Belkasoft X v2.10: More Evidence. Less Manual Effort. – Acquisition support for 40+ new Android devices – Deeper artifact extraction from Discord, Snapchat, iOS Biome, and more – Magnet Axiom (.mfdb) case import – Conversation context support and smarter artifact search in BelkaGPT – Built-in facial recognition for person-of-interest search Request your trial of Belkasoft X today

Sponsored by Belkasoft

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Django Faiola at ‘Appunti di Informatica Forense’
  Deep‑Dive Forense in Box per iOS
  
  
• Oleg Afonin at Elcomsoft
  • The C:\User Data in Windows Forensics
  • Android Pre-Installed Apps: What Could Possibly Go Wrong?
    
    
• Forensafe
  Apple Spotlight
  
  
• Justin De Luna at ‘The DFIR Spot’
  From Chaos to Chronology: The Power of Forensic Timelines
  

THREAT INTELLIGENCE/HUNTING

• Ilyas Makari at Aikido
  Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
  
  
• Anton Chuvakin
  Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out!
  
  
• Aditya K Sood at Aryaka
  Kernel in the Crosshairs: The BlackSanta Threat Campaign Targeting Recruitment Workflows
  
  
• Paul Reid at AttackIQ
  Defending Against Iranian Cyber Threats in the Wake of Operation Epic Fury 
  
  
• Bitdefender
  • Bitdefender Threat Debrief
  • Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads
    
    
• Brian Krebs at ‘Krebs on Security’
  • How AI Assistants are Moving the Security Goalposts
  • Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 7 – 13 marzo
  
  
• Check Point
  • 9th March – Threat Intelligence Report
  • China-Nexus Activity Against Qatar Observed Amid Expanding Regional Tensions
  • Global Cyber Attacks Remain Near Record Highs in February 2026 Despite Ransomware Decline
  • Iranian MOIS Actors & the Cyber Crime Connection
  • “Handala Hack” – Unveiling Group’s Modus Operandi
    
    
• Jen Sells, Claudio Jolowicz, and Nico Gutierrez at Cloudflare
  Investigating multi-vector attacks in Log Explorer
  
  
• Kahng An at Cofense
  Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials
  
  
• Cyberdom
  Sentinel MCP for Threat Hunting and Investigations
  
  
• Cybersec Sentinel
  • VodkaStealer Malware Harvests Browser Credentials and Session Token
  • Microsoft Excel Vulnerability CVE-2026-26144 May Allow Data Exposure Through Copilot
    
    
• Cyfirma
  Weekly Intelligence Report – 13 March 2026
  
  
• Andrea Draghetti at D3Lab
  Phishing EasyPark: il brand sfruttato per sottrarre dati di pagamento e documenti di identità
  
  
• Damien Lewke
  Two Dudes and a GPU
  
  
• Darktrace
  NetSupport RAT: How Legitimate Tools Can Be as Damaging as Malware
  
  
• Martin McCloskey at Datadog Security Labs
  Behind the console: Active phishing campaign targeting AWS console credentials
  
  
• Detect FYI
  • The Red Queen’s Race: Arms Race Dynamics in Threat Detection
  • Beyond the IP: Identifying Compromised Identities in RDP Sessions
    
    
• Elastic Security Labs
  Managing Elastic Security Detection Rules with Terraform
  
  
• FalconFeeds
  • Following the Money: The 82-Wallet Bitcoin Cluster Linked to Iran’s IRGC-CEC
  • CyberBan News Agency: Inside Iran’s Dual-Use Cyber Propaganda and Influence Platform
  • War-Time Data Leaks: How Threat Actors Use Stolen Documents for Political Influence
  • Technical and Strategic Analysis of the OpenClaw Ecosystem: Security Vulnerabilities, Deployment Risks, and the Evolution of Agentic AI
  • 313 Team and the Iran–Israel Shadow War
  • Exposed Eyes: CCTV Vulnerabilities and Surveillance Threats in the Middle East and India (2025 – 2026)
  • Charming Kitten in the Iran–Israel Cyber War From DNS Tunnelling to Persistent State-Sponsored Espionage
  • OilRig in the Iran–Israel Cyber War: From DNS Tunnelling to Persistent State-Sponsored Espionage
    
