No sponsor this week. If your organisation is interested, head over here to find out more.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
  - Case Studies: Building Effective Timelines with Plaso (Log2Timeline)
- Christian Peter
  - “Far over the misty mountains cold – iLEAPP Threema Parser”
- Derek Eiri
  - Extracting and Matching Faces with API Forensics’ Exponent Faces
- Martin Korman at DFIR Dudes
  - Regipy MCP: Natural Language Registry Forensics with Claude
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - A Typical PDF
- Elcomsoft
- Forensafe
  - iOS Gmail
- Marco Neumann at ‘Be-binary 4n6’
- Vendrop
  - FortiGate DFIR Notes
THREAT INTELLIGENCE/HUNTING
- Apramey Shurpali
  - Automate Your Threat Intel Workflow with GitHub
- Ashok Sakthivel at Barracuda
  - Threat Spotlight: How phishing kits evolved in 2025
- Sean Minnick at Black Hills Information Security, Inc.
  - Deceptive-Auditing: An Active Directory Honeypots Tool
- Rebecca Harpur at BlackFog
  - The State of Ransomware: December 2025
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
  - Who Benefited from the Aisuru and Kimwolf Botnets?
- CERT-AGID
  - New phishing campaign on the “Tessera Sanitaria expiry” theme underway
  - Fake Ministero dell’Interno portal discovered: phishing on residence permits
  - New critical Ni8mare vulnerability in n8n: unauthenticated attack
  - Summary of malicious campaigns in the week of 3 – 9 January
- Check Point
- Asheer Malhotra, Vitor Ventura, and Brandon White at Cisco’s Talos
  - UAT-7290 targets high value telecommunications infrastructure in South Asia
- CloudSEK
  - Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
- Max Gannon at Cofense
  - International Threats: Themes for Regional Phishing Campaigns
- Cybersec Sentinel
  - VVS Stealer highlights the rising danger of Discord focused infostealers
- Cyfirma
  - Weekly Intelligence Report – 09 January 2026
- Darktrace
- Detect FYI
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 1)
- DomainTools Investigations
- Elastic Security Labs
  - From Hypothesis to Action: Proactive Threat Hunting with Elastic Security
- ExaTrack
  - Happy 2026: A Gift for Threat Hunters – 12 Weeks of Hunting Tips
- FalconFeeds
  - Fractured Allegiances: Strategic CTI Analysis of Internecine Conflict in the Cybercriminal Underground
  - From Code to Culture: How Threat Actor Communities Evolve on Telegram and Dark Web Forums
  - The Shadow Web: How Private Messaging Apps Are Becoming the New Threat Actor Playground
  - The Akira Ransomware Syndicate: A Comprehensive Strategic Assessment, Operational Analysis, and Threat Trajectory (2023–2026)
- Flare
- Flashpoint
  - Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
- GreyNoise
- GreyNoise Labs
  - GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-09
- Group-IB
- HackTheBox
  - War Room: CVE-2025-14847—Mongobleed explained
- Hudson Rock
  - Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk
- Anna Pham and Matt Anderson at Huntress
  - ESXi Exploitation in the Wild
- IC3
  - North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities
- Intel 471
  - Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections
- Alexandre Carle at Intrinsec
  - From VPN Compromise to Ransomware: 5 Real-World Incident Response Scenarios
- KQL Query
- Microsoft Security
  - Phishing actors exploit complex routing and misconfigurations to spoof domains
- Ucha Gobejishvili at Mitiga
  - ConsentFix OAuth Phishing Explained: How Token-Based Attacks Bypass MFA in Microsoft Entra ID
- Recorded Future
- Resecurity
  - Cyber Counterintelligence (CCI): When ‘Shiny Objects’ trick ‘Shiny Hunters’
- Sandfly Security
  - The Advantages of Agentless EDR for Linux White Paper
- SANS Internet Storm Center
  - Risks of OOB Access via IP KVM Devices, (Mon, Jan 5th)
  - Tool Review: Tailsnitch, (Tue, Jan 6th)
  - A phishing campaign with QR codes rendered using an HTML table, (Wed, Jan 7th)
  - Analysis using Gephi with DShield Sensor Data, (Wed, Jan 7th)
  - Malicious Process Environment Block Manipulation, (Fri, Jan 9th)
- Securite360
  - The Intriguing Lotus: A Deep Dive into Sagerunex
- SentinelOne
  - 12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review
- Sarah Gooding at Socket
  - npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens
- Peter Djordjevic at Sublime Security
  - HostPapa abuse treasure trove discovered in GoDaddy email threat hunt
- Marco A. De Felice aka amvinfe at SuspectFile
  - Exclusive – Ransomware attack against Copec: Anubis claims exfiltration of 6 TB of data
- Akashwaris at System Weakness
  - Investigating a Cross-Site Scripting (XSS) Attempt in Let’sDefend SOC Lab
- Lauren Proehl and Sydney Marrone at THOR Collective Dispatch
  - 2026: The Year Builders Show Up
- Aswath A at Trellix
  - The Ghost in the Machine: Unmasking CrazyHunter’s Stealth Tactics
- Carlos Perez at TrustedSec
  - Updating the Sysmon Community Guide: Lessons Learned from the Front Lines
- Trustwave SpiderLabs
  - Threat Intelligence News from LevelBlue SpiderLabs January 2026
- Ugur Koc and Bert-Jan Pals at Kusto Insights
  - Kusto Insights – December Update
UPCOMING EVENTS
- Atola Technology
  - Must-visit DFIR conferences in 2026
- Black Hills Information Security
  - Active Directory Attack Path in Action w/ Alyssa & Kaitlyn
- Magnet Forensics
- Monolith Forensics
  - Workshop Wednesdays: Mastering Forensic Documentation & Reporting
- Silent Push
PRESENTATIONS/PODCASTS
- Alexis Brignoni
  - Digital Forensics Now Podcast S3 – 2
- Black Hat
  - From Spoofing to Tunneling: New Red Team’s Networking Techniques for Initial Access and Evasion
- BSides Cape Town
  - Making OpenINTEL open up – Szymon | BSides Cape Town 2025
- Cellebrite
  - Tip Tuesday: Hex Search Reminder
- Cloud Security Podcast by Google
  - EP257 Beyond the ‘Kaboom’: What Actually Breaks When OT Meets the Cloud?
