Offline AI—built for DFIR BelkaGPT saves you days of manual review and reporting: – Transcribes audio and video – Describes and classifies pictures – Searches for similar faces – Answers questions about case data – Understands over 100 languages Let AI ease your workload! Grab a 30-day free license of Belkasoft X with BelkaGPT

Sponsored by Belkasoft

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Christian Peter
  Shall I describe it to you …? ALEAPP Live Data Parsing

• Forensafe
  Android Any.do

• Haider at HK_Dig4nsics
  Exploring Apple Intelligence Artifacts in iOS

• Hal Pomeranz at ‘Righteous IT’
  Linux Forensic Scenario

• InfoSec Write-ups
  • [13 Cubed] Trouble at ACME Challenge — Investigating Windows Endpoint
  • FAT CAT (Forensics)— KJSSE CTF 3.0

• Joshua Hickman at ‘The Binary Hick’
  Old Dog, New Tricks – Lost Apples 2.0

• Matthew Plascencia
  MSAB Mobile Forensics Summit CTF 2026 Android CTF Writeup

• North Loop Consulting
  Bloomin’ Biomes – Meet Sedgwick

• Seth Enoka
  ShellBags and User Navigation: What Windows Remembers About Exploration
  
  
• Noam Leipold at Synacktiv
  Kubernetes forensics 1/3 : what the container ?
  

THREAT INTELLIGENCE/HUNTING

• Abdul Mhanni
  ESC8s and Where to Find Them

• Aikido
  • CanisterWorm Gets Teeth: TeamPCP’s Kubernetes Wiper Targets Iran
  • Popular telnyx package compromised on PyPI by TeamPCP

• Arctic Wolf
  The AI Malware Surge: Behavior, Attribution, and Defensive Readiness

• Jon Baker and William Booth at AttackIQ
  What Does MITRE ATT&CK Coverage Really Mean?

• Jade Brown at Bitdefender
  Ransomware Attacks Against the US: 2026 Insights

• Brian Krebs at ‘Krebs on Security’
  ‘CanisterWorm’ Springs Wiper Attack Targeting Iran

• Censys
  Under CTRL: Dissecting a Previously Undocumented Russian .Net Access Framework

• CERT Ukraine
  Кібератака UAC-0255 під виглядом сповіщення від CERT-UA із застосуванням програмного засобу AGEWHEEZE (CERT-UA#21075)

• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 21 – 27 marzo

• Check Point
  • 23rd March – Threat Intelligence Report
  • North America’s Cyber Security Threat Reality in 2026

• Christopher Eng at Ogmini
  Credential Phishing

• Cisco’s Talos
  2025 Talos Year in Review: Speed, scale, and staying power

• CloudSEK
  • p6.arpa Wildcard Abuse: Hunting Phishing Infrastructure Across IPv6 Prefixes
  • Honey for Hackers: A Study of Attacks Targeting the Recent CVE-2026-21962 and Other Critical WebLogic Vulnerabilities on a High Interactive Oracle Honeypot

• Cofense
  • The Unintentional Enabler: How Cloudflare Services are Abused for Credential Theft and Malware Distribution
  • Xiaomi Phishing Attempt – Red Flags You Can’t Afford to Ignore

• Christian Feuchter at Compass Security
  Common Entra ID Security Assessment Findings – Part 1: Foreign Enterprise Applications With Privileged API Permissions

• Confiant
  Tracking Software Weaponized by Criminals

• Mike Dean at Cyberbit
  Understanding and detecting process injection with Sysmon

• Cybersec Sentinel
  TeamPCP Injects Credential Stealer Into Trivy Releases and Spreads to npm via CanisterWorm

• Cyble
  • The Energy Sector’s Ransomware Nightmare: Why Critical Infrastructure Can’t Catch a Break
  • China’s APT41 and the Expanding Enterprise Attack Surface: What Security Teams Must Prepare For

• Andrea Draghetti at D3Lab
  • Falsa email su ChatGPT: nuova campagna di phishing in Italia ruba dati delle carte e codici OTP
  • BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022–2026)

• Darktrace
  Tracking & Detecting GhostSocks Malware

• Nick Frichette, Sebastian Obregoso, Christophe Tafani‑Dereeper, and Emile Spir at Datadog Security Labs
  LiteLLM compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign

• Detect FYI
  • Detecting RegPwn by Behavior, Not Binary
  • Ghost in LSASS: Detecting KslKatz Credential Dumping Framework
  • A Detection Researcher Mindset — DCSYNC T1003.006
  • A Detection Researcher Mindset

• Elliptic
  UK sanctions Xinbi marketplace and entities connected to #8 Park in latest crackdown on illicit cryptoassets

• Esentire
  EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

• Flare
  • Leak Bazaar: Inside the New Criminal Platform Turning Stolen Data Into a Structured Marketplace
  • North Korean IT Worker Employment Fraud: What Security Teams and HR Need to Know
  • Infostealers Doesn’t Discriminate: 10,000 Logs Show Who’s Getting Hit

• Gen
  • Torg Grabber: Anatomy of a New Credential Stealer
  • The Malware with a Secret Identity: How We Unmasked Torg Grabber
  • The Reservation Hijack Scam: How attackers hijack hotel accounts to target guests

• GitGuardian
  • Honeytokens on the Developer Workstation: When Cleanup Takes Time
  • Trivy’s March Supply Chain Attack Shows Where Secret Exposure Hurts Most
  • The Team PCP Snowball Effect: A Quantitative Analysis

• Google Cloud Threat Intelligence
  M-Trends 2026: Data, Insights, and Strategies From the Frontlines

• GreyNoise
  Ghost Fleet: Half of All New Scanning IPs Last Week Geolocated to Hong Kong — Nearly None Completed a Connection

• GreyNoise Labs
  Bucklog’s Machine: Inside a Kubernetes Scanning Fleet

• Group-IB
  • Cloud Phones: The Invisible Threat
  • Esquema de Phishing GTFire: Evitando la detección mediante servicios de Google

• Jim at Grumpy Goose Labs
  Web-Exploitation

• Hudson Rock
  The New Era of Initial Access: How Infostealer Lookup Services are Changing Cybercrime

• Huntress
  • Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure
  • A _declassified Look Inside the Dark Economy of Cybercrime
  • 7 Key Manufacturing Cybersecurity Trends for 2026 | Huntress

• Infoblox
  No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution

• Dzianis Skliar
  Microsoft Power BI API Credential Exposure: From Public Postman Workspace to Data Exfiltration in…

• Intel 471
  CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform

• Intrinsec
  Rewinding the Breach: a CSIRT-CTI-Investigation

• Isaac Dunham
  What Should I Ingest Into My SIEM?

• ITSec
  RagaSerpent (SideWinder-Adjacent) ‘Tax Audit’ Cluster: Multi-Country Targeted Chain (2025–2026)

• Kirtar Oza
  The Geometry of a Hack: The Geometric Weaponisation of Language Models

• Microsoft Security
  • Guidance for detecting, investigating, and defending against the Trivy supply chain compromise
  • How Microsoft Defender protects high-value assets in real-world attack scenarios

• Ilia Kulmin at Morphisec
  Inside Pay2Key: Technical Analysis of a Linux Ransomware Variant 

• Natto Thoughts
  Wargaming a China-Taiwan Conflict and Its Cyber Scenarios

• Jake Scheetz at NetSPI
  LiteLLM Supply Chain Compromise

• Oleg Skulkin at ‘Know Your Adversary’
  383. Hunting for Warlock’s Tactics, Techniques and Procedures

• OpenSourceMalware
  • TeamPCP Defaces Aqua Security’s Internal GitHub Org — 44 Repos Exposed
  • TeamPCP Hijacks LiteLLM’s PyPI Package — Credential Stealer Hits 40k-Star Project
  • TeamPCP Supply Chain Campaign: A March 2026 Retrospective

• OSINT Team
  • DragonForce Ransomware: Exfiltration Cartel Analysis | Privacy Insight Solutions
  • Detection Engineering (Part 1 of 3)
  • Data vs Information vs Intelligence: A CTI Analyst’s Guide to Communicating What Matters
  • Hidden Persistence in Cloud Identity Attacks
  • WMI Event Consumer Persistence: How APT29 Achieves Fileless Persistence (Part 1)
  • RaaS Business Plan: Ransomware Unit Economics 2026