    
• Flare
  • Active Phishing Campaign on Hosting Infrastructure with Alleged Links to Iranian State Aligned Activity
  • Webshells Threat Hunting: A Data-Driven Look Beyond Backdoors
    
    
• Flashpoint
  Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report
  
  
• Gen
  • Engineering the Future of Agentic Threat Hunting
  • Promptmorphism: How LLMs Are Mass-Producing Disposable Stage 1 Loaders
    
    
• Group-IB
  • Six Supply Chain Attack Groups to Watch Out for in 2026
  • The Rise of Fake Shipment Tracking Scams in MEA
    
    
• Hudson Rock
  How One Infostealer Infection Solved a Global Supply Chain Mystery and Unmasked DPRK Spies in U.S. Crypto
  
  
• Stephan Meza at Hunt & Hackett
  Spearhead: One-to-many IOC hunting across multiple single-tenant environments
  
  
• Hunt IO
  Operation Roundish: Uncovering an APT28 Roundcube Toolkit Used Against Ukrainian Government Targets
  
  
• IC3
  AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort
  
  
• InfoSec Write-ups
  • The Prestige of Malware: Unmasking ClickFix, Destructor Hijacking, and the “Dictionary Symphony”
  • CTI Research: Sandworm / APT44
    
    
• Intel 471
  • Israeli, US strikes against Iran triggers a surge in hacktivist activity
  • OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery
    
    
• Invictus Incident Response
  The Invisible Architecture of Modern Phishing
  
  
• Lumen
  Silence of the hops: The KadNap botnet
  
  
• Stefan Dasic at Malwarebytes
  Fake Temu Coin airdrop uses ClickFix trick to install stealthy malware
  
  
• Matt Suiche
  Odd Lots: Cyberwar in the Age of AI
  
  
• Microsoft Security
  • Contagious Interview: Malware delivered through fake developer job interviews
  • Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
  • Detecting and analyzing prompt abuse in AI tools
    
    
• Arya Satya Saputra at MII Cyber Security
  Hunting Suspicious RDP (Remote Desktop Protocol) Access from Infosec skills labs.
  
  
• Mitiga
  • An Uninvited Guest
  • Strictly Come Detecting
    
    
• Eugenio Benincasa at Natto Thoughts
  Faux Amis: How France Stands Apart in Europe’s High-Risk University Cyber Partnerships with China
  
  
• Olaf Schwarz at NVISO Labs
  Ivanti EPMM ‘Sleeper Shells’ not so sleepy?
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 379. Hunting for Suspicious Compiled HTML Files
  • 380. Hunting for Suspicious System Language Discovery Events
  • 381. In Some Cases, Attackers Can Simply Export Your Passwords
  • 382. Handala Hack Abuses NetBird
    
    
• Palo Alto Networks
  • Insights: Increased Risk of Wiper Attacks
  • Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
    
    
• Andi Ahmeti at Permiso
  CO-PILOT, DISENGAGE AUTOPHISH: The New Phishing Surface Hiding Inside AI Email Summaries
  
  
• Picus Security
  • T1059.004 Unix Shell in MITRE ATT&CK Explained
  • T1059.006 Python in MITRE ATT&CK Explained
  • The Role of Generative AI in BAS: Why Attackers Move in Minutes and Defenders Still Take Days
  • T1059.005 Visual Basic in MITRE ATT&CK Explained
  • MITRE ATT&CK T1055 Process Injection clone test
  • T1059.008 Network Device CLI in MITRE ATT&CK Explained
  • T1059.007 JavaScript in MITRE ATT&CK Explained
  • T1059.009 Cloud API in MITRE ATT&CK Explained
  • Fragmented Tools Can’t Keep Up in the AI Era. Gartner Maps What Replaces Them.
  • T1059.010 AutoHotKey & AutoIT in MITRE ATT&CK Explained
  • T1059.011 Lua in MITRE ATT&CK Explained
  • T1059.012 Hypervisor CLI in MITRE ATT&CK Explained
    
    
• Praetorian
  • When Proxies Become the Attack Vectors in Web Architectures
  • Et Tu, RDP? Detecting Sticky Keys Backdoors with Brutus and WebAssembly
    
    
• Proofpoint
  Iran conflict drives heightened espionage activity against Middle East targets
  
  
• Rapid7
  • Rapid7 Detection Coverage for Iran-Linked Cyber Activity
  • Iran’s Cyber Playbook in the Escalating Regional Conflict
    
