Forensic Analysis

• Chad Gish at Magnet Forensics
  Windows forensics: Understanding and analyzing Pagefile.sys artifacts

• Christopher Eng at Ogmini
  Velociraptor – Tailscale Artifact

• Brian Carrier at Cyber Triage
  AI + DFIR Primer: Agents and Scalability

• DFIR Review

  • Traces of Edited Messages in Signal
  • Analyzing Google’s Map cache

• Digital Forensics Myanmar
  Deep Drive into SSD Recovery and Forensics

• Forensafe

  • Memory Events
  • Memory Files

• Manuel Guerra at GLIDER.es
  ¡Agente, yo no he sido! Análisis Forense de IA OpenClaw

• Hal Pomeranz at ‘Righteous IT’

  • Linux Investigation (Part 1)
  • Linux Investigation (Part 2)
  • Linux Investigation (Part 3)
  • Linux Investigation (Part 4)

• Nicholas Dubois at Hexordia
  MachO Execution Shims – containermanagerd – iOS

• Marco Neumann at ‘Be-binary 4n6’

  • Object by Object — RealmDB Forensics with crush
  • Reading the CURRENT — LevelDB Forensics with crush

• Mohit Dhabuwala
  Did someone wipe this device? A complete step-by-step investigation guide.

• North Loop Consulting
  Bloomin’ Biomes – Meet Sedgwick

Threat hunting/threat intelligence

• Abdul Mhanni
  Dissecting Impacket for Good and Bad

• Ryan Devendorf at Abnormal Security
  Tycoon2FA Rebounds Post-Takedown with 6 Layers of Obfuscation

• Assaf Morag at Flare

  • Downloading Danger: How World Cup Hype Fuels a Global Mobile Malware Ecosystem
  • PamDOORa: Analyzing a New Linux PAM-Based Backdoor for Sale on the Dark Web

• Australian Cyber Security Centre
  ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure

• Sean Nikkel at Bitdefender
  Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS

• BlackFog

  • BlackFog Q1 2026 Ransomware Report: Only 1 in 9 Ransomware Attacks Made Public as Data Exfiltration Hits 96%
  • The State of Ransomware: April 2026
  • Ransomware in Energy and Utilities: The Real Story Behind the Attacks

• Lawrence Abrams at BleepingComputer
  JDownloader site hacked to replace installers with Python RAT malware

• Brad Duncan at Malware Traffic Analysis
  2026-05-08: macOS Shub Stealer infection

• Brian Krebs at ‘Krebs on Security’
  Canvas Breach Disrupts Schools & Colleges Nationwide

• Bridewell
  Intelligence Insights: April 2026

• Censys
  Microsoft: DigiCert Root Certificates Are Malware? Censys in SOC Triage

• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 2 – 8 maggio

• Check Point
  4th May – Threat Intelligence Report

• Cisco’s Talos

  • UAT-8302 and its box full of malware
  • CloudZ RAT potentially steals OTP messages using Pheno plugin
  • Insights into the clustering and reuse of phone numbers in scam emails

• Micah DeHarty at Cofense
  Steal Smarter, Not Harder: Malicious use of Vercel for Credential Phishing

• Cyfirma
  Weekly Intelligence Report – 08 May 2026

• Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  AWS Bedrock Threat Hunting: A CloudTrail Log Analysis Playbook

• Detect FYI

  • Evaluating our Threat Hunting Detection Rules (+ KQL Query Evaluation)
  • Hunting ClickFix Win + X Variants
  • Unmanaged PowerShell Execution: Hunting Beyond powershell.exe

• Disconinja
  Weekly Threat Infrastructure Investigation(Week19)

• Elastic Security Labs

  • TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
  • Detecting Web Server Probing & Fuzzing in Traefik with Automated Cloudflare Response
  • Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild

• Erik Hjelmvik at Netresec
  Remcos Alerts from FlowCarp in EveBox

• FalconFeeds
  Inside the LiveDNS Phishing Campaign: How Typosquatted Domains Are Targeting Israeli Users

• Flashpoint
  Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

• Genians
  AI 딥페이크 사칭 캠페인 후속 Python 백도어 위협 분석

• Yuan Huang, Afiq Sasman, and Alexander Sychev at Group-IB
  The Architecture of Deception: How a $187 Million Fraud Ecosystem Exploits Trust Across Australia and the United States

• Laura Babbili at GuidePoint Security
  The Top 5 Industries Most Impacted by Ransomware in Q1 2026

