As always, thanks to those who give a little back for their support!
Forensic Analysis
- Christopher Eng at Ogmini
- Brian Carrier at Cyber Triage
  - AI + DFIR: How To Share Your “SKILLS” With the LLM
- Elcomsoft
- Forensafe
  - Memory Certificates
- Hal Pomeranz at ‘Righteous IT’
  - Fun With volshell
- InfoSec Write-ups
  - From Memory Dump to Attack Story: Building DeepProbe v2
- Kevin Stokes
  - Running Claude Skills Inside OpenRelik: An AI Worker for your DFIR Tools
- Joseph Williams at Pen Test Partners
  - AI can help in DFIR, but it cannot replace investigator judgement
- The DFIR Report
  - Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting
- ThinkDFIR
  - Trust but Verify: Amcache’s OriginalFilename Field Isn’t Always Accurate
Threat hunting/threat intelligence
- Callie Baron and Elizabeth Swantek at Abnormal AI
  - 2026 Attack Landscape Report: BEC Tactics Adapt to Your Operations
- Acronis
  - Same packet, different magic: Mustang Panda hits India’s banking sector and Korea geopolitics
- Aikido
- Akamai
- ASEC
- Australian Cyber Security Centre
  - Defending against China-nexus covert networks of compromised devices
- Axel Z at Victory Road
  - Pulling the Thread — Invite Only
- Eric J. Taylor at Barricade Cyber Solutions
  - CTI Report: ShadowByt3$ Retaliation Package Targeting Eric J. Taylor
- Shad Malloy at Bishop Fox
  - Taking Maestro in Stride: AI Threat Modeling Frameworks
- BlackFog
- Brad Duncan at Malware Traffic Analysis
  - 2026-04-23: SmartApeSG activity
- Brian Krebs at ‘Krebs on Security’
  - ‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty
- Andrew Northern at Censys
  - Oluomo: Microsoft OAuth AiTM Phishing Using a Naturalization-Form Lure
- CERT-AGID
  - Summary of malicious campaigns in the week of 18 – 24 April
- Check Point
- CISA
  - Supply Chain Compromise Impacts Axios Node Package Manager
- Cisco’s Talos
  - Phishing and MFA exploitation: Targeting the keys to the kingdom
  - Bad Apples: Weaponizing native macOS primitives for movement and execution
  - IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
  - UAT-4356’s Targeting of Cisco Firepower Devices
- Cofense
- Ctrl-Alt-Intel
- Cybersec Sentinel
  - Android NFC Stealer NGate Targets Brazil via Fake Lottery and Counterfeit Google Play Page
- Cyble
- Joanna Ng, Min Kim, and Tara Gould at Darktrace
  - How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2
- Detect FYI
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 17)
- Doug Metz at Baker Street Forensics
  - From QR to Threat Identification in one Click
- Jimmy Wylie at Dragos
  - ZionSiphon: Why This Malware Isn’t A Credible ICS Threat
- Elastic Security Labs
- FalconFeeds
- FIRST
- JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair at Google Cloud Threat Intelligence
  - Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
- Alexander Grabko and Konstantinos Angelopoulos at Group-IB
  - Anatomy of a Fraud Operation: Mule Account Creation on B2B Fintech Platforms in France
- Hudson Rock
  - Breaking: Vercel Breach Linked to Infostealer Infection at Context.ai
- Huntress
- IC3
  - Defending Against China-nexus Covert Networks of Compromised Devices
- Intrinsec
- Vladimir Pazukhin and Nir Avraham at Jamf
  - Three lessons from DarkSword: inside a government-grade iPhone exploit kit
- Jeffrey Bellny at CatchingPhish
  - If I recall…
- Kevin Beaumont at DoublePulsar
  - Microsoft Vibing — capturing screenshots and voice samples without governance
- Adam Goss at Kraven Security
  - MCP Servers for CTI in 2026: The Tools, the Risks, and What Comes Next
- Taha El Graini at Kudelski Security
  - No Zero-Days Needed: How Five Hygiene Failures Handed Ransomware Operators the Keys
- Natalie Zargarov at LayerX
  - StealTok: 130k Users Compromised by Data Stealing TikTok Video “Downloaders”
