As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Berla
  Connecting Occupants to Vehicles Through Device Data
  
  
• Damien Attoe
  A Forensic Look at the Grok Android App
  
  
• Oleg Afonin at Elcomsoft
  • Browser Forensics in 2026: App-Bound Encryption and Live Triage
  • Web Browser Forensics in Digital Triage
    
    
• Forensafe
  BelkaCTF #6: Bogus Bill
  
  
• Kenneth G Hartman at Lucid Truth Technologies
  BFU vs AFU: What Attorneys Need to Know About Phone Lock States and Digital Evidence
  
  
• Matthew Plascencia
  Getting Back on the Mac
  
  
• North Loop Consulting
  Forensic Analysis of the ChatGPT iOS Application
  
  
• Aditya Srikar Konduri at Paraben Corporation
  Memory Forensics Beyond the Endpoint: Volatile Evidence in Modern Cloud and Edge Environments
  
  
• Steve Whalen at Sumuri
  The Death of Physical Imaging: Understanding the New Standard in Mac Forensics
  

THREAT INTELLIGENCE/HUNTING

• Shu Hao Tung at APNIC
  From spoofing to tunnelling: New Red Team networking techniques for initial access and evasion
  
  
• ASEC
  • RMM Tools (Syncro, SuperOps, NinjaOne, etc.) Being Distributed Disguised as Video Files
  • Statistics Report on Malware Targeting Windows Web Servers in Q4 2025
  • Statistics Report on Malware Targeting Linux SSH Servers in Q4 2025
  • Statistics Report on Malware Targeting Windows Database Servers in Q4 2025
  • December 2025 Infostealer Trend Report
  • December 2025 APT Attack Trend Report (South Korea)
  • December 2025 Threat Trend Report on Ransomware
    
    
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | January 2026
  
  
• Bill Toulas at BleepingComputer
  Black Basta boss makes it onto Interpol’s ‘Red Notice’ list
  
  
• Brad Duncan at Malware Traffic Analysis
  2026-01-10: Ten days of scans and probes and web traffic hitting my web server
  
  
• CERT Ukraine
  “Неблагонадійний фонд”: цільові кібератаки UAC-0190 у відношенні СОУ з використанням PLUGGYAPE (CERT-UA#19092)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 10 – 16 gennaio
  
  
• Chainalysis
  Iranian Crypto Activity: A Mirror of Geopolitical Tensions and Domestic Unrest
  
  
• Check Point
  • 12th January – Threat Intelligence Report
  • Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework
  • Latin America Sees Sharpest Rise in Cyber Attacks in December 2025 as Ransomware Activity Accelerates
  • Sicarii Ransomware: Truth vs Myth
  • Microsoft Remains the Most Imitated Brand in Phishing Attacks in Q4 2025
    
    
• Asheer Malhotra, Vitor Ventura, Brandon White at Cisco’s Talos
  UAT-8837 targets critical infrastructure sectors in North America
  
  
• Max Gannon at Cofense
  International Threats: How Malware Campaigns Vary Across Non-English Languages
  
  
• Cyb3rhawk
  From Partner Search to Pig Butchering: Part 2, Wallet Drainer
  
  
• Ari Novick at CyberArk
  UNO reverse card: stealing cookies from cookie stealers
  
  
• Cybersec Sentinel
  How SHADOW#REACTOR uses harmless looking text files to deliver Remcos RAT
  
  
• Cyble
  • deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran
  • Ransomware and Supply Chain Attacks Soared in 2025
    
    
• Cyfirma
  Weekly Intelligence Report – 16 January 2026
  
  
• Darktrace
  React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and Threat Insights
  
  
• Detect FYI
  • Detection of Kerberos Golden Ticket Attacks via Velociraptor
  • TIFCE: Threat Intelligence Feed Evaluation (+ KQL Detections)
  • Shai Hulud 2.0 Campaign
  • How to Use Pareto Principle to Fine-Tune Alerts and Reduce False Positives Wisely
    
    
• Esentire
  The Industrialization of Cybercrime: 7 Key Statistics from eSentire’s 2026 Annual Cyber Threat Report
  
  
• Expel
  Planned failure: Gootloader’s malformed ZIP actually works perfectly
  
  
• Niels Teusink at Eye Research
  Microsoft login page abused as phishing redirector
  
  
• F5 Labs
  Analyzing React2Shell Threat Actors
  
  
• FalconFeeds
  • From Breaches to Influence: The Weaponization of Leaked Data in Modern Information Warfare
  • From Script Kiddie to Threat Actor: The Evolutionary Lifecycle of Targeted Campaign Operators
    
    
• Google Cloud Threat Intelligence
  • AuraInspector: Auditing Salesforce Aura for Data Exposure
  • Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation
    
