As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Who’s Using a Proxy or VPN in Your M365 Environment — and Why It Matters
  • Querying Like a Pro in Arkime: Getting the Most Out of Arkime Viewer: Beyond the Basics
  • Why Arkime is a Game-Changer for Network Forensics (and Why It’s Not Just Another Wireshark)
    
    
• Aviv Yaniv at Courisity is a Drug
  • Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #5 Solution
  • Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #6 Solution
  • Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #4 Solution
  • Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #7 Solution
  • Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #8 Solution
  • Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #9 Solution
    
    
• Belkasoft
  Photo Forensics: Analyzing the Full Picture
  
  
• Christopher Eng at Ogmini
  • Windows Notepad – Version Changes (11.2410.21.0)
  • BelkaCTF 7 – Stranger Dfings Prep
  • BelkaCTF 6 – Bogus Bill Tasks 1-5
  • BelkaCTF 7 – Stranger Dfings Live
  • BelkaCTF 7 – Stranger Dfings Closing Out
    
    
• Doug Metz at Baker Street Forensics
  Portable Forensics with Toby: A Raspberry Pi Toolkit
  
  
• Elcomsoft
  Perfect Acquisition Part 5: Perfect APFS Acquisition
  
  
• Elliptic
  Investigating CBEX: The Ponzi scheme that began laundering crypto cross-chain while still defrauding investors
  
  
• Forensafe
  Investigating iOS Gettr
  
  
• Group-IB
  Signed, Sealed, Altered? Deepdive into PDF Tempering
  
  
• Kevin Pagano at Stark 4N6
  • iOS App & Storage Usage via AMDSQLite DB
  • Introducing DirListHash – A Directory & Hashing Utility
    

THREAT INTELLIGENCE/HUNTING

• Sharepoint Vulnerability
  • ToolShell: Details of CVEs affecting SharePoint servers
  • CrowdStrike Detects and Blocks Initial SharePoint Zero-Day Exploitation
  • Responding to ToolShell: A Microsoft SharePoint zero-day vulnerability
  • CVE-2025-53770 & CVE-2025-53771: Critical On-Prem SharePoint Vulnerabilities
  • Critical SharePoint Vulnerability CVE-2025-53770: Remote Code Execution via ViewState Abuse
  • Inside The ToolShell Campaign
  • CVE-2025-53770
  • ToolShell: When SharePoint Becomes a Gateway to RCE
  • Disrupting active exploitation of on-premises SharePoint vulnerabilities
  • ToolShell Aftermath: What Defenders Should Do After Patching CVE-2025-53770
  • Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 24)
  • CVE-2025-53770: Critical Unauthenticated RCE in Microsoft SharePoint
  • ToolShell Zero-day: Microsoft Rushes Emergency Patch for Actively Exploited SharePoint Vulnerabilities
  • SharePoint ‘ToolShell’ zero-day: What we know
  • Critical Sharepoint 0-Day Vulnerablity Exploited CVE-2025-53770 (ToolShell), (Sun, Jul 20th)
  • ToolShell: a story of five vulnerabilities in Microsoft SharePoint
  • Simulating CVE-2025-53770 in SharePoint for Real-World Detection Engineering
  • SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers
  • Defending Against ToolShell: SharePoint’s Latest Critical Vulnerability
  • SharePoint ‘ToolShell’ vulnerabilities being exploited in the wild
  • On-Premises SharePoint Server “ToolShell” Backdoor – Advisory for Mitigation and Response
  • ToolShell: Critical SharePoint Zero-Day Exploited in the Wild
  • ToolShell, SharePoint, and the Death of the Patch Window
  • CVE-2025–53770/TOOLSHELL: HUNTING DOWN THE ATTACKER TECHNIQUES & VICTIMS
  • Critical SharePoint Vulnerabilities Under Active Exploitation
  • Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)
  • SharePoint Vulnerabilities CVE-2025-53770 and CVE-2025-53771
  • Detection of CVE-2025-53770 / Toolshell
  • In-the-wild Exploitation of CVE-2025-53770 and CVE-2025-53771: Technical Details and Mitigation Strategies
  • Unmasking ToolShell: A Proactive Defense Against a SharePoint Zero-Day
  • ToolShell: A SharePoint RCE chain actively exploited 
  • ToolShell: An all-you-can-eat buffet for threat actors
  • SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771): Everything You Need to Know
  • Как защититься от ToolShell – цепочки критических zero-day в Microsoft SharePoint
  • What CVE-2025-53770 Teaches Us About Zero-Day Reality and Ransomware Routine
    
