No sponsor this week. If your organisation is interested, head over here to find out more.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Chamindu Pushpika
  Scattered Spider Uncaged – The AB Projekt Blue Investigation
  
  
• Elcomsoft
  • Perfect Acquisition: The True Physical Acquisition
  • Forensic Analysis of Windows 10 and 11 Event Logs
    
    
• Magnet Forensics
  Windows Forensics: Understanding and Analyzing Pagefile.sys Artifacts
  
  
• Marco Neumann at ‘Be-binary 4n6’
  • BUBBLES!!! BUBBLES! [gibbering] MY BUBBLES! – Chats (export/backups) need bubbles
  • Samsung Trash Provider App – Traces of deleted files never hurt
    
    
• Haider at HK_Dig4nsics
  UpScrolled Forensic Artifacts on iOS
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  1 little known secret of sti_ci.dll
  
  
• Ilyas Makari at Aikido
  npm backdoor lets hackers hijack gambling outcomes
  
  
• ASEC
  • January 2026 APT Group Trends
  • January 2026 Security Issues in Korean & Global Financial Sector
  • January 2026 Threat Trend Report on Ransomware
  • January 2026 Phishing Email Trends Report
  • January 2026 Infostealer Trend Report
    
    
• CJ Moses at AWS Security
  AI-augmented threat actor accesses FortiGate devices at scale
  
  
• Lawrence Abrams at BleepingComputer
  Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
  
  
• Brian Krebs at ‘Krebs on Security’
  • Kimwolf Botnet Swamps Anonymity Network I2P
  • ‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 14 – 20 febbraio
  
  
• Check Point
  • 16th February – Threat Intelligence Report
  • AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks
    
    
• Cofense
  • Invitation to Trouble: The Rise of Calendar Phishing Attacks
  • Brand Trust as a Weapon: Multi-Brand Impersonation Campaigns Deliver JWrapper Malware
    
    
• CTM360
  Ninja Browser & Lumma Infostealer
  
  
• Cyber and Ramen
  • Tracking DigitStealer: How Operator Patterns Exposed C2 Infrastructure
  • LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents
    
    
• Cybersec Sentinel
  MIMICRAT Campaign Uses Fake Verification Lure
  
  
• Cyfirma
  Weekly Intelligence Report – 20 February 2026
  
  
• Delivr.to
  DragFix: And you thought ClickFix was a drag?
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week6)
  
  
• Elastic Security Labs
  • Speeding APT Attack Confirmation with Attack Discovery, Workflows, and Agent Builder
  • MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
    
    
• FalconFeeds
  • Diplomacy Disrupted: The Cyber Siege on International Negotiations, Peace Talks, and Summits
  • Hacktivism as Statecraft: When Geopolitical Flashpoints Ignite State-Aligned Cyber Militias
  • Digital Embargoes: Can Cyber Sanctions Deter State-Backed Threat Actors?
  • Leaking for Leverage: The Strategic Timing of Data Leaks to Influence Political Agendas
    
    
• Flare
  Widespread OpenClaw Exploitation by Multiple Threat Groups
  
  
• Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., and Rich Reece at Google Cloud Threat Intelligence
  From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
  
  
• GreyNoise Labs
  GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-02-13
  
  
• Group-IB
  • Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
  • Operation Olalampo: Inside MuddyWater’s Latest Campaign
    
    
• GuidePoint Security
  Ransomware Trends by Industry: Insights from the GRIT 2026 Ransomware & Cyber Threat Report
  
  
• Hudson Rock
  • Hudson Rock Identifies Real-World Infostealer Infection Targeting OpenClaw Configurations
  • 2026 Infostealer Trends I’m Monitoring at Hudson Rock
    
    
• Hunt IO
  Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix
  
  
• IC3
  Increase in Malware Enabled ATM Jackpotting Incidents Across United States
  
  
• Infoblox
  Banners, Bots and Butchers: An Automated Long Con Targeting Japan, Asia, and Beyond
  
  
• Intel 471
  How AI and the human advantage beat tomorrow’s threats
  
  
• Arya Satya Saputra at MII Cyber Security
  Mengenal Pyramid Of Pain
  
  
• Jarrett Polcari at Nebulock
  Hunting the Notepad++ Update Hijack
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 374. Hunting for Suspicious Service Stopping Events
  • 375. The New ClickFix Variant: Do We Really Need To Detect It?
  • 376. Another Employee Monitoring Tool is Being Used by Attackers
    
    
• Moshe Siman Tov Bustan at OX Security
  Newly discovered NPM worm is hijacking CI workflows and targeting AI-based packages
  
  
• Palo Alto Networks
  • 2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster
  • Critical Vulnerabilities in Ivanti EPMM Exploited
  • VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
    
    
• Umut Bayram at Picus Security
  Top 10 Ransomware Groups of 2025
  
  
• Proofpoint
  (Don’t) TrustConnect: It’s a RAT in an RMM hat
  
  
• Recorded Future
  • GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
  • 2025 Cloud Threat Hunting and Defense Landscape
    
