As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Christopher Eng at Ogmini
- Aviv Yaniv at Curiosity is a Drug
- Cyberdom
  - macOS Forensics Artifacts and Commands
- Django Faiola at ‘Appunti di Informatica Forense’
  - Adding an app with separate APKs to dfAPKdngrader
- Forensafe
  - Investigating Android Wire Messenger
- Mat Fuchs
  - Chasing Ghosts Over RDP: Lateral Movement in Tiny Bitmaps
- Matthew Plascencia
  - Hex Editors: How to Use Them Effectively
- Awad Aljuaid at Securelist
  - Forensic journey: Breaking down the UserAssist artifact structure
- AbdulRhman Alfaifi at u0041
  - Exploring Windows Artifacts: Jumplist Files

THREAT INTELLIGENCE/HUNTING
- Akash Patel
- Arctic Wolf
  - Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC
- ASEC
- Christine Barry at Barracuda
  - Qilin ransomware is growing, but how long will it last?
- BI.Zone
  - Rainbow Hyena strikes again: new backdoor and shift in tactics
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
- CERT Ukraine
  - UAC-0001 cyberattacks on the security and defence sector using the LAMEHUG software tool, which makes use of an LLM (large language model) (CERT-UA#16039)
- CERT-AGID
- Check Point
- Cisco’s Talos
- Max Gannon at Cofense
  - Next Gen TTPs in the Threat Actor’s Playbook
- Cyble
  - Scanception: A QRiosity-Driven Phishing Campaign
- Cyfirma
  - Weekly Intelligence Report – 18 July 2025
- Damien Lewke
  - RMM Tools: The Good, The Bad, and the Quietly Terrifying
- Dark Atlas
- Datadog Security Labs
  - I SPy: Escalating to Entra ID’s Global Admin with a first-party app
- Vivek Satsangi at “Hack For Lab”
  - AWS Cloud Attack Summary
- Richard Ackroyd at Detect FYI
  - On Confidence
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 28)
- DomainTools Investigations
- Arda Büyükkaya at EclecticIQ
  - GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates
- Esentire
  - Threat Actors Recompile SonicWall’s NetExtender to Include SilentRoute Backdoor
- Ben Nahorney and Brandon Overstreet at Expel
  - PoisonSeed downgrading FIDO key authentications to ‘fetch’ user accounts
- Eye Research
- Merlyn Albery-Speyer at F5 Labs
  - NoBooze1 Malware Targets TP-Link Routers via CVE-2019-9082
- FalconFeeds
- Flare
  - The Fall of LockBit and the Rise of 2025 Ransomware Chaos
- Flashpoint
  - Justice Department Announces Arrest of Prolific Chinese State-Sponsored Contract Hacker
- Josh Goddard, Zander Work, and Dimiter Andonov at Google Cloud Threat Intelligence
  - Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
- GreyNoise
- Group-IB
  - Fake Receipts Generators: the rising threat to major retail brands
- HackTheBox
  - Ghost in the PowerShell: APT33’s low-and-slow tactics explained
- Hunt IO
  - Widespread gov.br Subdomain Abuse: 630k+ URLs Leveraged for Black Hat SEO Redirects
- Huntress
- Hussam Shbib at Cyber Dose
  - Be a Better Detective #4 – Never trust what you hear, and only half of what you see
- Zafir Ansari and Darin Johnson at Infoblox
  - DNS: A Small but Effective C2 system
- Intel 471
  - Threat hunting case study: Lumma infostealer
- Yuma Masubuchi at JPCERT/CC
  - Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities
- Kevin Beaumont at DoublePulsar
  - CitrixBleed 2 situation update — everybody already got owned
- Bert-Jan Pals at KQL Query
  - Hunting Through APIs – Logic App Edition
- Adam Goss at Kraven Security
  - CTI Notetaking: How to Make Effective Notes and Documentation
- Leonidas Tsaousis at Reversec Labs
  - High-Profile Cloud Privesc
- Mahmoud Elfawair
  - The Azure Lab Diaries – Hunting Common File Transfer Activity
- Microsoft Security
  - Protecting customers from Octo Tempest attacks across multiple industries
- Nir Varon and Raviv Rachmiel at Mitiga
  - God-Mode in the Shadows: When Security Tools Become Cloud Risks
- Lex Crumpton at MITRE ATT&CK
  - What Comes After Detection Rules? Smarter Detection Strategies in ATT&CK
- Michael Gorelik at Morphisec
  - From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up
- Microsoft
  - Customer guidance for SharePoint vulnerability CVE-2025-53770
- Oleg Skulkin at ‘Know Your Adversary’
  - 194. Can Darknet Forums Help Us with Threat Hunting?
  - 195. Hunting for Interlock RAT PHP Based Variant
  - 196. Hunting for AWS Lambda URLs Abuse
  - 197. Hunting for C2 Request Patterns
  - 198. Ransomware Gangs Uninstall Two-Factor Authentication Apps
  - 199. That’s How Katz Stealer Extracts Authentication Material from Registry
  - 200. Threat Actors Eliminate Competitors from Compromised Systems
  - 201. Adversaries Misuse Microsoft CAB File Extract Utility in Lumma Infection Chain
- Karthikeyan Nagaraj at OSINT Team
  - AI in Malware: How to Detect Mutating Threats
- Bleon Proko at Permiso
  - An Arrow to the Heel: Abusing Default Machine Joining to Domain Permissions to Attack AWS Managed Active Directory
- Picus Security
  - Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale
- Proofpoint
  - Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting
- Susannah Clark Matt at Red Canary
  - A defender’s guide to initial access techniques
- Yoann Dequeker and Jean Marsault at RiskInsight
  - Phishing: Evilginx pushed to its limits
- Milda Petraityte and Melissa DeOrio at S-RM
  - Ransomware in focus: Meet Qilin
- SANS Internet Storm Center
  - Experimental Suspicious Domain Feed, (Sun, Jul 13th)
  - Keylogger Data Stored in an ADS, (Tue, Jul 15th)
  - DShield Honeypot Log Volume Increase, (Mon, Jul 14th)
  - Hiding Payloads in Linux Extended File Attributes, (Thu, Jul 17th)
  - More Free File Sharing Services Abuse, (Wed, Jul 16th)
  - Veeam Phishing via Wav File, (Fri, Jul 18th)
- Dheeraj Kumar and Sina Chehreghani at Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – June 2025
- SentinelOne
- Seqrite
- Siddhant Mishra
- Simone Kraus
  - Hezbollah’s Shadow Network in Germany: A Strategic Dossier on Islamist Infiltration, Leftist…
- Socket
  - Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
  - Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users
  - Active Supply Chain Attack: npm Phishing Campaign Leads to Prettier Tooling Packages Compromise
  - npm Phishing Email Targets Developers with Typosquatted Domain
- SOCRadar
- Stairwell
  - Detecting TodoSwift
- Brandon Webster at Sublime Security
  - Phishing for Xfinity credentials with malicious Zoom Docs
- Marco A. De Felice aka amvinfe at SuspectFile
  - Stylometry and Cybercrime: A Promising but Not Infallible Tool
- The DFIR Report
  - KongTuke FileFix Leads to New Interlock RAT Variant
- Sydney Marrone at THOR Collective Dispatch
  - If You Like It Then You Should’ve Put a timechart on It
- Threatmon
  - Inside the Godfather Android Malware: How Cybercriminals Hijack Real Apps to Steal Your Money
- Trellix
- Trend Micro
- Caroline Fenstermacher at TrustedSec
  - Hiding in the Shadows: Covert Tunnels via QEMU Virtualization
- Jacob Baines at VulnCheck
  - The Linuxsys Cryptominer

UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2025-07-21 #livestream #infosec #infosecnews
- Gerald Auger at Simply Cyber
  - Coffee Is Your Top Supply Chain Risk: A Conversation with Kyle Kelly | Simply Defensive S4 E1
- Magnet Forensics
- Silent Push

PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - The Return of SCATTERED SPIDER
- AhmedS Kasmani
  - This Simple Trick Loads Malicious Code in Trusted Apps (DLL Side-Loading)
- Behind the Binary by Google Cloud Security
  - EP12 Unpacking Malware & Minds: A Reverse Engineer’s Journey with Danny Quist
- Belkasoft
  - Interpretation Risks with Digital Evidence | Jan Collie
- Cellebrite
  - Tip Tuesday: Media Intelligence & Location Change
- Cloud Security Podcast by Google
  - EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect
- Cyber Social Hub
  - Evidence Recovery Techniques for Apple Watch
- Deepanshu Khanna
  - KubePwn – An Ultimate APT-Style Red and Blue Team Lab – Introduction & Lab Setup – from Zero to Hero
- Dr Josh Stroschein
  - 100 Days of YARA, YARA Rule Tips and The Current State of Email-borne Threats with Greg Lesnewich
- Magnet Forensics
- Matthew Plascencia
  - iOS Unified Logs Introduction and Comparison | iOS Forensics 13. #digitalforensics #ios
- MSAB
  - XAMN Pro Exclude
- MyDFIR
  - Why You SHOULD Be a SOC Analyst
- Off By One Security
  - Exploiting a Windows Application Using Return Oriented Programming
- Parsing the Truth: One Byte at a Time
  - BTK Killer Fact or Fiction
- Proofpoint
  - 10 Things I Hate About Attribution: A Clustering Conundrum
- Richard Davis at 13Cubed
  - Windows Memory Forensics Challenge
- SANS
  - Series Two Round-Up
- The Cyber Mentor
  - Live: APT Intrusion Hunting | Cybersecurity | TryHackMe
- The Defender’s Advantage Podcast
  - The Rise of ClickFix
- Three Buddy Problem
  - Train brake hack, GRU sanctions, Wagner war crimes, Microsoft’s Chinese ‘digital escorts’

