As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• AbdulRhman Alfaifi
  Exploring Windows Artifacts : Jumplist Files
  
  
• Akash Patel
  The Importance of Memory Acquisition in Modern Digital Forensics
  
  
• Christopher Eng at Ogmini
  • Registry Hive – Data Types Part 6
  • Registry Hive – Data Types Part 7
  • DFIR Review – Acceptance on Windows Notepad Research
  • Cleanup / Linting / Updating
  • Registry Hive – Data Types Part 8
  • All the Things I’m Working On (a.k.a. Too Many Pokers in the Fire)
  • Windows Store/UWP Application Data – Versioning
    
    
• Chris Hargreaves & Eoghan Casey at DFRWS
  SOLVE-IT Alpha Release 0.2025.07: July 2025
  
  
• Elcomsoft
  • AI-Driven Password Recovery: Myth or Reality?
  • Issues Affecting Forensic Disk Imaging
    
    
• Forensafe
  iOS Slack
  
  
• Kevin Pagano at Stark 4N6
  Introducing ASP – App Store Package Search
  
  
• Kevin Stokes
  OSDFIR in K8s — Part 2: OSDFIR Lab
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – Multi-Modal C2 Communication – Numinon C2
  
  
• Adam at Hexacorn
  • Beyond good ol’ Run key, Part 149
  • 1 little known secret of advpack.dll, LaunchINFSection
    
    
• Arctic Wolf
  Breaches Mid-Year Review: The Most Noteworthy of 2025 (so far)
  
  
• ASEC
  • XwormRAT Being Distributed Using Steganography
  • June 2025 Trend Report on the Deep Web & Dark Web
  • Statistics Report on Malware Targeting Linux SSH Servers in Q2 2025
  • Statistics Report on Malware Targeting Windows Web Servers in Q2 2025
  • June 2025 Trends Report on Phishing Emails
  • Statistics Report on Malware Targeting Windows Database Servers in Q2 2025
  • CoinMiner Attacks Exploiting GeoServer Vulnerability
  • June 2025 Security Issues in Korean & Global Financial Sector
    
    
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief
  
  
• Brian Krebs at ‘Krebs on Security’
  UK Arrests Four in ‘Scattered Spider’ Ransom Group
  
  
• CERT-AGID
  • Vulnerabilità critica in Citrix riscontrata su host italiani
  • Il tema SPID sfruttato per una nuova campagna di phishing
  • Sintesi riepilogativa delle campagne malevole nella settimana del 5 – 11 luglio
    
    
• Check Point
  • 6th July – Threat Intelligence Report
  • Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • June 2025 Malware Spotlight: Discord Exploits Lead to Rising Threats
    
    
• Cybereason
  • Deploying NetSupport RAT via WordPress & ClickFix
  • BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption
    
    
• Cyble
  • Ongoing Phishing Campaign Utilizes LogoKit for Credential Harvesting
  • Phishing, Pivots, and Persistence: A Look into Japan’s Q1 2025 Cyber Threat Landscape 
  • Hacktivist Attacks on Critical Infrastructure Grow as New Groups Emerge 
    
    
• Cyfirma
  Weekly Intelligence Report – 11 July 2025
  
  
• Dale Hobbs at Black Hills Information Security
  Getting Started with NetExec: Streamlining Network Discovery and Access
  
  
• Darktrace
  Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace
  
  
• Delivr.to
  FileFixed — Detecting and Preventing FileFix Exploitation
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week27)
  
  
• DomainTools
  RDAP and BGP in Investigative Journalism
  
  
• DomainTools Investigations
  Where Everybody Knows Your Name: Observing Malice-Complicit Nameservers
  
  
• Idan Dardikman at ExtensionTotal
  Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.
  
  
• FalconFeeds
  • When Hackers Go Loud: How Telegram Is Powering the New Age of DDoS and Defacement Claims
  • Beyond the Breach: What Hacker Forums Reveal About Your Exposed Data
  • From the Shadows to the Surface: Tracking Ransomware Leaks Across the Dark Web
    
    
• Flashpoint
  The Rising Threat of macOS Infostealers: What You Need to Know to Defend Against Them
  
  
• Google Cloud Security Community
  Actionable threat hunting with GTI (II) – Analyzing a massive phishing campaign
  
  
• GreyNoise
  GreyNoise Identifies New Scraper Botnet Concentrated in Taiwan
  
  
• Group-IB
  Combolists and ULP Files on the Dark Web: A Secondary and Unreliable Source of Information about Compromises
  