    
• Red Canary
  Intelligence Insights: February 2026
  
  
• Ashlee Benge at ReversingLabs
  How to Use YARA Retrohunting for Defense
  
  
• Sandfly Security
  BPFDoor Detection, Analysis, and Hunting Tactics on Linux
  
  
• SANS Internet Storm Center
  • 2026 64-Bits Malware Trend, (Mon, Feb 16th)
  • Fake Incident Report Used in Phishing Campaign, (Tue, Feb 17th)
  • Tracking Malware Campaigns With Reused Material, (Wed, Feb 18th)
  • Under the Hood of DynoWiper, (Thu, Feb 19th)
  • Japanese-Language Phishing Emails, (Sat, Feb 21st)
    
    
• Sansec
  • Building a faster YARA engine in pure Go
  • Digital skimmer hits global supermarket chain
    
    
• Thomas Roccia at SecurityBreak
  From GenAI to GenUI: Why Your AI CTI Agent Is Sh*T
  
  
• SOCRadar
  • Operation DoppelBrand: Massive Fortune 500 Brand Impersonation Campaign Uncovered
  • Dark Web Profile: Sinobi Ransomware
  • Dark Web Profile: Lotus Blossom
    
    
• Montel Oliver and Kyle Eaton at Sublime Security
  Fake Google Meet invitation, fake Microsoft Store, real malware attack · Blog · Sublime Security
  
  
• Marco A. De Felice aka amvinfe at SuspectFile
  Inside Bashe: The Interview with the Ransomware Group Known as APT73
  
  
• Sygnia
  What 2025’s Major Cyber Incidents Taught Executives About Incident Response Readiness
  
  
• System Weakness
  • “ RedLine ” CyberDefenders writeup
  • WMI Event Consumer Persistence: How APT29 Achieves Fileless Persistence (Part 1)
    
    
• Lauren Proehl at THOR Collective Dispatch
  • Ask-a-Thrunt3r: January 2026 – Season 2 Premiere 🐏
  • PACMap Is Live – And It’s Open Source!
    
    
• ThreatPatrol
  MITRE ATT&CK Enterprise Overview
  
  
• Trellix
  • Technical Deep Dive: The Monero Mining Campaign
  • Turf Wars vs. Supply Chains: The Great Divergence in State Cyber Threats
    
    
• Trend Micro
  Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
  
  
• Triskele Labs
  • Kairos: The Extortion Group Changing the Ransomware Playbook
  • From Torrented Software to Ransomware
  • DFIR Technical Analysis: From Torrented Software to Ransomware
    
    
• UnderDefense
  A Ghost Attacker in RAM: Neutralizing a Fileless Breach
  
  
• Daniel Kelley at Varonis
  How Cybercriminals Buy Access: Logins, Cookies, and Backdoors
  
  
• Wiz
  Would You Click ‘Accept’? Automatically detecting malicious Azure OAuth applications using LLMs
  
  
• Блог Solar 4RAYS
  Анализ фишинговой кампании Cloud Atlas
  

UPCOMING EVENTS

• Cellebrite
  Collection Types Strategy: Confidently Collect the Right Data for Any Case
  
  
• Magnet Forensics
  • Magnet Virtual Summit 2026
  • Magnet Review: Collaborate in real-time for faster, stronger digital investigations
  • End to end digital investigations: From first access to final verdicts
    
    
• Sygnia
  Incident Response in Crypto: Gaps between Perception and Best Practice
  

PRESENTATIONS/PODCASTS

• Black Hat
  • Black Hat USA 2025 | Advanced Active Directory to Entra ID Lateral Movement Techniques
  • Black Hat USA 2025 | Exploiting DNS for Stealthy User Tracking
    
    
• Black Hills Information Security
  Talkin’ Bout [infosec] News 2026-02-16 #infosec #news
  
  
• Jai Minton at Breach Log
  Ep2: The Unseen Impact of Ad Fraud with Max
  
  
• Cellebrite
  Tip Tuesday: The ‘Go To’ Button
  
  
• Cloud Security Podcast by Google
  EP263 SOC Refurbishing: Why New Tools Won’t Fix Broken Processes (Even With AI)
  
  
• Daniel at CQURE Academy
  CQURE Hacks #72: KQL Threat Hunting – One Query, Three Hunts
  
  
• Dr Josh Stroschein
  • Windows Internals & EDR Development – Live with Pavel Yosifovich!
  • Navigating the Binary: Data vs. Pointers | Strings & Imports | Lesson 4
    
    
• Frank Victory
  DFIR 8 2 Memory Forensics Processor Forensics
  
  
• InfoSec_Bret
  IR – SOC299 – Potential UAC Bypass Attempt Detected
  
  
• John Hammond
  The Payload Podcast #002 with Connor McGarr
  
  
• JPCERT/CC
  JSAC2026 -Day 1-
  
  
• Magnet Forensics
  Unlocking workflow efficiencies in video forensics: What’s new in 2026
  
  
• Monolith Forensics
  • Add a New QA Review to a Case in Monolith
  • Forensic Reports: Your Expertise as an API
    
    
• MSAB
  #MSABMonday – Capture the Flag Tips Part 2
  
  
• MyDFIR
  Cybersecurity SOC Analyst Lab – Memory Analysis (RedLine)
  
  
• Parsing The Truth: One Byte at a Time Podcast
  S1 E40: Was it suicide or murder? The Leslie Harman Case
  
  
• Richard Davis at 13Cubed
  The Key to Switching Apps
  
  
• SANS
  2025 SANS Hack & Defend Summit
  
  
• The Weekly Purple Team
  Can Vulnerable Drivers Still Kill Your EDR in 2026?
  
