Forensic Analysis

• F-Response
  F-Response Collect, X-Ways, and You

• Forensafe
  Memory Users

• Joe T. Sylve, Ph.D.

  • Transparent Compression (DECMPFS)
  • Clonegroups
  • Encryption Rolling
  • Volume Grafting
  • Speculative Telemetry

• Kevin Pagano at Stark 4N6
  LEAPPing with LAVA

• Marco Neumann at ‘Be-binary 4n6’
  Reading the Wire — Protobuf Without a Map

• Chip Riley at Palo Alto Networks
  Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered

Threat hunting/threat intelligence

• Abnormal Security

  • 2026 Attack Landscape Report: Vendor Email Compromise
  • Ghost-Sender: Why Email Spoofing Still Works When Authentication Fails

• Apophis
  The Admiralty System in CTI

• ASEC

  • May 2026 Dark Web Breach Incident Trend Report
  • Dark Web Threat Actor Trend Report May 2026
  • May 2026 Dark Web Issue Trend Report

• BI.Zone
  Fluffy Wolf tests new toolkit on Russian companies

• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | June 2026

• Darren Williams at BlackFog
  Inside OnyxC2: The New Stealer Targeting 210 Apps

• Caden Toellner and Nevan Beal at Blackpoint Cyber
  Seeing Through the Tunnel: Leveraging SIEM Detections to Expose Malicious SSL VPN Authentications

• Brad Duncan at Malware Traffic Analysis
  2026-06-09: Atomic macOS (AMOS) Stealer infection

• Brian Krebs at ‘Krebs on Security’

  • A Record-Breaking Patch Tuesday for June 2026
  • Who Runs the Ransomware Group ‘The Gentlemen?’

• BushidoToken
  UK Cybercrime Journal: Arup Group Breached by FulcrumSec

• Censys
  The Package That Never Shipped: Following a USPS Smishing Kit Through Censys DNS Data

• CERT Polska
  UNC1151/Ghostwriter phishing campaign targeting Gmail accounts

• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 6 – 12 giugno

• Check Point

  • 8th June – Threat Intelligence Report
  • Global Cyber Attacks Ease in May 2026, But Ransomware Surges 48% As Threats Reorganize
  • From SQLi to RCE – Exploiting LangGraph’s Checkpointer

• CloudSEK

  • Inside a WooCommerce Payment Skimmer: How Carders Moved From Phishing Pages to Checkout Backdoors
  • Chinese Origin Threat Actors Target FIFA World Cup 2026

• Dylan Main at Cofense
  From Fake Amazon Security Alert to HarborWatch Agent: ClickFix Delivery of a Custom Monitoring RAT

• Roshan at Confiant
  Red Card: The 2026 FIFA World Cup Scam Landscape

• Tim Chiu at Corelight
  The North Korean IT worker threat: A modern insider risk | Corelight

• CrowdStrike
  CrowdStrike 2026 Technology Threat Landscape Report: China’s Ambitions Fuel Attacks

• CTF导航

  • APT-C-08（蔓灵花）近期钓鱼网站攻击活动分析
  • Hades 活动：针对PyPI的大规模供应链攻击分析

• Cyble

  • FIFA World Cup 2026 Scams Are Already Active: Fake Domains, Phishing Sites, and How to Stay Safe
  • Borrowed Trust – Systematic Exploitation of Abandoned Cloud DNS Delegations to serve Thai Gambling SEO Content

• Cyfirma
  Weekly Intelligence Report – 12 Jun 2026

• D3Lab

  • NFCShare evolves: from a banking phishing APK to a GitHub-hosted Android NFC fraud campaign
  • Dentro la truffa: la falsa campagna a tema Polizia Postale che esfiltra dati in tempo reale

• Dark Atlas
  How a Go Binary Locks Down Enterprise Networks in Minutes: The Story Behind Gentlemen Ransomware

• Katie Knowles at Datadog Security Labs
  Entra Agent ID: The blueprint blast radius

• Daylight Security

  • How to Detect Lateral Movement Before Attackers Reach Critical Assets
  • From Help Desk to Backdoor: Microsoft Teams Social Engineering Delivers the DinDoor Deno RAT

• Detect FYI

  • Hidden in Plain Sight: PowerShell Visibility Most Defender XDR Analysts Miss
  • Identify shebang files via Threat Hunting (+ KQL Queries)

• Disconinja
  Weekly Threat Infrastructure Investigation(Week24)

• Jamie Hynds and Sumana Mannem at Elastic
  Monitor Claude activity in Elastic Security

• Erik Hjelmvik at Netresec
  Maximizing IOC Impact

• Flare

  • Ransomware-as-a-Service: LockBit Alumni Launch Competing Programs as Ecosystem Consolidates in Q1 2026
  • Supply chain ransomware: TeamPCP weaponizes worms to fuel partnerships and $95K data sales