    
• Raymond Roethof
  Microsoft Ownerless Agents: The silent risk in your Entra tenant
  
  
• Tre Wilkins at Red Canary
  Moving up the Assemblyline: Exposing malicious code in browser extensions
  
  
• SANS Internet Storm Center
  • Encrypted Client Hello: Ready for Prime Time?, (Mon, Mar 9th)
  • Analyzing “Zombie Zip” Files (CVE-2026-0866), (Wed, Mar 11th)
  • When your IoT Device Logs in as Admin, It?s too Late! [Guest Diary], (Wed, Mar 11th)
  • A React-based phishing page with credential exfiltration via EmailJS, (Fri, Mar 13th)
  • SmartApeSG campaign uses ClickFix page to push Remcos RAT, (Sat, Mar 14th)
    
    
• Filipi Pires at Scythe
  APT28 — BadPaw / MeowMeow: From Manual Lab to Continuous Emulation
  
  
• Aleksandar Milenkoski & Razvan Gabriel Cirstea at SentinelOne
  From Narrative to Knowledge Graph | LLM-Driven Information Extraction in Cyber Threat Intelligence
  
  
• Alex Delamotte, Stephen Bromfield, Mary Braden Murphy & Amey Patne at SentinelOne
  FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
  
  
• Priya Patel at Seqrite
  Operation CamelClone: Multi-Region Espionage Campaign Targets Government and Defense Entities Amidst Regional Tensions
  
  
• Simone Kraus
  Ukraine, Iran, and the New Sequencing of Hybrid War
  
  
• SOC Fortress
  Over 100 GitHub Repositories Distributing BoryptGrab Stealer
  
  
• Socket
  • 6 Malicious Packagist Themes Ship Trojanized jQuery and FUNNULL Redirect Payloads
  • 73 Malicious Open VSX Extensions Linked to GlassWorm Campaign Now Using Transitive Dependencies
    
    
• SOCRadar
  Dark Web Profile: Handala Hack
  
  
• Sophos
  • Evil evolution: ClickFix and macOS infostealers
  • Initial access techniques used by Iran-based threat actors
    
    
• Varun Sharma at Step Security
  ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push
  
  
• Surya Teja
  When the Admin Console Becomes the Weapon: Hunting the Handala Threat Actor in Microsoft…
  
  
• Sygnia
  Exfiltration in Plain Sight: SafePay’s OneDrive Play
  
  
• Tenable
  Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
  
  
• RakeshKrish at The Raven File
  TENGU RANSOMWARE
  
  
• Third Eye intelligence
  From Missiles to Malware – When Geopolitics enters the network
  
  
• Threatmon
  Handala Hack Team and the Stryker Breach: When Hacktivism Masks State-Level Cyber Warfare
  
  
• Trellix
  • Fileless Multi-Stage Remcos RAT: From Phishing to Memory-Resident Execution
  • Malware-As-A-Service Redefined: Why XWorm is outpacing every other RAT in the underground malware market
    
    
• Trend Micro
  • Azure Control Plane Threat Detection With TrendAI Vision One™
  • Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites
  • Cracking the Isolation: Novel Docker Desktop VM Escape Techniques Under WSL2
    
    
• TrustedSec
  • Building a Detection Foundation: Part 3 – PowerShell and Script Logging
  • LnkMeMaybe – A Review of CVE-2026-25185
    
    
• Блог Solar 4RAYS
  Solar 4RAYS: Хроники расследований инцидентов в 2025 году
  

UPCOMING EVENTS

• Black Hills Information Security
  • Do it, do it NOW! – A Pre-Incident Checklist w/ Patterson
  • Talkin’ Bout [infosec] News 2026-03-16 #infosec #news
    
    
• Cellebrite
  • Building the Force of the Future: People, Culture, and the Road to 2030
  • Investigate at the Speed of Now: AI, Automation, and the Modern Workflow
  • The New Crime Scene: Intelligence, Data, and the Cloud Advantage
  • Digital Policing 2030: How Artificial Intelligence is Reshaping Law Enforcement
    
    
• Magnet Forensics
  • Signals in the noise: Five years of enterprise DFIR trends and what comes next
  • Bridging the air gap: Accelerating mobile forensics in secure, offline labs
    
