Forensic Analysis

• Hal Pomeranz at ‘Righteous IT’
  jq For Forensics

• Elizabeth McPherson at Hexordia
  The Android Googlfication Spectrum

• Kenneth G. Hartman at Lucid Truth Technologies
  How to Authenticate Social Media Evidence: Screenshots Are Not Enough

• Mohit Dhabuwala
  The $MFT — the one artifact I check first on every Windows investigation

• North Loop Consulting
  Enjoy the Bounty – Proactive Harvesting in Apple Biomes

Threat hunting/threat intelligence

• Abnormal Security

  • Meet VENOM: The PhaaS Platform That Neutralizes MFA
  • EvilTokens: Turning OAuth Device Codes into Full-Scale BEC Operations

• Ilyas Makari at Aikido
  GlassWorm goes native: New Zig dropper infects every IDE on your machine

• ASEC

  • Q1 2026 Attack Technique Trends Report
  • LOLBins – Analyzing attack techniques with MSBuild
  • March 2026 Infostealer Trend Report
  • Q1 2026 Vulnerability Trends Report

• Ayelen Torello at AttackIQ
  Emulating the Concealed Sinobi Ransomware

• Axel Z at Victory Road
  Threat Actors are playing the META

• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | April 2026

• Blackpoint Cyber
  Defending What Attackers Already Trust: 2026 Annual Threat Report

• BleepingComputer

  • German authorities identify REvil and GandCrab ransomware bosses
  • Webinar: From noise to signal – What threat actors are targeting next

• Brad Duncan at Malware Traffic Analysis
  2026-04-06: SmartApeSG activity

• Brian Krebs at ‘Krebs on Security’

  • Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
  • Russia Hacked Routers to Steal Microsoft Office Tokens

• Daniel Whitcombe, Alex Jones, Joshua Penny, and Nathan Richards at Bridewell
  Intelligence Insights: March 2026

• Censys
  Iranian-Affiliated APT Targeting of Rockwell/Allen-Bradley PLCs

• CERT EU
  Threat Landscape Report 2025: A Year in Review

• CERT-AGID

  • Phishing su Microsoft via device code flow. Automazione e AI ne amplificano la diffusione. Impatto sulla PA italiana
  • Agenzia delle Entrate – campagna di phishing mirata alle Pubbliche Amministrazioni
  • Sintesi riepilogativa delle campagne malevole nella settimana del 4 – 10 aprile

• Check Point

  • 6th April – Threat Intelligence Report
  • March 2026 Cyber Threat Landscape Shows No Relief as Ransomware Rebounds and GenAI Risks Intensify

• Cisco’s Talos

  • The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines
  • Year in Review: Vulnerabilities old and new and something React2
  • New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
  • From the field to the report and back again: How incident responders can use the Year in Review
  • The threat hunter’s gambit

• Alberto Giust, Alessandro Strino, and Federico Valentini at Cleafy
  Mirax: a new Android RAT turning infected devices into potential residential proxy nodes

• CloudSEK

  • Large Scale Traffic Brokerage Campaign using Fake Lures targeting Global Brands Across Multiple Regions
  • Kitten Had the Map all Along : RAISING GCC TENSIONS & THE PRE-POSITIONING MAP

• Cofense

  • Weaponizing Fear: Iran Conflict-Themed Phishing Uses Fake Emergency Alerts
  • The Growing Abuse of GitHub and GitLab in Phishing Campaigns
  • From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud

• Christian Feuchter at Compass Security
  Common Entra ID Security Assessment Findings – Part 3: Weak Privileged Identity Management Configuration

• Ctrl-Alt-Intel
  Supply-Chain Attacks, TP-Link devices & a pair of socks

• Cybersec Sentinel
  BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product

• Cyfirma
  Weekly Intelligence Report – 10 April 2026

• Disconinja
  Weekly Threat Infrastructure Investigation(Week15)

• FalconFeeds
  From Shadows to Sanctions: Unmasking 35 Iranian Cyber Operatives Driving State-Sponsored Warfare

• Flare

  • 22 Illicit Cybercrime Sources to Monitor in 2026
  • State of the Dark Web in 2026: Russian-Speaking Cybercrime Ecosystem, Continued Threat of Infostealer Malware & Telegram
  • 4 Threat Intelligence Feeds for Security Teams in 2026

• Gambit Security
  The AI-Assisted Breach of Mexico’s Government Infrastructure

• Gaetan Ferry at GitGuardian
  Renovate & Dependabot: The new Malware Delivery System

• GreyNoise

  • Introducing C2 Detection: Know When Your Edge Devices Are Calling Home to Attackers
  • Just 21 IP Addresses Are Now Behind Nearly Half of All RDP Scanning on the Internet

• Anastasia Tikhonova at Group-IB
  Cyber Saga: In the Footsteps of the DPRK IT Workers

