If your organisation is interested in sponsoring an upcoming post then reach out via the contact form!
No sponsor this week
As always, thanks to those who give a little back for their support!
Forensic Analysis
- Brian Carrier at Cyber Triage
  DFIR+AI Primer: How to Combat Hallucinations
- Django Faiola at ‘Appunti di Informatica Forense’
  iOS Foursquare Swarm – Digging Deeper: New Artifacts Unearthed
- Oleg Afonin at Elcomsoft
  Downloading iPhone and iPad backups from Apple iCloud
- Bas van den Berg at Eye Research
  Breaking encryption schemes the lazy way
- North Loop Consulting
  NLC Spectator
Threat hunting/threat intelligence
- ASEC
- Brian Krebs at ‘Krebs on Security’
  Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
- Censys
  MCP Servers on the Internet
- CERT-AGID
- Check Point
- CISA
  Supply Chain Compromises Impact Nx Console and GitHub Repositories
- David J. Bianco at Cisco’s Talos
  Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake
- Emanuel Duss at Compass Security
  SSH Labs
- CrowdStrike
  Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet
- CTF导航
- Cybersec Sentinel
  TrapDoor Targets 34 Packages Across npm, PyPI and Crates.io to Steal Crypto Keys and Poison AI Assistants
- Andrea Draghetti at D3Lab
  B1ack’s Stash Releases 4.6 Million Payment Cards: Web Skimming Leak Analysis
- Ryan Simon at Datadog Security Labs
  From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents
- Detect FYI
- Disconinja
  Weekly Threat Infrastructure Investigation (Week 22)
- Elastic Security Labs
  Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace
- Esentire
  Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
- FalconFeeds
  - THE GENTLEMEN: Inside the Russia-Linked Ransomware Operation Rapidly Reshaping the RaaS Ecosystem
  - Shai-Hulud: From npm Worm to Cross-Ecosystem Supply Chain Threat
  - SideWinder: The India-Linked APT Expanding from South Asia to Global Strategic Infrastructure
  - Semiconductor Sanctions & the Cyber Espionage Nexus: How Export Controls Are Reshaping Global Cyber Conflict
- Flashpoint
  Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
- Luis Corrons and Martin Chlumecký at Gen
  When Hotel Scams Know Your Booking: 350 Compromised Accommodations Across 50 Countries
- Dwayne McDaniel at GitGuardian
  Initial Access Changed, The Attack Path Did Not: Findings From The Verizon 2026 DBIR
- Google Cloud Threat Intelligence
- Yuan Huang and Kuvonchbek Yorkulov at Group-IB
  The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
- Kenneth Yeung at Hidden Layer
  Inside the Prompt: How LLMs Learn Roles, Follow Instructions, and Get Exploited
- Reegun Jayapaul and Sheik Mohamed at Howler Cell
  Bad Ads, Worse Binaries: Fake Claude Code Installer Drops Infostealer
- Huntress
- IC3
  Silent Ransom Group Impersonating IT Personnel through Social Engineering
- InfoSec Write-ups
- David Sardinha at Intrinsec
  Pivoting on a malspam infrastructure delivering JS malware backed by bulletproof networks
- Bert-Jan Pals at KQL Query
  EDR Incident Response Playbook: Containing Local Account Incidents
- Maor Gabay at LevelBlue SpiderLabs
  Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
- Matt Suiche
- Microsoft Security
  - From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
  - Typosquatted npm packages used to steal cloud and CI/CD secrets
  - The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
  - Malicious npm packages abuse dependency confusion to profile developer environments
- Oleg Skulkin at ‘Know Your Adversary’