  
• GuidePoint Security
  Insights from the GRIT Q2 2025 Ransomware & Cyber Threat Report
  
  
• Howard Poston at HackTheBox
  Inside Salt Typhoon: How Chinese APTs breached US telecoms (and stayed hidden for years)
  
  
• Huntress
  Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild
  
  
• Invictus Incident Response
  Introducing KubeForenSys: A Kubernetes Forensic Collection Framework for Azure Kubernetes Service (AKS)
  
  
• Keisuke Shikano at JPCERT/CC
  TSUBAME Report Overflow (Jan-Mar 2025)
  
  
• Kaido Järvemets
  Excel Isn’t a SIEM (But Sometimes It’s All You Have)
  
  
• Alanna Titterington at Kaspersky Lab
  How extensions from Open VSX were used to steal cryptocurrency
  
  
• Kevin Beaumont at DoublePulsar
  CitrixBleed 2 exploitation started mid-June — how to spot it
  
  
• Adam Goss at Kraven Security
  Data Collection Methods for CTI: How to Collect Data
  
  
• Lab52
  New book NOW available: Cyber GRU. Russian military intelligence in cyberspace
  
  
• Mathy Vanhoef
  Haunted by Legacy: Discovering and Exploiting Vulnerable Tunnelling Hosts
  
  
• Miss cyberpenny by Jane Lo
  Infostealers – The Silent Data Thief [SINCON 2025]
  
  
• MITRE ATT&CK
  ATT&CK Detection Strategy 1.0: Shifting to Multi-Event Collections
  
  
• Moonlock
  • Atomic macOS stealer now has a backdoor allowing it to linger
  • New North Korean malware targets crypto startups via fake Zoom invites
    
    
• Ilia Kulmin at Morphisec
  Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West
  
  
• Natto Thoughts
  Pick Your Innovation Path in AI: Chinese Edition
  
  
• NSB Cyber
  #NSBCS.082 – Q2 Ransomware Report Teaser
  
  
• Stamatis Chatzimangou at NVISO Labs
  Detection Engineering: Practicing Detection-as-Code – Introduction – Part 1
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 189. Adversaries Abuse ComputerDefaults.exe to Bypass the UAC
  • 188. Adversaries Abuse Console Window Host More and More Often
  • 190. Does Renaming Legitimate Binaries Really Mask Them?
  • 191. Some Threat Actors Just Want to Be Detected
  • 192. I’m Not Sure If I Want to Masquerade It
  • 193. Let’s Look How Modern Ransomware Gangs Collect and Exfiltrate Data
    
    
• OSINT Team
  • AI-Powered Phishing: Detection and Defense Strategies
  • Why Traditional Android Malware Detectors Fail — and How Graph Communities Might Save Us
    
    
• Palo Alto Networks
  • GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed
  • Fix the Click: Preventing the ClickFix Attack Vector
  • Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
    
    
• Hantae Kim at Plainbit
  • 헌터스 인터내셔널 랜섬웨어 조직 해체 선언의 진실: 사이버 위협의 새로운 전환점
  • Pangolin: 오픈소스 Cloudflare Tunnels 대안
    
    
• Hassan Faraz at Porthas
  SafePay ransomware: Threat Profile and Analysis
  
  
• Lisa Forte at Red Goat
  The Rise of Scattered Spider: What Every Organisation Needs to Know
  
  
• Resecurity
  Chinese Threat: NFC-Enabled Fraud in the Philippines’ Financial Sector
  
  
• SANS Internet Storm Center
  • A few interesting and notable ssh/telnet usernames, (Sun, Jul 6th)
  • What’s My (File)Name?, (Mon, Jul 7th)
  • SSH Tunneling in Action: direct-tcp requests [Guest Diary], (Wed, Jul 9th)
  • Setting up Your Own Certificate Authority for Development: Why and How., (Wed, Jul 9th)
    
    
• Silent Push
  Enrich Your OpenCTI Operation With Silent Push IOFA™ Data
  
  
• Michael Haag at Splunk
  Beyond The Click: Unveiling Fake CAPTCHA Campaigns
  
  
• Marco A. De Felice aka amvinfe at SuspectFile
  Cybercrime and Corrupt Negotiators: The Dark Side of Ransomware Negotiations
  
  
• Symantec Enterprise
  Is Cyber the Next Stage of War in the Middle East Conflict?
  