• Hudson Rock
  The Missing Link: How Infostealers Fuel Ransomware Attacks (and Our New Partnership with Ransomware.live)

• Hunt IO
  Iranian-Nexus Operation Against Oman’s Government: 12 Ministries Hit and 26,000 Citizen Records Exposed

• Noufal Radhitya at Intellibron
  Uncovering New Indicator in RagaSerpent’s ‘Tax Audit’ Malware Campaign

• Invictus Incident Response
  AADGraphActivityLogs: How to Detect Legacy Azure AD Graph Attacks | Invictus Incident Response

• Jay Deen at Dragos
  AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility’s OT

• Kasada
  Q1 2026 Threat Intelligence Report

• Kroll
  The Brief: GARUDA C2 Malware

• LayerX

  • What Does Agent 365 Miss About Shadow AI in Your Microsoft 365 Environment?
  • ClaudeBleed: A Flaw In Claude’s Browser Extension Allows Any Extension to Hijack It

• LevelBlue SpiderLabs

  • LevelBlue TTP Briefing Q1 2026: Trust Abuse Exposes Weaknesses
  • Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
  • Threat Analysis: Backdoored Electron Apps Evading Defenses

• Microsoft Security

  • Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise
  • ClickFix campaign uses fake macOS utilities lures to deliver infostealers
  • When prompts become shells: RCE vulnerabilities in AI agent frameworks
  • Active attack: Dirty Frag Linux vulnerability expands post-compromise risk

• Natto Thoughts
  Chasing Palantir: Inside China’s Obsession and the Rise of Its Next-Generation AI-enabled Defense Firms

• Oleg Skulkin at ‘Know Your Adversary’
  391. Hunting for TeamPCP’s Stealer

• OpenSourceMalware

  • CNCF Project Antrea Compromised in Daring GitHub Pwn Request
  • Lazarus Group Uses Git Hooks To Hide Malware
  • Contagious Interview Pivots to Git Pre-Commit Hooks for Stage-2 Delivery
  • #3 – git hook persistence, Antrea compromise, Dirty Frag, cPanel exploitation, interpreted language malware

• Palo Alto Networks

  • The Dangerous Momentum of Autodownload Phishing
  • Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
  • Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

• Pulsedive
  Analyzing Iranian Tradecraft: Leveraging Loader Scripts and Telegram for C2

• Push Security

  • Inside a phishing panel used by ShinyHunters and BlackFile
  • How three techniques are behind ShinyHunters’ 2026 campaigns
  • Introducing the Browser & Identity Attacks Matrix

• Andrew Cook at Recon Infosec
  What’s Actually Hitting Organizations Right Now: ClickFix, Identity Compromise, and AI-Powered Risk

• Recorded Future
  Threat Activity Enablers: The Backbone of Today’s Threat Landscape

• Resecurity

  • Iranian Proxy Networks in Latin America Post-Maduro: IRGC
  • Mini Shai-Hulud: A Cross-Ecosystem Supply Chain Attack on PyTorch Lightning & Intercom Client

• Rob T. Lee
  AI Isn’t a Tool Anymore. It’s an Operator. Notes from the SANS AI Cybersecurity Summit

• Robin Dost at Synaptic Systems

  • IIM – The Grammar of Adversary Infrastructure (3/7)
  • IIMQL – The Query Language for Adversary Infrastructure (4/7)

• Aditya Ganjam Mahesh at S-RM
  Ransomware in focus: The Gentlemen

• Sandfly Security
  Detecting Copy Fail Linux Vulnerability Agentlessly with Sandfly

• SANS Internet Storm Center

  • Wireshark 4.6.5 Released, (Sun, May 3rd)
  • Cleartext Passwords in MS Edge? In 2026?, (Mon, May 4th)
  • SSL.com rotates their root certificate today, (Tue, May 5th)
  • TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)
  • DShield Honeypot Update, (Mon, May 4th)
  • An Adaptive Cyber Analytics UI for Web Honeypot Logs [Guest Diary], (Wed, May 6th)
  • Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)

• Securelist

  • “Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security
  • Websites with an undefined trust level: avoiding the trap
  • OceanLotus suspected of using PyPI to deliver ZiChatBot malware
  • Exploits and vulnerabilities in Q1 2026

• Security Joes
  The Defender Domino: How a DigiCert Breach Turned Microsoft into an Unwitting Proxy for APT-Q-27

• Seqrite

  • Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit
  • Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam’s Military Telecom & Philippine Healthcare

