Forensic Analysis

• Forensafe
  iOS MeWe

• Manuel Guerra at Glider
  Análisis Forense de un Spoofing tipo Vishing. Parte 2

• Debbie Garner at Hexordia
  Digital Forensics On-Scene Triage: A Best Practice Discussion

• Matthew Plascencia
  MSAB Mobile Forensics Summit 2026 iOS CTF Writeup

• System Weakness
  Digital Forensics-[Ali Hadi — Web Server Case #3]

• Mike Cohen at Rapid7
  Velociraptor CLI

Threat hunting/threat intelligence

• Madeline Lawrence at Aikido
  axios compromised on npm: maintainer account hijacked, RAT deployed

• Akamai
  The Telnyx PyPI Compromise and the 2026 TeamPCP Supply Chain Attacks

• Any.Run
  Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More 

• ASEC

  • A malicious LNK that spreads a Python-based backdoor and how it’s spreading (Kimsuky group)
  • Ransom & Dark Web Issues Week 1, April 2026
  • BreachForums analyzes data breach incident (“Doomsday The Story of James”)

• BlackFog

  • Venom Stealer Turns ClickFix Into a Full Exfiltration Pipeline
  • The State of Ransomware: March 2026

• Censys

  • ICS & Iran, Part 2: Revisiting Exposure of Previously Targeted Devices
  • BrewJack: Censys Researchers Uncover First Malware Campaign Targeting IP over Avian Carriers
  • Cutting Through the Noise: A Technique-Based Approach to Hunting Web-Delivered Malware

• CERT-AGID

  • L’esposizione dell’app-server Codex senza autenticazione può consentire esecuzione remota di comandi
  • Sintesi riepilogativa delle campagne malevole nella settimana del 28 marzo – 3 aprile
  • Rilasciati su Telegram oltre 500 MB di documenti d’identità italiani rubati

• Certitude
  Abusing Modern Browser Features for Phishing

• Check Point

  • 30th March – Threat Intelligence Report
  • ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime
  • Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
  • Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East

• Cisco’s Talos

  • Ransomware in 2025: Blending in is the strategy
  • UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications
  • Qilin EDR killer infection chain
  • Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders
  • An overview of ransomware threats in Japan in 2025 and early detection insights from Qilin cases
  • The democratisation of business email compromise fraud
  • Do not get high(jacked) off your own supply (chain)
  • Axios NPM supply chain incident

• CloudSEK
  The Scanner Was the Weapon: 36 Months of Precision Supply Chain Attacks Against DevSecOps Infrastructure

• Enrico Silverio at Cofense
  One Click Away: Inside a LinkedIn Phishing Attack

• Christian Feuchter at Compass Security
  Common Entra ID Security Assessment Findings – Part 2: Privileged Unprotected Groups

• CrowdStrike

  • Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse
  • STARDUST CHOLLIMA Likely Compromises Axios npm Package

• CTF导航
  当电网遭遇APT：我们用"智能数字沙盘"推演了一场没有硝烟的战争（上）

• Ctrl-Alt-Intel

  • Inside the UPMI Phishing-as-a-Service Platform
  • The BuddyBoss Attack: Claude’s Supply-Chain Attack
  • The BuddyBoss Attack: Full Incident Analysis

• Cybersec Sentinel
  Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack

• Cyble

  • Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer in Global Infostealer Campaign
  • Hybrid Warfare 2026: When Cyber Operations and Kinetic Attacks Converge

• Cyfirma
  Weekly Intelligence Report – 03 April 2026

• Daniel Wyleczuk-Stern

  • Container Escape Telemetry, Part 1: Isolation Primitives and the eBPF Observability Model
  • Container Escape Telemetry, Part 2: Methodology and Tool Architecture
  • Container Escape Telemetry, Part 3: What Each Tool Actually Captured
  • Container Escape Telemetry, Part 4: Volume, Signal-to-Noise, and Choosing a Tool
  • Container Escape Telemetry, Part 5: Tuning eBPF Tools From Defaults to Detection
  • Container Escape Telemetry, Part 6: TeamPCP and What the Lab Predicted
  • Container Escape Telemetry: Series Overview