  
• Manish Rawat at System Weakness
  Why Most “Threat Hunts” Are Just Expensive Fishing Expeditions
  
  
• Tanium
  • What is Threat Detection and Response? An Actionable Guide
  • CTI Roundup: GIFTEDCROOK, ESET H1 2025 Threats, Jasper Sleet
    
    
• Team-Cymru
  Supply Chain & CTI
  
  
• Ryan G. Cox at The Cybersec Café
  Understanding the Full Spectrum of Threat Indicators
  
  
• The Raven File
  MEDUSA RANSOMWARE EXPOSED BY RANSOMEDVC
  
  
• ThreatFabric
  Anatsa Targets North America; Uses Proven Mobile Campaign Process
  
  
• Threatmon
  Inside GOGLoader: The Stealthy Malware Loader Challenging Modern Defenses
  
  
• Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc and Alex Lanstein at Trellix
  From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities
  
  
• Valdin
  Finding Fake/Phishing Domains with HTML Features in Validin
  
  
• Neta Armon at Varonis
  Count(er) Strike – Data Inference Vulnerability in ServiceNow
  
  
• Lucie Cardiet at Vectra AI
  Are Iranian APTs Already inside Your Hybrid Network? by Lucie Cardiet
  

UPCOMING EVENTS

• Black Hills Information Security
  • Inside SOC Email Investigations with Tom DeJong
  • BHIS – Talkin’ Bout [infosec] News 2025-07-14 #livestream #infosec #infosecnews
  • Backdoors & Breaches: Introducing Datadog Expansion Deck
    
    
• Gerald Auger at Simply Cyber
  Professional Vishing and Threat Hunting with Edna Johnson | Simply Social Engineering S1 E2
  
  
• Jimmy Wylie and Matthew Pahl at Dragos
  What is ICS malware & how we detect it
  
  
• Magnet Forensics
  • Unlocking mobile insights for traffic investigations
  • Challenges conquered: Practical advice for approaching complex technical investigations
    
    
• Oxygen Forensics
  Validation, Automation, or DIY: Choosing the Right Tool for the Job
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP12: Hardware: Board-level Repair and How it Relates to Digital Forensics
  
  
• Black Hat
  How to Get the Most Out of the Python Decompilers Uncompyle6 and Decompyle3
  
  
• Breaking Badness
  Why DNS Is Still the Biggest Blind Spot in Threat Intelligence
  
  
• Cellebrite
  Tip Tuesday: We Want to Hear from You!
  
  
• InfoSec_Bret
  Challenge – PowerShell Keylogger
  
  
• John Hammond
  how hackers avoid getting caught
  
  
• Magnet Forensics
  • Cyber Unpacked S2:E3 // When updates turn rogue: The forensic trail of a supply chain attack
  • Six pillars of digital forensics
    
    
• Malspace
  Multiple Actors, One Breach – Rethinking Threat Models in 2025
  
  
• Matthew Plascencia
  NextDNS Explanation and Setup Tutorial 2025
  
  
• Microsoft Threat Intelligence Podcast
  Tips from Grifter and Lintile for Attending Hacker Summer Camp
  
  
• MSAB
  XAMN Pro RAMalyzer
  
  
• MyDFIR
  Self-Taught vs Formal Training: The Best Path to SOC Analyst
  
  
• Nuix
  • On-demand webinar // De-Stress eDiscovery with Nuix Neo Legal
  • Nuix On-demand webinar: De-stress Early Case Assessment – The Impact of AI and Automation
  • Nuix and ACEDS webinar – Unlocking the potential of AI in Legal Discovery
    
    
• Paraben Corporation
  Zandra AI Image Analysis
  
  
• Parsing the Truth: One Byte at a Time
  Part 3 – Voyeurism, Drugs, Blackmail, & a Masked Man on a Bicycle
  
  
• SANS
  Life, Limb, and Infrastructure with Tim Conway
  
  
• Security Unlocked
  Hunting Variants: Finding the Bugs Behind the Bug
  
  
• Silent Push
  Safe Mode Podcast: Ken Bagnall On Taking Down Malicious Infrastructure
  
  
• Sumuri
  How to Use Dual Boot on a TALINO Workstation
  
  
• The Weekly Purple Team
  🛡️ Tunneling with Chisel & Running RDP Commands with NetExec
  
  
• Three Buddy Problem
  How did China get Microsoft’s zero-day exploits?
  