• Simone Kraus

  • Modus Operandi and Semantics of Structured Organized Crime in the Immediate Social Environment
  • Unmasking MuddyWater ConnectWise ScreenConnect Installer

• Kush Pandya at Socket
  5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer

• Joe at Stranded on Pylos
  A Brief Critique of Practical Threat Intelligence

• Dr. Anna Bertiger and Luke Wescott at Sublime Security
  Prompt injection attacks don’t look like what you’re seeing in social media and headlines · Blog · Sublime Security

• Michael Clark at Sysdig
  Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Detecting unpatched local privilege escalation via Linux Kernel ESP and RxRPC

• The Hunter’s Ledger
  HijackLoader / Penguish / Rugmi to AsyncRAT Multi-Vector Phishing Campaign

• Numaan Huq and Andre Alves at at Trend Micro
  A Hidden Vulnerability in Healthcare: Exposed DICOM Servers and the Risk to Patient Data

• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – April Update

• Meagan Huebner at Varonis
  Abuse of Microsoft Dynamics Redirects Delivers Phishing Payloads at Scale

• Merav Bar at Wiz
  The Jenkins Threat Landscape

• YLabs
  The Secret Scriptorium: A Medieval Tale of the Shadow Shop that Forged Identities

• Блог Solar 4RAYS
  Ландшафт киберугроз: аналитика по сенсорам в 1-м квартале 2026 года

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-05-11

• Cellebrite
  The Next Shift in Investigations: Preparing for an AI-Powered Reality

• Huntress
  Tradecraft Tuesday | How Ransomware-as-a-Service Fits in the Ransomware Economy

• Magnet Forensics
  AI Unpacked S2:E3 // A tale of two outputs – man vs. the machine

Presentations/podcasts

• Adversary Universe Podcast
  The Partnerships Taking on AI Security: Daniel Bernard, CrowdStrike Chief Business Officer

• Alexis Brignoni
  Digital Forensics Now with Parsing the Truth One Byte at a TIme

• Behind the Binary by Google Cloud Security
  EP25 The Future of Debugging: A Paradigm Shift with Xusheng Li

• Black Hat
  SecTor 2025 | Detecting Forbidden White Labeled and Counterfeit Devices

• Cloud Security Podcast by Google
  EP275 Google Cloud Next 2026: The AI Earthquake, “SOC-home” Syndrome, and the Ragged Edge of Reality

• Cyber Secrets

  • CSI Linux in 2026 – The future of Cyberforensics and Case Management
  • Downloading and installing the CSI Linux VirtualBox 7z version
  • RAM Analysis using CSI Linux CMS with a Volatility Backend
  • Updating CSI Linux With Powerup

• CYBERWARCON

  • Forecasting Typhoons: Volt Typhoon Next Steps in OT Disruption
  • From Automated Scans to Hands On Keyboard: China Nexus APTs Exploited SAP NetWeaver to Breach Critic

• Dr Josh Stroschein
  [Workshop] Anatomy of a .NET Loader – Reflection & Assembly Loading

• Eclypsium
  BTS #73 – Uncovering Firmware Risks: From Y2K to Modern Malware

• FBI
  Ahead of the Threat Podcast: Season 2, Episode 6 — Deneen DeFiore

• InfoSec_Bret
  Challenge – Android Infostealer

• Magnet Forensics

  • Cyber Unpacked S3:E2 // IR Beyond Malware: Investigating Business Email Compromise and Fraud
  • Magnet Axiom: Faster time to evidence with smarter, more flexible investigations

• Microsoft Threat Intelligence Podcast
  Russia’s Forest Blizzard Is Abusing Home + Small Office Routers for Cred Theft

• Monolith Forensics

  • Forensic Protocols: A Structured Approach to Conducting Digital Forensics
  • Creating a Contact in Monolith

• MSAB
  #MSABMonday – XAMN Blob data

• MyDFIR

  • 6 Reasons You Can’t Investigate Alerts (And How to Fix It)
  • Aspiring SOC Analyst Shares His MYDFIR Forge Experience

• Parsing The Truth: One Byte at a Time Podcast

  • S1 E50: Karen Read 1-9: Richard Green Testimony P1
  • S1 E51: Karen Read 1-10: Richard Green Testimony P2

• SANS

  • SANS AI Cybersecurity Summit 2026
  • Threat Hunting with Taz Wake

• SentinelOne
  LABScon25 Replay | Please Connect to the Foreign Entity to Enhance Your User Experience

