No sponsor this week. If your organisation is interested, head over here to find out more.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Chris at AskClees
  Decrypting Threema4.db
  
  
• Mike Wilkinson at Cyber Triage
  Configuring Your System for IR: Windows Logging
  
  
• Derek Eiri
  Exploring frame-counts-galore and hashing pixel data
  
  
• Oleg Afonin at Elcomsoft
  Live System Analysis: Mitigating Interference from Antivirus Tools
  
  
• Forensafe
  Android Threema
  
  
• Kenneth G Hartman at Lucid Truth Technologies
  Android Evidence in Court: Why It’s Harder to Defend Than iPhone Evidence
  
  
• Mahmoud Al-Qudsi at Neosmart Technologies
  Recreating uncensored Epstein PDFs from raw encoded attachments
  
  
• Faishol Hakim at MII Cyber Security
  L3ak CTF — Forensic
  
  
• Steve Whalen at Sumuri
  Why macOS Artifacts Don’t Behave Like Windows Artifacts (And Never Will)
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  The MITRE ATT&CK Framework: A Threat Hunter’s Strategic Compass
  
  
• Adan Alvarez
  A Practical Introduction to OpenTIDE: Open Threat-Informed Detection Engineering
  
  
• Aikido
  npx Confusion: Packages That Forgot to Claim Their Own Name
  
  
• Andrew Skatoff at ‘DFIR TNT’
  Introducing Huntable CTI Studio
  
  
• Christine Barry at Barracuda
  Lessons from Black Basta’s collapse
  
  
• BI.Zone
  Approaching cyclone: Vortex Werewolf attacks Russia
  
  
• Bitdefender
  • Nitrogen ransomware ESXi bug makes decryption impossible
  • The Evolution of Ransomware – Key Moments
  • Helpful Skills or Hidden Payloads? Bitdefender Labs Dives Deep into the OpenClaw Malicious Skill Trap
    
    
• Rebecca Harpur at BlackFog
  The State of Ransomware: January 2026
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2026-02-01: Seven days of scans and probes and web traffic hitting my web server
  • 2026-02-02: KongTuke ClickFix activity leads to Async RAT
  • 2026-02-03: GuLoader for AgentTesla style malware with FTP data exfiltration
    
    
• CERT Ukraine
  “Бюлетень небезпеки”: UAC-0001 (APT28) здійснює кібератаки у відношенні України та країн ЄС з використанням експлойту CVE-2026-21509 (CERT-UA#19542)
  
  
• CERT-AGID
  • Si diffonde la truffa WhatsApp “prestami dei soldi”: attenti anche alle sessioni attive
  • Sintesi riepilogativa delle campagne malevole nella settimana del 31 gennaio – 6 febbraio
    
    
• Check Point
  • 2nd February – Threat Intelligence Report
  • The Three Most Disruptive Cyber Trends Impacting the Financial Industry Today
  • Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia
  • SaaS Abuse at Scale: Phone-Based Scam Campaign Leveraging Trusted Platforms
    
    
• CloudSEK
  Cross-Border Cryptocurrency Investment Scam Leveraging Social Messaging Channels and Fake Regulatory Credentials
  
  
• Coveware
  • Nitrogen Ransomware: ESXi malware has a bug!
  • Why Zero-Day Downstream Mass Data Extortion Campaigns are Losing Their Bite
    
    
• CrowdStrike
  Advanced Web Shell Detection and Prevention: A Deep Dive into CrowdStrike’s Linux Sensor Capabilities
  
  
• Cybersec Sentinel
  Notepad++ Compromise Reinforces the Need for Strict Software Governance
  
  
• Cyble
  Ransomware Attacks Have Surged 30% Since Q4 2025
  
  
• Cyfirma
  Weekly Intelligence Report – 06 February 2026
  
  
• Damien Lewke
  Claws for Concern
  
  
• Ryan Simon at Datadog Security Labs
  Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
  
  
• Daylight Security
  • MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users
  • North Korea’s “Prospect Call” Trap: Lazarus Turns Teams Meetings into macOS Credential Theft
    
