As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
  - Jump List Changes in Windows 10 & 11: What You Need to Know
- Christopher Eng at Ogmini
  - Thinking about that Windows Notepad
  - Windows Notepad – Application Hive Markdown Setting
  - Zeltser Challenge – Sixth Month Accomplishments
  - Windows Notepad – Forced Save on Detecting Manipulation?
  - Windows Notepad – Forced Save Regression Testing
  - Windows Notepad – Markdown Support Limitations
  - Registry Hive – Data Types Part 5
- Cyber Triage
  - Windows Registry Forensics 2025
- Oleg Afonin at Elcomsoft
  - Installing and Troubleshooting the Extraction Agent (2025)
- Forensafe
- Matthew Plascencia
  - They are Still Together!: iOS Unified Logs II
- Zawadi Done at Hunt & Hackett
  - Turning incident response challenges into scalable solutions
- Ian Whiffin at DoubleBlak
- Mat Fuchs
  - Debunking DFIR Myths: 5 Things You Think You Know (That Are Wrong)
- The DFIR Report
  - Hide Your RDP: Password Spray Leads to RansomHub Deployment
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- ANSSI
  - Houken: Seeking a path by living on the edge with zero-days
- Arctic Wolf
- ASEC
  - Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation
- Mehmet Ergene at Blu Raven Academy
  - Your Logs are Lying: How Network Infrastructure Impacts EDR Network Telemetry
- Brad Duncan at Malware Traffic Analysis
  - 2025-07-02: Lumma Stealer infection with follow-up Rsockstun malware
- Brian Krebs at ‘Krebs on Security’
- Nathan Richards at Bridewell
  - Who are DragonForce Ransomware Group?
- CERT-AGID
  - Summary of malicious campaigns in the week of 28 June – 4 July
- Chainalysis
  - OFAC Sanctions Aeza Group for Hosting Global Bulletproof Service which Enabled Cybercriminals and Technology Theft, Includes Crypto Address in Designation
- Check Point
  - 29th June – Threat Intelligence Report
- CISA
  - Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest
- Omid Mirzaei at Cisco’s Talos
  - PDFs: Portable documents, or perfect deliveries for phish?
- Max Gannon and Jacob Malimban at Cofense
  - Spain TLD’s Recent Rise to Dominance
- Confiant
  - D-Shortiez: Inside the Criminal Network Behind Those Fake ‘You Won!’ Pop-Ups
- CrowdStrike
  - CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries
- Cyber Axe
  - Complete Guide: On How to Evaluate an EDR
- Andy Thompson at CyberArk
  - Scattered Spider Unmasked: How an identity-focused APT is redefining cyber threats
- Cyberdom
  - Entra ID Incident Response: Advanced PowerShell Techniques
- Cybereason
  - Introducing the Cybereason TTP Briefing: Frontline Threat Intelligence Insights
- Cyble
  - Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
- Cyfirma
  - Weekly Intelligence Report – 3 July 2025
- Adam Price at Cyjax
  - A Pressing Matter Part I – The Simplification of Ransomware Crime Development Through Cybercriminal Forums
- Damien Lewke
  - Nothing Funny About It…
- Sergio Albea at Detect FYI
  - Identifying Ransomware Final Stage activities with KQL Queries
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 26)
- DomainTools Investigations
  - Iran’s Intelligence Group 13
- Dr. Web
- Elastic Security Labs
  - Taking SHELLTER: a commercial evasion framework abused in-the-wild
- ExtensionTotal
- FalconFeeds
- Samuel Vojtáš at Gen
  - Ransomware Inc. The Business Model Behind LockBit’s Millions
- Genians
  - Analysis of the threat case of kimsuky group using ‘ClickFix’ tactic
- Seemant Bisht, Chris Sistrunk, Shishir Gupta, Anthony Candarini, Glen Chason, and Camille Felx Leduc at Google Cloud Threat Intelligence
  - Protecting the Core: Securing Protection Relays in Modern Substations
- Group-IB
- GuidePoint Security
  - How Ransomware Groups Exploit “Business as Usual” in FinServ
- HackTheBox
  - How Active Directory (AD) attacks have evolved—and what that means for blue teamers
- Huntress
  - Remote Monitoring and Management Tools: A Gateway for Bulk Attacks on MSP Customers
- Hussam Shbib at Cyber Dose
  - Be a better detective #3 – ExFAT Creation Timezone Code
- InfoSec Write-ups
- Intel 471
  - Pro-Russian hacktivism: Shifting alliances, new groups and risks
- Ruben Madar at Intrinsec
  - Pakistani freelancers building cracking websites for stealer-delivery
- Adam Goss at Kraven Security
  - Demystifying Source Reliability: How to Ensure Credible CTI
- Microsoft Security
  - Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations
- Oleg Skulkin at ‘Know Your Adversary’
  - 181. Hunting for Mustang Panda’s Claimloader
  - 182. Adversaries Abuse Microsoft Dev Tunnels for C2
  - 183. Using Staging Folders For Threat Hunting
  - 184. Ransomware Gangs Abuse PowerShell to Install Level RMM
  - 185. Using Process Parent and Children Relationships for Detection and Hunting
  - 186. Pinggy: Another Tunneling Solution Abused by Adversaries