- LevelBlue SpiderLabs
- Mat Fuchs
  - Your AI Detections Are Rotting: Model Drift as a Hidden Risk in Security Operations
- Microsoft Security
- Eugenio Benincasa at Natto Thoughts
  - Chinese Firm Claims AI-Driven Bug Discovery Near Claude Mythos Scale
- Obsidian Security
  - The Vercel Breach and the Growing SaaS Supply Chain Challenge
- Oleg Skulkin at ‘Know Your Adversary’
  - 388. Ransomware Gang Abuses FTK Imager for Defense Evasion
- OSINT Team
  - Email Analysis & Investigation
- Outpost24
  - Handala Hack Team: Threat Actor Profile
- OX Security
- Palo Alto Networks
  - The npm Threat Landscape: Attack Surface and Mitigations
- Alexander Badaev and Maxim Shamanov at Positive Technologies
  - An alarm you can’t snooze: how CapFix targets Russian organizations
- Push Security
- Raymond Roethof
  - Microsoft Entra ID: Understanding OAuth App Consent and Permissions
- Red Canary
  - Intelligence Insights: April 2026
- Red Piranha
  - Inside the Sinobi Ransomware Playbook: Risks, Tactics, and Defence Strategies
- SANS Internet Storm Center
- Securelist
- Security Alliance
  - Malicious Google Ads Targeting Crypto
- Matt Berry at SentinelOne
  - Hypersonic Supply Chain Attacks: One Solution That Didn’t Need to Know the Payload
- Sujay Adkesar
  - Amcache-ProgramID — The Orphan Dll Attribution
- SuspectFile
- Symantec Enterprise
- Synacktiv
- System Weakness
- Eli Woodward at Team Cymru
  - Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure & Post-Exposure Analysis
- The Hunter’s Ledger
- Sydney Marrone at THOR Collective
  - Three New Ways to Use HEARTH
- ThreatHunter AI
- Trend Micro
- Alex Ball at TrustedSec
  - Kerberos with Titanis
- Alex Groyz and Zack Abzug at Vectra AI
  - Azure Logging just Changed – Your Detections May be Missing it
- WeLiveSecurity
- Solar 4RAYS Blog
  - Ransomware attack on a small company through a large contractor
Upcoming events/webinars
- ADF Solutions
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2026-04-27
- Cellebrite
- Magnet Forensics
Presentations/podcasts
- Adversary Universe Podcast
  - The “Vuln-pocalypse” Looms: Are We Cooked?
- Black Hat
  - SecTor 2025 | How Adversaries Beat User-Mode Protection Engines for Over a Decade
  - SecTor 2025 | Unmasking a North Korean IT Farm
  - SecTor 2025 | Tracing Adversary Steps through Cyber-Physical Attack Lifecycle
  - SecTor 2025 | EDR Bypass Testing: A Systematic Approach to Validating Endpoint Defenses
  - SecTor 2025 | What If We Caught SUNBURST in CI/CD?
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2026-04-20
- Cellebrite
  - Seeking Truth Through Data: Honoring the Idaho Four
- Cisco’s Talos
  - [Podcast] It’s not you, it’s your printer: State-sponsored and phishing threats in 2025
- Cloud Security Podcast by Google
  - EP273 From CISA to Cloud: AI Assurance, Concentration Risk, and the New Regulatory Frontier
- CQURE Academy
  - CQURE Hacks #79: Azure Storage Misconfiguration in Practice From Public Blob to Key Vault Access
- Dr Josh Stroschein
  - 04 – Wrapping Shellcode into PE Files and Debugging with IDA Pro
- FIRST
- Huntress
- InfoSec_Bret
  - IR - SOC176 – RDP Brute Force Detected
- John Hammond
  - The Payload Podcast #005 – Casey Smith
- Magnet Forensics
- Microsoft Threat Intelligence Podcast
  - The Cybercrime Shift: From Opportunistic Attacks to Marketplace-Driven Ecosystem
- Monolith Forensics
- MyDFIR
  - Certifications Won’t Get You a SOC Job (Do This Instead)
- Off By One Security
  - Live Malware Unpacking: Debugging AgentTesla with DotDumper
- Paraben Corporation
  - Digital Investigator Membership Program
- Parsing The Truth: One Byte at a Time Podcast
  - S1 E49: Karen Read 1-8: Nick Guarino Part 2
- Richard Davis at 13Cubed
  - The AI Conversation I’ve Been Avoiding
- SANS
- SentinelOne
  - LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?