• OX Security
  • LiteLLM Malware: Malicious PyPI Versions Steal Cloud and Crypto Credentials
  • Telnyx Malware: TeamPCP Strikes Again Following LiteLLM Compromise

• Palo Alto Networks
  • Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team
  • Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

• Picus Security
  • T1547.002 Authentication Package in MITRE ATT&CK Explained
  • Cyber Kill Chain Explained
  • T1547.003 Time Providers in MITRE ATT&CK Explained
  • Dark Web Shopping Center Explained
  • T1547.004 Winlogon Helper in MITRE ATT&CK Explained
  • What Are Living Off the Land (LOTL) Attacks?
  • T1547.006 Kernel Modules and Extensions in MITRE ATT&CK Explained
  • What Is a Watering Hole Attack?
  • T1547.007 Re-opened Applications in MITRE ATT&CK Explained
  • T1547.009 Shortcut Modification in MITRE ATT&CK Explained
  • T1547.008 LSASS Driver in MITRE ATT&CK Explained
  • T1547.010 Port Monitors in MITRE ATT&CK Explained
  • T1547.012 Print Processors in MITRE ATT&CK Explained

• Pulsedive
  The Operations of the Swarm: Inside the Complex World of Mirai-Based Botnets

• Dan Green at Push Security
  Business TikTok accounts targeted with AITM phishing kits

• Rapid7
  BPFdoor in Telecom Networks: Sleeper Cells in the Backbone

• Raymond Roethof
  Microsoft Entra Agent ID: A Practical Guide to Blueprints and Agent Identities

• Recorded Future
  ClickFix Campaigns Targeting Windows and macOS

• Red Canary
  Scarlet Goldfinch’s year in ClickFix

• Resecurity
  Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East

• Robin Dost at Synaptic Systems
  Following Gamaredons Infrastructure Rotations using Kraken

• SANS Internet Storm Center
  • Tool updates: lots of security and logic fixes, (Mon, Mar 23rd)
  • SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)
  • Detecting IP KVMs, (Tue, Mar 24th)
  • TeamPCP Supply Chain Campaign: Update 001 – Checkmarx Scope Wider Than Reported, CISA KEV Entry, and Detection Tools Available, (Thu, Mar 26th)
  • TeamPCP Supply Chain Campaign: Update 002 – Telnyx PyPI Compromise, Vect Ransomware Mass Affiliate Program, and First Named Victim Claim, (Fri, Mar 27th)
  • TeamPCP Supply Chain Campaign: Update 003 – Operational Tempo Shift as Campaign Enters Monetization Phase With No New Compromises in 48 Hours, (Sat, Mar 28th)

• Sansec
  Novel WebRTC skimmer bypasses security controls at $100+ billion car maker

• Securelist
  Anatomy of a Cyber World Global Report 2026

• Pierre Le Bourhis and Coline Chavane at Sekoia
  Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware

• Matin Tadvi at Seqrite
  Weaponizing Legitimate Low-Level Tools: How Ransomware Evades Antivirus Protections

• Socket
  • Trivy Supply Chain Attack Expands to Compromised Docker Images
  • 5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys
  • TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem
  • Widespread GitHub Campaign Uses Fake VS Code Security Alerts to Deliver Malware
  • TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware
  • TeamPCP Partners With Ransomware Group Vect to Target Open Source Supply Chains

• Sophos
  NICKEL ALLEY strategy: Fake it ‘til you make it

• Step Security
  • CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem
  • Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags
  • litellm: Credential Stealer Hidden in PyPI Wheel
  • TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package
  • Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor

• Sygnia
  • Lessons from the Stryker Incident
  • One Commit Away from Theft: When Supply Chain Attacks Hit the Crypto Ecosystem
  • TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions

• Manish Rawat at System Weakness
  Hunting APT29 in 196,071 Logs: What I Found in EventID 1

• Team Cymru
  Industrial Cybersecurity Risks from Internet-Exposed ICS Devices

• Maulik Maheta and Henry Bernabe at Trellix
  The Ghost SPN Attack: Catching Stealthy Kerberoasting Before It’s Too Late Using Trellix NDR

