Forensic Analysis

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  TrustMark’s False Positive Problem

• Oleg Afonin at Elcomsoft

  • Downloading iOS 26 iCloud Backups
  • “Get Verification Code” Is Missing in iOS 18 and iOS 26; Here’s Where It Went

• Forensafe
  Memory Web

• Seth Enoka
  Shimcache and Amcache Forensics: Execution Evidence Without Certainty

• Nathanael Ndong at Synacktiv
  AWS Forensics : What you need to know

Threat hunting/threat intelligence

• Darrel Virtusio at Acronis
  From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

• Ilyas Makari at Aikido
  Over 140 popular Mastra npm Packages Hit by Supply Chain Attack

• Prajwal Pandey at Altered Security
  Abusing Global ARM API – Publishing User Compromise

• Andrea Fortuna
  iCloud Private Relay and the shrinking horizon of network forensics

• ASEC

  • May 2026 Threat Trend Report on APT Groups
  • May 2026 Infostealer Trend Report
  • May 2026 Threat Trend Report on Ransomware

• Vinnie Liu at Bishop Fox
  The Smash-and-Grab Era

• Gabriel Macovei at Bitdefender
  Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags

• Darren Williams at BlackFog
  Lazarus Group Cyber Attacks: What Businesses Need To Know

• Brad Duncan at Malware Traffic Analysis
  2026-05-31: Seven days of scans and probes and web traffic hitting my web server

• Brian Krebs at ‘Krebs on Security’
  ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

• Joshua Penny at Bridewell
  The Booking.com Phishing Campaign Targeting Hotels and Customers

• BushidoToken

  • Ransomware Tool Matrix Project Updates: Three Groups To Track
  • UK Cybercrime Journal: Sustained DragonForce Campaign

• Censys

  • REDCap on the Internet: An Exposure Analysis
  • AdaptixC2: Fingerprinting an Open-Source C2 Framework at Scale

• CERT-AGID

  • Uso di LLM e automazione nelle operazioni ransomware del gruppo “The Gentlemen”
  • Phishing e spam via PEC: oltre 650 gli eventi gestiti nel 2026
  • FortiBleed: credenziali Fortinet esposte, interessata anche la PA italiana
  • Campagne di phishing a tema criptovalute abusano del nome dell’Agenzia delle Entrate
  • Sintesi riepilogativa delle campagne malevole nella settimana del 13 – 19 giugno

• Chamindu Pushpika at ChamX
  Uncovering an APT28-Inspired Attack on Global Freight UA – XINTRA

• Check Point

  • 15th June – Threat Intelligence Report
  • From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker

• CloudSEK

  • Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions
  • Bluekit Phishing as a Service (PhaaS)
  • Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind

• Cofense

  • Elon Musk, the IRS, and Your Bank Account: Anatomy of a Multi-Stage Financial Scam
  • World Cup-Themed Phishing Campaign Delivers Voidrift Malware with Highly Personalized Lures

• Cyble
  Operation FanTrap: Inside the FIFA 2026 Fraud Ecosystem

• Cyfirma
  Weekly Intelligence Report – 19 Jun 2026

• Andrea Draghetti at D3Lab
  Italian Invoice-Themed Phishing Campaign Delivers UpCrypter and NeptuneRAT

• Datadog Security Labs

  • Holding blobs for ransom: Four methods for Azure Storage ransomware
  • Mapping out your unknown: A threat hunter’s guide to Salesforce
  • Entra Agent ID: Inside a cross-tenant agent compromise

• Zshan Hyder at Detect FYI
  DCOM Explained: How Attackers Turn a Windows Feature into a Lateral Movement Tool

• Paul Asadoorian at Eclypsium
  FortiBleed: You Can’t Patch Your Way Out of This

• Elastic Security Labs

  • Lost in relocation: analysis of a new loader distributing CASTLESTEALER
  • Azure AD Graph Activity Logs: Ingestion and threat detection to close the visibility gap