    
• Faan Rossouw at Active Countermeasures
  DNS Packet Inspection for Network Threat Hunters
  
  
• AppOmni
  Shutting the Door on Vishing-Driven Data Theft in Salesforce
  
  
• Arctic Wolf
  Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode
  
  
• Assaf Morag at Aquasec
  AI-Generated Malware in Panda Image Hides Persistent Linux Threat
  
  
• AttackIQ
  • Ransom Tales: Volume I – Emulating BlackLock, Embargo, and Mamona Ransomware
  • [CISA AA25-203A] #StopRansomware: Interlock
    
    
• Jason Hurst, Nooms Charania, and Christopher Rae at AWS Security
  AWS Security Incident Response: The customer’s journey to accelerating the incident response lifecycle
  
  
• Barracuda
  • Malware Brief: A malware foursome working together
  • Why you should be familiar with the MITRE ATT&CK framework
    
    
• Alyssa Snow at Black Hills Information Security
  Detecting ADCS Privilege Escalation
  
  
• Brad Duncan at Malware Traffic Analysis
  2025-07-23: Ten days of scans and probes and web traffic hitting my web server
  
  
• Brian Krebs at ‘Krebs on Security’
  • Microsoft Fix Targets Attacks on SharePoint Zero-Day
  • Phishers Target Aviation Execs to Scam Customers
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 19 – 25 luglio
  
  
• Check Point
  • 21st July – Threat Intelligence Report
  • Phishing Trends Q2 2025: Microsoft Maintains Top Spot, Spotify Reenters as a Prime Target
    
    
• CISA
  #StopRansomware: Interlock
  
  
• Anna Bennett, James Nutland, and Chetan Raghuprasad at Cisco’s Talos
  Unmasking the new Chaos RaaS group attacks
  
  
• CloudSEK
  Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
  
  
• Cobi Aloia and Anna Pizzitola at Cofense
  Fake Zoom Call Lures for Zoom Workplace Credentials
  
  
• Coveware
  Targeted social engineering is en vogue as ransom payment sizes increase
  
  
• Veronica Tecan at CrowdStrike
  CrowdStrike Falcon Prevents Supply Chain Attack Involving Compromised NPM Packages
  
  
• Cyberdom
  Ghosting the Sensor: Disrupting Defender for Identity Without Detection
  
  
• Cyfirma
  Weekly Intelligence Report – 25 July 2025
  
  
• John Reeman at Cyooda Security
  Qilin Ransomware: The Criminal Enterprise Redefining Cyber Extortion
  
  
• Danny Zendejas
  Threat Model: Malicious Packages
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week29)
  
  
• Esentire
  • Cyber Stealer Analysis: When Your Malware Developer Has FOMO About Features
  • Ghost Crypt Powers PureRAT with Hypnosis
  • What to Do When Your Security Provider Gets Acquired: How to Spot the Signals and Stay Ahead of the Spin
  • Secure Your (Microsoft) Teams: Defending Against Helpdesk Impersonation Attacks
    
    
• Expel
  An important update (and apology) on our PoisonSeed blog
  
  
• FalconFeeds
  When Threat Intelligence Goes Wrong: The Hidden Risks of Misinformation in Cybersecurity
  
  
• Alexandru-Cristian Bardaș at Gen
  Lazarus’ latest tactics: Deceptive development and ClickFix
  
  
• Google Cloud Threat Intelligence
  • Beyond Convenience: Exposing the Risks of VMware vSphere Active Directory Integration
  • From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944
    
    
• Billy Leonard at Google Threat Analysis Group
  TAG Bulletin: Q2 2025
  
  
• GreyNoise
  A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks
  
  
• Hunt IO
  Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data
  
  
• Huntress
  • The Case For SigParser
  • MFA for Business: Benefits, Methods & Why It Still Matters
    
    
• Lookout Threat Lab
  Lookout Discovers MuddyWater Leveraging DCHSpy For Israel-Iran Conflict | Threat Intel
  