    
• GreyNoise Labs
  • SmarterMail Version Enumeration: Threat Actors Building Target Lists Post-CVE-2025-52691
  • GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-17
    
    
• Group-IB
  DeadLock Ransomware: Smart Contracts for Malicious Purposes
  
  
• Laura Babbili at GuidePoint Security
  2025 Shattered Records: Key Takeaways From the GRIT 2026 Ransomware & Cyber Threat Report
  
  
• Harfanglab
  2026 Threatscape report
  
  
• Heather Lowrie
  Misogyny as Threat Infrastructure: Why Cyber Threat Intelligence Must Catch Up
  
  
• Hornet Security
  Monthly Threat Report Dezember 2025
  
  
• Hunt IO
  Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
  
  
• Andrew Schwartz at Huntress
  SDFlags: The Log Field I Wasn’t Looking at That Revealed How BloodHound Really Works
  
  
• Infoblox
  • Kimwolf Howls from Inside the Enterprise
  • Inside a Malicious Push Network: What 57M Logs Taught Us
    
    
• Natalie Zargarov at LayerX
  Browser Extensions Gone Rogue: The Full Scope of the GhostPoster Campaign
  
  
• Katrina Udquin at LevelBlue
  BEC Email Trends: Attacks up 15% in 2025
  
  
• Microsoft Security
  Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations
  
  
• Natto Thoughts
  China’s 2025 Top 20 Cybersecurity Companies: Which “Dark Horses” Will Emerge to Prominence in 2026?
  
  
• Sydney Marrone at Nebulock
  Hunting DigitStealer: Behaviors That Give Away macOS Infostealers
  
  
• Maurice Fielenbach at Nextron Systems
  Free Converter Software – Convert Any System from Clean to Infected in Seconds
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  367. Adversaries Use Fake BSOD to Make a Victim to Run a Malicious Command
  
  
• Roberto Rodriguez and Jose Rodriguez at Open Threat Research
  Evolving the Threat Hunter Playbook 🏹: Planning Hunts with Agent Skills 🤖
  
  
• Regan Temudo at OSINT Team
  Malspam Campaign Abusing Microsoft Outlook to Deploy LogMeIn GoToResolve RMM
  
  
• Lydia Atienza at Outpost24
  New attack analysis: What you need to know about the Endesa data breach
  
  
• Randy Stone at Palo Alto Networks
  Anatomy of an Attack: The Payroll Pirates and the Power of Social Engineering
  
  
• Picus Security
  • How WannaMine Works: A Fileless Cryptominer Malware
  • Prince of Persia APT Analysis: Infy, Foudre, and Tonnerre Malware
    
    
• Push Security
  • Analysing the malvertising criminal ecosystem
  • Google Search malvertising campaign impersonating Ahrefs
  • ConsentFix debrief: insights, recommendations & predictions
    
    
• SANS Internet Storm Center
  • YARA-X 1.11.0 Release: Hash Function Warnings, (Sun, Jan 11th)
  • Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain, (Wed, Jan 14th)
  • Battling Cryptojacking, Botnets, and IABs [Guest Diary], (Thu, Jan 15th)
  • Wireshark 4.6.3 Released, (Sat, Jan 17th)
  • “How many states are there in the United States?”, (Sun, Jan 18th)
    
    
• Sansec
  Keylogger targets 200,000+ employees at major US bank
  
  
• Thomas Roccia at SecurityBreak
  Coding Agents. The Insider Threat You Installed Yourself
  
  
• Securonix
  • Securonix Threat Labs Monthly Intelligence Insights – December 2025
  • SHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployment
    
    
• Sekoia
  Leveraging Landlock telemetry for Linux detection engineering
  
  
• TobyG at sentinel.blog
  ConsentFix: Securing Your Tenant Against OAuth Authorisation Code Theft
  
  
• Silent Push
  • Unmasking the DPRK Remote Worker Problem
  • Silent Push Uncovers New Magecart Network: Disrupting Online Shoppers Worldwide
    
    
• Simone Kraus
  Shai Hulud 2.0 Campaign
  
  
• SOCRadar
  • Annual Dark Web Report 2025
  • Dark Web Profile: Orion Ransomware
    
    
• Marco A. De Felice aka amvinfe at SuspectFile
  The Alliance That Never Was: A Critical Analysis of the Ransomware “Alliance” Announced by Stormous
  
  
• Symantec Enterprise
  Ransomware: Tactical Evolution Fuels Extortion Epidemic
  
  
• Sysdig
  • How threat actors are using self-hosted GitHub Actions runners as backdoors
  • VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits
    
    
• Manubhav Sharma at System Weakness
  Detecting and Mitigating C2 Communications: Methods and Detection Techniques
  
  
• Tasos Chatziefstratiou
  Beyond Graph API: Exploring ConsentFix Through the Exchange REST API Lens
  