• Grumpy Goose Labs
  Threat Detection Engineering: Precision & Recall

• Hunt IO
  Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan

• Huntress

  • Decoding NightSpire: Ransomware IOCs Aren’t Set in Stone
  • That “Friendly” Prompt is ClickFix
  • Supply Chain Compromise of axios npm Package
  • The Three-Finger Test
  • OpenClaw, Rogue Agents, and Application Hygiene

• IC3
  Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

• Infoblox

  • Scams, Slaves and (Malware-as-a) Service: Tracking a Trojan to Cambodia’s Scam Centers
  • Hiding in Plain Sight: Abusing Composite Domain Names

• Bert-Jan Pals at KQL Query
  Unlock Different Security Perspectives with Kusto Graph Functions

• LayerX

  • Vibe Hacking: Claude Code Can Be Turned Into A Nation-State-Level Attack Tool With No Coding At All
  • The AI Tool in Your Browser Is Probably the Biggest Security Risk You’re Not Thinking About

• Lookout Threat Lab
  Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linke | Threat Intel

• Microsoft Security

  • Inside an AI‑enabled device code phishing campaign
  • Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
  • SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
  • Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
  • The agentic SOC—Rethinking SecOps for the next decade
  • Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees
  • Inside an AI‑enabled device code phishing campaign

• Maretta Morovitz at MITRE Engage™
  From Idea to Capability: Making Living Off the Land Repeatable

• Natto Thoughts
  Cybersecurity Strategy in China’s 15th Five-Year Plan

• NCSC
  APT28 exploit routers to enable DNS hijacking operations

• Eric Brown at Nebulock
  Hunt Mode: Supply Chain Compromises LiteLLM & Axios

• Nik Alleyne at ‘Security Nik’

  • Beginning Message Context Protocol (MCP): Attacking and Defending MCP
  • Beginning Message Context Protocol (MCP): MCP Security
  • Beginning Message Context Protocol (MCP): But what is MCP?

• Carina Schwabe at NVISO Labs
  Security’s Blind Spot: Physical Keyloggers That Bypass Antivirus Entirely

• Jeremy Kirk and Mathew Woodyard at Okta
  BreachForums logs reveal anonymizers of choice for shady characters

• Oleg Skulkin at ‘Know Your Adversary’
  386. Ransomware Affiliates Abuse Bandizip for Data Collection

• OpenSourceMalware
  Velora (formerly ParaSwap) SDK Version 9.4.1 Compromised And Installing Malware

• Eyal Rafian and Bill Batchelor at Palo Alto Networks
  Understanding Current Threats to Kubernetes Environments

• Profero
  The Theater of Cyber War: How Russian “Hacktivists” Are Performing for Iran Without Actually Hacking Anything

• Eric Carey, Olivia Henderson, and Noah Hemker at Rapid7
  FortiGate CVE-2025-59718 Exploitation: Incident Response Findings

• Robin Dost at Synaptic Systems
  Obfuscation Without Effort: Breaking a UAC-0226 GIFTEDCROOK Stealer

• SANS Internet Storm Center

  • How often are redirects used in phishing in 2026?, (Mon, Apr 6th)
  • A Little Bit Pivoting: What Web Shells are Attackers Looking for?, (Tue, Apr 7th)
  • Number Usage in Passwords: Take Two, (Thu, Apr 9th)
  • TeamPCP Supply Chain Campaign: Update 007 – Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory, (Wed, Apr 8th)
  • More Honeypot Fingerprinting Scans, (Wed, Apr 8th)
  • Obfuscated JavaScript or Nothing, (Thu, Apr 9th)

• Sansec

  • SVG Onload Tag Hides Magecart Skimmer on 99 Stores
  • ClickFix malware hits DoD cybersecurity vendor homepage

• Securelist

  • Financial cyberthreats in 2025 and the outlook for 2026
  • The long road to your crypto: ClipBanker and its marathon infection chain

• Security Alliance
  Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom calls

• Sekoia
  EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud – Part 2

• SentinelOne
  Edge Decay: How a Failing Perimeter Is Fueling Modern Intrusions

• Kartikkumar Jivani at Seqrite
  Advisory: Middle East Conflict & Cyber Escalation

• Siddhant Mishra
  When the Tool Is the Weapon: Security Lessons from Agent Skills

• Socket

  • North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
  • Attackers Are Impersonating a Linux Foundation Leader in Slack to Target Open Source Developers

• SOCRadar
  Dark Web Profile: TeamPCP

• Step Security
  @velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence

• Manish Rawat at System Weakness
  Hunting APT29 Part 3: I Traced the Process Tree Back to the Beginning

• Tenable
  What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure

• The Hunter’s Ledger

  • OpenStrike Beacon Toolkit — Open Directory 172.105.0.126
  • OpenStrike Expanded Toolkit — 106 New Files, Complete CS Arsenal Exposed

