Forensic Analysis

• Emi Polito at Amped
  How To Investigate Video Evidence: Workflows, Pitfalls and Best Practices

• Christian Peter
  That still only counts as one! – iLEAPP Sticker Animation

• Brian Carrier at Cyber Triage
  DFIR+AI Primer: When Not To Use GenAI

• Oleg Afonin at Elcomsoft
  Forensic Implications of Apple Stolen Device Protection

• Forensafe

  • Memory Suspicious Processes
  • Memory Services

• Joe T. Sylve, Ph.D.

  • Revisiting the APFS Series
  • Space Manager
  • The Reaper
  • EFI Jumpstart
  • Hard Links and Siblings

• Matthew Plascencia
  Canonical Multipass Forensics 101

Threat hunting/threat intelligence

• Aikido

  • Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
  • Why EDR and proxy won’t save you from supply chain malware

• Jon Williams at Bishop Fox
  Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis

• Phil Miller at Black Hills Information Security, Inc.
  Auditing GitLab: The CI/CD Kill Chain

• Wendy McCague at BlackFog
  The State of Ransomware: May 2026

• Brian Krebs at ‘Krebs on Security’
  Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

• Daniel Whitcombe, Alex Jones, James Smee and Nathan Richards at Bridewell
  Intelligence Insights: May 2026

• BushidoToken
  UK Cybercrime Journal: British Universities Struck by ShinyHunters Before Exam Season

• Censys
  How a Dangling DNS Entry Can Lead to a Subdomain Takeover

• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 30 maggio – 5 giugno

• Check Point

  • The Server Seizure That Affects Also Iran’s Cyber Operations
  • 1st June – Threat Intelligence Report
  • Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem
  • Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026

• Ron Scott-Adams at Cisco’s Talos
  Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting

• CloudSEK
  How an Unauthenticated MCP Server Led to SSRF, LFI, and AWS Credential Theft

• Kahng An at Cofense
  Embedded Threats: How Attackers Weaponize Legitimate Emails

• CTF导航

  • 我们绕过了 GarudaDefender 整套 Frida 检测，但这已经不是重点了
  • APT-C-26（Lazarus）组织利用CVE-2025-55182与Copperhedge组件的攻击行动分析

• Cyble
  C-Suite Impersonation in the Gulf: How Threat Actors Are Targeting UAE & Saudi Executives in 2026

• Cyfirma
  Weekly Intelligence Report – 05 Jun 2026

• Daniel Koifman
  The Interesting Case of WSL for Payload Staging

• Dark Atlas
  Inside Modern Supply Chain Intrusions: From CI/CD Abuse to Ecosystem-Wide Compromise

• Detect FYI

  • Deep KQL Analysis with Kustology
  • The Interesting Case of WSL for Payload Staging

• Disconinja
  Weekly Threat Infrastructure Investigation(Week23)

• Dragos
  Dragos Industrial Ransomware Analysis for the First Quarter of 2026

• Martin Warmer, Davy Boekhout and Jorn Pieterse at Eye Research
  Device Code Phishing Forensics: What We Learned Investigating BEC in the Wild

• FalconFeeds
  FIFA World Cup 2026: Mapping the Global Cyber Scam Ecosystem Targeting Fans

• Flare

  • FalkonC2 is Getting Ridiculously Stealthy
  • KeyCat Stealer Uncovered: Inside a $40 Multi-Platform Infostealer with Telegram C2 and Active Staging Infrastructure

• Flashpoint
  Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

• Fortinet
  Cybercriminals Are Targeting the FIFA World Cup 2026

• Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan at Google Cloud Threat Intelligence
  Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms

• Group-IB

  • Cryptocurrency Scams: The 10 Most Common Types and How They Work
  • Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages

• Alex Holland at HP Wolf Security
  The Anatomy of a Destructive Attack

• Hunt IO
  PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network

• Intel 471

  • Gentlemen Ransomware
  • Threat Hunting Case Study: FileFix

• Nicole Fishbein at Intezer
  How attackers are gaining access to LLM inference

• Gilbert Kallenborn at Intrinsec
  Analyste CTI et LLM: exemple d’une collaboration fructueuse

• Invictus Incident Response
  How to respond to an incident in Kubernetes | AKS | Invictus Incident Response

• Lares

  • Living Off The Land – Built-In Pwning
  • Outlook 365 for the PWN

• LevelBlue SpiderLabs

  • The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
  • macOS ClickFix Social Engineering Campaigns
  • ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

• Aayush Tyagi at McAfee Labs
  Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns

• Microsoft Security

  • Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
  • Securing CI/CD in an agentic world: Claude Code Github action case