• Trend Micro
  • Old Vulnerabilities, New AI Era, Amplified Risk: How Outdated Flaws Continue to Fuel the N-Day Exploit Market
  • Unconventional Attack Surfaces: Identity Replication via Employee Digital Twins
  • Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities
  • Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise

• Carlos Perez at TrustedSec
  Building a Detection Foundation: Part 4 – Sysmon

• Lucie Cardiet at Vectra AI
  Detecting Sliver C2: When Advanced Beaconing Tries to Hide in Plain Sight by Lucie Cardiet

• VMRay
  Malware & Phishing Threat Landscape Report – 2025/2

•  Aliz Hammond and McCaulay Hudson at watchTowr Labs
  The Sequels Are Never As Good, But We’re Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread)

• Dominik Breitenbacher and Takahiro Sajima at WeLiveSecurity
  A cunning predator: How Silver Fox preys on Japanese firms this tax season

• Wiz
  • KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack
  • Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign

• Блог Solar 4RAYS
  Техника Dead Drop Resolver в Spotify и Chess
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-03-30

• Cellebrite
  • Episode 4: The Network
  • Episode 3: The Digital Trail
  • Episode 2: The Insider
  • Episode 1: The First Red Flag

• Magnet Forensics
  • Bridging the air gap: Accelerating mobile forensics in secure, offline labs
  • Legal Unpacked S1:E6 // AI on trial: Understanding AI for lawyers

• SANS
  Stay Ahead of Ransomware – Initial Access via Evolving Social Engineering
  

PRESENTATIONS/PODCASTS

• Hexordia
  The Artifact and the Assumption: Decoding Digital Forensics Bias

• Cellebrite
  Tip Tuesday: PASX and PASR Files

• Cisco’s Talos
  Beers with Talos breaks down the 2025 Talos Year in Review

• Cloud Security Podcast by Google
  EP268 Weaponizing the Administrative Fabric: Cloud Identity and SaaS Compromise in M Trends 2026

• CQURE Academy
  CQURE Hacks #76: Evading EDR Using Signed Driver

• Dr Josh Stroschein
  01 – Basic Analysis of the Sample

• FBI
  • Ahead of the Threat Podcast: Season 2, Episode 3 — Amy Herzog
  • Ahead of the Threat Podcast: Season 2, Episode 4 — Sherrod DeGrippo

• InfoSec_Bret
  • Challenge – AS-REP Challenge
  • Tunnel Vision Talk

• Adam Goss at Kraven Security
  Data vs Information vs Intelligence: A CTI Analyst’s Guide to Communicating What Matters

• Magnet Forensics
  Mobile Unpacked S4:E3 // Deducing the duplications: Understanding duplicated data in file systems

• Microsoft Threat Intelligence Podcast
  Winter SHIELD: Closing the Security Control Gap

• Monolith Forensics
  • Audit Reports in Monolith Forensics
  • Using Webhooks & Monolith’s API to Automate Processes in Your Lab

• MSAB
  • #MSABMonday – CTF Q&A Part 1 | Using XAMN to Solve Challenges
  • Forensic Fix Episode 26

• MyDFIR
  Is the CyberDefenders CCDL1 Worth It? Honest Review for Aspiring SOC Analysts

• Off By One Security
  • AI is Changing Cybersecurity and IT What Many People (and Students) Are Missing
  • Thoughts on AI Security from the RSA Conference

• Parsing The Truth: One Byte at a Time Podcast
  S1 E45: Karen Read 1-4: Ian Whiffin P1

• Proofpoint
  Regional Threats, Global Impact: A TA2725 Case Study

• Sandfly Security
  Linux Password Hash Risks and Security Overview

• SANS Cloud Security
  When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Attack

• Team Cymru
  • Operation Ghost Mail, Starlink Evasion, and the Stoat Waffle Threat
  • You Can’t Trust Your Zoom Call Anymore. Deepfakes, DPRK & the New Attack Surface

• The Cyber Mentor
  Project Helix Walkthrough: Blue Team CTF

• The Defender’s Advantage Podcast
  Using GTI to Hunt Adversaries on the Dark Web