• Mohideen Abdul Khader F at Trellix
  Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion

• Trend Micro

  • Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do
  • U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026

• TrustedSec

  • Building a Detection Foundation: Part 5 – Correlation in Practice
  • IAM the Captain Now – Hijacking Azure Identity Access

• Wiz
  Cloud Threats Retrospective 2026: What AI Changed (and What It Didn’t)

• Блог Solar 4RAYS
  Мертвые души в инфраструктуре — атака Shedding Zmiy на здравоохранение

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Arctic Wolf
  止まらないランサムウェア被害 – Qilinの事案から読み解く、検知、対応と経営判断

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-04-13

• Cellebrite
  Advancing Digital Access: Unlock Capabilities & Roadmap for Belgian Law Enforcement

• Amy Ciminnisi at Cisco’s Talos
  Talos Takes: 2025’s ransomware trends and zombie vulnerabilities

• Huntress
  Tradecraft Tuesday | npm install axios: Software Supply Chain Threats

• Magnet Forensics

  • Legal Unpacked S1:E7 // Overcoming AI & deepfake defense in ICAC cases
  • Unmasking hidden threats: Rethinking standard DFIR approaches

• Emma Burdett at Rapid7
  A First Look at Our Speaker Lineup and Agenda for the Rapid7 2026 Global Cybersecurity Summit

• Sandfly Security
  Agentless Linux EDR for Government and Critical Infrastructure

• Sygnia
  A Tale of Two Incidents: Same Threat Actor, Different Outcomes

Presentations/podcasts

• Adversary Universe Podcast
  Hunting Supply Chain Attacks with Jared Myers, Director, CrowdStrike OverWatch

• Archan Choudhury at BlackPerl
  BlackPerl Certified Advanced Defender V2

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-04-06

• Cellebrite
  Tip Tuesday: Data Interpreter

• Hazel Burton at Cisco’s Talos
  [Video] The TTP Ep. 22: The Collapse of the Patch Window

• Cloud Security Podcast by Google

  • EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security
  • EP271 Can AI-Native MDR Actually Fix Your Broken SOC Workflows or Just Automate the Mess?

• CQURE Academy
  CQURE Hacks #77: From SQL Login to Full System Compromise

• Dr Josh Stroschein
  01 – The Build Environment, Required Tools, and Series Resources

• Endace

  • Webinar: Why are APTs so hard to Find, Investigate and Resolve?
  • What’s hiding in your DNS and other traffic?
  • Secure Networks Ep 31 – The Packet Forensics Files – Kamal Khlefat, LinkShadow
  • Don’t be the Next Target – how to prepare for the next supply chain attack
  • Introducing EndaceProbe Cloud
  • The Packet Forensic Files, Ep 65 with Andrew Cook, CTO Recon Infosec, on SecOps and Threat Hunting.
  • Building Cyber Investigation Skills with Immersive and Endace’s Always-on Packet Capture
  • Integrating Always-On Packet Capture with Google SecOps

• FBI
  Ahead of the Threat Podcast: Season 2, Episode 5 — Joe Levy

• Huntress

  • The Identity Breach You Didn’t Know You Had: Google Workspace
  • The Fake Microsoft Teams Update: Huntress SOC Incident Walkthrough

• InfoSec_Bret
  IR -SOC281 – System Network Configuration Discovery Detected

• Jai Minton at Breach Log
  Ep4: Think Twice Before You Fix It with Cameron

• Adam Goss at Kraven Security
  Threat Profile: Scattered Spider

• Magnet Forensics

  • Magnet One Case Stream: Accelerating digital investigations through connected workflows
  • Getting the right amount of mobile data required for corporate investigations

• Microsoft Threat Intelligence Podcast
  Ransomware: From Isolated Attacks to Global Criminal Ecosystem

• Monolith Forensics

  • Unexpected Use Cases for AI in Digital Forensics
  • Creating a Task Template in Monolith

• MSAB
  #MSABMonday – CTF Q&A Part 3 | Advancing Your Investigative Workflow

• MyDFIR
  How to Actually Use MITRE ATT&CK as a Beginner (Not Just Memorize It)

• Parsing the Truth: One Byte at a Time
  Karen Read: Special Guest Ian Whiffin

• Sumuri

  • How to Use Global Search in RECON ITR v26.0 | Cross-Plugin Search for Mac Forensic Triage
  • How to Image an Apple Silicon Mac Live Using RECON ITR | Live Imaging Tutorial | SUMURI

• Team Cymru

  • APJ Ransomware, Axios NPM Hijack, and AI Privacy Nightmares
  • Scott Scher on Why CTI Teams Forecast Instead of Predict