• Moonlock

  • New Mac stealer SHub Reaper is spoofing Apple, Google, and Microsoft
  • Fake ChatGPT site unleashes the dangerous Odyssey Stealer

• Eugenio Benincasa at Natto Thoughts
  How China’s Cyber Operations – and the Contractors Behind Them – Target Critics Abroad

• Jonathan Peters at Nextron Systems
  Detecting Nimbus Manticore and their sideloading infection chains

• Stamatis Chatzimangou at NVISO Labs
  The Detection & Response Chronicles: Covert Operations Through QEMU

• OpenSourceMalware

  • The Software Supply Chain Malware Landscape: January – May 2026
  • The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds

• OSINT Team

  • The Evolution of Malware
  • The Gentlemen Ransomware: Threat Profile

• OX Security

  • New npm Supply Chain Attack: @redhat-cloud-services Compromised
  • Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated
  • IronWorm Supply Chain Malware Hits npm
  • 600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm
  • Malware-Slop 2: Malicious npm Package Leaks Its Own Bot’s Telegram Private Token

• Ido Asher, Noa Dekel and Tom Fakterman at Palo Alto Networks
  Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

• Guy Barnhart-Magen at Profero
  We Added a Detection Rule. We Were Not Expecting This.

• Proofpoint
  TA4922: The Suspected Chinese Crime Group is Going Global

• Dan Green at Push Security
  Using the Pyramid of Pain for threat detection in the AI era

• Recorded Future
  Iran Expands Handala Brand to Physical Threats

• Matt Graeber at Red Canary
  Investigating suspicious AI workflows in Microsoft Entra Agent ID: Agent’s user account

• Alexa Feminella at ReliaQuest
  ReliaQuest’s Agentic AI Uncovers New China-Linked Cluster OP-512

• SANS Internet Storm Center

  • YARA-X 1.17.0 Release, (Sun, May 31st)
  • Unidentified RAT pushes NetSupport RAT, (Mon, Jun 1st)
  • New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)
  • Continuing Scans for swagger.json, (Wed, Jun 3rd)
  • Microsoft’s Coreutils for Windows, (Thu, Jun 4th)
  • The Evil MSI Background is Back!, (Fri, Jun 5th)

• Sansec

  • GorgonAgora: 4,800+ fake storefronts skim cards across hundreds of impersonated brands
  • Magecart skimmer turns Stripe into a malware command server

• Securelist

  • Containers on fire: from container escapes to supply chain attacks
  • Wardriving assessment across Mexico: Preparing for the 2026 World Cup
  • Argamal: Malware hidden in hentai games

• Sekoia

  • FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm
  • FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad
  • FSB’s matryoshka #3/3 – Gamaredon’s gifts that keeps unpacking – GammaSteel

• Bineesh P at Seqrite
  Best Incident Response Techniques for Ransomware Attacks to Minimize Damage

• SOCRadar

  • Dark Web Profile: BlindEagle
  • Dark Web Profile: Vect Ransomware

• Step Security

  • Multiple redhat-cloud-services npm Packages compromised
  • Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp

• SuspectFile

  • Armenia: Bashe Claims to Have Purchased a Database of More Than 30,000 Voters from a Pro-Turkish Group
  • Singing River Health System: Between Ransomware, Legal Disputes, and Recurring Vulnerabilities

• Symantec Enterprise
  Espionage Campaign Targeted Stock Exchange Executive for Five Months

• Sysdig

  • Security briefing: May 2026
  • Agentic threat actor hits the orchestration plane: AI agent-driven container escape

• ThreatFabric
  Own Goal? Piracy as an Attack Vector to Target Football Fans

• ThreatMon
  Oil & Gas Sector Cyber Threat Intelligence Report 2026

• Carlos Perez at TrustedSec
  The Privileged Roles Nobody Talks About

• Lucie Cardiet at Vectra AI
  From Conti to The Gentlemen: tooling evolved, gaps didn’t. by Lucie Cardiet

• VMRay
  YARA Rules: A Complete Guide with Best Practices and Use Cases

• Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster at Volexity
  VerdantBamboo: Just Another BRICKSTORM in the Firewall

• Merav Bar and Rami McCarthy at Wiz
  Miasma: Supply Chain Attack Targeting RedHat npm Packages

• István Márton at Wordfence
  Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Black Hills Information Security

  • ClickOnce Commander: Weaponizing Trusted Microsoft Deployment w/ Steve
  • BHIS – Talkin’ Bout [infosec] News 2026-06-08

• Cellebrite
  From Seizure to Intelligence: Practical Digital Evidence Workflows for Drug Investigations 