- Team Cymru
  - Trend AI’s Robert McArdle on Criminal Business Models Surviving Tech Revolutions
- Three Buddy Problem
  - Mark Dowd on AI hacking, exploit chains, zero-day sales
Malware analysis
- Any.Run
- c3rb3ru5d3d53c
  - [0] Binlex Tutorial – YARA Rule Generation Example
- CISA
  - FIRESTARTER Backdoor
- Joselyn Canuela at G Data Software
  - Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
- Gen
  - When Malware Authors Study Algebra: The Group Theory Inside Bedep’s DGA
- Hunt IO
  - DinDoor’s Caddy Problem: How One HTTP Header Exposed 20 Active C2 Servers
- InfoSec Write-ups
  - Malware Analysis: payloadfinal.bin (Agent Tesla)
- LockBoxx
  - Don’t Run This Game: Inside the Myth Journey Malware Campaign
- Gabriele Orini at Malwarebytes
  - Malicious trading website drops malware that hands your browser to attackers
- Jan Michael Alcantara at Netskope
  - macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections
- Anna Širokova at Rapid7
  - Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
- Vitaly Kamluk & Juan Andrés Guerrero-Saade at SentinelOne
  - fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
- Socket
  - Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware
  - Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions
  - Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
  - 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations
- Step Security
  - CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister
  - TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package
  - elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection
- Team Cymru
  - Hacktivist Hoaxes, DPRK Zoom Exploits, and Defending with AI
- Prashanth A N and Mallikarjun Wali at Trellix
  - PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing
- Zhassulan Zhussupov
  - MacOS malware persistence 10: caffeinate LOLBin. Simple C example
- Yin Hong Chang and Sudeep Singh at ZScaler
  - Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener
Miscellaneous
- Adam at Hexacorn
  - Some unintelligent fun with ms-notepad protocol
- Belkasoft
  - Scaling Your DFIR Practice: Choosing the Right Digital Forensic Tools for Small Teams
- Emmett Ross at Cellebrite
  - How Digital Intelligence Is Transforming Contraband Phone Investigations in Correctional Facilities
- Christopher Eng at Ogmini
  - BSides South Jersey 2026
- CyberBoo
  - Microsoft Defender for Office 365 Part 7: Zero-Hour Auto Purge (ZAP) & Post-Delivery Protection
- darkdefender
  - Context Switching in DFIR
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 04/20/26
- Forensic Focus
  - Rachael Medhurst, Co-Founder, Positive Cyber Solutions Ltd
  - Belkasoft X Brings AI-Powered Speech Recognition To DFIR Investigations
  - Magnet Forensics Acquires V2 Forensics, Expanding Leadership In Drone-Related Digital Investigations
  - Digital Forensics Round-Up, April 22 2026
  - Introducing Magnet Autokey, A New Solution Enabling Fast Access To Encrypted Vehicle Data
  - Forensic Focus Digest, April 24 2026
- Francisco Dominguez at DiabloHorn
- Grumpy Goose Labs
  - Not Another (Incident Response) Framework
- Elizabeth McPherson at Hexordia
  - New Lumyx Essentials Course at Hexordia
- Howard Oakley at ‘The Eclectic Light Company’
  - The secret life of the xattr
- Intel 471
  - Ransomware negotiations: What CISOs should know before negotiating
- Magnet Forensics
- Amber Schroader at Paraben Corporation
  - Why do tools show different results?
- Pyae Heinn Kyaw
- Salvation DATA
- Security Onion
  - Security Onion Documentation Printed Book Now Updated for Security Onion 3.0!
Software releases/updates
- Alexis Brignoni
- Arkime
  - v6.2.0
- Canadian Centre for Cyber Security
  - Assemblyline 4.7.3.1
- Digital Sleuth
  - winfor-salt v2026.7.1
- DougBurks
  - ohmypcap v1.0.0
- Elcomsoft
- Eric Zimmerman
  - ChangeLog
- F-Response
  - F-Response 8.8.1.13 Now Available
- IntelOwl
  - v6.6.1
- IsoBuster
  - IsoBuster 5.8 beta released
- Joe T. Sylve, Ph.D.
  - ida-mcp 2.2: From Tool Calls to Analysis Scripts
- Lethal Forensics
  - MemProcFS-Analyzer
- Magnet Forensics
  - Smarter analysis, faster truth: Introducing Intelligent Insights for Magnet Review
  - What’s new in Magnet Axiom 10.0: smarter artifacts, faster insight, and stronger intelligence
  - Accelerating your vehicle investigations: Introducing Magnet Autokey
  - Media Triage in Magnet Graykey now integrated with Magnet Griffeye®
- Mandiant
  - flare-floss QUANTUMSTRAND beta 3
- Marco Neumann at ‘Be-binary 4n6’
  - Introducing crush: A DFIR Workbench for Surfing Through Data Formats
- Mohamed AlJawarneh
  - Auto-Compromise-assessment-Tool
- Nedim Šabić
  - fibratus 7.260422.0
- North Loop Consulting
  - Arsenic v3.0 iOS File Tree View
- OpenCTI
  - 7.260423.0
- Raymond Garay-Paravisini
  - ChronosFracture — supertimeline
- SigmaHQ
  - pySigma v1.3.3
- Toño Diaz
  - masstin v1.0.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!