As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Christopher Eng at Ogmini
- Marc Tanner at Compass Security
WinGet Desired State: Initial Access Established
- Oleg Afonin at Elcomsoft
- Forensafe
- Forensic Science International: Digital Investigation
Volume 56
- Adam Hachem at Hexordia
- Hussam Shbib at Cyber Dose
Think the Web History Is Gone?
- Magnet Forensics
- The Volatility Foundation
The 2025 Volatility Plugin Contest results are in!
THREAT INTELLIGENCE/HUNTING
- Adan Alvarez
A Backdoor You Can Talk To: Persistence via Bedrock AgentCore
- Any.Run
- Arctic Wolf
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh
- Ayelen Torello at AttackIQ
Emulating the Systematic LokiLocker Ransomware
- Australian Cyber Security Centre
INC Ransom Affiliate Model Enabling Targeting of Critical Networks
- BI.Zone
Utilizing adversary infrastructure insights to derail attacks
- Radu Tudorica at Bitdefender
APT36: A Nightmare of Vibeware
- Ben Bowman at Black Hills Information Security, Inc.
The “P” in PAM is for Persistence: Linux Persistence Technique
- Rebecca Harpur at BlackFog
The State of Ransomware: February 2026
- Daniel Whitcombe and Alex Jones at Bridewell
Intelligence Insights: Feb 2026
- CERT Ukraine
UAC-0252 cyberattacks using the SHADOWSNIFF and SALATSTEALER stealers (CERT-UA#20032)
- CERT-AGID
- Chainalysis
- Check Point
- Chris Partridge
It’s tax season! You can tell by the malware campaigns impersonating the IRS
- Peter Bailey at Cisco
The Emerging Workload Security Threat, a Retrospective on VoidLink
- Cisco’s Talos
- ClearSky Cyber Security
Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow
- Cloudflare
- CloudSEK
- Confiant
Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign
- Ctrl-Alt-Intel
- Mike at Cyber and Ramen
Before the Proxy: Uncovering Active PlugX Staging Infrastructure Linked to Three PRC Actors
- Cyble
- Cyfirma
Weekly Intelligence Report – 05 March 2026
- Darktrace
Inside Cloud Compromise: Investigating Attacker Activity with Darktrace / Forensic Acquisition & Investigation
- Detect FYI
- Disconinja
Weekly Threat Infrastructure Investigation (Week 8)
- Elastic Security Labs
Hooked on Linux: Rootkit Taxonomy, Hooking Techniques and Tradecraft
- Esentire
- FalconFeeds
- Doxxing for Pressure: How Handala RedWanted Platform Escalates the Cyber Conflict
- MuddyWater in the Iran–Israel Cyber War: From PowerShell Scripts to Rust Implants
- The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict
- Military, Kinetic, and Maritime Security Developments in the Iran–Israel War
- Mapping the Cyber Battlefield: Threat Actor Activity Across the Middle East
- Israel’s BadeSaba Hack: How a Prayer App Became a Psychological Weapon
- DieNet: The DDoS Shock Troops of Iran’s Hybrid War
- Inside the Middle East’s Cyber Shadow War: Mapping 72+ Pro-Iran and Anti-Iran Groups
- Handala: The Silent Weapon of Tehran’s Cyber Shadow War
- Inside the Shadows: Investigating Claims of Betrayal and Intelligence Leaks in Khamenei’s Death
- Intelligence Report: Cyber Warfare & Information Operations in the Iran–Israel Conflict
- Flashpoint
Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains
- Amanda Gerut at Fortune
Feds are hunting teenage hacking groups like ‘Scattered Spider’ who have targeted $1 trillion worth of the Fortune 500 since 2022
- Gi7w0rm
Amos Stealer “malext” variant spread in a global malvertising campaign using free text-sharing…
- Google Cloud Threat Intelligence
- GuidePoint Security
- Matt Haynes at Howler Cell
Crisis in Iran: Are We Entering a New Chapter in a 20-Year Ongoing Cyber Conflict?