MALWARE
- Dr Josh Stroschein
  - Why GO Binaries Are Challenging to Reverse with Kyle Cucci
- Fortinet
- Thijs Xhaflaire at Jamf
  - Signed and stealing: uncovering new insights on Odyssey infostealer
- Kyle Cucci at SecurityLiterate
  - Go Big or Go Home (and Other Terrible Go Puns): Tips for Analyzing GoLang Malware
- Lab52
  - DeedRAT Backdoor Enhanced by Chinese APTs with Advanced Capabilities
- Daniel Ghillione at LevelBlue
  - Different Types of Malware Explained
- Lexfo
  - Analysis of Secp0 Ransomware
- Dexter Shin at McAfee Labs
  - Fake Android Money Transfer App Targeting Bengali-Speaking Users
- Securelist
  - GhostContainer backdoor: malware compromising Exchange servers of high-value organizations in Asia
- Security Onion
  - Quick Malware Analysis: KOI LOADER/KOI STEALER INFECTION pcap from 2025-07-08
- Shubho57
  - Analysis of a Gh0st RAT variant (AnyDesk Application RMM)
- Puja Srivastava at Sucuri
  - WordPress Redirect Malware Hidden in Google Tag Manager Code
- Trustwave SpiderLabs
- Nikola Knežević at WeLiveSecurity
  - Unmasking AsyncRAT: Navigating the labyrinth of forks
- Zhassulan Zhussupov

MISCELLANEOUS
- Abdul Mhanni
  - The Admin you forgot about
- Anton Chuvakin
  - “Maverick” — Scorched Earth SIEM Migration FTW!
- Belkasoft
- Brett Shavers
- Chris Prall at CrowdStrike
  - Stop Remote Ransomware Attacks with Falcon Endpoint Security
- Darktrace
  - Forensics or Fauxrensics: Five Core Capabilities for Cloud Forensics and Incident Response
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 07/14/25
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Bellingcat Challenge – June 2025 (Cultural Confusion)
- Forensic Focus
- Jeffrey Appel
  - Defender for Office 365 Auto-Remediation of Malicious Messages (AIR)
- Lookout Threat Lab
  - Lookout Discovers Massistant Chinese Mobile Forensic Tooling | Threat Intel
- Magnet Forensics
- Stamatis Chatzimangou at NVISO Labs
  - Detection Engineering: Practicing Detection-as-Code – Repository – Part 2
- Oxygen Forensics
  - Streamline your evidence review process, accelerate analysis, and enhance team collaboration with the Oxygen Forensics Device Dashboard
- Rain Ginsberg
  - The Defender’s Grimoire: A Hands-On Blueprint for Blue Team Alchemists
- Salvation DATA
  - Cloud Data Extraction in Digital Forensics
- SOC Fortress
- Sumuri
  - TALINO Color Cases
- Neetrox at System Weakness
  - Setting Up TheHive on Ubuntu with Docker

SOFTWARE UPDATES
- Amped
  - Amped DVRConv and Engine Update 38103
- Berla
  - iVe Software v4.12 Release
- Digital Sleuth
- k1nd0ne
  - VolWeb v3.15.0
- Matt Shannon at F-Response
  - F-Response Collect and X-Ways Forensics – New X-Tension DLL coming soon
- MISP
  - MISP Releases v2.5.16 & v2.4.214 – A Major Leap in Performance and Stability
- OpenCTI
  - 6.7.5
- Sandfly Security
  - Sandfly 5.5 – AI-Powered Analysis, Advanced BPFDoor Detection, and Smarter Scanning
- X-Ways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!