No sponsor this week. If your organisation is interested, head over here to find out more.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Digital Forensics Myanmar
- Nicholas Dubois at Hexordia
  - The Secret Header: How iMessage Link Previews “Skip” YouTube Ads
- Hideaki Ihara at port139
- Matthew Plascencia
  - Disassemble that Video
- Fred Pena Urbina at Paraben Corporation
  - TCP Traces: How Malicious Traffic Disrupts the Linux Network Stack
- Seth Enoka
  - Understanding Windows Artefacts as Evidence, Not Indicators
- SOC Fortress
  - Title: Volatility 3 Will Change How You Hunt Malware (and Here’s the Cheatsheet)
- Terryn at chocolatecoat4n6
  - Presenting the ADAPT framework: Investigation and Analysis without Paralysis
- The DFIR Journal
  - Communicating Uncertainty in DFIR
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
  - Malware of the Day – Encrypted DNS Comparison: Detecting C2 When You Can’t See the Queries
- Aikido
- Alex Teixeira
  - Introducing > PowerShell.Exposed
- Any.Run
- Arctic Wolf
  - Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
- ASEC
- Francis Guibernau at AttackIQ
  - Emulating the Elegant BlackSuit Ransomware
- BI.Zone
  - Adversaries exploit CVE-2025-55182 to attack Russian companies
- binaryanalys.is
  - Defender Timeline Downloader: Extending Data Retention for Incident Response
- Rebecca Harpur at BlackFog
  - 2025 Q4 Ransomware Report
- Mehmet Ergene at Blu Raven Academy
  - Introducing LOLRMM-KQL
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
  - Kimwolf Botnet Lurking in Corporate, Govt. Networks
- CERT-AGID
  - New SPID-themed phishing campaign exploits Google Sites
  - Agenzia delle Entrate (AdE) logo exploited in a phishing campaign aimed at stealing SPID credentials
  - Yet another phishing campaign about the “Tessera Sanitaria expiry”: a brief summary of the context
  - Summary of malicious campaigns in the week of 17–23 January
- Check Point
- Cyber Centaurs
  - When Ransomware Makes a Mistake Inside INC Ransomware’s Backup Infrastructure
- Cybersec Sentinel
  - Evelyn Stealer and the rising risk of developer tool supply chain attacks
- Cyfirma
  - Weekly Intelligence Report – 23 January 2026
- Damien Lewke
  - MITRE ER7 Eval Demystification Part 1: The Mental Model
- Darktrace
  - Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access
- Daylight Security
  - MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users
- DeTTECT
  - v2.2.0
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 2)
- Esentire
  - Weaponized in China, Deployed in India: The SyncFuture Espionage Targeted Campaign
- FalconFeeds
- Carl Windsor at Fortinet
  - Analysis of Single Sign-On Abuse on FortiOS
- Gen
  - Gen Q4/2025 Threat Report
- Genians
  - Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
- GreyNoise Labs
- Group-IB
  - Peruvian Peaks: The Digital Loan Illusion
- Hunt IO
  - ClickFix Campaign Hijacks Facebook Sessions at Scale by Abusing Verification and Appeal Workflows
- Huntress
- Darin Johnson at Infoblox
  - Hallucinating for Fun and Profit: Using LLMs to Find Lookalikes without Targets
- Intel 471
  - DevMan Ransomware
- Iram Jack
- Thijs Xhaflaire at Jamf
  - Threat Actors Expand Abuse of Microsoft Visual Studio Code
- Jeffrey Appel
  - How to natively archive Defender XDR logs for up to 12 years
- Adam Goss at Kraven Security
  - Why Your CTI Team Can’t Keep Up (And How Data Engineering for CTI Fixes It)
- Pieter Arntz at Malwarebytes
  - Can you use too many LOLBins to drop some RATs?
- Michalis Michalos
  - Five (plus one) notable cyber attacks in Greece during 2025
- Microsoft Security
  - Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint
- Natto Thoughts
- Oleg Skulkin at ‘Know Your Adversary’
- Regan Temudo at OSINT Team
  - Black Shrantac Ransomware: Victim Analysis, Leak Site Intelligence, and Threat Assessment…
- Lidia López Sanz at Outpost24
  - The 2026 Cybersecurity Threat Landscape: Persistent Adversaries, Repeatable Playbooks
- Shehroze Farooqi, Alex Starov, Diva-Oriane Marty and Billy Melicher at Palo Alto Networks
  - The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
- Aditya Vats at Permiso
  - Permiso State of Identity Security Report 2026: From False Confidence to True Visibility
- Picus Security
- Farida Shafik at Praetorian
  - Stealing AI Models Through the API: A Practical Model Extraction Attack
- Recorded Future
  - PurpleBravo’s Targeting of the IT Software Supply Chain
- Red Canary
  - Intelligence Insights: January 2026
- Aditya Ganjam Mahesh and Kyle Schwaeble at S-RM
  - All eyes to the East: The rise of ransomware in Asia
- SANS Internet Storm Center
- Seqrite
- SOCRadar
- Nasreddine Bencherchali and Teoderick Contreras at Splunk
  - A Shared Arsenal: Identifying Common TTPs Across RATs
- Brian Baskin at Sublime Security
  - Key findings from the 2026 Sublime Email Threat Research Report
- Surya Teja
  - Detection Engineering Is Production Engineering — Why CI/CD Is No Longer Optional
- Symantec Enterprise
  - Osiris: New Ransomware, Experienced Attackers?