• FalconFeeds

  • Threat Actors Without Borders: The Rise of Transnational Cybercrime Alliances
  • From Breach to Influence: The Convergence of Cyber Espionage, Ransomware, and Strategic Narrative Warfare
  • The New Reconnaissance Era: How Threat Actors Profile Organizations Before the First Phish
  • The Next Billion Devices: How Connected Infrastructure Is Reshaping Threat Intelligence

• Olivier Bilodeau and Estelle Ruellan at Flare
  StealerLens: Turn Hours of Stealer Log Analysis Into a Coffee Break

• Patrick Whitsell and John McGuiness at Google Cloud Threat Intelligence
  Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research

• Group-IB

  • GitBait: Phishing the Mexican Financial Sector
  • GitBait: Phishing dirigido al sector financiero mexicano

• David Lu at Hidden Layer
  Updating HiddenLayer’s APE Taxonomy: A New Objective Model for AI Attacks

• Hudson Rock

  • FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure
  • Inside the FortiBleed Response: Hudson Rock’s Insights into the Global Disclosure Effort

• Hunt IO

  • Chinese-speaking Operators Clone FIFA’s World Cup 2026 Ticketing Site To Steal Fan Logins and Card Data
  • Ababil of Minab Exposed: LA Metro SCADA Backups and Israeli Victim Data Left Open on an Iranian Staging Server

• Stephan Berger at InfoGuard Labs
  Anatomy of a Deno-Based Proxy & RAT

• Andrey Pautov at InfoSec Write-ups
  The Intelligent Shield. OpenCTI

• Intrinsec
  Understanding AitM attacks in Entra ID: Attack mechanics, and defensive measures

• Jacob Larsen
  Constellation: Clustering Nihilistic Violent Extremist Telegram Networks

• Kevin Beaumont at DoublePulsar

  • FortiBleed — 75k Fortinet firewalls have admin passwords cracked
  • An update on FortiBleed — what’s happening with victim orgs

• Adam Goss at Kraven Security
  Volt Typhoon: Hunting the Ghost Already Living in Your Network

• Raúl Redondo at Lares
  The Phantom Menace: Exposing hidden risks through ACLs in Active Directory

• LevelBlue SpiderLabs

  • Reversing NVIDIA’s CVE-2026-24190: How a Kernel Flaw Put Enterprise AI Clusters and Workstations at Risk
  • RoguePlanet and GreatXML: Detecting Local Privilege Escalation and BitLocker Security Boundary Abuse
  • Operation FlutterBridge: The FlutterShell macOS Backdoor

• Mathilde Venault at CrowdStrike

  • New Abuse of the ClickOnce Technology, Part 1: The Inner Workings of ClickOnce Application Deployment
  • New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever

• Microsoft Security

  • From package to postinstall payload: Inside the Mastra npm supply chain compromise
  • Crypto Clipper uses Tor and worm-like propagation for persistence and control
  • Beyond the benchmark: Advancing security at AI speed 
  • AutoJack: How a single page can RCE the host running your AI agent 

• Idan Cohen at Mitiga
  AI Agent Supply-Chain Malware in Instruction Files

• Natto Thoughts
  The Inevitability of Reunification: China’s View of Strategic Drivers for A Potential Taiwan Conflict

• Robert Derby at Netscout
  Understanding Network Traffic for Threat Hunting

• Marius Benthin at Nextron Systems
  OSS Artifact Scanning at Scale Without Burning Your Token Budget

• Christos Giampoulakis, Theodoros Polyzos, and Dimitrios Patounis at NVISO Labs
  Reducing Microsoft Sentinel Costs Without Compromising Detection – Part 1: The Summary Rules Quest

• OALABS Research
  Captured Logs Reveal Hackers Using Claude and Codex to Breach Companies

• Obsidian Security

  • How Obsidian Security Found What 700 Companies Couldn’t: A SaaS Supply Chain Investigation
  • The Trusted Integration That Wasn’t: Inside the Klue SaaS Supply Chain Attack on Salesforce

• Oleg Skulkin at ‘Know Your Adversary’

  • 396. Another Cloud Storage Abused by Akira Affiliates for Exfiltration
  • 397. Using Adversaries’ Stealth Against Them