    
• SANS
  2026 Threat Landscape Reality Check: Turning Threat Intelligence into Analytic Advantage
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: S2EP5: Forensics Role Call: Examining Sworn vs. Non-Sworn Digital Forensics Examiners
  
  
• Adversary Universe Podcast
  Breaking Down the New National Cybersecurity Strategy
  
  
• BlueMonkey 4n6
  Magnet Virtual Summit – Capture The Flag – Feb 2026 – MacOS walk through
  
  
• Cellebrite
  Tip Tuesday: Top Speakers + Top Training at the C2C User Summit
  
  
• Cloud Security Podcast by Google
  EP266 Resetting the SOC for Code War: Allie Mellen on Detecting State Actors vs. Doing the Basics
  
  
• Doug Metz at Baker Street Forensics
  The Game Is Afoot: Introducing the MalChela Video Series
  
  
• Dr Josh Stroschein
  01 – Building a Reverse Shell Game Plan with a Simple C Program
  
  
• Frank Victory
  Practical SOC Skills: Mastering TCPdump, Snort, and Snorby
  
  
• 2 Cyber Chicks
  Turning Threat Intelligence Into Real-World Action | 2 Cyber Chicks S8 E1
  
  
• Huntress
  • The Hottest IPO on the DarkWeb
  • The Massive Cyber Threat Hiding In Plain Sight
    
    
• InfoSec_Bret
  Challenge – ICS FuelStation
  
  
• John Hammond
  • An Interview with Allie Mellen (author: CODE WAR)
  • GraphSpy: Hacker’s Tooling Deep Dive (w/ creator @RedByte1337!)
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Build your own AI Malware Analysis Lab with Remnux
  
  
• Magnet Forensics
  • Magnet Virtual Summit 2026
  • Protecting your organization from manipulated media with Magnet Verify
  • A unified workflow for modern CSAM investigations
    
    
• Microsoft Threat Intelligence Podcast
  AI as Tradecraft: How Threat Actors Are Operationalizing AI
  
  
• Monolith Forensics
  • Creating a New Audit in Monolith
  • SQLite for Investigators: Databases, Structures & Queries
    
    
• MSAB
  #MSABMonday Capture the Flag Tips Part 5
  
  
• MyDFIR
  SOC Analysts: Learn This Skill ASAP
  
  
• Cerbero
  Memory Challenge 18: Reminiscent
  
  
• Parsing The Truth: One Byte at a Time Podcast
  S1 E43: Karen Read 1-2: Jessica Hyde Testimony Part 1
  
  
• Permiso Security
  Episode 7 – Hidden Prompts, Trusted Output: Inside Copilot Summary Abuse
  
  
• Proofpoint
  TrustConnect RAT: Inside a Vibe-Coded Malware Ecosystem
  
  
• Team Cymru
  • Cybersecurity Incident Response at Thermo Fisher: How the Ransomware Landscape Has Evolved
  • JWT Cracks, South American Telecom Breaches, and the Kinetic-Cyber Nexus in Iran
    
    
• The Cyber Mentor
  • Project Helix Blue Team CTF Teaser – Coming Wednesday!
  • 5 Books That Shaped My DFIR Career
    
    
• Three Buddy Problem
  Handala wiper attacks, APT28 implant devs are back, Signal’s verification problems
  

MALWARE

• Any.Run
  MicroStealer Analysis: A Fast-Spreading Infostealer with Limited Detection 
  
  
• ASEC
  • February 2026 Infostealer Trend Report
  • February 2026 APT Group Trends Report
  • February 2026 Phishing Email Trends Report
    
    
• Esentire
  MuddyWater APT + Tsundere Botnet: EtherHiding the C2
  
  
• John Dador at G Data Software
  Endgame Harvesting: Inside ACRStealer’s Modern Infrastructure
  
  
• Andrey Pautov at InfoSec Write-ups
  • PE Import Analyzer: A Practical Guide for Malware Analysts and Reverse Engineers
  • Unpacker: A Practical Guide to Modular Malware Packer Detection and Unpacking
    
    
• Tomoya Kamei at JPCERT/CC
  Study of Binaries Created with Rust through Reverse Engineering
  
  
• Debmalya Datta at K7 Labs
  GIBCRYPTO: The Destructive Ransomware with a Snake Keylogger Connection 
  
  
• Lab52
  DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear
  
  
• Securelist
  BeatBanker: A dual‑mode Android Trojan
  
  
• Thomas Roccia at SecurityBreak
  Malware Reverse Engineering is no longer a human problem!
  
