Forensic Analysis

• Andrea Fortuna
  PowerShell DFIR 2026: from MemProcFS-Analyzer to KAPE-style mini-timeline

• Andrew Garrett
  What Do You Do If the Prosecution Uploads Child P*rnography to Your Cloud Storage?

• Elcomsoft

  • YellowKey: An Unexpected Backdoor into BitLocker, and Why You Should Be Paying Attention
  • A Decade of BitLocker Vulnerabilities: What’s Patched, What’s Not, and What Still Works

• Forensafe
  Memory Network

• James McGee at The Metadata Perspective
  Empirical Assessment of Apple Health Activity Data: Accuracy, Granularity, and Database Artifacts

Threat hunting/threat intelligence

• Abdul Mhanni
  The Gold Mine Red Teamers Never Touch

• Abdulrehman Ali
  Static Kitten APT Adversary Simulation

• Larry Cashdollar at Akamai
  Decentralized Threat: Stealthy P2P Cryptominer Targeting Ollama Endpoints

• ASEC

  • April 2026 Threat Trend Report on APT Groups
  • April 2026 Infostealer Trend Report

• Brad Duncan at Malware Traffic Analysis
  2026-05-22: SmartApeSG ClickFix –> Unidentified RAT –> NetSupport RAT

• Brian Krebs at ‘Krebs on Security’

  • CISA Admin Leaked AWS GovCloud Keys on Github
  • Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
  • Lawmakers Demand Answers as CISA Tries to Contain Data Leak

• CERT Ukraine
  Оновлений інструментарій UAC-0057: OYSTERFRESH, OYSTERSHUCK та OYSTERBLUES

• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 16 – 22 maggio

• Check Point

  • Hacktivists, Ransomware, and a 124% Surge Across DACH
  • 18th May – Threat Intelligence Report
  • AI Attacks Are No Longer Experimental: Key Findings from the March-April 2026 AI Threat Landscape
  • Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

• Cofense

  • Click, Install, Compromised: The New Wave of Zoom-Themed Attacks
  • Steganography Secrets: Malware Hidden in Plain Sight

• Cyber Triage
  How to Use EDR Telemetry in DFIR: 3 Investigation Methods Compared

• Cybersec Sentinel
  China APT Webworm Hides European Government Espionage Traffic Inside Discord and Microsoft Cloud

• Cyble
  JOMANGY: INJ3CTOR3’s Self-Healing FreePBX Toll Fraud Campaign

• Cyfirma
  Weekly Intelligence Report – 22 May 2026

• Detect FYI

  • Microsoft Defender XDR Custom Detection Rules: A Complete Guide & Best Practices
  • Detection Ratio Metrics
  • Detection Logic Bugs, Developing Context to Bypass MiniPlasma Rules

• Disconinja
  Weekly Threat Infrastructure Investigation(Week21)

• EclecticIQ
  SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

• Adam Metcalfe-Pearce at F5 Labs
  Microsoft Exchange ProxyShell Scanning Doubles in April 2026 as Two Distinct Campaign Clusters Emerge

• Flare
  The World Cup Fraud Infrastructure is Nearly Three Times Larger Than We First Reported

• Flashpoint
  AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

• Akshat Pradhan at Fortinet
  Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise

• Florian Kuckelkorn at G Data Software
  An AI-generated phishing attack on myself: How Cybercriminals Use ChatGPT and Similar Tools

• Alexis Wales at GitHub
  Investigating unauthorized access to GitHub-owned repositories

• GreyNoise

  • A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400
  • The Coverage Gap: Why Your Blocklist Is Missing 119,000 Malicious IPs Today

• Group-IB
  Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time

• Kenneth Yeung at Hidden Layer
  Tokenization Attacks on LLMs: How Adversaries Exploit AI Language Processing

• Hudson Rock
  Infostealers Just Spawned a 5,000+ Repo GitHub Supply Chain Attack

• Hunt IO
  Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

• Huntress

  • Threat Actor Defense Evasion: How Attackers Disable AV & EDR
  • Panic at the Distro
  • Exposed RDP: The Misconfiguration Attackers Keep Exploiting
  • Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress
  • The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress

• IC3
  “First VPN Service” Used by Ransomware Actors to Compromise Systems

• Dario Weiss, Manuel Feifel, and Olivier Becker at InfoGuard Labs
  SeppMail Secure E-Mail Gateway: Critical RCE and LFI Vulnerabilities

• InfoSec Write-ups

  • How to Detect Lateral Movement with Elastic SIEM: SOC Analyst Hands-On Lab | Hunt Forward Lab #006
  • How Malware Hides Inside ZIP Files & Why Most Defenses Still Miss It