• Christophe Tafani-Dereeper at Datadog Security Labs
  Compromised axios npm package delivers cross-platform RAT

• Sebastian Degner at DCSO CyTec
  From Axios NPM Supply Chain Attack to Tracking DPRK’s BlueNoroff

• Detect FYI
  Threats based on Clipboards actions (+ KQL Query)

• Dr. Web

  • Doctor Web’s Q1 2026 review of virus activity on mobile devices
  • Doctor Web’s Q1 2026 virus activity review

• Elastic Security Labs

  • Inside the Axios supply chain compromise – one RAT to rule them all
  • Fake Installers to Monero: A Multi-Tool Mining Operation
  • Elastic releases detections for the Axios supply chain compromise
  • Hooked on Linux: Rootkit Detection Engineering
  • How we caught the Axios supply chain attack
  • Elastic Security Integrations Roundup: Q1 2026

• Elliptic
  Drift Protocol exploited for $286 million in suspected DPRK-linked attack

• Esentire
  Tycoon 2FA Infrastructure Update: Threat Actors Adapt Following Global Coalition Takedown

• Flare
  Code Names, Fake Personas, and Iranian Recruits: New Details from Inside the NKITW Operation

• Flashpoint
  The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

• Adolf Středa and Vladimír Žalud at Gen
  Why Join the Navy if You Can Be a Pirate?

• Google Cloud Threat Intelligence

  • North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
  • vSphere and BRICKSTORM Malware: A Defender’s Guide

• GreyNoise
  The Invisible Army: Why IP Reputation Fails Against the Rotation Economy

• Group-IB

  • Phantom Stealer: Credential Theft as a Service
  • Hooking the Archipelago: Dissecting a Phishing Campaign Targeting Philippine Banking Users

• Hunt IO

  • 33K Exposed LiteLLM Deployments and the C2 Servers Behind TeamPCP’s Supply Chain Attack
  • TheGentlemen Ransomware Exposed on Russian Proton66 Server: Complete Toolkit, Victim Credentials, and Ngrok Tokens

• Hunt IO
  Breaking Down the Axios Attack: Obfuscated Dropper, Cross-Platform RATs, and the TA444/BlueNoroff Connection

• InfoSec Write-ups
  The Invisible Threat: Detecting Early-Stage Phishing & Scam Campaigns

• Intel 471

  • TeamPCP Supply Chain Attacks
  • Turning Geopolitical Tension into Actionable Intelligence

• Invictus Incident Response
  Axios Supply Chain Attack: Analysis & Incident Response

• JPCERT/CC
  TSUBAME Report Overflow (Jul-Sep 2025)

• Malwarebytes
  Axios supply chain attack chops away at npm trust

• Microsoft Security

  • WhatsApp malware campaign delivers VBScript and MSI backdoors
  • Mitigating the Axios npm supply chain compromise
  • Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments
  • Threat actor abuse of AI accelerates from tool to cyberattack surface

• Idan Cohen and Yael Ben Yair at Mitiga
  007: License to SKILL P.2 – Slack Compromise Through Claude Code

• Allison Henao and Alice Koeninger at MITRE ATT&CK
  Defense Evasion Split: A Tale of Two Tactics

• Alice Koeninger at MITRE Engage™
  Where the Wild Things Are: How to Become the King of AI Agents by Embracing the Chaos

• Nextron Systems
  The AIX Blind Spot – Getting Visibility Where EDR Can’t Run

• Thomas Papaloukas at NVISO Labs
  The Axios npm supply chain incident: fake dependency, real backdoor

• Oleg Skulkin at ‘Know Your Adversary’

  • 384. Adversaries Abuse Spotify and Chess.com
  • 385. Threat Actors Abuse iSCSI Initiator Control Panel to Bypass UAC

• OpenSourceMalware

  • Has TeamPCP Pivoted To Using The PureHVNC RAT?
  • One of the most popular JavaScript packages on earth Axios has been compromised
  • TasksJacker: Latest DPRK Attack Skips the Fake Interview and Goes Straight to Compromising GitHub Users
  • The Social Engineering Playbook Attackers Use to Target OSS Maintainers

• OSINT Team
  Hunting APT29 Part 2: I Searched One ProcessID. 1,129 Events Came Back.