MALWARE

• Any.Run
  Technical Analysis of Ducex: Packer of Triada Android Malware 
  
  
• Dark Atlas
  ClickFix Chaos: A Deep Dive into Rhadamanthys Infostealer’s Stealth and Steal Tactics
  
  
• Cara Lin at Fortinet
  NordDragonScan: Quiet Data-Harvester on Windows
  
  
• Sean Cartagena, Josemaria Grana and Andrew Go at G Data Security
  Digging Gold with a Spoon – Resurgence of Monero-mining Malware
  
  
• Petar Kirhmajer at ReversingLabs
  Malicious pull request infects VS Code extension
  
  
• S2W Lab
  Detailed Analysis of AiLock Ransomware
  
  
• Securelist
  Batavia spyware steals data from Russian organizations
  
  
• Security Onion
  Quick Malware Analysis: NETSUPPORT RAT pcap from 2025-06-18
  
  
• Phil Stokes & Dinesh Devadoss at SentinelOne
  macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App
  
  
• Shubho57
  Analysis of a powershell script leading to 3 differrent malware families (AsyncRAT, DCRAT…
  
  
• Sucuri
  • Attackers Inject Code into WordPress Theme to Redirect Visitors
  • Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors
    
    
• Don Ovid Ladores, Nathaniel Morales, Maristel Policarpio, Sophia Nilette Robles, Sarah Pearl Camiling, and Ivan Nicole Chavez at Trend Micro
  BERT Ransomware Group Targets Asia and Europe on Multiple Platforms
  
  
• István Márton at Wordfence
  200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in SureForms WordPress Plugin
  
  
• Zhassulan Zhussupov
  MacOS hacking part 5: shellcode running. Simple NASM and C (Intel) examples
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  • Sinobi
  • KaWaLocker
    

MISCELLANEOUS

• Atola Technology
  Learn to Recover: Courses & Resources for Damaged Drive Forensics
  
  
• Cellebrite
  • Introducing Cellebrite’s Trust Center
  • 5 Things a Prosecutor Can Do with Cellebrite Pathfinder
  • Accelerate Your Digital Forensics Career with CCME Fast Track
    
    
• Decrypting a Defense
  Bypassing Surveillance Bans, Biometrics & the 5th Am., NY FOIL Reform Bill, Police ALPR Sharing & More
  
  
• DFIR Dominican
  • DFIR Jobs Update – 07/07/25
  • How To Break Into DFIR (Part 4 of 5) – Threat Hunting
    
    
• Forensic Focus
  • ‘Your Mind Matters’ Leaflet Now Available To Download
  • Six Sessions Are Not Enough: Support For Digital Forensic Investigators Must Improve
  • Halfway Through The S21 CCTV Spotlight Session — What’s Next?
  • Digital Forensics Round-Up, July 09 2025
  • Passware Kit Mobile 2025v3 Instantly Decrypts Data From Select Huawei Kirin Devices
  • Introducing Oxygen Forensic® Detective v.17.3.1
  • Forensic Focus Digest, July 11 2025
    
    
• Jaysn Rye at Google Cloud Threat Intelligence
  Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience
  
  
• Louis Mastelinck
  Isolation Exclusion Rules: Fixing Microsoft Teams & Outlook Communication During Isolation
  
  
• Magnet Forensics
  Beyond the badge: AI’s role in modern investigations 
  
  
• Oxygen Forensics
  The Collaboration Software for Digital Investigations You’ve Been Waiting For.
  
  
• Heloise Montini at Porthas
  The True Cost of Ransomware Recovery: Ransom, Fees, and Downtime
  
  
• TobyG at sentinel.blog
  Microsoft Sentinel Analytical Rule Tuning
  
  
• Victor M. Alvarez at YARA-X
  Suppressing warnings in YARA-X
  

SOFTWARE UPDATES

• Apache
  Apache Tika Release 3.2.1 – 6/26/2025
  
  
• Digital Sleuth
  winfor-salt v2025.9.7
  
  
• Google
  Timesketch 20250708
  
  
• MobilEdit
  • Newly supported and updated applications with the MOBILedit Forensic 9.6
  • MOBILedit Forensic 9.6 is here – better smartwatch forensics, stronger security bypassing, more apps!
    
    
• OpenCTI
  6.7.4
  
  
• Passmark Software
  V11.1 build 1008 11th June 2025
  
  
• Passware
  Passware Kit Mobile 2025 v3 Now Available
  
  
• Sigma
  Release r2025-07-08
  
  
• Thiago Canozzo Lahr
  uac-3.2.0-rc1
  
  
• AbdulRhman Alfaifi
  Jumplist Parser
  
  
• Xways
  X-Ways Forensics 21.6 Preview 3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!