• Google Cloud Threat Intelligence
  ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit

• Group-IB

  • SilabRAT, What’s Your Power?
  • Sniper’s Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud

• Rahul Ramesh at Howler Cell
  OnionDrop: Commoditized Loader with Nation-State-Grade Evasion

• HP Wolf Security
  HP Wolf Security Threat Insights Report: June 2026

• Huntress

  • Inside .NET Loader Analysis: From Malspam to In-Memory Loader
  • Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix

• Nick Sundvall and David Brunsdon at Infoblox
  Residential Proxies in the Wild

• Lucas Dodgson, Tobias Oberdörfer, Robin Hilber at InfoGuard Labs
  Ghost-Sender – Universal Email Spoofing against Exchange Online

• InfoSec Write-ups

  • CTI as a Code: Complete Step-by-Step Methodology
  • ThreatMapper: I Built a Self-Hosted AI Threat Intelligence Platform — Here’s How to Use It
  • Operation Desert Hydra — AI-Assisted CTI Pipeline: MuddyWater to Kibana
  • CTI as a Code in Practice: Reactive Investigation — LifeTech Pharma
  • SolarDisruption Lab Writeup (CyberDefenders)
  • Raining Dinosaurs  —  Storm-2603 Lab Writeup [CyberDefenders]
  • GreyCTF 2026  —  Crimewatch Forensics Challenge Writeup
  • Ramnit Blue Team Lab (CyberDefenders)
  • How I Built a SOAR Automation in Microsoft Sentinel That Responds to Attacks Without a Single Click

• John Kevin Adriano at LevelBlue SpiderLabs
  The Device Code Phishing Tsunami: What We’re Seeing in the Wild

• Microsoft Security

  • AI brands as bait: How threat actors are using the AI hype in social engineering
  • Reconstructing AI activity in investigations 

• Sydney Marrone at Nebulock
  Your Newest Insider Is an AI Agent You Authorized

• OpenSourceMalware
  Active Malware Campaigns in January-May 2026

• Palo Alto Networks

  • When “Hi, This Is IT” Comes Through Microsoft Teams
  • Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility
  • Trust No Skill: Integrity Verification for AI Agent Supply Chains

• Joseph Williams at Pen Test Partners
  ClickFix, CrashFix and the growing family of copy and paste attacks 

• Proofpoint
  Don’t Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

• Rapid7

  • Automated Threat Hunting: Turning Threat Intelligence into Executable Hunt Plans
  • Criminal AI-as-a-Service in 2026: How the Underground Market Is Operationalizing Cybercrime

• Recorded Future

  • May 2026 CVE Landscape
  • China’s Noncombatant Evacuation Operations: 2005–2025

• Red Canary

  • Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents
  • How threat hunting evolves at scale

• Red Piranha
  The Gentlemen Ransomware: Threat Intelligence Analysis, TTPs & Detection Guide

• Jason Downey at Red Siege Information Security
  Enumerate Domain Data (EDD): Powerview’s .NET Cousin

• Resecurity
  The Anubis Ransomware Attack on the Adriatic Port Authority

• SANS Internet Storm Center

  • TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)
  • Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
  • How has use of framing protection security headers changed in the past 3 years?, (Wed, Jun 10th)

• Sansec
  OptinMonster supply chain attack hits 1.2 million sites

• Security Joes
  Shai-Hulud: Miasma – When a Supply-Chain Worm Learned to Hijack AI Coding Agents

• Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee at Securonix
  Analyzing SHEET#CREEP: SHEETCREEP is up again with different config obfuscation

• Sekoia
  APT28, an evolution of tradecraft

• Silent Push
  What Recent Reporting Gets Right About The Gentlemen RaaS and What Silent Push Learned Months Earlier

• Socket

  • Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave
  • Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels
  • 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic

• SOCRadar

  • Dark Web Profile: Rock
  • Dark Web Profile: Tengu Ransomware (Shisa)

• Spur
  Monetizing the Last Mile: How Proxy Providers Co-Opt Entire Networks

• Evelyne Diaz Araque at Stairwell
  Detecting Remus Infostealer

• Step Security

  • The Hades Campaign: Graph ML PyPI Packages Deploy Cross-Platform Memory Scrapers, AI Analyst Misdirection, and a Wiper Deterrent
  • Pythagora-io/gpt-pilot Compromised on GitHub – Shai-Hulud Credential Stealer Blocked by Python Linter
  • Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspicious Files

• Marco A. De Felice aka amvinfe at SuspectFile
  Everest: Six Years of Evolution from Data Leak to Double Extortion – the interview

• Sygnia
  Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected

• The Hunter’s Ledger
  Flask C2 & MSSQL CLR Backdoor on a Windows Post-Exploitation Staging Host