  
• Will Thomas at Team Cymru
  Analysing Carding Infrastructure
  
  
• Trellix
  • The Unfriending Truth: How to Spot a Facebook Phishing Scam Before It’s Too Late
  • Hiding in Plain Sight: Multi-Actor ahost.exe Attacks
    
    
• Truesec
  Chrome Extension Steal ChatGPT and DeepSeek Conversations
  
  
• Joseliyo Sánchez at VirusTotal
  New Infostealer Campaign Targets Users via Spoofed Software Installers
  
  
• Yuval Avrahami and Nir Ohfeld at Wiz
  CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild
  
  
• Manmeet Bhasin at WMC Global
  The 2026 Outlook for Mobile Threat Intelligence
  
  
• Zero Salarium
  EDRStartupHinder: EDR Startup Process Blocker
  

UPCOMING EVENTS

• Jessica Hyde at Hexordia
  Magnet Virtual Summit Capture the Flag Powered by Hexordia Weekly Cipher Challenge
  
  
• Black Hills Information Security
  Talkin’ Bout [infosec] News 2026-01-19 #infosec #news
  
  
• Eclypsium
  The 2026 Threat Landscape: What Breaks Next – and How to Stay Ahead
  
  
• Magnet Forensics
  AI Unpacked S2:E1 // Cutting through the deepfake hype
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Taking Down Cybercriminals with Shawn Henry, Former FBI Leader
  
  
• Anuj Soni
  Debugging Malware: Extracting Hidden Payloads from Memory
  
  
• Behind the Binary by Google Cloud Security
  EP21 – From HITB Origins to Agentic AI: Web3, Music & The Future of Hacking with Dhillon Kannabhiran
  
  
• Erik Pistelli at Cerbero
  Memory Challenge 15: Hijacked
  
  
• Cloud Security Podcast by Google
  EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen
  
  
• Dr Josh Stroschein
  How the Windows Internals Book was a “Fluke” 😲
  
  
• Hexordia
  Truth in Data: S2E1: EvanoleVM: Breaking Down Barriers to Open-Source Forensics with Adam Hachem
  
  
• Huntress
  Fireside Chat | The Great Stack Audit: Making Sense of Your Tools
  
  
• InfoSec_Bret
  IR – SOC321 – Windows Defender Evasion Attempt
  
  
• John Hammond
  NTUSER.MAN
  
  
• Lesley Carhart
  Podcast – GirlsTalkCyber – Episode 24
  
  
• Magnet Forensics
  • Unlocking workflow efficiencies in video forensics: What’s new in 2026
  • Legal Unpacked S1:E4 // eDiscovery: Using civil discovery to dig deep into digital evidence
    
    
• Michael Haggis
  • ADTrapper: Open-Source Active Directory Security Analysis Platform
  • Detection Engineer Secrets: MCP + LLM for Scalable Detection Engineering
  • I Built an Event-Driven System to Analyze npm Supply Chain Risk
    
    
• Microsoft Threat Intelligence Podcast
  Open SesameOp: Abusing trusted AI platforms to host a C2 server
  
  
• Monolith Forensics
  Adding an Inquiry in Monolith
  
  
• MyDFIR
  Cybersecurity SOC Analyst Lab – PSExec Hunt
  
  
• Parsing the Truth: One Byte at a Time
  Who Solves Cases? Digital Forensics Tools or People?
  
  
• Permiso Security
  AI Users, Builders, and Agents: Securing the Next Generation of Identities
  
  
• Sandfly Security
  Sandfly Operation – Finding and Tracking SSH Keys on Linux Agentlessly
  
  
• Securizame
  Una caña con Lawwait – Episodio 46 – Nacho Barnés
  
  
• SentinelOne
  LABScon25 Replay | Hacktivism and War: A Clarifying Discussion
  
  
• The Defender’s Advantage Podcast
  How Android Combats Mobile Scams
  
  
• Three Buddy Problem
  Google Pixel ‘zero-click’ exploit caused by AI, mysterious Poland grid attacks, China bans US cybersecurity software
  

MALWARE

• Any.Run
  • CastleLoader Analysis: A Deep Dive into Stealthy Loader Targeting Government Sector
  • German Manufacturing Under Phishing Attacks: Tracking a Stealthy AsyncRATCampaign 
    
    
• Apophis
  ValleyRAT_S2 Chinese campaign
  
  
• CloudSEK
  HUMINT Operations Uncover Cryptojacking Campaign: Discord-Based Distribution of Clipboard Hijacking Malware Targeting Cryptocurrency Communities
  
  
• Dr. Web
  • Doctor Web’s Q4 2025 virus activity review
  • Doctor Web’s virus activity review for 2025
  • Doctor Web’s review of virus activity on mobile devices in 2025
    