- Manish Rawat at System Weakness
  - DLL Hijacking Still Works in 2025 and That’s a Problem
- Will Thomas at Team Cymru
  - Scattered Spider Attacks | Infrastructure and TTP Analysis
- Lauren Proehl at THOR Collective Dispatch
  - Why You Should Build
- Threatmon
  - Ransomware in Turkey, H2 2025: What the Data Really Tells Us
- Ryan Slaney and Emma DeCarli at Trellix
  - From the Shadows to the Headlines: A Decade of State-Sponsored Cyber Leaks
- WeLiveSecurity
  - ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025
UPCOMING EVENTS
- Black Hills Information Security
  - Talkin’ Bout [infosec] News 2026-01-26 #infosec #news
- Magnet Forensics
  - Mobile Unpacked S4:E1 // Breaking down the browsers
PRESENTATIONS/PODCASTS
- AhmedS Kasmani
  - From Signed Driver to SYSTEM Control: A BYOVD Attack Walkthrough
- Black Hat
  - Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
- Cloud Security Podcast by Google
  - EP259 Why Google Built a Security LLM and How It Beats the Generalists
- Computer Crime Chronicles
  - Episode 10: Bhima Koregaon Part 1
- Dr Josh Stroschein
  - 🎙️NEW Behind the Binary! Dhillon joins us to discuss breaking the 9-5, an agentic world and web3!
- InfoSec_Bret
  - IR – SOC221 – Possible WinRAR Zero-Day Activity
- Magnet Forensics
  - AI Unpacked S2:E1 // Cutting through the deepfake hype
- Monolith Forensics
  - Forensic Software Tracking in Monolith
- MSAB
  - #MSABMonday – XRY Enrichment
- MyDFIR
  - How To Explain SOC Projects in Interviews
- Parsing The Truth: One Byte at a Time Podcast
- Richard Davis at 13Cubed
  - The Truth About Windows Explorer Timestamps
- Sandfly Security
  - Sandfly Operation – Agentless Automatic Drift Detection for Linux
- The Weekly Purple Team
  - Relaying Kerberos with MiTM6 – CVE-2025-20929
- Three Buddy Problem
  - Cheap, AI-generated zero-days and the real meaning of ‘advanced’ malware
MALWARE
- 0day in {REA_TEAM}
  - [Samplepedia Solution] Unveiling the Layers: Analyzing a Multi-Stage APT-Style Loader
- ASEC
- Xusheng Li at Binary Ninja
  - Defeating Anti-Reverse Engineering: A Deep Dive into the ‘Trouble’ Binary
- Dharani Sanjaiy at CloudSEK
  - Inside MacSync’s Script-Driven Stealer and Hardware Wallet App Trojanization
- Ctrl-Alt-Int3l
  - Attack on *stan: Your malware, my C2
- Erik Hjelmvik at Netresec
  - Decoding malware C2 with CyberChef
- Marcus Hutchins at Expel
  - ClearFake gets more evasive with new living off the land (LOTL) techniques
- Cara Lin at Fortinet
  - Inside a Multi-Stage Windows Malware Campaign
- Tuval Admoni at Koi Security
  - MaliciousCorgi: The Cute-Looking AI Extensions Leaking Code from 1.5 Million Developers
- Mostafa Farghaly
  - Deep Dive into Arkanix Stealer and its Infrastructure
- Resecurity
  - PDFSIDER Malware – Exploitation of DLL Side-Loading for AV and EDR Evasion
- Robin Dost at Synaptic Systems
  - RustyStealer: Your Compiler Is Snitching on You
- S2W Lab
  - Detailed Analysis of LockBit 5.0
- Shubho57
  - Analysis of a powershell script leads to tsundere botnet
- Kirill Boychenko at Socket
  - PyPI Package Impersonates SymPy to Deliver Cryptomining Malware
- Trend Micro
- Solar 4RAYS blog (Блог Solar 4RAYS)
  - ShadowRelay: a unique backdoor in the public sector
MISCELLANEOUS
- Andrea Fortuna
  - What’s really slowing down your incident response
- CyberBoo
  - Microsoft Defender for Endpoint Part 8: Next-Generation Protection
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 01/19/26
- Sebastian Weigmann at DFRWS
  - Would you like to host a DFRWS event?
- Forensic Focus
  - Digital Forensics Jobs Round-Up, January 19 2026
  - Why Digital Forensic Triage Matters: A Cost-Benefit Analysis From The Field
  - ADF Launches Refreshed Brand Identity To Celebrate 20 Years Of Innovation
  - Digital Forensics Round-Up, January 21 2026
  - Amped Software Image And Video Forensics Training Calendar 2026
  - Preparing Investigators For Trauma Exposure In Digital Forensics
  - Forensic Focus Digest, January 23 2026
- Bert-Jan Pals at KQL Query
  - Monitor New Actions in Sentinel & Defender XDR (V2)
- Magnet Forensics
- Mat Fuchs
  - The Crisis That Never Happened: Why Tabletop Exercises Are the Best Thing You’re Not Doing Enough
- Scott Richards at OpenText
  - Rethinking digital forensic evidence
SOFTWARE UPDATES
- Alexandre Borges
  - Malwoverview 7.0
- C.Peter
  - UFADE 1.0.3
- Datadog Security Labs
  - GuardDog Release v2.8.4
- Digital Sleuth
  - winfor-salt v2026.1.5
- Google
  - Timesketch 20260119
- Martin Korman
  - Regipy 6.2.1
- Nextron Systems
  - Announcing the Release of ASGARD Analysis Cockpit v4.4
- Open Source DFIR
  - Plaso 20250918 released
- OpenCTI
  - 6.9.10
- Sandfly Security
  - Sandfly 5.6 – Automatic Drift Detection
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!