  - 187. Scattered Spider Started to Abuse Teleport
- AbhirupKonwar at OSINT Team
  - WebShell Threat Hunting using FOFA
- Lidia López Sanz at Outpost24
  - How hacktivist cyber operations surged amid Israeli-Iranian conflict
- Palo Alto Networks
- Adithya Vellal at Petra Security
  - Why Travel Allowlists Cause More Pain Than Protection
- Praetorian
  - GitPhish: Automating Enterprise GitHub Device Code Phishing
- Proofpoint
  - 10 Things I Hate About Attribution: RomCom vs. TransferLoader
- Pulsedive
  - Collection through Correlation: Operationalizing IP and Domain Indicators of Compromise
- Dan Green at Push Security
  - 3 key takeaways from the Scattered Spider attacks on insurance and aviation firms
- John Tuckner at Secure Annex
  - These Vibes Are Off
- TobyG at sentinel.blog
  - SentinelCodeGuard: A Journey from Concept to VS Code Plugin
- Silent Push
  - Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands
  - Improve Global Threat Detection Using STIX and TAXII within Silent Push
  - Numerous Western Companies May Still Need to Ban FUNNULL Admin Accounts to Comply with U.S. Treasury Sanctions
- Simone Kraus
  - When Neighborly Terror Meets Cybercrime
- Kush Pandya at Socket
  - 8 More Malicious Firefox Extensions: Exploiting Popular Game Recognition, Hijacking User Sessions, and Stealing OAuth Credentials
- François Labrèche and Sean Gallagher at Sophos
  - Using AI to identify cybercrime masterminds
- Splunk
  - Machine Learning in Splunk Enterprise Security: Unleashing Hidden Detection Power
  - XWorm’s Shape-Shifting Arsenal: Loader and Stager Variants in the Wild
  - Hunting for Threats in VPCFlows
  - Hunting with SA-Investigator & Splunk Enterprise Security (SIEM)
  - Using CloudTrail Data for Security Operations and Threat Hunting
  - Threat Hunting with TLS/SSL Certificates
  - When Installers Turn Evil: The Pascal Script Behind Inno Setup Malware Campaign
- Josh “Soup” Campbell at Sublime Security
  - Living Off Trusted Sites: Zoom service abuse to deliver credential phishing attack
- Will Thomas at Team Cymru
  - Uncovering DPRK Remote Workers: Detecting Hidden Threats Through Internet Telemetry
- THOR Collective Dispatch
- Trellix
- Nikita Kazymirskyi at Trustwave SpiderLabs
  - The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner
- Ugur Koc and Bert-Jan Pals at Kusto Insights
  - Kusto Insights – June Update
- Sina Kheirkhah, Jake Knott and Aliz Hammond at watchTowr Labs
  - How Much More Must We Bleed? – Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
- WeLiveSecurity
UPCOMING EVENTS
- Belkasoft
  - Registration Open for BelkaCTF #7: Stranger Dfings!
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2025-07-07 #livestream #infosec #infosecnews
- Magnet Forensics
- Silent Push
  - Webinar – Mapping the Dark: Exposing the Depths of Bulletproof Hosting Providers
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - Ask Us (Almost) Anything: Threat Intel, Adversaries, and More
- Belkasoft
  - Challenges in Locating and Verifying Evidence | Jan Collie
- Breaking Badness
  - From Newsroom to Threat Room: Audra Streetman’s Journey into Cybersecurity
- Cellebrite
  - Tip Tuesday: Table Date Filter
- Cyber Secrets
  - CFT: Operation NightWing – The Trade at Hollow Pine
- Cyberwox
  - Building A Cyber Threat Intelligence Career with Nigel Boston | EP 26
- Deepanshu Khanna
  - Office Docs based malware analysis – Click to Exploit: Office documents
- Hexordia
- Huntress
  - SOC Incident Walkthrough: How a Kitchen Sink Attack Used Kernel Drivers and Credential Harvesting
- InfoSec_Bret
  - IR – SOC330 – HTran network tunneling potentially associated with APT10 (MENUPASS) was detected
- Insane Forensics
  - Beyond the Breach: How Smart IR Keeps You Compliant | OT Office Hours
- John Hammond
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Virut’s file infection, part 3
- LockBoxx
  - Bootcamp #27: Real-World Phishing Response and Malware Triage
- Magnet Forensics
  - Levelling up with training and certification for law enforcement
- MSAB
  - XRY Device Processing
- MyDFIR
  - The SOC Analyst Learning Curve: What to Expect in Your First Year
- Parsing the Truth: One Byte at a Time
  - Part 2: Voyeurism, Drugs, Blackmail, & a Masked Man on a Bicycle
- Proofpoint
  - Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook
- SANS Cyber Defense
  - Secure Your Fortress: Building Robust and Resilient Defenses for 2025
- Sumuri
  - How to Install Paladin LTS on a USB Drive with Rufus | Step-by-Step Guide
- The Cyber Mentor
- Three Buddy Problem
  - Who’s hacking who? Ivanti 0-days in France, China outs ‘Night Eagle’ APT
- Triskele Labs
  - Cybeers: Operational Technology
MALWARE
- Mauro Eldritch at Any.Run
  - DEVMAN Ransomware: Analysis of New DragonForce Variant
- Cedric Brisson
  - 2025-06-29 – Supper is served
- Cryptax
  - Malware W32/SkyAI uses AI? So do I.