• OX Security

  • TeamPCP’s Telnyx Windows Malware: Technical Analysis
  • Axios Compromised With A Malicious Dependency

• Palo Alto Networks
  Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure

• Picus Security

  • Axios npm Supply Chain Attack: Cross-Platform RAT Delivery via Compromised Maintainer Credentials
  • T1547.013 XDG Autostart Entries in MITRE ATT&CK Explained
  • T1547.014 Active Setup in MITRE ATT&CK Explained
  • What Is Data Exfiltration?
  • T1547.015 Login Items in MITRE ATT&CK Explained

• Proofpoint

  • Security brief: tax scams aim to steal funds from taxpayers
  • I’d come running back to EU again: TA416 resumes European government espionage campaigns

• Luke Jennings at Push Security
  Analysing the rise in device code phishing attacks in 2026

• Rapid7

  • Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing
  • New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay

• Recorded Future
  Latin America and the Caribbean Cybercrime Landscape

• Thassanai McCabe and Andrew Currie at ReliaQuest
  DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion

• Toni Dujmović at ReversingLabs
  ClickFix: YARA Rules Catch What AV Misses

• SANS Internet Storm Center

  • DShield (Cowrie) Honeypot Stats and When Sessions Disconnect, (Mon, Mar 30th)
  • Application Control Bypass for Data Exfiltration, (Tue, Mar 31st)
  • TeamPCP Supply Chain Campaign: Update 004 – Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released, (Mon, Mar 30th)
  • Malicious Script That Gets Rid of ADS, (Wed, Apr 1st)
  • TeamPCP Supply Chain Campaign: Update 005 – First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows, (Wed, Apr 1st)
  • Attempts to Exploit Exposed “Vite” Installs (CVE-2025-30208), (Thu, Apr 2nd)
  • TeamPCP Supply Chain Campaign: Update 006 – CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments, (Fri, Apr 3rd)

• Sansec
  Mass PolyShell attack wave hits 471 stores in one hour

• Sekoia
  New widespread EvilTokens kit: device code phishing as-a-service – Part 1

• Seqrite

  • Homoglyph Attacks: How Lookalike Characters Are Exploited for Cyber Deception
  • Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity

• Simone Kraus
  How Russia’s Dual-Use Cyber Infrastructure Fuels a Destructive Shadow War

• Snyk

  • Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT
  • How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM

• Socket

  • Supply Chain Attack on Axios Pulls Malicious Dependency from npm
  • The Hidden Blast Radius of the Axios Compromise
  • Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

• Sophos

  • Incident responders, s’il vous plait: Invites lead to odd malware events
  • Axios npm package compromised to deploy malware

• Squiblydoo
  The CertGraveyard

• SuspectFile
  Nova Ransomware: between propaganda, threats, and contradictions – what emerges from direct interaction with the group

• Team Cymru

  • StrangerStrings: Yurei Ransomware Operator Toolkit Exposed
  • Cyber Security Intelligence: Analysis of Edge Devices Amid Growing Vulnerabilities

• The Hunter’s Ledger

  • Open Directory at 193.56.255.154 — XiebroC2 v3.1 Go Implant and Covenant C2 Toolkit
  • Shadow RAT & XWorm Open Directory Campaign

• The Raven File
  Inside TeamPCP’s Shell Arsenal

• Third Eye intelligence
  ThirdEye Intelligence: The Blacklist – Global Connectivity Solutions LLP

• Lauren Proehl at THOR Collective Dispatch
  Vibe Coding The Holidays Away

• ThreatMon
  Ransomware Isn’t Slowing Down It’s Changing Shape

• Trend Micro

  • From Anarchy to Authority: Closing the Governance Gap in Agentic AI
  • Guarding LLMs With a Layered Prompt Injection Representation
  • Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads

• Daniel Kelley at Varonis
  A Quiet “Storm”: Infostealer Hijacks Sessions, Decrypts Server-Side

