to Answer Them
- Joshua Wright at Tech Target
  - Authorization sprawl: Attacking modern access models
- Kevin Beaumont at DoublePulsar
  - CitrixBleed 2: Electric Boogaloo — CVE-2025-5777
- Kijo Ninja
  - How Fast Does ZAP Work in Exchange Online Protection?
- Lab52
  - Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations
- mr d0x
  - FileFix – A ClickFix Alternative
- Natto Thoughts
  - Butian Vulnerability Platform: Forging China’s Next Generation of White Hat Hackers
- Oleg Skulkin at ‘Know Your Adversary’
  - 173. Adversaries Abuse Docker Remote API Servers and Tor Network
  - 174. Adversaries Abuse Python to Sideload a Backdoor
  - 175. Hunting Koi Loader Installation Routine
  - 176. Adversaries Abuse Vercel to Deliver RATs
  - 177. Hunting for SideCopy’s DRAT V2
  - 178. Hunting for Another Tunneler: Revsocks
  - 179. Hunting for Ladon
  - 180. Threat Actors Abuse Legitimate Java Utility to Load Snake Keylogger
- Abdellaoui Ahmed at OSINT team
  - Understanding and Detecting Windows Services: A Deep Dive for Blue and Red Teams
- Lidia López Sanz at Outpost24
  - Analyzing the Gonjeshke Darande attack on Iranian crypto exchange Nobitex
- Tom Fakterman and Guy Levi at Palo Alto Networks
  - Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector
- Push Security
- Recorded Future
- Resecurity
  - Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
- Sandfly Security
  - SCTP Protocol Attack Risks on Linux
- SANS Internet Storm Center
- Security Scorecard
  - Unmasking A New China-Linked Covert ORB Network: Inside the LapDogs Campaign
- Simone Kraus
  - UAC-0001 (APT28) Cyber Attacks on Government Agencies Using BEARDSHELL and COVENANT
- SOCRadar
  - What Are Initial Access Brokers (IABs)?
- Sophos
- Brandon Webster at Sublime Security
  - Using the X/Twitter link shortener (t.co) to hide an AITM credential phishing payload
- Michael Clark at Sysdig
  - Sysdig Threat Bulletin: Iranian Cyber Threats
- System Weakness
  - Review — CyberWarFare Labs : Certified Purple Team Analyst [CPTA v2], My First Purple Team…
  - Incident Response Case File: Macro Malware with Persistence via Active Directory
  - Cyber Kill Chain | Tryhackme
  - Incident Report: Lumma Stealer Deployment via Click Fix Phishing (DLL Side-Loading)
  - Windows Logging for SOC | Tryhackme
  - How to Use SafePoint Cyber Threat Intelligence API
- Lefebvre Fabien at Tehtris
  - Rage Against the Powershell – Qilin in the Name
- Tenable
- Ryan G. Cox at The Cybersec Café
  - How to Actually Leverage the MITRE ATT&CK Framework in Security Operations
- Sydney Marrone at THOR Collective Dispatch
- Trellix
- Antonia Böhm at Truesec
- Trustwave SpiderLabs
- Tom Barnea at Varonis
  - Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails
- Vasilis Orlof at Cyber Intelligence Insights
  - Lumma meets LolzTeam
- Vishal Thakur
  - Warhead: A Deep Dive into Payload Execution through Atom Tables
- WeLiveSecurity
  - ESET Threat Report H1 2025
- Manisha Ramcharan Prajapati and Meghraj Nandanwar at ZScaler
  - Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware
- Solar 4RAYS Blog
  - The landscape of malicious attacks: analytics from sensors and honeypots
- Bill Stearns at Active Countermeasures
UPCOMING EVENTS
- Cellebrite
  - IU Uncovered: Beyond the Basics
- Huntress
  - Tradecraft Tuesday | Hacking in Hollywood: What It Gets Wrong (and Right) about Cybersecurity
- Magnet Forensics
- SANS
  - Stay Ahead of Ransomware: How Threat Actor Profiling Can Help Prevent Ransomware Attacks
PRESENTATIONS/PODCASTS
- Hexordia
  - Truth in Data: EP10: Exploring Digital Scams: The Many Faces of Online Deceit
- Alexis Brignoni
  - Digital Forensics Now Podcast – S2 E13
- Anuj Soni
  - The Static File Analysis Tools I Trust for Malware Analysis
- Behind the Binary by Google Cloud Security
  - EP11 Tracing Lazarus: Greg Sinclair on Attributing North Korean Cyber Threats Through Binary Similarity
- Breaking Badness
  - The Multi-Cloud Mess: Why Complexity Is Killing Visibility
- Cellebrite
- Clint Marsden at the TLP – Digital Forensics Podcast
  - Episode 22: AI Chat Forensics: How to Find, Investigate, and Analyse Evidence from ChatGPT, Claude & Gemini
- Cloud Security Podcast by Google
  - EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
- Cyber Social Hub
  - The Digital Forensic Divide: Lab-Investigator Collaboration
- Dr Josh Stroschein
  - 🎙️ NEW episode of Behind the Binary featuring Greg Sinclair!