- HP Wolf Security
HP Wolf Security Threat Insights Report: March 2026
- Hudson Rock
Infected by GTA 5 Cheats: How an Infostealer Infection Unmasked a North Korean Agent
- Hunt IO
- Zafir Ansari and Darin Johnson at Infoblox
Connecting Dots with SSL Certificates: Finding Threat Actors with Graph Theory
- Ahmad Abolhadid at Insinuator.net
BlackBoxAI: AI Agent can get your computer fully compromised
- Intel 471
- Microsoft Security
- OAuth redirection abuse enables phishing and malware delivery
- Signed malware impersonating workplace apps deploys RMM backdoors
- Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
- Malicious AI Assistant Extensions Harvest LLM Chat Histories
- AI as tradecraft: How threat actors operationalize AI
- Moonlock
Fake VCs target crypto talent in a new ClickFix campaign
- Nisos
Exposing a Fraudulent DPRK Candidate
- OSINT Team
ShinyHunters: Inside the Threat Group
- Palo Alto Networks
- Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
- Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild
- Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
- An Investigation Into Years of Undetected Operations Targeting High-Value Sectors
- Adithya Vellal at Petra Security
When Attackers Modify Your Mail Flow
- Picus Security
- Notepad++ Supply Chain Attack & Chrysalis Backdoor
- T1059.001 PowerShell in MITRE ATT&CK Explained
- BAS for Small and Mid-Sized Enterprises: Breaking the Enterprise-Only Myth
- Measuring BAS ROI: A CISO’s Guide to Justifying Security Validation Investments
- T1059.002 AppleScript in MITRE ATT&CK Explained
- T1059.003 Windows Command Shell in MITRE ATT&CK Explained
- Iranian Threat Actors: What Defenders Need to Know
- Proofpoint
Disruption targets Tycoon 2FA, popular AiTM PhaaS
- Jacques Louw at Push Security
InstallFix: Weaponizing malvertized install guides
- Alex.Turing and Acey9 at Qi’anxin X Lab
Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks
- Luke Rusten at Recon Infosec
Iranian Government Affiliated Intrusions: Documented Tradecraft
- Recorded Future
Ongoing Iran Conflict: What You Need to Know
- Red Canary
- Resecurity
Cyber Battlefield: Ariomex, Iran-Based Crypto Exchange, Suffers Data Leak
- SANS Internet Storm Center
- Quick Howto: ZIP Files Inside RTF, (Mon, Mar 2nd)
- Wireshark 4.6.4 Released, (Mon, Mar 2nd)
- Want More XWorm?, (Wed, Mar 4th)
- Bruteforce Scans for CrushFTP, (Tue, Mar 3rd)
- Differentiating Between a Targeted Intrusion and an Automated Opportunistic Scanning [Guest Diary], (Wed, Mar 4th)
- YARA-X 1.14.0 Release, (Sat, Mar 7th)
- Securelist
- Michael Centrella at Security Scorecard
Iran Conflict and the Expanding Cyber Front: What Government Leaders Need to Know
- Marco Pedrinazzi at SecurityBreak
Introducing the Nova Rules Validation and Testing Pipeline
- Securonix
VOID#GEIST: Stealthy MultiStage Python Loader with Embedded Runtime Deployment, Startup Persistence, and Fileless Early Bird APC Injection into explorer.exe
- David Greenwood at Sekoia
Shadow IT: The Initial Access You Didn’t Log
- Shadowserver
Tycoon 2FA Phishing-as-a-Service Disruption
- Simone Kraus
- SOCRadar
Dark Web Profile: APT41
- Sophos
Hacktivist campaigns increase as United States, Iran, and Israel conflict intensifies
- Hugh Oh at Sublime Security
How we built high speed threat hunting for email security · Blog · Sublime Security
- Sujay Adkesar
How DNS Hides Inside HTTPS
- Surya Teja
“If Your Security Tool Goes Down, Does It Take Everyone With It?”
- Symantec Enterprise
Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company
- Sysdig
Security briefing: February 2026
- System Weakness
- Team Cymru
- Tenable
Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
- THOR Collective Dispatch
- Trellix
- Carlos Perez at TrustedSec
Building a Detection Foundation: Part 2 – Windows Security Events
- Ugur Koc and Bert-Jan Pals at Kusto Insights
Kusto Insights – February Update
- Valdin
Aye-Coruna: Tracing the iOS Exploit Kit from Ukraine to Iran War Lures
- Caleb Boyd at Varonis
Copy, Paste, Ransom: Making Data Exfiltration As Easy as AzCopy
- Lucie Cardiet at Vectra AI
5-Minute Hunt: Six Queries to Detect Iranian APT Activity by Lucie Cardiet
- ZScaler
- Solar 4RAYS Blog
Linux Forensics: Environment Variables
UPCOMING EVENTS
- Black Hills Information Security
Talkin’ Bout [infosec] News 2026-03-09 #infosec #news
- Huntress
Tradecraft Tuesday | Breaking Down the Huntress 2026 Cyber Threat Report
- Magnet Forensics
- Off By One Security
PRESENTATIONS/PODCASTS
- Behind the Binary by Google Cloud Security
EP23 Immutable C2: How EtherHiding and Frontend Attacks are Weaponizing the Blockchain
- Black Hat
- BlueMonkey 4n6
Magnet Virtual Summit – Capture The Flag – Feb 2026 – iOS walk through
- Jai Minton at Breach Log
Ep3: Care to Exchange 0-days?
- Cellebrite
Tip Tuesday: Join us for year 2 of the C2CUserSummit
- Cloud Security Podcast by Google
EP265 Beyond Shadow IT: Unsanctioned AI Agents Don’t Just Talk, They Act!