• Florian Bausch at Insinuator
  Insights into Entra ID’s (Un)Conditional Access

• Invictus Incident Response
  How to respond to an incident in Kubernetes | GKE | Invictus Incident Response

• Adam Goss at Kraven Security
  Detection Engineering in 2026: The Complete Lifecycle (Sigma, YARA, DaC & AI)

• Lenny Zeltser
  Six Signals for Threat Attribution

• LevelBlue SpiderLabs

  • A Closer Look at The Gentlemen’s Alleged Leak
  • YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled
  • From WinRE to SYSTEM: Hunting the YellowKey and MiniPlasma Attack Chain

• Microsoft Security

  • How Storm-2949 turned a compromised identity into a cloud-wide breach
  • Exposing Fox Tempest: A malware-signing service operation
  • Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
  • From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence

• Mitiga
  From Cloud Events to Attack Chains: Cloud Threat Hunting that Actually Works

• Natto Thoughts
  Is This Chinese Company Watching the World to Train its AI?

• Hussein Bahmad at NVISO Labs
  Securing AI systems without overconfidence or fear – Part 2: Attack surfaces and the checkpoint flow

• Oleg Skulkin at ‘Know Your Adversary’
  393. Hunting for Recent Gamaredon Tactics, Techniques, and Procedures

• OpenSourceMalware

  • Axios attacker strikes again with three NPM packages that have been hiding in plain sight for two months
  • TeamPCP compromises NPM maintainer with over 540 packages

• OSINT Team
  The Detection Engineering Lifecycle in 2026 (Sigma, YARA, DaC & AI)

• OX Security

  • New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here
  • Top 5 Runtime Security Tools for Application Runtime Protection in 2026
  • The @antv Ecosystem Was Compromised with Shai-Hulud Malware, 300+ Packages Affected
  • North Korean Threat Actor Targets Developers with New npm Infostealer RAT
  • TeamPCP Strikes (again): How a Trojan VS Code Extension Brought Down GitHub
  • Megalodon: New CI/CD Malware Spreads Across GitHub, Infecting ~5,000+ Repositories

• Palo Alto Networks

  • Tracking TamperedChef Clusters via Certificate and Code Reuse
  • Paved With Intent: ROADtools and Nation-State Tactics in the Cloud
  • Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

• Eric Iswara at Promon
  Coretax RAT malware: A rising threat to banking security in Southeast Asia

• Push Security

  • 7 things we learned from our conversation with Troy Hunt
  • What the Verizon DBIR tells us about breaches in 2026
  • 7 things we learned from our conversation with Matt Johansen

• Qi’anxin X Lab

  • 黑客利用 CVE-2026-26980 攻陷 Ghost CMS，大量站点沦为 ClickFix 攻击帮凶
  • Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks

• Rapid7
  Q1 2026 Threat Landscape Report: Zero-clicks, geopolitical tensions, and some wins for law enforcement

• ReliaQuest

  • VPN Exploitation When Patched Doesn’t Mean Protected
  • ClickFix Evolves with PySoxy Proxying
  • Ransomware and Cyber Extortion in Q1 2026

• Robin Dost at Synaptic Systems

  • UAC-0184: From HTA to a Signed Network Stack
  • UAC-0244 / UAC-0247: Malware Targeting FPV operators

• SANS Internet Storm Center

  • TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
  • Selective HTTP Proxying in Linux, (Thu, May 21st)
  • Cross-Platform NPM Stealer, (Fri, May 22nd)
  • An Example of Stack String in High Level Language, (Sat, May 23rd)

• Securelist

  • IT threat evolution in Q1 2026. Non-mobile statistics
  • IT threat evolution in Q1 2026. Mobile statistics
  • Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

• Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee at Securonix
  Analyzing TAX#TRIDENT: Fake Indian Tax Lures Pivot Across ZIP, VBS, Stego and PHP-Wrapped VBS Delivery

• Phil Stokes at SentinelOne
  SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

• Socket

  • Active Supply Chain Attack Compromises @antv Packages on npm
  • Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
  • Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit
  • npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry
  • AI Has Taken Over Open Source
  • Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects
  • Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

• Sophos

  • WantToCry ransomware remotely encrypts files
  • GitHub internal repositories breached

• Splunk
  Detecting Copy Fail (CVE-2026-31431)– Phenominal Power, Ity Bity Script

• Dave Shackleford at Spur
  When Good IPs Go Bad: Why Traditional Reputation-Based Detection Is Failing

• Step Security

  • Nx Console VS Code Extension Compromised
  • actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Commit That Exfiltrates CI/CD Credentials
  • Compromised atool npm Account Delivers CI/CD Credential Stealer Across 24 Packages (echarts-for-react package, timeago.js)
  • Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem
  • Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositories
  • Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets

• Marco A. De Felice aka amvinfe at SuspectFile
  Since When Did Asking for Evidence Become “Defending Criminals”?