    
• Xiaopeng Zhang at Fortinet
  New Remcos Campaign Distributed Through Fake Shipping Document
  
  
• Shen Yuan and Nir Avraham at Jamf
  Predator’s kill switch: undocumented anti-analysis techniques in iOS spyware
  
  
• Calvin So at Kandji
  Analyzing the MonetaStealer macOS Threat
  
  
• Vladimir Gursky at Kaspersky Lab
  Activity-masking infostealer dropper | Kaspersky official blog
  
  
• Kyle Cucci at SecurityLiterate
  Deceiving the Deceivers: A Review of Deception Pro
  
  
• Nicter
  暗号通貨のマイニングをするRondoDox
  
  
• R136a1
  🇷🇺 COMmand & Evade: Turla’s Kazuar v3 Loader
  
  
• Robin Dost at Synaptic Systems
  Gamaredon: Now Downloading via Windows Update’s Best Friend “BITS”
  
  
• S2W Lab
  Detailed Analysis of DragonForce Ransomware
  
  
• Security Alliance
  VS Code Tasks Abuse by Contagious Interview (DPRK)
  
  
• Shubho57
  Analysis of an packed file leading to an variant of Sauron Ransomware
  
  
• Socket
  • Malicious Chrome Extension Steals MEXC API Keys for Account Takeover
  • 5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR and ERP Systems
    
    
• Sushmita Shetty at Sophos
  TamperedChef serves bad ads, with infostealers as the main course
  
  
• Puja Srivastava at Sucuri
  Malware Intercepts Googlebot via IP-Verified Conditional Logic
  
  
• Robin Dost at Synaptic Systems
  MuddyWater: When Your Build System Becomes an IOC “Jacob”
  
  
• Buddy Tancio, Jed Valderama, Khristoffer Jocson, and Frankylnn Uy at Trend Micro
  Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response
  

MISCELLANEOUS

• Brett Shavers
  We’ve (D)evolved from Casework to Toolwork
  
  
• Cellebrite
  • A Leap Forward: How Cellebrite and Corellium are Shaping the Future of Mobile Investigations 
  • An Investigator’s Guide to CellebriteWhat to look for when choosing the right technology partner for modern criminal investigations.
  • Digital Forensics—Understanding the Nuances of Acquiring Computer Data 
    
    
• CyberBoo
  Attack Surface Reduction in Microsoft Defender for Endpoint: Part 7
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 01/12/26
  
  
• Forensic Focus
  • GMDSOFT Tech Letter Vol 18. Analyzing Recent App Traces: Task Snapshots
  • Digital Forensics Jobs Round-Up, January 12 2026
  • Oxygen Forensic KeyDiver – Keys To The Kingdom: Part 2
  • SS8 Whitepaper Reveals How Criminals Use Consumer Trackers — And How Investigators Stop Them
  • Digital Forensics Round-Up, January 14 2026
  • Covert Cyber Investigator Well-Being With Carol Brooks
  • GMDSOFT 2025 MD-Series Q4 Release Note Highlights
    
    
• Lenny Zeltser
  Write Good Incident Response Reports Using Your AI Tool
  
  
• Magnet Forensics
  • DFIR and DOGE: Digital Forensics in a new funding environment
  • Why is AI held to a higher standard than I am?
  • The power of Portable Case: Unleashing evidence discovery for all investigators
    
    
• Raymond Roethof
  Microsoft Copilot Studio: Real-Time Protection for AI Agents
  
  
• Sam Langrock at Recorded Future
  Best Ransomware Detection Tools
  

SOFTWARE UPDATES

• Canadian Centre for Cyber Security
  Assemblyline 4.6.2.0
  
  
• Cyber Triage
  Cyber Triage 3.16: Investigate Faster with Cyber Triage Enterprise
  
  
• Datadog Security Labs
  GuardDog Release v2.8.2
  
  
• Didier Stevens
  • Update: hash.py Version 0.0.14
  • Update: zipdump.py Version 0.0.33
    
    
• Digital Sleuth
  winfor-salt v2026.1.2
  
  
• MALCAT
  0.9.12 is out: Python 3.14, PYC and .NET stack analysis
  
  
• Mandiant
  flare-floss QUANTUMSTRAND beta 2
  
  
• MISP
  MISP v2.5.32 released bringing new workflow capabilities, enhancement, security fix and various bugs fixed
  
  
• OpenCTI
  6.9.8
  
  
• Passmark Software
  OSForensics V11.1 build 1015 15th January 2026
  
  
• Security Onion
  Security Onion 2.4.201 now available with Suricata and Zeek Updates!
  
  
• AbdulRhman Alfaifi at u0041
  Jumplist Parser
  
  
• Yogesh Khatri
  mac_apt 20260113
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!