• Sumuri
  Collecting iOS Backups with Recon ITR 1

• Team Cymru

  • AI Supply Chain Exploits, Cyber-Kinetic Threats, and the FUD-X
  • Unit 42’s Andrew Rathbun on the Sysmon Configuration Mistake Enterprises Are Making

Malware analysis

• CTF导航
  伪装成10086官网流量的Cobalt Strike木马深度分析

• Cyble
  Operation HumanitarianBait: An Infostealer Campaign in Disguise

• Dark Atlas
  Salat Stealer Analysis: Go-Based RAT, C2 Resilience, and Info-Stealing Capabilities

• Dr. Web
  Instead of a job—stolen data and money. Trojan stealer targeting macOS and Windows users conceals itself in fake online interview apps

• Hidden Layer
  Malware Found in Trending Hugging Face Repository “Open-OSS/privacy-filter”

• Joe T. Sylve, Ph.D.
  IDA-MCP Is Now RE-MCP With Full Ghidra Support

• Lab52
  EasterBunny: advanced espionage artifacts attributed to APT29

• Gabriele Orini at Malwarebytes
  Attackers adopt JavaScript runtime Bun to spread NWHStealer

• Vini Egerland at Netskope
  OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer

• Alexandra Blia and Ivan Feigl at Rapid7
  Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware

• Alex Delamotte at SentinelOne
  PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

• Shubho57
  Analysis of Ironchain Ransomware

• Chaitanya Ghorpade, Gabor Szappanos, Rahul Dugar, Rahil Shah, and Matt Wixey at Sophos
  Donuts and Beagles: Fake Claude site spreads backdoor

• Trend Micro

  • Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities
  • InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

• WeLiveSecurity

  • A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
  • Fake call logs, real payments: How CallPhantom tricks Android users

• Mitesh Wani at ZScaler
  Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Sorry 2026

Miscellaneous

• Adam at Hexacorn
  1 little known secret of forfiles.exe, part 2

• Adam Chester at XPN
  The Accidental C2 – Exploring Dev Tunnels for Remote Access

• Adan Alvarez
  From Leaked AWS Key to Data Exfiltration in 60 Seconds: Are We Ready?

• Andrea Fortuna
  Cloud forensics and the jurisdictional labyrinth of cross-border evidence acquisition

• Andrew Garrett
  Business Email Compromise Victims Kevin and Nicole Noar Fought Back and Won

• Brett Shavers

  • Your Digital Forensics Degree Is Already Outdated. Now What?
  • AI is Eating Itself

• Cellebrite
  The Three Ways Mobile Security Teams Are Flying Blind — And How to Fix It

• Decrypting a Defense
  MSG’s Surveillance Nightmare, Balancing Awareness & Panic, Reports vs. Extractions, Tamar Lerer Answers 5 Questions & More

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 05/04/26

• Dominik at R136a1
  Where Have All the Complex Windows Malware and Their Analyses Gone?

• Forensic Focus

  • AI-Generated CSAM: Staying Ahead Of The Threat
  • DFIR In 2026 – AI ‘Button Pusher’ Forensics, Writing Courtroom Reports, Audio Breakthroughs And The Leica Geosystems Conference
  • Digital Forensics Round-Up, May 06 2026
  • Forensic Focus Digest, May 08 2026

• Keith McCammon
  Exploits and malware are still subject to the laws of physics

• Magnet Forensics

  • Asking the right questions: How to get the most out of Intelligent Insights
  • AI in enterprise DFIR: Moving fast, staying defensible

Software releases/updates

• Akhil Dara
  WAInsight latest-release

• Arkime
  v6.3.1

• Datadog Security Labs
  GuardDog v2.10.0

• Digital Sleuth
  winfor-salt v2026.8.15

• Doug Metz at Baker Street Forensics
  MalChela v4.1: Mac Malware Analysis Arrives

• DougBurks
  ohmypcap v2.0.0

• Erik Hjelmvik at Netresec
  FlowCarp Identifies Protocols

• Ghassan Elsman
  Crow-Eye v0.10.0

• John Brown
  WMI_Forensics Python 3 Update

• LEAPPs Org
  LAVA First public beta release

• OpenCTI
  7.260510.0

• Phil Harvey
  ExifTool 13.58

• PuffyCid
  Artemis v0.19.0 – Released!

• Sleuth Kit Labs
  Autopsy 4.23.1

• VirusTotal
  YARA v4.5.6

• WithSecure Labs
  Chainsaw v2.16.0

• Xways
  X-Ways Forensics 21.8 Beta 5