- Huntress
  - How Ransomware Attacks Happen: Full Breakdown from the Huntress SOC
- InfoSec_Bret
  - IR – SOC337 – Lazarus Phishing Campaign Detected (APT38)
- Insane Forensics
  - Securing OT Networks Anywhere: Flyaway Kits & TAP Technology | OT Office Hours
- John Hammond
  - How You Can Impersonate Anyone in Active Directory (with Shikata!)
- Lesley Carhart
  - The National Cryptologic Foundation Podcast
- Magnet Forensics
- Mahmoud Shaker
  - Is the CCD (Certified CyberDefenders) course worth it? A comprehensive look at the content
- Marcus Hutchins
  - Cyberwar With Iran: How Bad Could It Get? | Hacker Explains
- Microsoft Threat Intelligence Podcast
  - The Art and Science of Microsoft’s Red Team
- MSAB
  - XAMN Pro Tab Control
- MyDFIR
  - Are You Making These SOC Analyst Mistakes?
- Oxygen Forensics
  - Parsing the Truth: One Byte at a Time
    - Voyeurism, Drugs, Blackmail, & a Masked Man on a Bicycle Part 1
- SANS
- The Weekly Purple Team
  - BYOVD Attack: Stealth LSASS Memory Extraction with Doppelganger
MALWARE
- ASEC
  - Case of Attacks Targeting South Korean Web Servers Using MeshAgent and SuperShell
- Xiaopeng Zhang and John Simmons at Fortinet
  - Dissecting a Malicious Havoc Sample
- Karsten Hahn at G Data Software
  - ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware
- Microsoft Security
  - Unveiling RIFT: Enhancing Rust malware analysis through pattern matching
- Leandro Fróes at Netskope
  - DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
- RevEng.AI
  - Unmasking KorPlug: Journey into a Chinese Cyberattack – Part 1
- Sergey Puzan and Dmitry Kalinin at Securelist
  - SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
- Shubho57
  - Analysis of a LegionLoader variant
- Socket
- Sucuri
- Satyajit Daulaguphu at Tech Zealots
  - Living off the AI: The New Cyber Threat Hiding in Plain Sight (2025 Guide)
- Paolo Tresso at Wordfence
  - A Deep Dive into a Modular Malware Family
- Zhassulan Zhussupov
MISCELLANEOUS
- Mehmet Ergene at Blu Raven Academy
  - Querying Azure Resource Graph Without Limits Using KQL
- Brett Shavers at DFIR.Training
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 06/23/25
- Oleg Afonin at Elcomsoft
  - The 16 Billion Passwords Panic: What Really Happened and Why It Matters (Or Doesn’t)
- Florian Roth
  - The Inefficiency in Digital Forensics
- Forensic Focus
  - West Midlands Police Reinvents Digital Forensics With Exterro FTK Central
  - ISFCE Launches Affordable, Instructor-Guided 10-Module CCE Digital Forensics Course After Acquisition By Tino Kyprianou
  - MD-LIVE: Advanced Mobile Forensics For Triage Investigation
  - Your Forensics, Your Way: Flexible Deployment For Real-Time Results
  - Tom Oldroyd From Semantics 21 On Protecting Investigators And Reducing CSAM Exposure
  - Well-Being Interventions For Forensic Practitioners – Have Your Say
  - Global Call For Papers Now Open: Share Your Knowledge At Magnet User Summit & Magnet Virtual Summit
  - Digital Forensics Round-Up, June 25 2025
  - Introducing S21 Spotlight Sessions: Try The Tools. Skip The Sales Pitch.
  - Forensic Focus Digest, June 27 2025
- Google Cloud Security Community
  - The Hard Truths of SOC Modernization
- Magnet Forensics
- Oxygen Forensics
  - How to Privilege Data With A Password Using Oxygen Forensics
- Kelly Jang at Plainbit
  - 2025 DFIR TREND REPORT: Digital Forensics and Incident Response Seen Through Key Trends
- Salvation DATA
  - TAC Phone Number And Digital Forensics
- TobyG at sentinel.blog
  - SentinelCodeGuard: Revolutionising Microsoft Sentinel Rule Development
- SOC Fortress
- System Weakness
  - My Thoughts on Cyber5W Certified Digital Forensics Foundations (CCDFF) — a solid foundation exam…
SOFTWARE UPDATES
- Airbus CERT
  - indx-rs
- Andrew Rathbun
  - KAPE-EZToolsAncillaryUpdater 4.5
- Breakpoint Forensics
  - Live Browser Password Collections
- Brian Maloney
  - OneDriveExplorer v2025.06.27
- Digital Sleuth
  - winfor-salt v2025.9.4
- F-Response
  - F-Response 8.7.1.35 Now Available
- Lethal Forensics
  - MemProcFS-Analyzer v1.2.0
- MISP
  - MISP 2.4.213 & 2.5.15 Released – A Double Dose of Security, Search, and Stability
- OpenCTI
  - 6.7.1
- Security Onion
  - Security Onion 2.4.160 now available including Playbooks, Guided Analysis, MCP Server, and more!
- Ulf Frisk
  - MemProcFS Version 5.15
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!