    
• Detect FYI
  • Move and Countermove: Game Theory Aspects of Detection Engineering
  • Introducing the Adversarial Detection Engineering Framework: A Taxonomy for Detection Logic Bugs
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week4)
  
  
• Elastic Security Labs
  • The Engineer’s Guide to Elastic Detections as Code
  • From Qradar to Elastic: Automate your Detection Rule Migration
  • DYNOWIPER: Destructive Malware Targeting Poland’s Energy Sector
  • Automating GOAD and Live Malware Labs
    
    
• Erik Hjelmvik at Netresec
  njRAT runs MassLogger
  
  
• Alexandros Pallis and Miltos Kalodoukas at Falcon Force
  FalconFriday — Need for Speed: going Underground with near-real-time (NRT) rules — 0xFF26
  
  
• Assaf Morag at Flare
  Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape
  
  
• GreyNoise
  • The Noise in the Silence: Unmasking CISA’s Hidden KEV Ransomware Updates
  • React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
    
    
• GreyNoise Labs
  • Dual-Mode Citrix Gateway Reconnaissance: When Residential Proxies Meet Version Hunting
  • Vive La Vulnérabilité: French Kubernetes Cluster Hunts Your Webhook Endpoints
  • GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-02-06
    
    
• Group-IB
  Shaping Shadows: Breaking Down New ShadowSyndicate Methods and Infrastructure
  
  
• HackTheBox
  • NetworkMiner on Linux: Where traditional packet analysis still fits in modern incident response
  • Detecting and investigating Command-and-Control (C2) Communication: A quick guide for security teams
    
    
• Hudson Rock
  AI Agents’ Most Downloaded Skill Is Discovered to Be an Infostealer
  
  
• Hunt IO
  Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways
  
  
• Huntress
  • They Got In Through SonicWall. Then They Tried to Kill Every Security Tool
  • Windows Projected File System (ProjFS) Internals: A Technical Deep Dive
    
    
• Infoblox
  Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
  
  
• Intel 471
  Likely fake ransomware operator 0APT causes panic — Our analysis
  
  
• Jeffrey Appel
  Automatic Windows event auditing configuration for Defender for Identity V3.x sensor
  
  
• Jeffrey at Catching Phish
  The Business of Being First After a Data Breach
  
  
• Lab52
  The GRU illegals
  
  
• Microsoft Security
  • Infostealers without borders: macOS, Python stealers, and platform abuse
  • Detecting backdoored language models at scale
  • New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
  • The security implementation gap: Why Microsoft is supporting Operation Winter SHIELD
  • Analysis of active exploitation of SolarWinds Web Help Desk
  • Cloud forensics: Forensic readiness and incident response in Azure Virtual Desktop
    
    
• Moonlock
  6 key trends to watch in macOS malware in 2026
  
  
• MuSecTech
  Triage Analysis at Scale Using OpenSearch
  
  
• Sydney Marrone at Nebulock
  Hunting OpenClaw and Agentic AI Through Behavior
  
  
• Ray Canzanese at Netskope
  Malicious Bing Ads Lead to Widespread Azure Tech Support Scams
  
  
• Ceri Coburn at NetSPI
  Pipe Dreams: Remote Code Execution via Quest Desktop Authority Named Pipe 
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  372. The Notepad++ Supply Chain Attack: Detection and Hunting Opportunities
  
  
• OpenSourceMalware
  Malicious ClawHub Skills Use External Websites to Hide in Plain Sight (and bypass VirusTotal)
  
  
• Palo Alto Networks
  • The Shadow Campaigns: Uncovering Global Espionage
  • Novel Technique to Detect Cloud Threat Actor Operations
    
    
• Ian Ahl at Permiso
  Inside the OpenClaw Ecosystem: What Happens When AI Agents Get Credentials to Everything
  
  
• Picus Security
  • MITRE ATT&CK T1078 Valid Accounts Explained
  • Is Babuk Back? Uncovering the Truth Behind Babuk Locker 2.0
  • CVE-2026-21509: APT28 Exploits Microsoft Office Zero-day Vulnerability
    