• Three Buddy Problem
  Google’s Cyber Disruption Unit; Coruna is Triangulation, US Bans Foreign-Made Routers
  

MALWARE

• Any.Run
  • Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide 
  • Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud 

• ASEC
  Green Blood v2.0 ransomware analysis with decryption

• Elastic Security Labs
  • Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework
  • Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER

• G Data Software
  When Malware Talks Back: Real-Time Interaction with a Threat Actor During the Analysis of Kiss Loader

• InfoSec Write-ups
  Shellcode Analysis: Egg Hunters, Encoders, and Polymorphism

• Malwarebytes
  • Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
  • GlassWorm attack installs fake browser extension for surveillance

• Securelist
  • Coruna: the framework used in Operation Triangulation
  • An AI gateway designed to steal your data
    

MISCELLANEOUS

• Belkasoft
  Tips to Optimize DFIR Analysis Time in Belkasoft X

• Cellebrite
  • How Real-Time Evidence Sharing Helped the Orange County Sheriff’s Office Solve a Florida Homicide 
  • From Digital Investigations to Business Resilience: Key Private Sector Trends for 2026

• CyberBoo
  Microsoft Defender for Office 365 Part 4: Anti-Spam & Anti-Malware

• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 03/23/26

• diyinfosec
  Entra — Finding App Name using deviceauth Endpoint

• Elastic Security Labs
  Security Automation with Elastic Workflows: From Alert to Response

• Oleg Afonin at Elcomsoft
  • Distributed Password Recovery Goes 64-bit: Ready for RTX 5090
  • Arrested by AI

• Forensic Focus
  • Beyond Keywords: AI Classification For Forensic Email Review
  • Digital Forensics Round-Up, March 25 2026
  • England Police Rugby Set For Argentina And Uruguay Tour With Detego Global As Main Sponsor
  • AI Email Classification Achieves 97.9% Accuracy—With No Training Phase Required

• Jeffrey Appel
  Defending with Microsoft: A Deep Dive into the Microsoft Defender Suite – Blog series intro

• LockBoxx
  Book Review: “Adverserial AI Attacks, Mitigations, and Defense Strategies”

• Magnet Forensics
  • Tool proliferation in DFIR: Why our toolkits keep growing (and what that really means)
  • Bridging the air gap: Strengthening mobile workflows with Graykey Fastrak and Axiom Express Extraction

• Oxygen Forensics
  Oxygen Remote Explorer vs. Oxygen Forensic® Detective: Choosing the right digital investigation platform for private and public sector organizations

• Patrick Wardle at Objective-See
  Building a Firewall …via Endpoint Security!?

• Richard Bejtlich at TaoSecurity
  Mandiant Global Median Dwell Time Deteriorates from 11 to 14 Days

• Rob T. Lee
  Why 47? The Math Behind “AI Attacks 47x Faster Than Humans”

• Travis Green
  The Port Scoping Paradox: When Optimization Makes Things Slower
  

SOFTWARE UPDATES

• Sergiy Pasyuta at Atola
  25G Fiber extension + TaskForce 2026.2 update
  
  
• Amped
  Amped Replay Update 40205: Magnify and Spotlight Improvements, Bookmarks Updates and More!
  
  
• Apache
  23 March 2026: Apache Tika Release
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.23.2 – March 27, 2026
  
  
• Falconpy
  Version 1.6.1
  
  
• Elcomsoft
  Elcomsoft Distributed Password Recovery goes 64-bit, adds NVIDIA Blackwell support
  
  
• Ghassan Elsman
  Crow-Eye v0.8.0
  
  
• Google
  Timesketch 20260326
  
  
• Joe T. Sylve, Ph.D.
  Announcing ida-mcp 2.0: A Headless MCP Server for IDA Pro
  
  
• MSAB
  Q1 2026 Major Release is now available
  
  
• OpenCTI
  7.260326.0
  
  
• Sandfly Security
  Sandfly 5.7 – Performance Upgrade
  
  
• Serviço de Perícias em Informática
  IPED 4.3.1
  
  
• Sumuri
  RECON ITR Version 26.0.0
  
  
• Thiago Canozzo Lahr
  uac-3.3.0-rc1
  
  
• Xways
  X-Ways Forensics 21.8 Preview 5

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!