Forensic Analysis

• Andrew Garrett
  A Digital Forensic View: How iOS 15+ Lets You Change Photo & Video Timestamps (And What It Really Means)

• Brian Carrier at Cyber Triage
  DFIR + AI: Using Local LLMs with DFIR MCP Servers

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  SEAL and JavaScript

• Marco Neumann at ‘Be-binary 4n6’
  What Hides in the WAL — SQLite Forensics with crush

• Oleg Afonin at Elcomsoft

  • Digital Triage Masterclass
  • New Security Features and Low-Level Extraction of iOS 26
  • Elcomsoft Phone Breaker 11 Restores iCloud Access

• Steve Whalen at Sumuri
  What Your Mac Forensic Tool Isn’t Telling You About Metadata

• Vikas Singh
  Hunting NTDS.dit Theft via VSS & NTFS Logs

Threat hunting/threat intelligence

• Callie Baron and Elizabeth Swantek Abnormal Security
  ROI Calculator: Discover Your Abnormal Return on Investment

• Aikido

  • Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
  • Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud

• Arctic Wolf
  BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector

• Axel Z at Victory Road
  Pulling the Thread: Pivoting on DPRK IT Worker Infrastructure

• Ashitosh Deshnur at Barracuda
  Threat Spotlight: Boutique phishing kit Saiga 2FA hides behind ‘lorem ipsum’ metadata

• BI.Zone
  Using insights into vulnerabilities and adversary techniques to prevent attacks

• Alyssa Snow at Black Hills Information Security, Inc.
  A Practical Guide to BloodHound Data Collection

• BleepingComputer
  Inside an OPSEC Playbook: How Threat Actors Evade Detection

• Brad Duncan at Malware Traffic Analysis
  2026-04-22: Malicious ad leads to ClickFix-style page for macOS malware

• Brian Krebs at ‘Krebs on Security’
  Anti-DDoS Firm Heaped Attacks on Brazilian ISPs

• Censys
  The cPanel Situation Is…

• CERT-AGID

  • GitHub e GitHub Enterprise Server: vulnerabilità RCE CVE-2026-3854
  • Sintesi riepilogativa delle campagne malevole nella settimana del 25 – 30 aprile

• Check Point

  • 27th April – Threat Intelligence Report
  • VECT: Ransomware by design, Wiper by accident

• Martin Lee at Cisco’s Talos
  AI-powered honeypots: Turning the tables on malicious AI agents

• Cole Adkins at Cofense
  The Meta 2FA Trap: From Verified Badge to Account Takeover

• Coveware
  Patch management goes from hard, to ludicrous in the agentic AI era

• CrowdStrike
  Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield

• Ctrl-Alt-Intel

  • Watch Guard! Qilin affiliate exploits network appliances for initial access
  • South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940)

• Cybersec Sentinel

  • Snow Malware Suite Turns Microsoft Teams Into a Help Desk Trap
  • Copy Fail, The Nine-Year Linux Kernel Flaw That Gives Any User Root in Seconds

• Cyfirma
  Weekly Intelligence Report – 01 May 2026

• Dark Atlas

  • In-Depth Technical Analysis Of VECT Ransomware
  • Beyond TTPs: A Better Way to Attribute APT Activity Through Campaign Linkage

• Nathaniel Bill at Darktrace
  Jenkins honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers

• Detect FYI

  • The Life-Dinner Principle in Detection
  • Tuned by Design: Why Detection Engineering Needs Its Own Development Lifecycle

• Disconinja
  Weekly Threat Infrastructure Investigation(Week18)

• Dragos
  Why Is Manufacturing the Most Targeted Sector for OT Cyber Attacks?

• Elastic Security Labs

  • CI/CD pipeline abuse: the problem no one is watching
  • DFIR: From alert to root cause using Osquery without leaving Elastic Security

• FalconFeeds

  • Manufacturing Under Siege: Ransomware Convergence on Industrial Targets
  • Vidar & StrelaStealer IOC Alert: Fresh Infrastructure Signals Active Credential Theft Campaigns
  • Iran – Israel Conflict Malware Landscape: Common Malware Families, Technical Analysis, IOC Compendium & Attribution Mapping

• Flare

  • Inside the Floor: A Quantitative Analysis of 1 Year Exploit Forum Data
  • From Pirated Software to Full Access to FIFA: Tracing the 2026 World Cup Infostealer Pipeline

• GitGuardian

  • The Bot Left a Fingerprint: Detecting and Attributing LLM-Generated Passwords
  • A Mini Shai-Hulud Targeting the SAP Ecosystem

• Ha Thi Thu Nguyen and Sia Fei at Group-IB
  Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns

• Hudson Rock
  Inside the Coinbase Cartel: How Infostealer Credentials Fueled a 100+ Company Ransomware Spree

• Hunt IO
  xlabs_v1 DDoS-for-Hire IoT Botnet Exposed: One Operator Error. An Entire Operation Revealed

• Huntress

  • Attackers Didn’t Wait for AI. They Built Workflows Around It.
  • Untangling a Linux Incident With an OpenAI Twist (Part 2)
  • Tradecraft Tuesday Recap: axios npm Supply Chain Compromise
  • ClickFix Removes Your Background but Leaves the Malware
  • Komari Red: The Monitoring Tool with a Built-in Reverse Shell

• InfoSec Write-ups
  How to Detect DNS Tunneling with Elastic SIEM: SOC Analyst Hands-On Lab | Hunt Forward Lab #003

• Invictus Incident Response
  Atlas Lion Threat Profile: History, Tactics & Defenses

• Itochu Cyber & Intelligence
  Observations of “Japanese Malspam” in 2026 Q1: Analysis of Emails Delivering ValleyRAT

• Kasada
  KasadaIQ’s Q1 Insights: How AI Became Adversary Infrastructure

• Kroll
  March Threat Intelligence Spotlight Report

• Kudelski Security
  Mini Shai Hulud Supply Chain Attack – Kudelski Security Research Center

• LayerX

  • Extension Developers Sell The Data of At Least 6.5 Million Users – And It’s All Completely Legal
  • CursorJacking: Every Cursor User Is Vulnerable to API Key Theft by Rogue Extensions

• LevelBlue SpiderLabs
  Inside Vect Ransomware-as-a-Service

• Microsoft Security

  • Email threat landscape: Q1 2026 trends and insights
  • CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments

• Amy L. Robertson at MITRE ATT&CK
  ATT&CK v19: The Defense Evasion Split, ICS Sub-Techniques, New AI & Social Engineering Coverage…

• Sydney Marrone at Nebulock
  Hunt Mode: MCP Server Exploitations

• Gianpietro Cutolo at Netskope
  Shai-Hulud resurfaces: intercom-client@7.0.4 harvesting Github credentials

• Oleg Skulkin at ‘Know Your Adversary’

  • 389. Another Group Leverages Social Engineering to Deliver Linux Backdoors
  • 390. A New ClickFix Variant Abuses Cmdkey

• OpenSourceMalware

  • AI Full-Stack Development: The Anti-Patterns Rise Against Us – Part 1
  • Mini Shai-Hulud Borrowed Its Best Trick From PolinRider
  • PolinRider Rides Again: North Korean Attack Expands Across GitHub

• OSINT Team

  • TAMECAT: Iranian APT42 Group New PowerShell Backdoor Targeting Military and Government Officials
  • Hunting APT29 Part 4: I Found Hardcoded Credentials in a Single Command Line

• OX Security

  • Shai-Hulud Hits SAP: Stolen Credentials Found in 1,200 GitHub Repos
  • 8.3M Downloads Compromised: Lightning Python Package Infected in Latest Shai-Hulud Attack

• Palo Alto Networks

  • That AI Extension Helping You Write Emails? It’s Reading Them First
  • Essential Data Sources for Detection Beyond the Endpoint

• Recorded Future
  Lazarus Doesn’t Need AGI

• ReliaQuest
  Ransomware and Cyber Extortion in Q1 2026

• SANS Internet Storm Center

  • TeamPCP Supply Chain Campaign: Update 008 – 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)
  • HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th)
  • Today’s Odd Web Requests, (Wed, Apr 29th)
  • Danger of Libredtail [Guest Diary], (Wed, Apr 29th)
  • Malicious Ad for Homebrew Leads to MacSync Stealer, (Fri, May 1st)

• Scout Scholes at Expel

  • How AI is reshaping the threat landscape, and what our Q1 2026 data shows (part one)
  • The AI threat that’s actually worth worrying about from Q1 2026 (part two)

• Security Alliance
  Beware of cold reachouts – Infostealer malware campaigns targeting crypto

• Simone Kraus
  Technical Analysis of the LAMEHUG Campaign (APT28)

• Snyk

  • Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers
  • lightning PyPI Compromise: A Bun-Based Credential Stealer in Python

• Socket

  • Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables
  • SAP CAP npm Packages Hit by Supply Chain Attack
  • Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI
  • Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise
  • Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack
  • lightning PyPI Package Compromised in Supply Chain Attack

• Scott Lang at Spur
  Why Context Beats Fraud Scores: A Better Way to Evaluate IP Risk