- Dr Josh Stroschein
Analyzing Runtime Linking | Strings & Imports | Lesson 6
- Eric Conrad
Detecting Malware via HTTPS Analysis
- Frank Victory
Technical Breakdown: Phishing, Reverse Shells, and Persistence
- InfoSec_Bret
Challenge – Remote Access Regret
- John Hammond
crypto scammers phish with physical mail
- Yuki Yano at JPCERT/CC
JSAC2026 -Workshop/Lightning Talk Session/Panel Discussion-
- Karsten Hahn at Malware Analysis For Hedgehogs
Malware Analysis – Deobfuscating NodeJs pkg packed stealer MythJs
- Magnet Forensics
- Michael Haggis
I Built an Autonomous Detection Engineering System (MCP 3.0 + AI Agents)
- Monolith Forensics
Hash Uploads in Monolith’s Case File System
- MSAB
#MSABMonday – Capture the Flag Tips Part 4
- MyDFIR
Microsoft Cloud SOC Project Idea
- Off By One Security
Evilginx MFA Phishing Evolution With Phishlets 2.0 with Kuba Gretzky
- Parsing The Truth: One Byte at a Time Podcast
Karen Read 1-1: Richard Green Affidavit
- SANS
Stay Ahead of Ransomware: Building an AI-Powered Ransomware Intelligence Agent
- Security Alliance
darkMode 2026: What You Missed
- Team Cymru
- The Cyber Mentor
LIVE: 🕵️ Memory Forensics | Blue Cape | Cybersecurity
- The Weekly Purple Team
Coercing Machine Accounts Through Microsoft Defender for Endpoint
- Three Buddy Problem
MALWARE
- Doug Metz at Baker Street Forensics
MalChela Meets AI: Three Paths to Smarter Malware Analysis
- Karsten Hahn at G Data Software
Use of LLMs for Malware Analysis: Doing it the right way
- Gilbert Kallenborn at Intrinsec
Analysis of AuraStealer, an emerging infostealer
- Dhanush at K7 Labs
MAAS VIP_Keylogger Campaign
- Stefan Dasic at Malwarebytes
A fake FileZilla site hosts a malicious download
- Richard Christopher
GachiLoader pt. 3 – Smart Contract C2
- Shubho57
Analysis of PromptSpy Spyware
- Socket
- Mingyue Shirley Yang at Trend Micro
New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages
- Zhassulan Zhussupov
Malware and cryptography 44 – encrypt/decrypt payload via Discrete Fourier Transform. Simple C example.
MISCELLANEOUS
- Brett Shavers
20 Minutes Up Front Reduces Hours of Waste Later.
- Cyber Triage
SOC Software: Tools Your Team Needs in 2026
- Decrypting a Defense
NYPD Sock Puppets, Ring Searches for Dogs (and Humans?), Improper ID Case, Electronic Monitoring Data & More
- Josibel Mendoza at DFIR Dominican
DFIR Jobs Update – 03/02/26
- Forensic Focus
- Digital Forensics Jobs Round-Up, March 02 2026
- Detego Global Achieves ISO 27001:2022 Certification, Reinforcing Commitment To Information Security
- Argentine Federal Police Rapidly Solve High-Profile Homicide Investigation Using SS8’s Discovery
- Digital Forensics Round-Up, March 04 2026
- Detego Global Launches Artefact_Compare For Rapid Device Integrity Verification
- Forensic Focus Digest, March 06 2026
- UK Parliament Has Spoken: Digital Forensics Has A Mental Health Problem
- Magnet Forensics Shares The 2026 State Of Enterprise DFIR Report
- Hal Pomeranz at ‘Righteous IT’
Linux Notes: ls and Timestamps
- Kevin Pagano at Stark 4N6
Forensics StartMe Updates (March 2026)
- Matthew Plascencia
Attracting Forensic Innovations
- Jason Suryoatmojo at MII Cyber Security
Attacking Kerberos 1: Understanding
- MISP
The Economic Power of Federated Threat Intelligence
- Oxygen Forensics
Direct Huawei extraction with Oxygen Forensic® Detective
- Patrick Siewert at ‘The Philosophy of DFIR’
The Case Against Limited-Scope Warrants for Digital Evidence
- Salvation DATA
Dashcam Video Recovery: The Importance and Methods of Recovering Dashcam Footage
- The Metadata Perspective
What It Is Like to Work in Digital Forensics (Without Being a Digital Forensics Examiner)
SOFTWARE UPDATES
- Arkime
v6.0.0
- Canadian Centre for Cyber Security
Assemblyline v4.7.1.stable7
- Costas K
LNK & Jumplist Browser
- Didier Stevens
Update: base64dump.py Version 0.0.29
- Digital Sleuth
winfor-salt v2026.2.3
- Hexastrike
PyrsistenceSniper
- Manabu Niseki
Mihari v8.4.0
- MISP
MISP v2.5.33: Performance, Security, and the New Overmind Theme
- MobilEdit
MOBILedit New Live Updates: Advanced UNISOC & EXYNOS Security Bypassing
- OpenCTI
7.260306.1
- Rapid7
Velociraptor Release 0.76
- Renzon Cruz
IRFlow Timeline
- Security Onion
Security Onion 2.4.210 Now Available with Updated Components and New Features including Local Model Support for Onion AI!
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!