• Wiz

  • Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild
  • Axios NPM Distribution Compromised in Supply Chain Attack
  • Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign

• Chris Kelvin at Блог Solar 4RAYS
  Распаковываем Smart Install Maker статически

Upcoming events/webinars

• Magnet Forensics

  • Magnet One Case Stream: Accelerating digital investigations through connected workflows
  • Getting the right amount of mobile data required for corporate investigations

• Monolith Forensics
  Monolith Mondays

• Rob Lee
  Registration is OPEN: Find Evil! Hackathon for autonomous AI incident response

• Silent Push
  Webinar — Shedding Light on The Dark Corners of Bulletproof Hosters

Presentations/podcasts

• ADF Solutions
  What’s New? ADF v6.3.0 Features: May 2026

• Black Hat
  Black Hat USA 2025 | Uncovering and Responding to the tj-actions Supply Chain Breach

• Cellebrite
  Tip Tuesday: Validating Data in Reader

• Cisco’s Talos
  [Video] The TTP Ep 21: When Attackers Become Trusted Users

• Cloud Security Podcast by Google
  EP269 Reflections on RSA 2026 – Beyond AI AI AI AI AI AI AI

• Dr Josh Stroschein

  • 02 – Identifying Signs of Runtime-Linking using CAPA and IDA Pro
  • LIVE – Workflow Optimizations in IDA Pro with @allthingsida (Elias Bachaalany)

• InfoSec_Bret
  IR – SOC291 – System Time Lookup Detected

• John Hammond

  • HUGE npm axios supply chain attack
  • 🚨 NPM axios Supply Chain Attack 🚨
  • The Payload Podcast #005 – AI with Shane Caldwell

• Magnet Forensics

  • Bridging the air gap: Accelerating mobile forensics in secure, offline labs
  • Legal Unpacked S1:E6 // AI on trial: Understanding AI for lawyers

• MSAB
  #MSABMonday – CTF Q&A Part 2 | Deep Dive into Evidence Analysis with XAMN

• MyDFIR
  SOC Investigation Request: How Far Can You Go?

• Nextron Systems
  The AIX Blind Spot – THOR Running on AIX 7.3 (POWER9)

• Off By One Security
  Reversing and Binja: What’s New; What’s Next! …with Jordan Wiens

• Parsing the Truth: One Byte at a Time
  Karen Read 1-5; Ian Whiffin Testimony P2

• Permiso Security
  Episode 8 – Introducing SandyClaw: Dynamic Analysis for Malicious Skills and Prompts

• SANS
  2026 SANS Cyber Threat Intelligence Summit

• Team Cymru
  Pipeline Peril, Citrix Bleed 3.0, and the Hacktivist Playbook

• The Cyber Mentor
  Getting Started With The Windows Registry

• THE Security Insights Show
  The “AI” Security Insights Show Episode 288 – The Recap Edition. OOOO…Anthropic made a BooBoo! We got to meet the security legends, Clive Watson and Craig Fretwell!

• Three Buddy Problem
  LLMs writing exploits, engineers losing skills, and a case for the generative OS

Malware analysis

• Artem Baranov
  Introducing the Rootkit Techniques Matrix and updates to the Guide

• CERT Polska

  • Analysis of FvncBot campaign
  • Analysis of cifrat: could this be an evolution of a mobile RAT?

• Mike at Cyber and Ramen
  OtterCookie Expands Targeting to AI Coding Tools: Analysis of a Trojanized npm Campaign

• Cara Lin at Fortinet
  DPRK-Related Campaigns with LNK and GitHub C2

• K7 Labs
  Resoker: A Telegram Based Remote Access Trojan

• Ahmad Zubair Zahid at McAfee Labs
  Operation NoVoice: Rootkit Tells No Tales

• Securelist
  A laughing RAT: CrystalX combines spyware, stealer, and prankware features

• Shubho57
  Analysis of LIUSHEN Ransomware (Python File)

• Splunk
  The Certificate Decoding Illusion: How Blank Grabber Stealer Hides Its Loader

• John Rainier Navato at Trend Micro
  TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

• Zhassulan Zhussupov

  • MacOS malware persistence 7: Re-opened applications. Simple C example
  • MacOS hacking part 13: sysinfo stealer via VirusTotal API. Simple C example
  • MacOS malware persistence 8: periodic scripts. Simple C example

• ZScaler
  Latest Xloader Obfuscation Methods and Network Protocol

• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”

  • Killada
  • Exitium

Miscellaneous

• Brett Shavers

  • Stop Building Shrines to Your Own Bias
  • AI Won’t Replace DFIR Investigators. But It Will Replace Those Who Don’t Investigate.