• The Shadowserver Foundation
  Shadowserver Report Provides Cybersecurity Insights and Recommendations for ECOWAS Member States in West Africa

• ThreatMon

  • Oil & Gas Under Siege: What the 2026 Cyber Threat Landscape Actually Looks Like
  • FIFA World Cup 2026 Threat Assessment Report

• Hiroyuki Kakara and Feike Hacquebord at Trend Micro
  Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – May Update

• Elliot Roe and Sreekar Madabushi at Valdin
  Offside and Online: GHOST STADIUM Phishing Targeting World Cup Fans

• Vishal Thakur

  • Building a Global Community Around Insider Threat Defense
  • PR3TACK: A Framework for Preemptive Security Operations

• WeLiveSecurity
  OceanLotus: From external espionage to domestic targeting

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Belkasoft
  Effective AI: How to Set Up and Configure Artificial Intelligence in Your Digital Forensics Lab

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-06-15

• CQURE Academy
  WEBINAR – Modern Threat Hunting with AI: 10 Skills for Detecting What Others Miss

• Magnet Forensics

  • Introducing Magnet Autokey: Accelerating your vehicle investigations
  • Digital investigations for data-driven threat hunting
  • Magnet Review: Ensuring secure cloud-based investigations

Presentations/podcasts

• Adversary Universe Podcast
  China Targets Technology to Steal AI Capabilities It Can’t Build

• CQURE Academy
  CQURE Hacks #81: The Ultimate KQL Query Toolkit for Threat Hunters and Security Analysts

• Cyber Secrets

  • Magnet Link BitTorrent in the CSI Linux Case Management System
  • Help Documentation in the CSI Linux Case Management System

• Dr Josh Stroschein
  [Workshop] Identifying Reference Proxies

• FBI
  Ahead of the Threat Podcast: Season 2, Episode 7—Richard Horne

• FIRST

  • Episode 59: Julie Agnes Sparks and Greg Foss, Datadog, FIRSTCON26 Speakers
  • Episode 60: Mars Cheng, TXOne Networks Inc., FIRSTCON26 Speaker

• Huntress
  Tradecraft Tuesday | We Need to Talk About Device Code Phishing

• InfoSec_Bret
  IR – SOC334 – Apache Tomcat RCE Exploitation Detected (CVE-2024-50379)

• John Hammond

  • Payload Podcast 008 – Ryan Hausknecht
  • ContinuumCon 2026 – Day 1
  • ContinuumCon 2026 – Day 2

• Magnet Forensics

  • Legal Unpacked S1:E9 // Digital evidence in criminal prosecutions: Discovery obligations, requests, and practical strategy
  • Ask Me Anything: Strengthening eDiscovery with digital forensics

• Monolith Forensics
  Saving and Exporting Metrics Reports in Monolith

• MSAB
  #MSABMonday – XAMN Pro File Extension

• MyDFIR

  • The Skills Every SOC Analyst Job Actually Wants in 2026
  • JoJo’s Hospital: Ransomware | KC7 Cyber | Part 1

• Off By One Security
  Red Teamer, Content Creator, and Practitioner of Black Magick with Alh4zr3d

• Open Source Forensics Lab
  Install DaVinci Resolve on AlmaLinux With AlmaLinux Creative installer

• OpenSourceMalware
  OpenSourceMalware Show Episode #8 – June 11, 2026

• Proofpoint
  Diving Into the DBIR: Vulnerabilities, AI, and Supply Chain

• Richard Davis at 13Cubed
  The Korvath Incident: A macOS Forensics Challenge

• Sandfly Security
  Linux Rootkits and Malware from Simple to Sophisticated

• SANS

  • SANS Spark CTF 2026: Building the Next Generation of Cyber Talent
  • Defending with the Same AI That’s Coming for You with Chris Cochran

• SANS Cloud Security
  AI-Driven DevSecOps Part 1: Securing Coding Agents with Model Context Protocol (MCP)

• SANS Cyber Defense

  • Wireshark Command Line Tools
  • From OSINT to Digital Forensics — and Back: Turning Data into Actionable Intelligence

• SentinelOne
  LABScon25 Replay | Keynote: Steps to an Ecology of Cyber

• Sumuri
  How to use Network Share (SMB) in RECON Imager | RECON ITR Deep Dive

• Team Cymru
  Inside Group Pink’s Vishing Tactics, Residential Proxy Zero-Trust, and the AI SecOps Arms Race

• THE Security Insights Show
  The Security Insights Show Episode 293- Agent 365

• Three Buddy Problem
  Mythos, Fable, and Anthropic’s Big Trust Problem

• Uriel Kosayev
  Analyzing some itsy bitsy tricks of the WannaCry Ransomware

• Yaniv Hoffman
  The Linux Backdoor Hiding Inside Every SSH Login

Malware analysis

• Subhajeet Singha at Acronis
  Behind Khmer Shadow: Targeted espionage against Cambodian government entities

• Cara Lin at Fortinet
  Threat Actors Weaponize AI Hype to Deliver AsyncRAT

• Gen

  • GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers
  • Fake hiring pages abuse FIFA and other major brands to steal work credentials

• Robert Simmons at ReversingLabs
  Device code phishing bypasses password stealing

• Diyar Saadi at Secjuice
  Malware Analysis: Is It About Tools or Mindset?

