No sponsor this week. If your organisation is interested, head over here to find out more.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Berla
  - Finding Previous Locations Without Geolocation Data
- Forensafe
- Hideaki Ihara at port139
  - SRUM verification on Win 11 25H2
- Matthew Plascencia
  - Linux Kidnapping Case
- Maxim Suhanov
  - Windows event logs were cleared, but resurrected in another file!
- Monty Shyama
  - Freezing the Crime Scene: A Step-by-Step Guide to Container Checkpointing & Forensics on Amazon EKS
- Nik Alleyne at ‘Security Nik’
  - CTF: Silence of the RAM – Tushar’s Write-up
THREAT INTELLIGENCE/HUNTING
- Abdulrehman Ali
- Tony Burgess at Barracuda
  - Malware Brief: New wave of botnets driving DDoS chaos
- Bitdefender
- BlackFog
- Brad Duncan at Malware Traffic Analysis
  - 2026-01-29: njRAT infection with MassLogger
  - 2026-01-22: SmartApeSG uses ClickFix technique to push Remcos RAT
  - 2026-01-20: Lumma Stealer infection with follow-up malware
  - 2026-01-20: VIP Recovery infection with FTP data exfiltration traffic
  - 2026-01-20: Xworm infection
  - 2026-01-30: PhantomStealer infection
  - 2026-01-31: Traffic analysis exercise: Lumma in the room-ah!
- Brian Krebs at ‘Krebs on Security’
  - Who Operates the Badbox 2.0 Botnet?
- Bridewell
  - Intelligence Insights: Jan 2025
- CERT Polska
  - Energy Sector Incident Report – 29 December 2025
- CERT-AGID
- Check Point
- David Bianco at Cisco
  - Introducing The PEAK Threat Hunting Assistant: Agentic AI to Supercharge Your Hunt
- Cisco’s Talos
- CloudSEK
  - Pivoting From PayTool: Tracking Various Frauds and E-Crime Targeting Canada
- Cofense
- Rob Bruner at CrowdStrike
  - LABYRINTH CHOLLIMA Evolves into Three Adversaries
- CTF导航
  - Prince of Persia – APT-C-07 analysis
- Ctrl-Alt-Int3l
  - ErrTraffic Under the Hood: A look at the source code
- Cyb3rhawk
  - Infrastructure Pivoting: Malicious Polymarket npm, Wallet Drainer, and Vidar Stealer
- Cyfirma
  - Weekly Intelligence Report – 30 January 2026
- Darktrace
  - ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
- Daylight Security
  - North Korea’s “Prospect Call” Trap: Lazarus Turns Teams Meetings into macOS Credential Theft
- Detect FYI
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 3)
- Dragos
  - ELECTRUM: Cyber Attack on Poland’s Electric System 2025
- Yasin Tas at Eye Research
  - From Helper to Adversary: The Dual-Use Risks of AI Canvases
- FalconFeeds
  - The Politics of Patch Delays: When Vulnerability Disclosure Collides with National Interests
  - Threat Intel in the Age of Data Localization Laws: A Borderless Discipline in a Bordered World
  - The Cyber Forensics Trap: When Attribution Becomes a Weapon
  - Proxy Networks and the Rise of Disposable Infrastructure-as-a-Service (IaaS)
- Flare
- Flashpoint
  - How China’s “Walled Garden” is Redefining the Cyber Threat Landscape
- Mark Robson, Omar Avilez Melo, John Simmons, Ken Evans, Jared Betts, Angelo Deveraturda and Xiaopeng Zhang at Fortinet
  - Interlock Ransomware: New Techniques, Same Old Tricks
- g0njxa
  - Approaching stealers devs: a brief interview with MioLab (NovaStealer)
- Google Cloud Threat Intelligence
  - Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
  - No Place Like Home Network: Disrupting the World’s Largest Residential Proxy Network
  - Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
  - Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