  
• Malicious Group
  The Quiet Side Channel… Smuggling with CL.0 for C2
  
  
• Malwarebytes
  Steam games abused to deliver malware once again
  
  
• Mat Fuchs
  The Evolution of Threat Hunting: From IOC Whack-a-Mole to Hypothesis-Driven Sleuthing
  
  
• Natto Thoughts
  HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 202. Adversaries Misuse a Script for Managing BitLocker to Deliver Fickle Stealer
  • 203. These are Staging Folders Used by APT41
  • 205. Adversaries Use an LLM to Generate Commands to be Executed on Compromised Systems
  • 204. Interlock Ransomware Gang Abuse AzCopy for Data Exfiltration
  • 206. That’s How Adversaries Hide User Accounts from the Windows Login Screen
  • 207. Dropping Elephant Misuses Pester to Execute Malicious PowerShell Commands
    
    
• Palo Alto Networks
  • Muddled Libra: From Social Engineering to Enterprise-Scale Disruption
  • The Ηоmоgraph Illusion: Not Everything Is As It Seems
    
    
• Adithya Vellal at Petra Security
  New Password Spray Campaign Using Residential Proxies
  
  
• Huseyin Can YUCEEL at Picus Security
  Interlock Ransomware Analysis, Simulation, and Mitigation – CISA Alert AA25-203A
  
  
• Luke Jennings at Push Security
  MFA downgrade: How attackers are getting around phishing-resistant authentication
  
  
• Red Canary
  Intelligence Insights: July 2025
  
  
• SANS Internet Storm Center
  • How quickly do we patch? A quick look from the global viewpoint, (Mon, Jul 21st)
  • WinRAR MoTW Propagation Privacy, (Tue, Jul 22nd)
  • New Tool: ficheck.py, (Thu, Jul 24th)
  • Analyzing Sharepoint Exploits (CVE-2025-53770, CVE-2025-53771), (Wed, Jul 23rd)
  • Sinkholing Suspicious Scripts or Executables on Linux, (Fri, Jul 25th)
    
    
• Denis Kulik and Daniil Pogorelov at Securelist
  The SOC files: Rumble in the jungle or APT41’s new target in Africa
  
  
• Subhajeet Singha and Sathwik Ram Prakki at Seqrite
  Operation CargoTalon : UNG0901 Targets Russian Aerospace & Defense Sector using EAGLET implant.
  
  
• Siddhant Mishra
  Advanced Threat Hunting Through Memory Address Patterns with Sysmon
  
  
• Silent Push
  Silent Push IOFA™ Feed Detects Aeza Group Infrastructure Shift Following OFAC Sanctions
  
  
• Socket
  • npm ‘is’ Package Hijacked in Expanding Supply Chain Attack
  • Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs
  • Toptal’s GitHub Organization Hijacked: 10 Malicious Packages Published
  • Surveillance Malware Hidden in npm and PyPI Packages Targets Developers with Keyloggers, Webcam Capture, and Credential Theft
    
    
• Stairwell
  Prometei Evolves: Stairwell identifies new variants and publishes 3 new YARA rules
  
  
• Joe at Stranded on Pylos
  Will the Real Salt Typhoon Please Stand Up?
  
  
• Bryan Campbell and Brian Baskin at Sublime Security
  Keitaro TDS abused to delivery AutoIT-based loader targeting German speakers
  
  
• Sygnia
  Fire Ant: A Deep-Dive into Hypervisor-Level Espionage
  
  
• System Weakness
  • Analyzing Event and Alert | Deep Dive SIEM Part 7
  • Log Broker | Deep Dive SIEM Part 6
  • How I Built a Sigma Detection Rule to Catch APT29’s Encoded PowerShell Attacks
    
    
• Lefebvre Fabien at Tehtris
  Security Watch: Critical software flaws and ransomware surge
  
  
• Junestherry Dela Cruz at Trend Micro
  Back to Business: Lumma Stealer Returns with Stealthier Methods
  
  
• Ashish Verma and Deep Patel at Trend Micro
  Exploiting Trust in Open-Source AI: The Hidden Supply Chain Risk No One Is Watching
  