• Orange Cyberdefense
  A deep dive into a prolific initial access threat

• Rizqi Setyo Kusprihantanto at OSINT Team
  Case Study Review: Silver Fox APT’s Tax-Phishing Campaign Impersonating Indonesia’s Tax Authority…

• Moshe Siman Tov Bustan and Nir Zadok at OX Security
  easy-day-js Supply Chain Attack Hits Mastra AI in npm

• Art Ukshini at Permiso
  Mind the Gap: GCP serviceData in Logs Explorer vs. Exported Logs

• Proofpoint
  Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation

• Daniel Card at PwnDefend
  Bleeding Out

• Alex.Turing, Acey9, and WangZhiCheng at Qi’anxin X Lab
  隐形毒刺：超4000台老旧路由器遭AryStinger入侵，沦为黑客全球攻击跳板

• Recorded Future
  FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems

• Red Canary

  • The dual-use dilemma: Rethinking detection for remote access tool abuse
  • Intelligence Insights: June 2026

• Thassanai McCabe and Alexa Feminella at ReliaQuest
  Klue Integration Abused in Salesforce Data Theft

• Resecurity
  Cybercriminals Are Targeting EdTech: Data Breaches and Ransomware Attacks on the Rise

• SANS Internet Storm Center

  • Evil MSI Background: BASE64 Statistical Analysis, (Mon, Jun 15th)
  • From a VHDX File to a Remcos RAT, (Tue, Jun 16th)
  • The Behavior of Coordinated SSH Brute Force Attacks over the last three months [Guest Diary], (Wed, Jun 17th)
  • The browser blind spot: Why your security tool may not be blocking what you think it is [Guest Diary], (Wed, Jun 17th)
  • eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address, (Fri, Jun 19th)

• Sekoia
  Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework

• Vaibhav Krushna Billade, Dixit Panchal & Rumana Siddiqui at Seqrite
  Threat Actors Weaponizing RAR Archives to Target Thailand’s Healthcare Sector

• Silent Push

  • What Is the Preparation Phase? The Part of the Attack Timeline Most Tools Miss
  • FIFA World Cup: Hunting 227 Phishing Domains With the Silent Push MCP Server

• Socket

  • GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions
  • 140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack
  • npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners

• SOCRadar
  Dark Web Profile: Fox Kitten

• François Labrèche at Sophos
  A needle in a stack of needles: Hunting infostealers with AI

• Ashish Kurmi at Step Security
  15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers

• Stephan Berger
  Anatomy of a Deno-Based Proxy & RAT

• Symantec Enterprise
  Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden

• Sysdig

  • How attackers are jailbreaking LLMs with CTF framing and how to catch them
  • LLMjacking evolved: Attackers are using stolen AI compute to build offensive agentic tools

• The Shadowserver Foundation
  SocGholish Compromised WordPress Sites Special Report

• Théophane Dumas at NobisD
  eBPF rootkits & forensics: from blinding telemetry to memory detection

• ThreatMon

  • Why Would an Adversary Collect 74,000 FortiGate
  • Global FortiGate Access Campaign Report

• Trend Micro

  • Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
  • PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM

• Trevor Hilligoss, Aurora Johnson, Keegan Keplinger, and Peter Anderson at SpyCloud
  More Than a Leak: What SpyCloud Found Inside the FortiBleed Threat Actor Infrastructure

• Heresh Zaremand at Truesec
  FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise

• Umut Bayram at Picus Security

• Umut Bayram at Picus Security

  • Tengu Ransomware: Attack Chain From Initial Access to Encryption
  • UNC1549 TTPs: Iranian APT Targeting Aerospace and Defense
  • SloppyLemming Attack Techniques & BurrowShell Backdoor Explained
  • Showboat Malware: Targeting Middle East Telecom Firms Since 2022
  • OceanLotus (APT32) Explained: Tactics, Malware, and TTPs
  • Defending Against ShinyHunters: Tactics and Breaches
  • What Is Pony Malware? Analysis of the Fareit Credential Stealer

• WeLiveSecurity

  • EvilTokens: A phishing attack that doesn’t steal your password
  • FishMonger’s arsenal upgraded: SprySOCKS for Windows
  • Killing me gently: Inside Gentlemen’s EDR killer framework