- Billy Leonard at Google Threat Analysis Group
  - TAG Bulletin: Q4 2025
- GreyNoise Labs
- Harfanglab
  - RedKitten: AI-accelerated campaign targeting Iranian protests
- Howard Oakley at ‘The Eclectic Light Company’
  - More malware from Google search
- Hudson Rock
  - ClawdBot: The New Primary Target for Infostealers in the AI Era
  - Compromised Machine in Gaza Strip Reveals Operational Documents From Breaking Dawn Operation
  - Inside Al-Qassam Brigades (Hamas): A Compromised Machine View of Religious and Cultural Weaponization
  - The Art of Recruitment – A Jihadist Manual Found on a Compromised Machine
  - The Autonomous Adversary: From “Chatbot” to Criminal Enterprise
- Huntress
- Intel 471
- Invictus Incident Response
  - Incident Response in the Neocloud – Nebius (Part I)
- Kasada
  - Q4 2025 Threat Intelligence Report
- Bert-Jan Pals at KQL Query
  - Defender for Endpoint Timeline Internals
- Kroll
  - December Threat Intelligence Spotlight Report
- Lab52
  - Black Industry: IRGC-Linked offensive OT framework
- LevelBlue
- Microsoft Security
  - Turning threat reports into detection insights with AI
- Eugenio Benincasa at Natto Thoughts
  - Provincial Tasking, Cross-Provincial Execution: A Case-Based Look at How China Scales Cyber Operations
- Eric Brown at Nebulock
  - Nebulock | coreSigma: Developing an Endpoint Security Framework Pipeline
- Stamatis Chatzimangou at NVISO Labs
  - ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing
- Oleg Skulkin at ‘Know Your Adversary’
- OpenSourceMalware
- OSINT Team
- Justin Moore at Palo Alto Networks
  - Understanding the Russian Cyber Threat to the 2026 Winter Olympics
- Picus Security
  - How NetSupport RAT Abuses Legitimate Remote Admin Tool
- Michael Weber at Praetorian
  - Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals
- Proofpoint
  - Can’t stop, won’t stop: TA584 innovates initial access
- Push Security
- Daniel Card at PwnDefend
  - Cyber Attack on Poland’s Electric System 2025
- Jan Blažek and Calvin House at Rapid7
  - Threat Actors Using AWS WorkMail in Phishing Campaigns
- Sam Straka at Red Canary
  - The key of AI: How Agentic Tuning can make your detection strategy sing
- Robin Dost at Synaptic Systems
- SANS Internet Storm Center
  - Scanning Webserver with /$(pwd)/ as a Starting Path, (Sun, Jan 25th)
  - Initial Stages of Romance Scams [Guest Diary], (Tue, Jan 27th)
  - Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?, (Wed, Jan 28th)
  - Google Presentations Abused for Phishing, (Fri, Jan 30th)
- Sekoia
  - Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
- Gabriel Bernadett-Shapiro & Silas Cutler (Censys) at SentinelOne
  - Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails
- SOC Fortress
  - Stop SIEM Noise at the Source: Wazuh Agent-Side Suppression for Windows Security Events (QueryList…
- SOCRadar
  - Dark Web Profile: BravoX Ransomware
- Sean S. at Spur
  - Beyond Kimwolf: How Residential Proxy Networks Enable Enterprise Lateral Movement
- Joe at Stranded on Pylos
  - Attributive Questions in High Profile Incidents
- Aiden Mitchell at Sublime Security
  - Email attacks featuring Google Cloud Application Integration abuse and captcha.html
- Sygnia
  - Supply Chain Attacks in Q4 2025: From Isolated Incidents to Systemic Failure Modes
- Symantec Enterprise
- System Weakness
- Kyle Contorno at Team Cymru
  - Operationalize Pure Signal™ in OpenCTI
- ThreatBreach
  - Is Era Of Browser Extensions Secure?