- InfoSec_Bret
  - SA – SOC257 EventID: 225 – VPN Connection Detected from Unauthorized Country
- John Hubbard at ‘The Blueprint podcast’
  - Infiltration Alert! How to Catch Fake IT Employees in Your Network with Zak Stufflebeam
- Lesley Carhart
  - Destination Cyber Podcast on OT
- Linux Artifact Parser LAP
  - Parsing the Linux “audit.log” log with LAP – Linux Artifact Parser
  - Elf binary analysis using LAP – Linux Artifact Parser
  - Analysis of the /Proc virtual filesystem using LAP – Linux Artifact Parser
  - Reviewing Linux artifacts with LAP – Linux Artifact Parser
  - Analysis of .RPM and .DEB installation packages with LAP – Linux Artifact Parser
- Magnet Forensics
  - Leveraging grants to power digital investigations
- Michael Haggis
  - This Windows Persistence Trick Hides in Mandatory Profiles (MAN) – Atomic Testing
- Monolith Forensics
  - Adding a Storage Item in Monolith
- MSAB
  - #MSABMonday – XRY Language Detection
- Open Threat Research
  - Running Agent Skills with GitHub Copilot (VS Code) – Planning a Windows Threat Hunt
- Parsing The Truth: One Byte at a Time Podcast
  - S1 E34: Three Pillars of Expert Testimony: Preparation, Presence, & Education
- Richard Davis at 13Cubed
  - Major Update to 13Cubed Courses: Chaos at Cobalt
- Sandfly Security
  - Sandfly Operation – Agentless Linux Threat Hunting with Custom Sandfly Modules
- Security Onion
  - New Video: Introduction to Security Onion 2.4
- The Cyber Mentor
  - LIVE: 🕵️ New Year New Me | Sherlocks | Cybersecurity
- THE Security Insights Show
  - The “AI” Security Insights Show Episode 283 – AI Revolution in Cybersecurity
- The Weekly Purple Team
  - 🚨 Weaponizing AppLocker
- Three Buddy Problem
  - Hamid Kashfi on the situation in Iran; Did cyber cause Venezuela blackouts?
MALWARE
- Charlie Eriksen at Aikido
  - JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack
- ASEC
- Pieter Arntz at Malwarebytes
  - Fake WinRAR downloads hide malware behind a real installer
- Patrick Wardle at Objective-See
  - The Mac Malware of 2025
- Robert Simmons at ReversingLabs
  - Unpacking the packer ‘pkr_mtsi’
- Securonix
  - Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
- Puja Srivastava at Sucuri
- Aswath A at Trellix
  - The Ghost in the Machine: Unmasking CrazyHunter’s Stealth Tactics
- Zhassulan Zhussupov
  - MacOS malware persistence 1: LaunchAgents. Simple C example
- Satyam Singh and Lakhan Parashar at ZScaler
  - Malicious NPM Packages Deliver NodeCordRAT
MISCELLANEOUS
- Faan Rossouw at Active Countermeasures
  - Context Over Code: The Irreplaceable Role of Human Hunters
- Decrypting a Defense
  - Real-Time Facial Recognition, White House AI Executive Order, Failure to Preserve Video, State of the Surveillance State & More
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 01/05/26
- Forensic Focus
  - Digital Forensics Jobs Round-Up, January 05 2026
  - First Forensic Forum (F3) Analyst’s Annual Workshops 2025
  - Oxygen Forensic KeyScout – Keys To The Kingdom: Part 1
  - Digital Forensics Round-Up, January 07 2026
  - Forensic Focus International Well-Being Study – Have Your Say
  - Forensic Focus Digest, January 09 2026
- Debbie Garner & Kim Gatson at Hexordia
  - Sworn or Civilian? Structuring the Digital Forensics Function for Success
- Magnet Forensics
- Macie Thompson at Recon Infosec
  - Planning for the Worst: Making IR, BC, and DR Plans Work
SOFTWARE UPDATES
- Alexis Brignoni
  - AI_Provenance_Scanner
- Brian Maloney
  - OneDriveExplorer v2026.01.06
- Datadog Security Labs
  - GuardDog v2.7.1
- Digital Sleuth
  - winfor-salt v2026.1.1
- OpenCTI
  - 6.9.6
- Roberto Nardella
  - LAP
- Securizame
  - Wintriage: Released version 28112025
- SigmaHQ
  - pySigma v1.1.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!