    
• Dhiral Vyas at Praetorian
  Gone Phishing, Got a Token: When Separate Flaws Combine
  
  
• Apurv Singh Gautam, Chaitanya Haritash, Eric Taylor, Ellis Stannard, and Olivier Ferrand at Ransom ISAC
  Ransomware Leak Collection & Analysis
  
  
• Ivan Feigl at Rapid7
  The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
  
  
• Recorded Future
  Rublevka Team: Anatomy of a Russian Crypto Drainer Operation
  
  
• Robin Dost at Synaptic Systems
  APT28: Geofencing as a Targeting Signal (CVE-2026-21509 Campaign)
  
  
• Tim Geschwindt at S-RM
  Impostor ransomware actor 0APT triggers panic
  
  
• SANS Internet Storm Center
  • Scanning for exposed Anthropic Models, (Mon, Feb 2nd)
  • Detecting and Monitoring OpenClaw (clawdbot, moltbot), (Tue, Feb 3rd)
  • Malicious Script Delivering More Maliciousness, (Wed, Feb 4th)
  • Broken Phishing URLs, (Thu, Feb 5th)
    
    
• Georgy Kucherin and Anton Kargin at Securelist
  The Notepad++ supply chain attack — unnoticed execution chains and new IoCs
  
  
• Security Joes
  Hunting OpenClaw: Detection and Containment Guidance for Defenders
  
  
• Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee at Securonix
  Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery and Self-Parsing Batch Scripts to Deploy In-Memory Shellcode
  
  
• Seqrite
  Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering
  
  
• Silent Push
  Silent Push Identifies More Than 10,000 Infected IPs as Part of SystemBC Botnet Malware Family
  
  
• SOCRadar
  Dark Web Profile: 0APT Ransomware
  
  
• Sophos
  Malicious use of virtual machine infrastructure
  
  
• Splunk
  • When AI Tools Turn Against You: Operationalizing MCP Server Security with the Splunk MCP TA
  • TOTAL-REPLAY: The Bridge to Replay Attacks Using the Security Content Metadata
  • Print, Leak, Repeat: UEBA Insider Threats You Can’t Ignore
  • Splunking Isovalent Data: Initial Setup and Overview
    
    
• Alex Hegyi at Stairwell
  Stairwell Detects Widespread Exposure to Critical WinRAR Vulnerability Across Customer Environments
  
  
• Kyle Eaton at Sublime Security
  Scammers actively targeting real estate agents with remote access attacks · Blog · Sublime Security
  
  
• Alon Eliassaf, Ronen Regev, and Amir Sadon at Sygnia
  Inside a Sophisticated Recovery Scam Network: Evidence from a Live Investigation into Legal Services Impersonation
  
  
• Symantec Enterprise
  Black Basta: Defense Evasion Capability Embedded in Ransomware Payload
  
  
• Noah Chaslin at Synacktiv
  Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound
  
  
• Alessandro Brucato and Michael Clark at Sysdig
  AI-assisted cloud intrusion achieves admin access in 8 minutes
  
  
• System Weakness
  • Unmasking Lumma Malware in 2026
  • Detection Engineering Practice: Detecting CMD Hidden Window Execution
    
    
• Team Cymru
  • Payment Fraud Detection: How ATO and Phishing Kits Drive Modern Abuse
  • MediaLand Isn’t Dormant: The Reality of Active OFAC-Sanctioned Infrastructure
    
    
• The Raven File
  LOGICAL LIMITATIONS OF AI MODELS IN THREAT INTELLIGENCE
  
  
• Trellix
  • The Crown Jewels of Active Directory: How Trellix Helix Detects NTDS.dit Theft
  • APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure
  • Why Attackers Hope You Ditch Your On-Premises EDR
    
    
• Truesec
  Russian Hacktivist Group “Russian Legion” Initiate OpDenmark
  
  
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – January Update
  
  
• Allison Nixon at Unit 221B
  Harassment, Scare Tactics, & Why Victims Should Never Pay ShinyHunters
  
  
• Kenneth Kinion and Elliot Roe at Valdin
  Exploring the C2 Infrastructure of the Notepad++ Compromise
  