  
• Trustwave SpiderLabs
  • No Tell Motel: Trustwave Exposes the Secrets of Dark Web Travel Agencies
  • Using SQLmap to Dig for Sensitive Data in SQL Databases
    
    
• Kenneth Kinion at Valdin
  Hunting Laundry Bear: Infrastructure Analysis Guide and Findings
  
  
• Tiffany Nip at Vectra AI
  Behind the Hunt: Real-World Threat Hunting Practices and How Vectra AI Makes the Difference by Tiffany Nip
  
  
• Jacob Baines at VulnCheck
  Novel Use of “mount” Spotted in Hikvision Attacks
  
  
• WeLiveSecurity
  Rogue CAPTCHAs: Look out for phony verification pages spreading malware
  
  
• Raunak Parmar at White Knight Labs
  AzDevRecon: Turning Tokens into DevOps Portal
  
  
• Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger at Wiz
  Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload
  
  
• István Márton at Wordfence
  10,000 WordPress Sites Affected by Critical Vulnerabilities in HT Contact Form WordPress Plugin
  
  
• Sudeep Singh and Roy Tay at ZScaler
  Illusory Wishes: China-nexus APT Targets the Tibetan Community
  
  
• Блог Solar 4RAYS
  Proxy Trickster эксплуатирует инфраструктуру: круглосуточно и глобально
  

UPCOMING EVENTS

• Black Hills Information Security
  • Introduction to ADCS Exploitation w/ Alyssa Snow & Kaitlyn Wimberley
  • BHIS – Talkin’ Bout [infosec] News 2025-07-28 #livestream #infosec #infosecnews
    
    
• Magnet Forensics
  Mobile Unpacked S3:E7 // Analyzing Android 16 – Baking up Baklava
  
  
• SANS
  Stay Ahead of Ransomware – Pre-Ransomware Notification and YOU!
  

PRESENTATIONS/PODCASTS

• Cellebrite
  Tip Tuesday: Answering Speech-to-Text Questions
  
  
• Intel 471
  Defending against doxing
  
  
• Magnet Forensics
  • Digital Forensics in the fight against fentanyl – a case study with Metro Nashville Police Department
  • From evidence to insight: Mobile forensics for enterprises & Magnet Verakey training
    
    
• Microsoft Threat Intelligence Podcast
  Inside Microsoft’s Global Operation to Disrupt Lumma Stealer’s 2,300-Domain Malware Network
  
  
• MSAB
  • Language Identification
  • Forensic Fix Episode 22
    
    
• MyDFIR
  Cybersecurity SOC Analyst: Still Worth It or Replaced by AI?
  
  
• Oxygen Forensics
  Five ways geo-location data can impact your investigation
  
  
• Parsing the Truth: One Byte at a Time
  Frames Don’t Lie: Epstein’s Missing Minute
  
  
• Sandfly Security
  Sandfly 5.5 – AI Linux Forensics Analysis Demo
  
  
• Sandfly Security
  Sandfly 5.5 – AI-Powered Agentless Linux Forensics Investigation and Incident Response
  
  
• SANS
  • Critical SharePoint Zero-Day Exploited: What You Need to Know About CVE-2025-53770
  • How to Install Paladin LTS on a USB Drive with Balena Etcher Step-by-Step Guide
    
    
• THE Security Insights Show
  The Security Insights Show Episode 269 – Ali Segovia – Microsoft Sr. Consultant – Data Security and Compliance
  
  
• The Weekly Purple Team
  🔐 Golden dMSA Attack & Detection | Purple Team Walkthrough
  
  
• Three Buddy Problem
  Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days
  

MALWARE

• Any.Run
  Malware Trends Report, Q2 2025: Know the Key Risks to Your Business
  
  
• ASEC
  • Attacks Targeting Linux SSH Servers to Install SVF DDoS Bot
  • New Variant of ACRStealer Actively Distributed with Modifications
  • Malicious LNK Disguised as Credit Card Security Email Authentication Pop-up
  • RokRAT Malware Using Malicious Hangul (.HWP) Documents
  • Gunra Ransomware Emerges with New DLS
    
    
• Dr Josh Stroschein
  • Reversing Mac Malware with L0Psec: Live ARM64 Analysis & Latest Trends
  • ARM64 Malware & Exploits Unraveled with Saumil Shah
    