• The Hunter’s Ledger
  CVE-2026-41940 cPanel Harvester Toolkit — 216.126.227.49

• The Raven File

  • GITHUB LEAK: YOUR CODE @ RISK!
  • GENTLEMEN RANSOMWARE LEAKS

• ThreatMon
  One Month. Hundreds of Victims. A Growing Ransomware Crisis

• Trend Micro

  • Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
  • TrendAI™ and CleanDNS: From Blocking Attacker Infrastructure to Removing It From the Internet
  • One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign
  • Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

• Nick Thanos at Triskele Labs
  The Group That Didn’t Need to Break In: How KillSec3 Exploited What Was Already Exposed

• Umut Bayram at Picus Security

  • UNC2891 Bank Heist Explained: CAKETAP Rootkit and Raspberry Pi Attack
  • DeepLoad Malware Explained: ClickFix Delivery and Password Stealing

• Verizon
  2026 Data Breach Investigations Report

• We Investigate Anything

  • graph-hunt: detección automatizada de movimiento lateral en Memgraph y Neo4j GDS
  • graph-hunt: automated lateral movement detection on Memgraph and Neo4j GDS

• WeLiveSecurity

  • Webworm: New burrowing techniques
  • Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise

• Wiz

  • The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave
  • durabletask: TeamPCP’s Latest PyPi Compromise

• Taoufik El Adel at Wordfence
  How a Webmail Log File Became a Root-Level Backdoor

• Matt McCabe at ZScaler
  Data Leakage Through AI Prompts: 12 Realistic Examples (and Controls That Stop Them)

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Black Hills Information Security

  • BHIS – Talkin’ Bout [infosec] News 2026-05-26 – Tuesday Memorial Day Edition
  • The Paranoid Prompter – Prompt Engineering for Infosec with Bronwen Aker

• Magnet Forensics
  Mobile Unpacked S4:E5 // Millings on Modes – Exploring the other Modes of iOS and Android

• Security Onion
  Security Onion Conference 2026 Save the Date and CFP

• Silent Push
  Webinar – Beyond GeoIP: Stop Sanctioned-Region Logins, AML Fraud and Fake Hires.

• Simply Cyber
  Cyber Threat Intel Skills

Presentations/podcasts

• Adversary Universe Podcast
  Adversaries Follow the Money: The CrowdStrike 2026 Financial Services Threat Landscape Report

• Black Hat
  Black Hat Stories | Yaara Shriki, Threat Researcher at Wiz

• Cellebrite
  Tip Tuesday: Digital Forensics + AI Framework

• Cloud Security Podcast by Google
  EP278 The Agentic SOC: Are We Measuring Time Saved or Risk Reduced?

• Cyber Secrets

  • Knowledge Base in the CSI Linux Case Management System
  • Using ClamAV Scanning a Volatility Dumpfiles Export

• FIRST
  Episode 56: Mor Weinberger and Lior Kaplan, FIRSTCON26 Speakers

• Huntress

  • The Phishing Attack That Makes MFA Useless
  • CMMC Requirement 3.3.3: How to Review and Update Logged Events

• InfoSec_Bret
  Challenge – Phantom Validation

• Magnet Forensics

  • Legal Unpacked S1:E8 // Search warrants for cloud data: Building legal process around how online data is actually stored
  • The future is now…Introducing Intelligent Insights and Intelligent Search, powered by Magnet AI

• Microsoft Threat Intelligence Podcast
  Eviltokens: A Conversation with Huntress on an AI‑Enabled Device Code Phishing Campaign

• Monolith Forensics

  • Monolith Monday – Custom Fields
  • Using AI to Help Us Plan Our Forensic Examinations
  • Monolith UI: Query Filters

• MSAB
  #MSABMonday – XAMN Pro Gallery View Sort

• MyDFIR

  • I Broke Down a Real SOC Analyst Job Posting (Here Is How You Learn Every Skill)
  • CloutHaus (KC7 Cyber) | MYDFIR KQL Series | Part 2

• Off By One Security
  Confused Deputies and Stolen Tokens: Breaking and Rebuilding MCP Auth with Brooks McMillin

• Parsing The Truth: One Byte at a Time Podcast
  S2 E1: Season Two – Here we come!