  
• Shubho57
  Analysis of an executable leads to Shadowsniff
  
  
• Kirill Boychenko at Socket
  5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files
  
  
• WeLiveSecurity
  • Sednit reloaded: Back in the trenches
  • Cyber fallout from the Iran war: What to have on your radar
    
    
• Sudeep Singh and Yin Hong Chang at ZScaler
  China-nexus Threat Actor Targets Persian Gulf Region With PlugX
  

MISCELLANEOUS

• CyberBoo
  • Microsoft Defender for Office 365 Part 2: Deployment & Configuration Guide
  • Microsoft Defender for Office 365 Part 3: Email Authentication Deep Dive
    
    
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 03/09/26
  
  
• Forensic Focus
  • Emma Pickering, Head Of Technology-Facilitated Abuse And Economic Empowerment, Refuge
  • Forensics Europe Expo Returns To London In July 2026
  • Yuri Gubanov, Founder And CEO, Belkasoft
  • UPCOMING WEBINAR – 2026 Industry Trends: How Digital Forensics Is Redefining Public Safety
  • Digital Forensics Round-Up, March 11 2026
  • Establishing Vehicle Occupant Actions & Involvement Through Vehicle Data
  • Why Event Log Archiving Is Critical For Timeline Reconstruction
  • If You Review Digital Evidence, This 15-Minute Session Is Worth Watching
    
    
• Manuel Feifel at InfoGuard Labs
  Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR
  
  
• Magnet Forensics
  • Announcing the winners of the 2026 Magnet Virtual Summit CTF
  • Now open for registration: AP100 – Axiom Digital Evidence Reporting: A Prosecutor’s Toolkit
  • Magnet Automate: Making backlogs disappear for good 
    
    
• Matt Shannon at F-Response
  Automation Station, Scripting and F-Response
  
  
• MISP
  Have You Ever Thought About Drones in MISP?
  
  
• Salvation DATA
  Admissibility Challenges of Artificial Intelligence Evidence in Criminal Justice
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.210!
  
  
• Steve Whalen at Sumuri
  SUMURI Confirms RECON ITR Compatibility with Newly Released MacBook Neo on Launch Day
  
  
• Bella San Lorenzo at THOR Collective Dispatch
  All Roads Lead to Where You Already Are
  
  
• Victor M. Alvarez at YARA-X
  Enforcing YARA metadata standards
  

SOFTWARE UPDATES

• Alexandre Borges
  Malwoverview 7.1.2
  
  
• Amped
  Authenticate Update 40074: Faster and Updated Deepfake Detection, Improved Geometrical Analysis, New Inspector Panel, and more!
  
  
• Arkime
  v6.0.1
  
  
• Arsenal
  LevelDB Recon v1.0.0.53
  
  
• Didier Stevens
  • Update: emldump.py Version 0.0.16
  • Update: search-for-compression.py 0.0.6
  • Update: pecheck.py Version 0.7.20
  • Update: zipdump.py Version 0.0.34
  • Update: pdf-parser.py Version 0.7.14
  • Update: oledump.py Version 0.0.84
    
    
• Digital Sleuth
  winfor-salt v2026.5.0
  
  
• Google
  Timesketch 20260311
  
  
• MALCAT
  0.9.13 is out: MacOS port, MCP server and dark mode
  
  
• Marco Neumann at ‘Be-binary 4n6’
  • xLEAPP – Helper scripts for pulling/cloning and creation of Windows exe
  • Bubbly now with GUI – New Release 1.2.4
    
    
• MISP
  MISP Workbench `v1.0` (beta) Released
  
  
• North Loop Consulting
  Fetch v5.2
  
  
• OpenCTI
  • 6.9.26
  • 7.260309.0-lts1
    
    
• Security Onion
  Security Onion 2.4.211 Is Now Available and Resolves Several Issues!
  
  
• SigmaHQ
  pySigma v1.2.0
  
  
• The Metadata Perspective
  KMLer: a CSV / XLSX to KML Tool
  
  
• Xways
  • Miscellaneous – NSRL RDS hash sets
  • X-Ways Forensics 21.8 Preview 2
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!