  
• Bernardo Quintero at VirusTotalVirusTotal
  • From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized
  • From Automation to Infection (Part II): Reverse Shells, Semantic Worms, and Cognitive Rootkits in OpenClaw Skills
    
    
• Gal Nagli at Wiz
  Hacking Moltbook: The AI Social Network Any Human Can Control
  
  
• Chloe Chamberland at Wordfence
  Quarterly WordPress Threat Intelligence Report – Q4 2025
  
  
• YARA-X
  Introducing the YARA language server
  
  
• Блог Solar 4RAYS
  Обзор уязвимостей веб-приложений за 4 квартал 2025 и полный 2025 год
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-02-11
  
  
• Cellebrite
  • 2026 Industry Trends: How Digital Forensics is Redefining Public Safety
  • Audit-Ready iOS App Security for Financial Institutions
    
    
• Magnet Forensics
  • Get smarter searches and faster results with Magnet Review Intelligent Search
  • Smarter mobile investigations: Tools for today’s forensic service providers
    
    
• Off By One Security
  • Read Only to RCE: Discovering New Kubernetes Attack Paths with Graham Helton
  • Windows Secure Calls in Practice: VSM, VTLs, and SkBridge with Connor McGarrr!
    
    
• Picus Security
  The Silence of the Parasite: The New Art of Staying Undetected
  
  
• SANS
  Agile Incident Response: How Leading Teams Execute Fast
  
  
• Spur
  Suspicious Origins
  

PRESENTATIONS/PODCASTS

• Behind the Binary by Google Cloud Security
  EP22 Jailbreaking, Prompt Injection, and the “Agentic” Flaw in MCP with Kevin Harris
  
  
• Cellebrite
  Tip Tuesday: Searching for Binary Objects
  
  
• Erik Pistelli at Cerbero
  Memory Challenge 16: MemLabs Lab 1 – Beginner’s Luck
  
  
• Cloud Security Podcast by Google
  EP261 No More Aspiration: Scaling a Modern SOC with Real AI Agents
  
  
• Kajetan Porwolik at CQURE Academy
  CQURE Hacks #71: 5 KQL tricks to speed up threat hunting
  
  
• Dr Josh Stroschein
  • ASCII vs. Unicode Strings | Strings & Imports | Lesson 2
  • Quick Tips – How to Disable DEP in Windows (The “Nuclear Option”)
    
    
• Frank Victory
  Digital Forensics Lab: Memory Analysis with Sysinternals & PowerShell (Part 1)
  
  
• InfoSec_Bret
  IR – SOC270 – AsyncRAT Malware Detected
  
  
• John Hammond
  • JHT Course Launch: Dark Web 2 – CTI Researcher
  • The Payload Podcast #001 with Jonny Johnson & Max Harley
    
    
• Magnet Forensics
  • Six pillars of digital forensics
  • Digital investigations for data-driven threat hunting
    
    
• Michael Haggis
  Build a Detection Engineering “Brain” for LLMs | Security Detections MCP 2.0 Release
  
  
• Monolith Forensics
  How to Use Global Search in Monolith
  
  
• MSAB
  #MSABMonday – XAMN Pro Report Builder
  
  
• MyDFIR
  I Wasted Hundreds on Separate Courses – Until I Found This All-in-One Solution
  
  
• Parsing The Truth: One Byte at a Time Podcast
  S1 E38: Printed Emails Aren’t Digital Evidence
  
  
• Permiso Security
  Episode 05 – OpenClaw, MoltBook, and the Rise of Agent Identity Abuse
  
  
• The Weekly Purple Team
  Cracking Credential Guard with DumpGuard
  

MALWARE

• Ashley Shen at Cisco’s Talos
  Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
  
  
• Cybereason
  Fake Installer: Ultimately, ValleyRAT infection
  
  
• Darktrace
  • Darktrace Malware Analysis: Unpacking SnappyBee
  • AppleScript Abuse: Unpacking a macOS Phishing Campaign
    
    
• Rahul Ramesh and Reegun Jayapaul at Howler Cell
  RenEngine Loader and HijackLoader: Dual-Stage Attack Chain Fueling Stealer Campaigns
  