• Cellebrite
  A Forensic Focus Review of Cellebrite Endpoint Inspector

• Coalition, Inc
  The Great Ransomware Refusal

• Craig Ball at ‘Ball in your Court’
  A Dog and Its Tail: Don’t Let Version Uncertainty Cloud Linked Attachment Production

• CyberBoo
  Microsoft Defender for Office 365 Part 5: Anti-Phishing & Impersonation Protection

• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 03/30/26

• Elcomsoft

  • The Geography of Coercion: a Study of Compelled Decryption Laws
  • Digital Rights vs. State Power – The Protectors
  • Compelled Decryption: The East Asian Region

• Forensic Focus

  • Belkasoft X Streamlines Investigations With AI-Powered Picture Analysis
  • Mastering Triage: Intro To ADF Pro
  • Digital Forensics Jobs Round-Up, March 30 2026
  • Up To 50 GB/s: TaskForce Imagers Receive Fiber Network Extension
  • Cellebrite Changes The Investigative Game With The Launch Of Genesis, The Groundbreaking Agentic AI Solution For Making Our World Safer
  • Digital Forensics Round-Up, April 01 2026
  • Cellebrite Launches Guardian Investigate, The AI-Powered Nerve Center That Revolutionizes How Investigative Teams Close Cases
  • Learn From The Experts At Amped Connect US 2026
  • Forensic Focus Digest, April 03 2026

• Michelle Duell
  Demystifying GIAC Exam Prep: Where to Start

• Shatakshi Khadke at Paraben Corporation
  If Digital Evidence Could Lie: How Machines Create False Truths

• Patrick Wardle at Objective-See
  No Paste for You!

• Aditya Vats at Permiso
  Introducing SandyClaw – The First Dynamic Sandbox for AI Agent Skills and Prompts

• Pulsedive
  Update: Introducing Pulsedive Docs

• RexorVc0
  The Art of Threat Hunting

• Security Onion
  6 month EOL notice for Security Onion 2.4

• Raymond Chen at The Old New Thing
  A question about the maximimum number of values in a registry key raises questions about the question

• Kurt Muhl at TrustedSec
  Reduce Repetition and Free up Time With Mobile File Extractor

• ZephrSec
  Jenny was a Friend of Mine – MCPs and Friends

Software releases/updates

• Amped
  Amped DVRConv and Engine Update 40286

• Arsenal Consulting
  Arsenal Image Mounter v3.12.344

• Canadian Centre for Cyber Security
  Assemblyline v4.7.2.stable4

• Cellebrite

  • Cellebrite Spring Release: New Industry-Leading Device Access and Multi-Cloud Expansion
  • Scaling Automotive Software Testing Beyond Physical Hardware

• Costas K
  LNK & Jumplist Browser

• Digital Sleuth
  winfor-salt v2026.5.5

• Flip Forensics
  AI Forensic Triage (AIFT) V1.4.1 – QoL improvements coming with Linux analysis

• Mandiant
  Capa v9.4.0

• Metaspike
  Forensic Email Intelligence v2.3.760

• OpenCTI
  7.260401.0

• Paraben Corporation
  Paraben Corporation Unveils E3 Platform Dilithium Version 4.5 with Major Speed and Accuracy Enhancements

• Passware
  Passware Kit 2026 v2 Now Available

• Phil Harvey
  ExifTool 13.54

• Security Onion
  Security Onion 3.0.0 Now Available with New and Improved Interface and Much More!

• Tsurugi Linux
  4 April 2026 (release 26.03)

• Xways
  X-Ways Forensics 21.8 Preview 6