• Three Buddy Problem
  The Claude Mythos, Project Glasswing Shockwave

Malware analysis

• Bob Rudis
  [un]prompted Spring 2026: Threat Hunting In The Matrix

• Darktrace
  New Chaos Malware Variant found Exploiting Misconfigurations in the Cloud

• Esentire
  STX RAT: A new RAT in 2026 with Infostealer Capabilities

• Vojtěch Krejsa and Jan Rubín at Gen
  Remus: Unmasking The 64-bit Variant of the Infamous Lumma Stealer

• Howler Cell

  • BlueHammer: Inside the Windows Zero-Day
  • How CPUID’s HWMonitor Supply Chain Was Hijacked to Deploy STX RAT

• Evgen Blohm at InfoGuard Labs
  Slithering Through the Noise – Deep Dive into the VIPERTUNNEL Python Backdoor

• Andrey Pautov at InfoSec Write-ups
  Android APK Analysis Tool: AI-Powered Static Malware Analysis in Your Terminal

• Jamf

  • ClickFix technique uses Script Editor instead of Terminal on macOS
  • Inside Predator’s kernel engine

• Jason Reaves at Walmart

  • Mapping Ottercookie Infrastructure
  • Shub Stealers Fake Crypto Apps

• Joe T. Sylve, Ph.D.
  ida-mcp 2.1: Progressive Tool Discovery, Background Analysis, and Batch Operations

• LevelBlue SpiderLabs

  • Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
  • Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet

• Moonlock
  Notorious hacker returns with a new Mac stealer targeting $10K+ crypto wallets

• Jan Michael Alcantara at Netskope
  From ClickFix to MaaS: Exposing a Modular Windows RAT and Its Admin Panel

• Shubho57
  Analysis of DarkWatchman RAT (executable file)

• Zhassulan Zhussupov
  MacOS malware persistence 9: emond (The Event Monitor Daemon). Simple C example

• ZScaler

  • In-Memory Loader Drops ScreenConnect
  • Fileless In-Memory Loader Drops ScreenConnect
  • China-nexus Threat Actor Targets Arabian Gulf Region With PlugX

Miscellaneous

• Jason Garman and Vaishnav Murthy at AWS Security
  A framework for securely collecting forensic artifacts into S3 buckets

• Belkasoft
  Automatic Speech Recognition in DFIR Investigations

• Brian Maloney
  Creating a Fuji/WinFE external drive

• Brian Carrier at Cyber Triage
  How to Let AI Access Your DFIR and SOC Investigation Data

• Decrypting a Defense
  Age Verification Laws, Buying Data to Violate Your Rights, ID Case and Facial Recognition, Tracking Down Phone Callers & More

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 04/06/26

• Forensic Focus

  • GMDSOFT Tech Letter Vol.20 – Health App Data Analysis
  • Making The Case For Triage: Transforming Your Digital Forensics For Smarter Investigations
  • Digital Forensics Round-Up, April 08 2026
  • Cellebrite Spring Release: New Industry-Leading Device Access And Multi-Cloud Expansion
  • DFIR Backlogs, Burnout And Cognitive Fatigue: The Silent Operational Risk

• Horizon3
  Incident Response Remediation: How to Eliminate Attack Paths After a Breach

• Invictus Incident Response
  SaaS Security Risks: Defending Against OAuth Abuse & Shadow

• Magnet Forensics

  • Building your public sector digital forensics lab
  • A guide to navigating the modern digital evidence landscape in civil litigation
  • That One Artifact: How an overlooked device uncovered a hidden crime scene

• Malfind Labs
  Testing local LLMs: Qwen 3.5 vs. PowerShell Obfuscation

Software releases/updates

• AppliedIR
  Valhuntir v0.6.0

• Arkime
  v6.1.1

• Berla
  iVe Software v4.15 Release

• Darksp33d
  HyperHives macOS Infostealer — Full Technical Analysis

• Digital Sleuth
  winfor-salt v2026.6.7

• GCHQ
  CyberChef v10.23.0

• IntelOwl
  v6.6.0

• MobilEdit

  • MOBILedit Forensic 9.8: Advanced Bypassing & 16 Languages
  • Newly supported and added appliactions in 9.8

• Obsidian Forensics
  unfurl v2026.04

• Open Source DFIR
  Plaso 20260119 released

• OpenCTI

  • 6.9.29
  • 7.260309.0-lts.3

• Phil Harvey
  ExifTool 13.55 (production release)

• Rapid7

  • Velociraptor v0.75.7
  • Velociraptor v0.76.2

• Security Onion
  Security Onion 2.4.211 Hotfix 20260407 Now Available!

• Toño Diaz
  masstin v0.11.0

• Vound
  Intella 3.1 Release Notes

• Xways

  • X-Ways Forensics 21.7 SR-3
  • X-Ways Forensics 21.8 Beta 2