  
• Guy Korolevski and Ofri Ouzan at JFrog
  Breaking AppSec Myths – Obfuscated Packages
  
  
• Alex and Oren Yomtov at Koi Security
  ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting
  
  
• Lenny Zeltser
  Using AI Agents to Analyze Malware on REMnux
  
  
• Richard Christopher
  • DLL Sideloading – JRTools.dll
  • Malware Roulette #1 – GachiLoader pt. 1
    
    
• Securelist
  Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT
  
  
• Shubho57
  Analysis of a JSE File (Kimsuky APT)
  
  
• Aleksei Kudrinskii, Hemang Sarkar, Kristian Bonde Nielsen, Liran Tal, Luca Beurer-Kellner, and Marco Milanta at Snyk
  
  280+ Leaky Skills: How OpenClaw & ClawHub Are Exposing API Keys and PII
  
  
• Kush Pandya at Socket
  Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise
  
  
• VMRay
  Climbing the Pyramid of Lumma Pain
  
  
• Zhassulan Zhussupov
  MacOS malware persistence 3: Dylib hijacking (VLC). Simple C example
  
  
• ZScaler
  • APT28 Leverages CVE-2026-21509 in Operation Neusploit
  • Technical Analysis of Marco Stealer
    
    
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Sicari
  

MISCELLANEOUS

• Brett Shavers
  I Thought Legal Would Catch It. They didn’t.
  
  
• Cellebrite
  • Digital Intel from the Frontline: Extracting Enemy Intelligence from Captured Mobile Devices
  • Cellebrite’s 2026 Industry Trends Report Reveals Smartphones as the Leading Source of Digital Evidence in Investigations at 97%
    
    
• Decrypting a Defense
  Federal Watchlists for Protesters, Ghost Gun Bogeyman, ALPR Virginia Court Decision, File Signatures and Carving & More
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 02/02/26
  
  
• F-Response
  Being Pushy – Deploying F-Response over the Network
  
  
• Forensic Focus
  • Digital Forensics Jobs Round-Up, February 02 2026
  • Bridging The Gap In UAV Investigations: The Case For A 360-Degree Drone Forensics Curriculum
  • How To Master Triage For Your Forensic Investigations
  • Digital Forensics Round-Up, February 04 2026
  • Occupational Trauma In Digital Forensics: What One Child’s Experience Reveals
  • Forensic Focus Digest, February 06 2026
  • Three Investigative Bottlenecks – Three New Baseline Capabilities
    
    
• Debbie Garner at Hexordia
  Continuous Digital Forensics Training: The Non-Negotiable Investment
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (February 2026)
  
  
• Magnet Forensics
  Revolutionizing digital forensics: How Magnet Automate is eliminating lab backlogs at scale
  
  
• Patrick Siewert at ‘The Philosophy of DFIR’
  An Exploration of the Grad School Decision in DF/IR
  

SOFTWARE UPDATES

• Arsenal Recon
  Swap Recon v1.0.0.14
  
  
• Canadian Centre for Cyber Security
  Assemblyline v4.7.0.stable4
  
  
• CyberChef
  v10.21.0
  
  
• Datadog Security Labs
  GuardDog Release v2.9.0
  
  
• Digital Sleuth
  winfor-salt v2026.1.9
  
  
• Michael Karsyan at Event Log Explorer blog
  Understanding Windows Events Made Easier: Event Log Explorer Meets Microsoft Copilot
  
  
• IntelOwl
  v6.5.1
  
  
• Magnet Forensics
  New in Magnet Nexus: Deeper Windows evidence, faster macOS ARM collections
  
  
• MSAB
  XRY 11.3.1: Market-first GPS device support.
  
  
• OpenCTI
  6.9.16
  
  
• Phil Harvey
  ExifTool 13.50 (production release)
  
  
• PuffyCid
  Artemis v0.18.0 – Released!
  
  
• Ryan Benson at dfir.blog
  Hindsight v2026.01 Released!
  
  
• Xways
  X-Ways Forensics 21.7 Beta 3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!