• Sujay Adkesar
  PhonePe Forensics in iOS What Your iPhone Stores and How Investigators Read It

• Manish Rawat at System Weakness
  The PowerShell Detection Gap That’s Costing Organizations Millions

• Stephen Campbell at Team Cymru
  Targeting the Defense Industrial Base: What Network Telemetry Reveals About Nation-State Pre-Positioning

• The Hunter’s Ledger
  AdaptixC2 Open Directory Exposure — 45.130.148.125 Operator Toolkit

• Third Eye intelligence
  ThirdEye Blacklist Series – Kr3pto

• Lauren Proehl at THOR Collective Dispatch
  Hunting the Infostealer-to-SaaS Pipeline: When Third-Party Trust Becomes Lateral Movement

• Trend Micro

  • Update on Exposed MCP Servers: The Threat Widens to the Cloud
  • Kuse Web App Abused to Host Phishing Document

• Daniel Kelley at Varonis
  Meet Bluekit: The AI-Powered All-in-One Phishing Kit

• Vasilis Orlof at Cyber Intelligence Insights

  • C2 in the Ether
  • Mapping Remus Infostealer

• Wiz

  • Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
  • Key Takeaways from the 2026 State of AI in the Cloud Report
  • Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
  • The (In)security Landscape of AI-Powered GitHub Actions (Part 2/2)

Upcoming events/webinars

• Simply Cyber
  Parsing Unsupported 3rd Party Apps

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-05-04

• Cellebrite

  • Digital Evidence is Now Central to VAWG Investigations. Are Your Investigators Equipped?
  • The Digital Trail Doesn’t Lie. But You Have to Know Where to Look.

• Huntress
  EvilTokens: Big Cybercrime’s AI Platform Built to Bypass Your MFA

• Magnet Forensics

  • Cyber Unpacked S3:E2 // IR Beyond Malware: Investigating Business Email Compromise and Fraud
  • Magnet Axiom: Faster time to evidence with smarter, more flexible investigations

• SANS
  Stay Ahead of Ransomware Livestream: May 2026

• Spur
  When Good IPs Go Bad

Presentations/podcasts

• Hexordia
  Truth in Data: S2E8: Wish List! What We Want From DF Tool Providers

• Anuj Soni
  Getting Started with AI for Malware Analysis: Without Losing Control

• Cellebrite
  Tip Tuesday: Generic Profiles

• Cloud Security Podcast by Google
  EP274 AI, Zero Trust and Secure by Design Walk into a Bar…

• CQURE Academy
  CQURE Hacks #80: Detecting DDoS Attacks in Real Time with KQL & Azure Data Explorer

• Dr Josh Stroschein
  05 – Creating Position Independent Code using CALL $+5

• Huntress

  • EvilTokens: The PhaaS Kit That Bypasses MFA
  • The Anatomy of a Modern Linux Attack
  • The Security Threats Actually Compromising Organizations Right Now

• InfoSec_Bret
  Challenge – RDP Bitmap Cache

• Jamf
  Jamf After Dark: mobile forensics

• John Hammond
  FAKE Zoom Taxes MALWARE

• Magnet Forensics

  • Mobile Unpacked S4:E4 // Demystifying translation features of iOS & Android
  • Inside Magnet Nexus for scalable remote endpoint investigations
  • Responding to a cyber incident as a federal employee

• Monolith Forensics

  • Monolith Mondays – Evidence Items
  • Contacts in Monolith

• MSAB
  #MSABMonday – XAMN Multiple Conversations

• MyDFIR

  • Where SOC Analysts Should Start With Windows Event Logs
  • Day 53 of the 90-Day SOC Accelerator: A Member’s Story

• Off By One Security
  Automated Reverse Engineering with LibGhidra, GhidraSQL, and AI Agents

• OpenSourceMalware

  • OpenSourceMalware Show Episode #2 – April 30, 2026
  • OpenSourceMalware Show Episode #1 – April 23, 2026

• Parsing The Truth: One Byte at a Time Podcast
  Karen Read 1-9: Richard Green Testimony P1

• Proofpoint
  Champagne with Our Campaigns: A 100th Episode Happy Hour

• Richard Davis at 13Cubed
  Hunting Copy Fail: 732 Bytes to Root

• Team Cymru
  The AI Zero-Day Engine, China’s Cyber Rise, and CI/CD Poisoning

• The Cyber Mentor
  A Guide to LNK File Forensics

• The Defender’s Advantage Podcast
  Google’s Disruption Mission

• The Weekly Purple Team
  Getting Adaptix C2 By Defender with Beatrice

• Three Buddy Problem
  Cracking the Fast16 sabotage malware mystery

Malware analysis

• c3rb3ru5d3d53c
  [1] Binlex ARM64 LLVM Lift Optimize & Reconstruct Removing Opaque Predicates