• Magnet Forensics

  • Legal Unpacked S1:E9 // Digital evidence in criminal prosecutions: Discovery obligations, requests, and practical strategy
  • Ask Me Anything: Strengthening eDiscovery with digital forensics
  • Drowning in data…Practical cloud storage and data migration strategies

• SANS
  Poisoned Packages & Stolen Secrets: The Rise of Supply Chain Attacks

• Sygnia
  The Anatomy of Cyber Attacks Affecting OT Organizations

Presentations/podcasts

• Alexis Brignoni

  • The AI Investigative Framework Interview with Heather Barnhart
  • AI in Digital Forensics panel hosted by MSAB at Techno Security East 2026

• Behind the Binary by Google Cloud Security
  EP26 When AI Features Create Zero-Click Exploits: The Pixel 9 Chain with Seth Jenkins

• Cyber Secrets

  • Domain Search is the CSI Linux Case Management System
  • Email Search OSINT within the CSI Linux Case Management System

• Cyber Social Hub

  • Techno Live
  • Techno Day 2 – S2 Data
  • Live from Techno Security in Myrtle Beach with JJ from ADF Solutions
  • Live at Techno Security with Alex from Lumyx!
  • Techno Day 3
  • Techno Day 2 – Martino from Amped
  • Techno Day 2 – BlackRainbow
  • Techno Day 2 – Matt Danner from Monolith Forensics
  • Jennifer from Techno Security Conference – Techno Day 3
  • DATAPILOT – Techno Day 3
  • Jessica Hyde – Techno Day 3

• Dr Josh Stroschein
  [Workshop] Saying Goodbye to the #US Stream – Analyzing String Obfuscation

• FIRST

  • CVE | FIRST VulnCon 2026 & Annual CNA Summit
  • Episode 58: Cheng-Lin Yang and Lily Chen, CyCraft, FIRSTCON26 Speakers

• Huntress

  • _declassified Ep. 2 | Unfriendly Followers: The Black Market For Your Identity
  • Session Hijacking Explained in 3 Min

• InfoSec_Bret
  IR – SOC340 – Apache Tomcat Serialized Payload RCE (CVE-2025-24813)

• John Hammond

  • A Linux Backdoor is For Sale on the Dark Web
  • JHT Course Launch! Windows Maldev 6
  • BIG SHOW TODAY & AI vibes

• Adam Goss at Kraven Security
  CTI for SMB: How Small Businesses Can Operationalize Threat Intelligence for Free

• Magnet Forensics
  Cyber Unpacked S3:E3 // The burnout equation: Sustaining your SOC and IR teams for the long game

• Microsoft Threat Intelligence Podcast
  Supply Chain Attacks: Open Source or Open Door?

• Monolith Forensics

  • Custom Report Templates – Monolith Mondays
  • Metrics Reports in Monolith

• MSAB
  #MSABMonday – XPAA Course

• MyDFIR

  • MYDFIR DFIR Course: Overview (NEW DFIR COURSE)
  • TryHackMe AI Security 1 (AI1) Certification | Is It Good? (GIVEAWAY)

• Off By One Security
  Failure is Not an Option! A Reliable Process to Exploit STM32F2/F4 Microcontrollers, with Joe Grand

• OpenSourceMalware
  OpenSourceMalware Show Episode #7 – June 3, 2026

• Parsing The Truth: One Byte at a Time Podcast
  S2 E3: The 12 Invoices

• Emma Burdett at Rapid7
  A Day in the Life of an MDR Analyst: Inside the Modern SOC

• SANS
  She Convinced the Pentagon to Let Hackers In. Legally. With Katie Moussouris

• SANS Cloud Security
  SANS Cloud Security: Securing Gen AI RAG Data using Azure AI Search with Eric Johnson

• SANS Cyber Defense

  • Disinformation in 2026: How Influence Operations Work and How to Spot Them
  • Detection Coverage: Measuring What You Can Actually Detect

• SentinelOne
  LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine

• Sumuri
  The Log Collector | RECON ITR Overview

• Team Cymru
  How Akira hits thousands of SMBs with $50K-$150K ransoms undetected | Alex Bovicelli

• Three Buddy Problem
  Fast16, Fanny, and Stuxnet: Cyber Paleontology Redux

Malware analysis

• Any.Run

  • From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises
  • Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations 

• ASEC
  Crypto Guest at Dawn Endpoint (Midnight) ransomware analysis

• Dr. Web
  Android.MagicAd trojan displays ads despite all restrictions

• Elastic Security Labs
  PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT

• ExaTrack
  Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026

• Vincent Li at Fortinet
  Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

• Arvin Tan and Sean Cartagena at G Data Software
  Browser Spy-Ons: Threat Actor’s Extension Hijack Your AI Conversations