- Erik Hjelmvik at Netresec
  - PureLogs Forensics
- Fortinet
- Suresh Reddy at K7 Labs
  - @mentalpositive’s New macOS Stealer: AMOS Repackaged or a New Cyber Threat?
- Haizhou Wang, Ashkan Hosseini and Ashutosh Chitwadgi at Palo Alto Networks
  - Windows Shortcut (LNK) Malware Strategies
- Security Onion
  - Quick Malware Analysis: Lumma Stealer pcap from 2025-06-26
- Phil Stokes & Raffaele Sabato at SentinelOne
  - macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
- Shubho57
  - Analysis of Rhadamanthys Stealer (.js script)
- Kayleigh Martin at Sucuri
  - Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection
- Max Kersten at Trellix
  - Automagic Reverse Engineering
- Walmart
  - Janela RAT and a stealer extension delivered together
- István Márton at Wordfence
  - 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin
- Zhassulan Zhussupov
MISCELLANEOUS
- Belkasoft
  - Effective Evidence Sharing with Belkasoft Evidence Reader
- Sophie Bovy at Binalyze
  - The Multi-Agent Future for Investigation and Response Automation
- Brett Shavers
  - DF/IR Lemonade
- Brett Shavers at DFIR.Training
  - Evidence or Uptime? The Objective Divide in DF/IR.
- Cellebrite
  - The Next Evolution of Digital Evidence: Streamline Investigations with Digital Innovation
- Danny Zendejas
  - Linux Resources
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 06/30/25
- Forensic Focus
  - Sophie Mortimer, Revenge Porn Helpline Manager, SWGfL
  - Event Recap: Forensics Europe Expo 2025
  - S21 Spotlight CCTV – Trouble With CCTV Review? There’s A Better Way.
  - Digital Forensics Jobs Round-Up, July 01 2025
  - Exterro Releases INFORM 2025: A Comprehensive Digital Forensics Magazine For The Global Investigations Community
  - Davinder Sangha, Enhanced Digital Media Investigator, Staffordshire Police
  - Amped Software Releases Powerful New Amped FIVE Update, Featuring Writing Queue, Camera Calibration, RIFF Viewer, And More
  - Digital Forensics Round-Up, July 02 2025
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (7/1/2025)
- Kevin Stokes
  - OSDFIR in K8s
- Magnet Forensics
- Oxygen Forensics
- Patrick Siewert at ‘The Philosophy of DFIR’
  - DF/IR: This *Stuff* Isn’t For Everybody
- Salvation DATA
  - Understanding the Checkm8
- Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.4.160!
- Ryan G. Cox at The Cybersec Café
  - Cloud Security Fundamentals: IAM, RBAC, PoLP, and more…
- Antonia Böhm at Truesec
  - Don’t Destroy Evidence – Handle Data and Systems Carefully During Incident Response
SOFTWARE UPDATES
- Belkasoft
  - Belkasoft X v.2.8 Released: New Addon—BelkaGPT Hub, Massive BelkaGPT Improvements with Multi-Modal Support, Audio Forensics, Decryption Updates and Visual SQL Query Builder!
- C.Peter
  - UFADE 1.0
- Canadian Centre for Cyber Security
  - Assemblyline 4.6.0.8
- Cellebrite
  - Introducing Inseyets 10.6: Delivering Smarter Digital Investigations
- Digital Sleuth
  - winfor-salt v2025.9.6
- Erik Hjelmvik at Netresec
  - CapLoader 2.0.1 Released
- OpenCTI
  - 6.7.3
- Phil Harvey
  - ExifTool 13.32
- Rapid7
  - Velociraptor v0.74.5
- WithSecure Labs
  - Kanvas
- Xorhex
  - mlget v3.4.5
- Xways
  - X-Ways Forensics 21.5 SR-2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!