    
• Dr. Web
  Gamers, get ready: scammers disguise cryptocurrency and password-stealing Scavenger trojans as cheats and mods
  
  
• Idan Dardikman at Koi Security
  Amazon’s AI Assistant Almost Nuked Your Dev Environment (And No One Noticed for 5 Days)
  
  
• Xiaopeng Zhang and John Simmons at Fortinet
  In-Depth Analysis of an Obfuscated Web Shell Script
  
  
• MWLab
  Koske miner – Panda images and malware generated by AI
  
  
• Shubho57
  A Javascript file leads to Strela Stealer
  
  
• Snyk
  • Cursor IDE Malware Extension Compromise in $500k Crypto Heist
  • Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware
    
    
• Puja Srivastava at Sucuri
  Uncovering a Stealthy WordPress Backdoor in mu-plugins
  
  
• VMRay
  Feature Highlight: DLL Hollowing
  

MISCELLANEOUS

• Vitaliy Mokosiy
  Free App to Clone, Erase, and Backup Drives with CLI Support
  
  
• Brett Shavers at DFIR.Training
  Why ‘Cleaning Your Room’ Is a Better Learning Model Than Most DF/IR Courses
  
  
• Damien Lewke
  “You can teach someone the tech. You can’t teach coachability.”
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 07/21/25
  
  
• Forensic Focus
  • Digital Forensics Jobs Round-Up, July 21 2025
  • GMDSOFT Tech Letter Vol .13 Smart Ring Artifact Analysis: Oura
  • MSAB And Child Rescue Coalition To Combat Online Child Sexual Abuse
  • Cellebrite 2026 Industry Trends Survey – Help Shape The Future Of Digital Forensics
  • Final S21 CCTV Spotlight Session – What We’ve Covered
  • Oxygen Remote Explorer v.1.9 Adds iOS And Telegram Remote Collection
  • Passware Kit 2025v3 Released: Decrypt BitLocker Devices With TPM And PXE
  • Digital Forensics Round-Up, July 23 2025
  • Forensic Focus Digest, July 25 2025
  • Digital Forensics And Stress: Understanding Your Body’s Signals
    
    
• Magnet Forensics
  • Recognition in the community: Applications now open for the 2026 Magnet Forensics Scholarship & Agency Impact Awards! 
  • eDiscovery Forensics: Bridging Legal Review and Digital Evidence
  • Reclaim time in your digital investigations with Magnet One: Collaborate with ease
    
    
• Maxim Deweerdt at NVISO Labs
  Why Microsoft’s New Sentinel Data Lake Actually Matters
  
  
• Oxygen Forensics
  5 Review and Collaboration Benefits Using Oxygen Analytic Center
  
  
• Margaret Kelley and Nicole Weaver at Palo Alto Networks
  Cloud Logging for Security and Beyond
  
  
• TobyG at sentinel.blog
  Microsoft Sentinel Data Lake: Revolutionising Security Analytics with Cost-Effective Long-Term Storage
  
  
• The Volatility Foundation
  The 13th Annual Volatility Plugin Contest is Open!
  
  
• John Grageda at THOR Collective Dispatch
  Make It Hurt (a Little): Why Showing Real Impact in Pentest Findings Matters
  

SOFTWARE UPDATES

• Alexandre Borges
  Malwoverview 6.2
  
  
• Arkime
  v5.7.1
  
  
• Crowdstrike
  Falconpy Version 1.5.4
  
  
• Digital Sleuth
  winfor-salt v2025.9.10
  
  
• DomainTools
  DNSDB Scout Updates: Streamlined Interoperability with Iris Investigate
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.22.1
  
  
• Lethal Forensics – Microsoft-Analyzer-Suite
  Microsoft-Analyzer-Suite v1.6.0
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.1.507.1116
  
  
• OpenCTI
  6.7.7
  
  
• Passware
  Passware Kit 2025 v3 Now Available
  
  
• Phil Harvey
  ExifTool 13.33
  
  
• PuffyCid
  Artemis v0.15.0 – Released!
  
  
• Thiago Canozzo Lahr
  uac-3.2.0-rc2
  
  
• Xways
  • X-Ways Forensics 21.4 SR-7
  • X-Ways Forensics 21.5 SR-4
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!