• Reegun Jayapaul and Rahul Ramesh at Howler Cell
  Inside an Active STX RAT Supply Chain Campaign

• Morphisec
  VECT: Ransomware That Can’t Decrypt

• Mostafa Farghaly
  Unmasking Quellostanco: How a Git Commit Exposed a Threat Actor Targeting Egyptian Infrastructure (co-authored)

• ReversingLabs

  • 31 Red Hat npm packages backdoored in 72 seconds
  • How 56 npm packages used binding.gyp to steal CI/CD secrets

• RexorVc0
  Diamotrix

• Shubho57
  Analysis of DirtyFrag (Vulnerability)

• Snyk

  • Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages
  • Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt Injection
  • Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp

• Socket

  • Famous Chollima Targets PHP Developers Through Compromised Packagist Package
  • Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages

• Sophos

  • Pointing a Cursor at evading detection
  • You do surprise me.exe: An unexpected executable in Hola Browser

Miscellaneous

• Adam at Hexacorn
  little secret of msconfig.exe

• Alexis Brignoni at ‘Initialization Vectors’
  LEAPPs.org – Latest changes!

• Andrea Fortuna
  When digital evidence follows you home in DFIR teams

• Andrew Garrett
  Being Cross-Examined by AI

• Brett Shavers
  The difference between “No one will hire me” and “I am no longer professionally allowed to do this DFIR work”

• Cellebrite
  AI in Digital Forensics: 10 Best Practices for Investigators

• CyberBoo
  Microsoft Defender for Office 365 Part 10: Attack Simulation Training

• Decrypting a Defense
  Securus Jail Call Monitoring, Cities Lose Control Over Surveillance, Police IDs Made from Video, Nina Loshkajian Answers 5 Questions & More

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 06/01/26

• Forensic Focus

  • Belkasoft Releases Belkasoft X v2.11, Expanding AI-Powered Investigations And Evidence Extraction Capabilities
  • Burnout, PTSD, Suicidal Thoughts – The DFIR Well-Being Study Results Are In
  • Digital Forensics Jobs Round-Up, June 01 2026
  • Andreas Antonsen, Founder, STNDRDS AB
  • Video Timing In Amped FIVE
  • Digital Forensics Round-Up, June 03 2026
  • Forensic Focus Digest, June 05 2026
  • How Freeland Is Using Detego Technology to Dismantle Wildlife Trafficking Networks

• Johan Berggren and Wajih Yassine at Open Source DFIR
  Welcoming OpenRelik to the OSDFIR Infrastructure family

• Oxygen Forensics
  How to Use Image Categorization in Oxygen Forensic® Detective

• Passware
  BitLocker Decryption Today: YellowKey Explained and Where Passware Steps In

• Patrick Siewert at ‘The Philosophy of DFIR’
  Training Philosophy: Law Enforcement vs. Private Sector

• Ben Webb at Recon Infosec
  Cross-Org Visibility for LimaCharlie

• Rob T. Lee
  A Buffer Is Not a Cure

• TobyG at sentinel.blog
  Sentinel-As-Code: Wave 4, the docs nobody wanted to write

• Sygnia
  Incident Response Metrics That Actually Matter to Boards (And the Ones That Don’t)

• Aditya Bhatt at System Weakness
  Splunk 101: Hands-On Introduction to SIEM, Log Ingestion, and Basic Threat Hunting

• Sydney Marrone at THOR Collective Dispatch
  You’ve Got This: Just Hit Submit on That Brilliant Idea

Software releases/updates

• Alexandre Borges
  Malwoverview 8.0.2

• Costas K
  Jumplist-Browser LNK & Jumplist Browser v.1.0.25

• Digital Sleuth
  winfor-salt v2026.9.6

• Erik Hjelmvik at Netresec
  PolarProxy 2.0.1 Released

• Hasherezade
  PE-Bear v0.7.2

• Joe T. Sylve, Ph.D.
  SpiceCrypt 3.0: QSPICE Support

• Lethal Forensics
  Microsoft-Analyzer-Suite v1.8.0

• MISP
  MISP 2.5.39 – New Dashboard Experience, Stronger STIX, Sharper Analyst Workflows

• James Chambers and Robert Herrera at NCC Group
  Tool Release – Ghidra MediaTek Modem Image Loader

• Tobias Michalski at Nextron Systems
  New THOR Cloud Log Inspection View

• North Loop Consulting
  Sedgwick v1.3 Release!

• OpenCTI
  7.260604.0

• Qimin Zhao
  open-investigator Open Investigator v1.26.0

• radare2
  6.1.6

• Rapid7
  Velociraptor Release 0.76.6

• VirusTotal
  YARA v4.5.7