• John Stigerwalt at White Knight Labs
  Harnessing the Power of Cobalt Strike Profiles for EDR Evasion – Part 3

• ZScaler

  • What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector
  • ClickFix Campaign Generated Via AI Delivers SmartRAT

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • ADF Weekly Computer Training Sessions

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-06-22

• Cellebrite
  AI Is the Hot Sauce: From Data Overload to Investigative Insight

• Censys
  Virtual Threat Hunting Workshop

• Magnet Forensics
  Mobile Unpacked S4:E6 // ‘Cruisin’ with CarPlay – Taking a look under the hood at CarPlay artifacts

• MSAB
  What’s New in 9.8? Explore the MOBILedit Summer 2026 Webinar Schedule

Presentations/podcasts

• Hexordia
  Truth in Data: S2E10: The Community: Designing Digital Forensics Ecosystems

• Black Hat

  • Black Hat Europe 2025 | Insights From Phishing-Resistant Authentication
  • Black Hat Europe 2025 | Understanding Trends & Patterns In Insider Threat: Analysis Of 1,000+ Cases

• Compass Security
  SSH (Secure Shell) – Attacks and Best Practices

• Cyber Secrets
  Setting up your Agency-Organization in the CSI Linux Case Management System

• Cyber Social Hub
  Cyber Sleuth Show

• Desi of All Trades
  Insider Threat Awareness Training

• Dr Josh Stroschein
  [Workshop] Analyzing Control Flow Flattening

• FIRST
  FIRSTCON26 Event Recap

• InfoSec_Bret
  IR – SOC329 – CUPS RCE Detection via IPP Injection (CVE-2024-47177)

• Insane Forensics
  OT Threat Hunting: What Actually Works in ICS Environments with Joe Slowik

• John Hammond

  • ContinuumCon 2026 – Day 3
  • ContinuumCon 2026 Redux!

• John Hubbard at ‘The Blueprint podcast’
  Preventing Silent Failures with Nir Loya Dahan

• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – PoisonX rootkit, Kernel driver rootkit markup in Ghidra

• Magnet Forensics

  • Introducing Magnet Autokey: Accelerating your vehicle investigations
  • Digital investigations for data-driven threat hunting
  • Magnet Review: Ensuring secure cloud-based investigations

• Microsoft Threat Intelligence Podcast
  Hot Cybercrime Summer:  Smishing, Supply Chains, and Sleuthcon

• Monolith Forensics

  • Software and Equipment Tracking – Monolith Mondays
  • User Dashboard Overview (My Dashboard) | Monolith
  • Breaking Down Docker for Forensics

• MSAB
  #MSABMonday – Q2 Release Webinars

• MyDFIR

  • Inside the MYDFIR Forge: What You Actually Get
  • JoJo’s Hospital: Ransomware | KC7 Cyber | Part 2

• Off By One Security
  Windows Kernel Driver Code & Exploitation Techniques

• Open Source Forensics Lab
  How to Transfer Files with Netcat and Mount Filesystems | Linux Tutorial

• OpenSourceMalware
  The OpenSourceMalware Show: #9

• Parsing The Truth: One Byte at a Time Podcast
  S2 E4: Michael Jackson Part 1

• Richard Davis at 13Cubed
  How the USN Journal Really Works

• Sandfly Security
  How Linux Malware Works, From Simple to Sophisticated

• SANS Cyber Defense

  • When Time Lies: The Hidden Risk of Time Zones, DST, and Log Analysis
  • Run Python Like a Pro: Concurrent Futures for Security Automation and AI Agents

• Team Cymru
  Coalition’s Daniel Woods on the attorney-client privilege tactic shaping every IR investigation

• The Weekly Purple Team
  Weaponizing Windows QOS with EDRChoker and PowerShell

• THOR Collective Dispatch
  Ask-a-Thrunt3r: May 2026 — Ask Me About the War of 1812 🐏

• Three Buddy Problem
  Katie Moussouris on the Anthropic Export-Control Mess

Malware analysis

• David Zimmer at Cisco’s Talos
  Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model