• Doug Metz at Baker Street Forensics
  Unmasking the Moon: Comparing LunaStealer Samples with MalChela and Claude

• Profero
  WindowsAudit Backdoor: Inside a .NET RAT That Hides in Discord

• Anton Kargin, Vladimir Gursky, Victoria Vlasova, Anna Lazaricheva at Securelist
  Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

• Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee at Securonix
  Deep#Door Stealer: Stealthy Python Backdoor and Credential Stealer Leveraging Tunneling, Multi-Layer Persistence, and In-Memory Surveillance Capabilities

• Shubho57
  Analysis of Snowlight Dropper

• Zhassulan Zhussupov
  MacOS malware persistence 11: osascript LOLBin. Simple C example

• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Vect, Vect 2.0

Miscellaneous

• Alexandre Borges at ‘Exploit Reversing’
  Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

• Cellebrite

  • AI-Generated CSAM: Staying Ahead of the Threat
  • 7 Data Collection Mistakes That Compromise Corporate Investigations and How to Avoid Them 

• Craig Ball at ‘Ball in your Court’
  A Refresh of the Annotated ESI Protocol

• Brian Carrier at Cyber Triage
  AI+DFIR 2026 Challenge: The Good vs The Ugly

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 04/27/26

• Forensic Focus

  • Register Free For Forensics Europe Expo 2026
  • Digital Forensics Jobs Round-Up, April 2026
  • Techno East 2026: Advancing The Future Of Digital Forensics
  • Magnet Forensics Unveils Magnet AI, Advancing The Next Era Of Digital Investigative Intelligence
  • Magnet Forensics Redefines Digital Investigations With Evolution Of Magnet One
  • Digital Forensics Round-Up, April 29 2026
  • Detego Global Stands Out As Sole Digital Forensics Finalist At UK Security & Policing Awards
  • Magnet Forensics Honors 2026 Agency Impact And Scholarship Award Recipients

• Intel 471
  How Much Does Anthropic’s Mythos Change Enterprise Security?

• Kenneth G. Hartman at Lucid Truth Technologies
  FRE 707 AI Evidence: What Defense Attorneys Must Know Before Adoption

• Kevin Pagano at Stark 4N6
  Magnet User Summit 2026 Recap

• Lenny Zeltser

  • Plant Honeytokens to Detect Intrusions
  • Build a Decoy MCP Server to Catch AI Agent Attackers

• Magnet Forensics

  • From backlogs to breakthroughs: AI’s role in evidence review
  • Shadow labs and the case for purpose‑driven forensics
  • C2PA and media authentication: What you need to know

• Matthew Plascencia
  Data Recovery with testdisk on Linux

• Joachim Metz at Open Source DFIR
  “Forensics tools” where are your tests?

• Patrick Siewert at ‘The Philosophy of DFIR’
  Observations In The Land of Experts

• TobyG at sentinel.blog
  Sentinel-As-Code: Wave 2

Software releases/updates

• Crowdstrike
  Falconpy Version 1.6.2

• DFIR-IRIS
  IRIS-Web v2.4.29

• Doug Metz at Baker Street Forensics
  The Long Game: MalChela v4.0

• Elcomsoft

  • Elcomsoft Quick Triage receives a major update
  • iOS Forensic Toolkit 10.02 adds agent-based extraction for iOS 26
  • ElcomSoft Phone Breaker 11: full overhaul of iCloud extraction

• GCHQ
  CyberChef v11.0.0

• Lethal Forensics
  Microsoft-Analyzer-Suite v1.7.1

• Marco Neumann at ‘Be-binary 4n6’
  Crush-forensics new version – 0.6.0 – ist out

• Metaspike
  Forensic Email Collector (FEC) Changelog – v4.4.787.1266

• Microsoft
  msticpy MSTICPy 3.0.0 Release

• MISP
  MISP 2.5.37 – Templates, Assemble!

• OpenCTI
  7.260430.0

• Raj Upadhyay
  Chrome Forensics: History + Session (SNSS) Parsing

• Rapid7
  Velociraptor v0.76.4

• Ryan Benson at dfir.blog
  Hindsight v2026.04 Released!

• Sigma
  Release r2026-04-01

• Volatility Foundation
  Volatility3 Volatility 3 2.28.0

• WithSecure Labs
  Chainsaw v2.15.0

• Xways
  X-Ways Forensics 21.8 Beta 4

• Yamato Security
  Hayabusa v3.9.0 – Showa Day Release