- Moshe Siman Tov Bustan and Nir Zadok at OX Security
  Malware-Slop: New Malicious npm Package Leaks Its Own GitHub Private Token
- Matt Brady and Justin Moore at Palo Alto Networks
  Out of the Crypt: The Evolving Cyber Extortion Economy
- Andi Ahmeti at Permiso
  ChatGPhish: The Page Is the Payload
- Proofpoint
  More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild
- Keanu Maharaj at Push Security
  LLMShare: using shared chatbot pages to distribute malware
- Red Canary
- Robin Dost at Synaptic Systems
  IIM Feed: Attack Pattern Mapping for Adversary Infrastructure (5/7)
- SANS Internet Storm Center
  - TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)
  - Wireshark 4.6.6 Released, (Sun, May 24th)
  - Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)
  - Microsoft Access VBA, (Mon, May 25th)
  - Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th)
  - Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)
- Silent Push
- Socket
- SOCRadar
  Dark Web Profile: CoinbaseCartel
- Marco A. De Felice aka amvinfe at SuspectFile
  Universitat de València Targeted by Nova Group: 300GB Data Exfiltration Claimed, Initial $500,000 Ransom Demand Revealed
- Michael Clark at Sysdig
  AI agent at the wheel: How an attacker used LLMs to move from a CVE to an internal database in 4 pivots
- Ron Popov at Tenable
  Download pumping: New npm deception technique for supply chain attacks
- Josh Rykowski at Todyl
  Kali365 PhaaS: Inside the Attack Infrastructure
- Trend Micro
- Jean-Francois Gobin at Truesec
  Installation of a Syslog Log Collector
- WeLiveSecurity
- Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read at Wiz
  Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry’s Software Development Infrastructure
Upcoming events/webinars
- ADF Solutions
- Black Hills Information Security
- Cellebrite
  Meet Cellebrite Genesis: From Digital Overload to Investigative Clarity
- Magnet Forensics
Presentations/podcasts
- Hexordia
  Truth in Data: S2E9: Beyond the Button: Writing Forensic Reports That Hold Up in Court
- Richard Frawley at ADF Solutions
  Triage Smarter, Not Harder: Leveraging the Uniqueness in Your Case for Optimal Results
- Alexis Brignoni
  Build chat conversations in LAVA
- Cellebrite
  Tip Tuesday: Using Cellebrite Genesis
- Cloud Security Podcast by Google
  EP279 Native Cloud Security: Is ‘Good Enough’ Actually Winning?
- Cyber Secrets
- Dr Josh Stroschein
  [Workshop] Symbol Renaming & Namespace Flattening
- Endace
  Secure Networks, Ep 66 with IR practitioner Cody Spooner, Principal Sales Engineer, Corelight
- Gerald Auger at Simply Cyber
  What Separates Good SOC Analysts From Great Ones
- InfoSec_Bret
  IR - SOC281 – System Network Configuration Discovery Detected
- John Hammond
- Magnet Forensics
  Mobile Unpacked S4:E5 // Millings on Modes – Exploring the other Modes of iOS and Android
- Matthew Plascencia
  How to Find and Access Linux Logs | Linux Forensics
- Monolith Forensics
- MSAB
- MyDFIR
- Off By One Security
  AI Agents as Confused Deputies with Niki Aimable Niyikiza
- OpenSourceMalware
  OpenSourceMalware Show Episode #4 – May 5, 2026
- Parsing The Truth: One Byte at a Time Podcast
  S2 E2: Digital Forensics Now Cross Over Event
- Proofpoint
  “Always Intentional”: A CISO’s Pragmatic Take on the Agentic Era
- SANS
  Still Getting Cloud Wrong. Here’s what to Fix. With Simon Vernon
- SANS Cyber Defense
- THE Security Insights Show
  The Security Insights Show Episode 292 – Sentinel Graph and data lake
- The Weekly Purple Team
  Herding Katz to Steal Creds
- Three Buddy Problem