• SANS Cyber Defense
  Agentic AI Explained: How It Really Works, When It Fails, and What to Watch For

• SUMURI Forensics at Sumuri
  How to update your RECON ITR | RECON ITR Deep Dive

• Team Cymru
  The CVSS problem: why severity scores don’t predict what gets exploited

Malware analysis

• Aikido

  • Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
  • Microsoft’s durabletask package on PyPi Compromised. Mini Shai Hulud attacks again… again!
  • Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer

• Joey Chen at Cisco’s Talos
  From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

• Cleafy Labs
  NFC Relay Goes Local: How AI Is Accelerating a New Wave of Independent Malware Developers

• Dark Atlas
  PlugX DLL Sideloading via MSI Installer: Complete Malware Analysis of a KorPlug Campaign

• Yun Zheng Hu and Mick Koomen at Fox-IT
  RemotePE: The Lazarus RAT that lives in memory

• Noufal Radhitya at Intellibron
  Betting on Risk: An Analysis of Spyware Disguised as Online Gambling App

• Srinivasan E at K7 Labs
  Fake Microsoft Teams Campaign Delivers ValleyRAT via NSIS Installer and DLL Sideloading

• Renaud Tabary at MALCAT
  Benchmarking LLMs for malware triage and static unpacking with Malcat

• Dixit Panchal at Seqrite
  Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure

• Shubho57
  Analysis of Vile Ransomware

• Snyk

  • Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account
  • The AntV Supply Chain Campaign Expands: Microsoft’s durabletask PyPI Package Compromised
  • Laravel Lang Supply Chain Advisory

• Carlos Perez at TrustedSec
  Shai-Hulud Is Back, and This Time It Ate the Whole Ecosystem

Miscellaneous

• Lee Sult at Binalyze
  Handala’s Kill List: Tracking the Victims of Iran’s Most Destructive Cyber Unit

• Brett Shavers

  • Forensics First. AI Second.
  • AI in DFIR Did Not Start When You Noticed It

• BushidoToken
  UK Cybercrime Journal: Inside the Cl0p attack on South Staffs Water

• Cellebrite

  • Can You Use ChatGPT or Claude to Analyze UFDR Data?
  • Mobile Compliance is Broken on iOS. Here’s the Fix No One’s Talking About.
  • Cellebrite Inseyets: Advancing Device Access, Automation and Analysis at Scale

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 05/18/26

• FIRST

  • Peak Incident Response 2026
  • FIRSTCTI26 Recap: Threat Intel & Pretzels Sold Out!

• Forensic Focus

  • Finding Previous Locations Without Geolocation Data
  • Digital Forensics Jobs Round-Up, May 18 2026
  • How The City Of Johannesburg In South Africa Accelerated Investigations With Detego Technology
  • The Cloud Attachment Problem: Why Modern Email Investigations Are Missing Critical Evidence
  • On-Scene Digital Forensics: Winning Investigations Before The Lab
  • Inside The Cellebrite Spring 2026 Release
  • GMDSOFT Tech Letter Vol21.ChatGPT Q&A: 10 Key Questions
  • Digital Forensics Round-Up, May 20 2026
  • Detego Global Partners With National Foundation For Retired Service Animals To Support “Protect Our Protectors” Mission
  • When The Job Comes Home: The Impact On Families
  • Forensic Focus Digest, May 22 2026

• Howard Oakley at ‘The Eclectic Light Company’
  How QuickLook provides thumbnails and previews

• Kenneth G. Hartman at Lucid Truth Technologies
  FaceTime Evidence Apple Subpoena: What Apple Actually Hands Over

• Magnet Forensics

  • Evidence sharing is the next inflection point for enterprise DFIR teams
  • From alert to root cause: Strengthening federal cyber investigations

• Блог Solar 4RAYS
  Боль реагирования: как процессы информационной безопасности влияют на расследование инцидента

Software releases/updates

• Alexis Brignoni

  • ALEAPP v3.5.0
  • iLEAPP v2.4.0
  • RLEAPP v2.2.0

• Amped
  Amped FIVE Update 40623: New Formats, Assistant Automation, New Motion Detection, and updates to Change Frame Rate, Timeline, and Much More

• Arkime
  v6.4.0

• Belkasoft
  Belkasoft X 2.11: A Sneak Peak

• Canadian Centre for Cyber Security
  Assemblyline 4.7.3.3

• Daniel Benzano
  RDPuzzle v0.1.2

• Didier Stevens
  Update: search-for-compression.py Version 0.0.7

• Digital Sleuth
  winfor-salt v2026.9.3

• Doug Burks
  ohmypcap v3.0.0

• Erik Hjelmvik at Netresec
  PolarProxy 2.0 Released

• Nextron Systems
  Announcing the Release of ASGARD Management Center v4.0

• OpenCTI
  7.260522.0

• Security Onion
  Security Onion 3.1.0 Now Available with Elastic 9.3.3, Suricata 8.0.5, Zeek 8.0.8, and much more!

• Xways
  X-Ways Forensics 21.8 Beta 8