• Shubho57
  Analysis of Locker Malware (TrymeLocker)

• The Raven File
  DECODING GRIXBA — A PLAY RANSOMWARE SCANNER

• ZScaler

  • Technical Analysis of MLTBackdoor
  • Shai-Hulud Campaign Evolution: Miasma, Hades, and AI Scanner Evasion

• Arden Trace at Блог Solar 4RAYS
  Живое ископаемое, или как выжил ботнет ProxyCB

Miscellaneous

• Brett Shavers
  Will Tomorrow Be Your DFIR ‘Mann Gulch’?

• Cellebrite

  • Automate Android and iOS Device Interactions with a Corellium Linux Server 
  • Deterrence through Collective Digital Intelligence
  • Mobile App Security Checklist: A 30-Day Plan to Go From Zero to Secure
  • The New Age of Investigations: Cellebrite’s Journey to Genesis 
  • Cellebrite Launches the New Age of Investigations with Genesis, Now Generally Available
  • Building Embedded Firmware Without Touching Hardware
  • Iceland District Prosecutor’s Office: Using AI Tools to Investigate Financial Crime

• Christian Feuchter at Compass Security
  Entra Agent ID from a Security Perspective

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 06/08/26

• DFIR notes
  4WH

• Forensic Focus

  • Leica’s Marcus Rowe On Investigating The World’s Largest Crash Test, Plus What To Expect At FEE 2026
  • How XRY Pro Helped Recover Critical Evidence From A Non-Responsive Smartphone
  • BitLocker Decryption Today: YellowKey Explained And Where Passware Steps In
  • UPCOMING WEBINAR – Meet Cellebrite Genesis: From Digital Overload To Investigative Clarity
  • Digital Forensics Round-Up, June 10 2026
  • Amped Podcast Episode 1 – CCTV Nightmares: Chain Of Custody Secrets From Scene To Courtroom
  • What’s Really Slowing Your Extractions? (Hint: Not Your Tools)
  • Present At Magnet User Summit & Magnet Virtual Summit 2027!

• Intel 471
  Making the Business Case for Your CTI Budget

• Kenneth G. Hartman at Lucid Truth Technologies
  The California Catch: How to Subpoena a California Tech Company for Criminal Defense Evidence

• Kevin Pagano at Stark 4N6

  • Forensics StartMe Updates (June 2026)
  • Techno Security Conference 2026 Recap

• Magnet Forensics

  • Submissions now open to present at Magnet User Summit & Magnet Virtual Summit 2027!
  • Best cloud investigation tool for enterprise
  • That One Artifact: Mapping the “Where”, proving the “Why”

• Mahmoud Elfawair
  The Azure Lab Diaries – Sentinel For MSSP & Protecting Intellectual Property

• MISP

  • Create a daily threat briefing with zsazsa and MISP
  • Best Practices for MISP API Key Management

• Oxygen Forensics

  • How to run your first case in Oxygen Review Center Lite — and know what “good” looks like
  • Oxygen Review Center Lite vs. Oxygen Review Center: What the Full Version Delivers for Public Sector Investigations

• Eric Law at text/plain
  Participatory Extensible Security

• Ryan G. Cox at The Cybersec Café
  Start for the Passion, Improve for the Money, Stay for the Challenge

• Carlos Perez at TrustedSec
  Hardening Intune: The Implementation Guide

Software releases/updates

• Binary Ninja
  5.3 Release 2

• Cyber Triage
  Cyber Triage 3.18: New AI + Cloud Automation Capabilities

• DFIRe
  1.5.0 — June 14, 2026

• Digital Sleuth
  winfor-salt v2026.9.8

• Doug Burks
  so-crates v1.0.0

• Flip Forensics
  AI Forensic Triage (AIFT) V2.0 – MCP, CLI and API are here and much broader artifact support

• GCHQ
  CyberChef v11.1.0

• Ghassan Elsman
  Crow-Eye 0.11.0

• Google
  Timesketch 20260611

• Adam Hachem at Hexordia
  Checking out Evanole VM v20260603: Introducing EVM!

• OpenCTI
  7.260609.0

• Rapid7
  Velociraptor 0.77 Release

• Timothy Vang
  VERDICT v0.1.3

• Xways

  • X-Ways Forensics 21.8 SR-2
  • X-Ways Forensics 21.9 Preview