  
• Three Buddy Problem
  GitLab doxxes North Korea .gov hackers; fresh Ivanti zero-days; AI addiction and human purpose
  

MALWARE

• Any.Run
  LATAM Businesses Hit by XWorm via Fake Financial Receipts: Full Campaign Analysis 
  
  
• CERT Polska
  ClickFix in action: how fake captcha can lead to a company-wide infection
  
  
• Ctrl-Alt-Int3l
  • Aeternum Loader: When your C2 lives forever
  • Aeternum Loader: Inside the binary
    
    
• Cara Lin at Fortinet
  Massive Winos 4.0 Campaigns Target Taiwan
  
  
• Tim Berghoff and Karsten Hahn at G Data Software
  Testing with live malware: Good Intentions, Problematic Execution
  
  
• Rahul Ramesh and Reegun Jayapaul at Cyderes
  0APT Bluff Campaign Evolves Into Potential Threat
  
  
• InfoSec Write-ups
  The Family Laptop Trap: Unmasking a Go-Based Crypto-Heist
  
  
• Calvin So at Kandji
  macOS Malware Analysis: Music Plugin DMG Loader
  
  
• Patrick Wardle at Objective-See
  ClickFix: Stopped at ⌘+V
  
  
• Pepe berba
  AEMonitor: Monitoring Apple Events for Malware Analysis and Detection
  
  
• Securelist
  • Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets
  • Arkanix Stealer: a C++ & Python infostealer
    
    
• Socket
  SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains
  
  
• Lukas Stefanko at WeLiveSecurity
  PromptSpy ushers in the era of Android threats using GenAI
  

MISCELLANEOUS

• Brett Shavers
  Why AI Will Replace Every DFIR “Tool Operator” by 2027.
  
  
• Christopher Eng at Ogmini
  Magnet Virtual Summit 2026 CTF – Pre-Challenges and Thoughts
  
  
• Craig Ball at ‘Ball in your Court’
  Electronic Evidence Workbook 2026
  
  
• Cyber Triage
  How a Fortune 100’s IR Team Accelerated Client Investigations
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 02/16/26
  
  
• Forensic Focus
  • In The Age Of Synthetic Media, Authenticity Can No Longer Be Assumed
  • Digital Forensics Jobs Round-Up, February 16 2026
  • 5 Reasons Why Detego Case Manager For DFIR Is Ideal For Investigative Teams
  • Magnet Virtual Summit 2026 Kicks Off February 23!
  • International Well-Being Study: What The Early Data Shows
  • Digital Forensics Round-Up, February 18 2026
  • Into The Light Index 2025: What The Global CSAM Findings Mean For Digital Forensic Investigators
  • Belkasoft Advances AI-Assisted DFIR With Major Update To Belkasoft X And BelkaGPT
  • Forensic Focus Digest, February 20 2026
  • Repeated Exposure To Explicit Material Is No Longer Unavoidable
    
    
• Debbie Garner at Hexordia
  Reopening the Digital Files: Solving Cold Cases with Digital Forensics
  
  
• Koen Van Impe at MISP
  MISP architecture choices
  
  
• Sandfly Security
  Advantages of Agentless EDR for Linux
  

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 39780: Playback Control Options, TIME File Improvements, Video Duration Control when Removing Frames, Updates to Resize and Aspect Ratio, and Much More
  
  
• Fuji
  1.2.0 – Recovery mode
  
  
• Arkime
  v6.0.0-rc3
  
  
• Belkasoft
  Belkasoft X v2.10 Released! Major BelkaGPT Enhancements: Contextual Q&A, BelkaGPT Hub Extension, Magnet Axiom Import, Similar Face Search, Timestamped Speech Recognition; Acquisition of 40+ New Android Devices plus Enhanced iOS and Android Artifact Extraction.
  
  
• Canadian Centre for Cyber Security
  Assemblyline v4.7.1.stable2
  
  
• Cerbero
  Memory Analysis Package 0.9
  
  
• Costas K
  LNK & Jumplist Browser
  
  
• Didier Stevens
  Update: rtfdump.py Version 0.0.15
  
  
• Digital Sleuth
  winfor-salt v2026.2.1
  
  
• FlipForensics
  AIFT — AI Forensic Triage V1.1.1
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.4.719.1135
  
  
• MISP
  FlowIntel 3.0.0 released and MISP integration
  
  
• OpenCTI
  6.9.21
  
  
• Phil Harvey
  ExifTool 13.51
  
  
• radare2
  6.1.0
  
  
• SigmaHQ
  pySigma v1.1.1
  
  
• Xways
  X-Ways Forensics 21.7 SR-1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!