• Vojtěch Krejsa at Gen
  Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections

• Genians
  MS 사칭 피싱과 Dead-drop C2 기반 APT37 NarwhalRAT 분석

• Kroll
  The Deep Dive: Kroll’s Analysis of the GARUDA C2 Malware

• Lenny Zeltser
  A Report Template for Malware Analysis

• Jan Michael Alcantara at Netskope
  macOS ClickFix Lures Deploy AppleScript Stealer & Persistent RAT

• OpenSourceMalware
  Mastra NPM attack: A deep dive on the malware and what it targets

• Anna Širokova at Rapid7
  Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain

• Maxim Starodubov and Denis Brylev at Securelist
  Dozens of malicious wallpapers found on Steam Workshop: gamers’ accounts at risk

• Shubho57
  Analysis of LARP53RAT (leading to Ransomware type operations)

• Liran Tal and Marian Corneci at Snyk
  A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope

• Puja Srivastava at Sucuri
  WordPress PBN Plugin Drops Dual Webshells via Database Injection

• Threatray
  Leveraging AI and Code Intelligence for Rapid Identification of Trojanized DLLs

• Jason Reaves and Joshua Platt at Walmart
  MetaStealer traffic, new DGAs and analyzing the “tracker” backdoor DGA with AI

• Wordfence

  • PSA: Supply Chain Compromise Targets ShapedPlugin, Backdoored Pro Plugins Distributed via Official Channels
  • Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin

Miscellaneous

• Sergiy Pasyuta at Atola
  Image only files with artifacts in Insight Forensic 5.8

• Maya Rotenberg at Daylight Security
  Incident Response Triage: Turning a Confirmed Threat Into a Response Plan

• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 06/15/26

• Forensic Focus

  • Jason Lesser, Founder, Map and Track
  • Digital Forensics Jobs Round-Up, June 15 2026
  • Cellebrite Launches The New Age Of Investigations With Genesis, Now Generally Available
  • MSAB Closes Key Evidence Gaps With Q2 2026 Suite Release
  • Forensic Focus International Well-Being Study 2026 Report
  • SQLite Forensics: How To Get More Evidence From Your Investigations
  • Digital Forensics Round-Up, June 17 2026
  • Amped Connect UK: The Free Event Every UK Amped User Should Attend
  • Forensic Audio & Video Transcription – Search Hours Of Recordings In Seconds | BelkaGPT
  • AI In Digital Forensics: 10 Best Practices For Investigators
  • Forensic Focus Digest, June 19 2026

• Sandra Bedrossian at Hunt & Hackett
  How to move from ClickOps to fully automated Microsoft Entra ID infrastructure

• Lares

  • Kerberos I – Overview
  • Kerberos II – Credential Access
  • Kerberos III – User Impersonation
  • Kerberos IV – Delegations

• Magnet Forensics
  Video enhancement filters now available in Magnet Witness

• Matthew Plascencia
  DaVinci Resolve, Linux and Forensics

Software releases/updates

• Alexandre Borges
  Malwoverview 8.0.4

• ANSSI
  DFIR-ORC v10.3.1

• Arkime
  v6.5.0

• Atola
  Atola Insight Forensic 5.8

• Datadog Security Labs
  GuardDog Release v3.0.0a2

• Digital Detective
  NetAnalysis v4.3

• Digital Sleuth
  winfor-salt v2026.9.10

• Elcomsoft
  Elcomsoft Phone Breaker 11.2: downloads iOS 26 iCloud backups

• GCHQ
  CyberChef v11.2.0

• Google
  Timesketch 20260617

• Kirtar Oza
  Engram MCP: Deterministic AI Orchestration for Memory Forensics

• MSAB
  Q2 2026 Major Release is now available

• OpenCTI
  7.260619.0

• Stephen Fisher Davies
  Android Intrusion Log Parser to CSV

• SUMURI
  PALADIN 9.4.2 is now available!

• Timothy Vang
  verdict-dfir VERDICT v0.1.5

• Xways
  X-Ways Forensics 21.9 Preview 2

• Yaniv Radunsky
  DFIR Companion v0.25.0