- Trend Micro
  - The State of Criminal AI: Market Consolidation and Operational Reality
- Daniel Kelley at Varonis
  - Stanley — A $6,000 Russian Malware Toolkit with Chrome Web Store Guarantee
- Shay Berkovich at Wiz
  - Introducing SITF: The First Threat Framework Dedicated to SDLC Infrastructure
- ZScaler
UPCOMING EVENTS
- Black Hills Information Security
  - Talkin’ Bout [infosec] News 2026-02-02 #infosec #news
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Hexordia
  - Truth in Data: S2EP2: The Volatile Truth: Mobile Device RAM Forensics with Adam Firman
- Adversary Universe Podcast
  - LABYRINTH CHOLLIMA Evolves into Three Adversaries
- Cellebrite
  - Tip Tuesday: Detected Faces
- Cloud Security Podcast by Google
  - EP260 The Agentic IAM Trainwreck: Why Your Bots Need Better Permissions Than Your Admins
- Dr Josh Stroschein
  - Mapping C Source to Intent | Strings & Imports | Lesson 1
- Endace
- InfoSec_Bret
  - Challenge – MemLoot
- John Hammond
  - Clawdbot Malware
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Malicious MS Office files without Macros
- Magnet Forensics
  - Mobile Unpacked S4:E1 // Breaking down the browsers
- Michael Haggis
  - Security Detections MCP v1.4: AI-Powered Detection Engineering + MITRE ATT&CK MCP Preview
- Microsoft Threat Intelligence Podcast
  - Fact vs Hype: How Threat Actors Are Really Using AI Right Now
- Monolith Forensics
  - Equipment Tracking in Monolith
- MSAB
  - #MSAB Monday – Exporting with XRY and XAMN
- Off By One Security
  - Tooling for AI Agents: A casual chat about tools, coding agents and more! …with AllThingsIDA
- Parsing The Truth: One Byte at a Time Podcast
  - S1 E37: The Lauren Giddings Case
- Proofpoint
  - Emerging Threats in 2026: Inside Proofpoint’s Detection Playbook
- Security Onion
  - Security Onion Essentials 2026
- Three Buddy Problem
  - A destructive cyberattack in Poland raises NATO ‘red-line’ questions
MALWARE
- Aikido
  - Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
- ASEC
  - Detection of Recent RMM Distribution Cases Using AhnLab EDR
- Cyble
  - ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell
- Andrea Draghetti at D3Lab
  - NFCShare Android Trojan: NFC card data theft via malicious APK
- Vincent Li at Fortinet
  - Unveiling the Weaponized Web Shell EncystPHP
- Intrinsec
  - PhantomVAI: custom loader built on an old RunPE utility used in worldwide campaigns
- Jamf
  - How Predator spyware defeats iOS recording indicators
- Deepa B at K7 Labs
  - The PyRAT Code: Python Based RAT and its Internals
- Natalie Zargarov at LayerX
  - How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts
- Ron Benisty at Profero
  - địt mẹ mày morphisec: When Malware Authors Taunt Security Researchers
- Pulsedive
  - TAMECAT – Analysis of an Iranian PowerShell-Based Backdoor
- Robert Simmons at ReversingLabs
  - Inside the EmEditor supply chain compromise
- John Tuckner at Secure Annex
  - Worms lurking in code extensions
- Securelist
- Shubho57
  - Analysis of an APT36 variant (APK File)
- Socket
- Sophos
  - Eeny, meeny, miny, moe? How ransomware operators choose victims
- Puja Srivastava at Sucuri
  - Shadow Directories: A Unique Method to Hijack WordPress Permalinks
- Ted Lee and Joseph C Chen at Trend Micro
  - PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
- WeLiveSecurity
- Zhassulan Zhussupov
  - MacOS malware persistence 2: shell environment hijacking. Simple C example
- Padvish Malware Threat Database
  - Trojan.Android.Chameleon.Ia
MISCELLANEOUS
- Belkasoft
  - Remote Mobile Acquisition with Belkasoft R
- Brett Shavers
- CyberBoo
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 01/26/26
- Oleg Afonin at Elcomsoft
  - The History and Evolution of USB Charging Standards
- Forensic Focus
  - Protecting The Protectors: Applying The ICMEC Framework To Digital Forensics
  - What’s New? ADF PRO v6.2.0 Features And Enhancements
  - Digital Forensics Round-Up, January 28 2026
  - Detego Global Launches Detego Detective, A Mini-Game Designed To Support Investigator Well-Being
  - Advancing Forensic Science: Transforming Video Evidence With Precision Speed Estimation
- Forensicfossil
  - Phishing Simulation For Employee
- Magnet Forensics
SOFTWARE UPDATES
- Arkime
  - v6.0.0-rc1
- Alexander Taylor at Binary Ninja
  - Binary Ninja Enterprise 2.0 Released
- Matthieu Gras
  - Extending Timeline Downloader: Identity Forensics and the 9000-Event Limit
- Canadian Centre for Cyber Security
  - Assemblyline v4.7.0.stable1
- Cerbero
  - Memory Analysis Package 0.8
- CyberChef
  - v10.20.0
- DFIR-IRIS
  - IRIS-Web v2.4.27
- Obsidian Forensics
  - Hindsight v2026.01
- OpenCTI
  - 6.9.13
- Phil Harvey
  - ExifTool 13.48
- Sigma
  - Release r2026-01-01
- Volatility Foundation
  - Volatility 3 2.27.0
- Xways
- Yamato Security
  - Hayabusa v3.8.0 – Winter Release
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!