  - Federico Kirschbaum on XBOW, AI Hackers, and the Future of Pen Testing
  - Jordan Wiens on AI, Offense vs. Defense, and the Dying CTF Pipeline
  - Perri Adams on Proof Engines, LLMs, and the New Era of Verifiable Code
  - Find 50,000 Bugs, Fix Zero: Gabriel Bernadett-Shapiro on the AI Vuln Trap
  - Aaron Portnoy on Pwn2Own, the End of Easy Bugs, and AI-Fueled Offense
  - Microsoft Threatens Vuln Researchers; Shadow Brokers Revisited
Malware analysis
- Cyble
  OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight
- Dark Atlas
  Behind .payload: In-Depth Technical Analysis of Payload Ransomware
- Darktrace
  Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
- Xiaopeng Zhang at Fortinet
  Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
- John Dador & Mathew Dela Cruz at G Data Software
  Deceptively Sweet: DonutLoader Reloaded in a modern Remcos RAT Infection
- Harsh Gupta at K7 Labs
  RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT
- Manasi Joshi at Paraben Corporation
  Behind the Scenes of ClickFix: Blockchain-Based Dead Drop C2 Resolver
- Pulsedive
  SolyxImmortal – Analysis of a Python-based Information Stealer
- Robert Simmons at ReversingLabs
  Researcher’s Notebook: Hunting Megalodon Fossils
- Diyar Saadi at Secjuice
  Malware Analysis: Is It About Tools or Mindset?
- Konstantin Krasilnikov, Valery Akulenko, and Artem Snegirev at Securelist
  Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years
- Seqrite
- Shubho57
  Analysis of Pay2Key Ransomware
- Zhassulan Zhussupov
  - Malware shellcode delivery via signal – part 1. FSK Basics. Simple python script
  - Malware shellcode delivery via signal – part 2. The Linux receiver (Goertzel Algorithm). Simple C example
  - Malware shellcode delivery via signal – part 3. Fix straddling, ALSA buffer overrun, and sub-bit alignment. Simple python and C examples
Miscellaneous
- Abdul Mhanni
  Implementing Impacket’s Newest Protocol: MS-RAA
- Brett Shavers
  Don’t Marry the Suspect
- BushidoToken
  UK Cybercrime Journal: £102 million Lost to Scams in 2025
- Cellebrite
  The Access Gap Is Closed: What Cellebrite Can Unlock in 2026
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  SEAL Unbundled
- Florian Roth
  Why I Built My Own LLM Benchmark for THOR Finding Triage
- Forensic Focus
- Kevin Beaumont at DoublePulsar
  Microsoft’s stance on zero day exploits is a dumpster fire of their own making
- Magnet Forensics
- OSINT Team
  I Built an AI SOC Analyst in n8n That Triages Wazuh Alerts For Me — Here’s Every Node, Explained
- Rob T. Lee
  The Glasswing numbers should change what you do this week, not how well you sleep.
- Salvation DATA
  SSD Data Recovery: Why SSD Recovery Is Harder Than HDD
- Security Onion
  Security Onion Documentation Printed Book Now Updated for Security Onion 3.1!
- Steve Whalen at Sumuri
  Apple Never Published the Full APFS Spec
- Ryan G. Cox at The Cybersec Café
  The Skill Stack of a Detection & Response Engineer
Software releases/updates
- Alexis Brignoni
- Canadian Centre for Cyber Security
  Assemblyline v4.7.4.stable3
- Datadog Security Labs
  GuardDog Release v3.0.0a1
- Digital Sleuth
  winfor-salt v2026.9.4
- Doug Burks
  ohmypcap v4.0.0
- Elcomsoft
  Elcomsoft Phone Breaker 11.1: reliable iCloud backup extraction
- Erik Hjelmvik at Netresec
  CapLoader 2.1.0 Released
- Hasherezade
  tiny_tracer 4.0
- LEAPPs Org
  LAVA v0.13.0
- OpenCTI
  7.260529.0
- Phil Harvey
  ExifTool 13.59
- Security Onion
  Security Onion 3.1.0 Hotfix 20260528 Now Available!
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!