Forensic Analysis

• Christopher Eng at Ogmini

  • Examining Tailscale Artifacts – Part 6
  • Examining Tailscale Artifacts – Part 5

• Django Faiola at ‘Appunti di Informatica Forense’
  Comprehensive Waze Forensic Parsing for iOS

• Elcomsoft

  • Sideloading the extraction agent: a Stolen Device Protection workaround
  • Bypassing Stolen Device Protection: Alternative Ways of Installing the Extraction Agent

• Matthew Plascencia
  Linux Forensics Lab Part 1: How to Create and Mount Images

• Ovie Carroll
  AI Did It: Why Digital Investigative Analysts Must Not Outsource

Threat hunting/threat intelligence

• Abdul Mhanni
  When EPA isn’t EPA’ing: What Tools Like Certify, Certipy and checkMSSQLStatus.py miss

• Callie Baron and Piotr Wojtyla at Abnormal Security
  Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg

• Hunter Schwartz at Aikido
  Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets

• Andrea Fortuna
  Building a CI/CD pipeline for Sigma rules

• Arctic Wolf
  Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory

• Meriem Smache and Maxim Raya at AWS Security
  Prevent data exfiltration: AWS egress controls for cloud workloads

• Axel Z at Victory Road
  Pulling the Thread: Two Unreported Infrastructure Clusters Linked to Chinese Espionage Tooling

• Christine Barry at Barracuda
  A closer look at Africa’s evolving cyberthreat landscape

• David Fletcher at Black Hills Information Security, Inc.
  Insufficient Egress Filtering: How Weak Outbound Controls Enable Attacks

• Brad Duncan at Malware Traffic Analysis

  • 2026-06-01: SmartApeSG ClickFix –> Unidentified RAT
  • 2026-06-18: SHub Stealer infection (macOS)
  • 2026-06-22: SHub Stealer infection (macOS)

• Brian Krebs at ‘Krebs on Security’
  Scattered Spider Hackers Plead Guilty on Day 1 of Trial

• BushidoToken
  UK Cybercrime Journal: Hargreaves Landsdown Extortion Attempt by Bashe

• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 20 – 26 giugno

• Check Point

  • 22nd June – Threat Intelligence Report
  • ClickFix: The Attack That Turns Users Into Their Own Attackers

• Vanja Svajcer at Cisco’s Talos
  Introduction to COM usage by Windows threats

• CTF导航

  • INC勒索软件Rust双平台加密器技术演进与攻击链解构
  • APT-C-36近期针对哥伦比亚境内的活动分析

• Ctrl-Alt-Intel

  • Chinese actor compromises thousands of WordPress sites
  • WordPress Exploitation Exposure Checker

• Mike at Cyber and Ramen
  INC Ransomware Targets Mainframes: Exposed Servers Reveal Cross-Platform Payloads and APAC Campaign

• CyberBoo
  No More Pivoting: Microsoft Defender Now Enriches Every IP, Domain, URL & File

• Cyberdom

  • From ESTS Cookie Replay to Inbox Persistence
  • Weaponizing Exchange Online Inbox Rules

• Cyfirma
  Weekly Intelligence Report – 26 Jun 2026

• Denis D3Lab at D3Lab
  Gang criminali all’assalto dei corrieri: il boom del phishing contro GLS

• Datadog Security Labs

  • Detecting the Klue supply chain attack in Salesforce instances
  • Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond

• Defused
  Same-Day Shells: A Full-Chain RCE Sweep Against Cisco CUCM (CVE-2026-20230)

• Detect FYI

  • Your SOC Has a Secret Weapon. Almost Nobody Uses It.
  • Testing AI Threat Hunting against Real-World KQL: A Side-by-Side Test
  • Your Endpoints Are Running Local AI Agents — Can You See Them?

• Dirk-jan Mollema
  Bypassing Conditional Access policies that have a resource exclusion

• Elastic Security Labs
  From vulnerability report to CVE draft in minutes: how Elastic automated security advisories with AI

• Erik Hjelmvik at Netresec
  Ping32 RMM and ValleyRAT

• FalconFeeds
  The First 72 Hours: An Intelligence-Led Analysis of Post-Compromise Behavior and Attacker Velocity

• Luis Corrons and Jakub Vavra at Gen
  Fake invoices are moving from inboxes to shopping apps

• Guillaume Valadon at GitGuardian
  Hunting Leaked PyPI Tokens: 62 Live, 125 Packages Exposed

• Google Cloud Threat Intelligence

  • Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager
  • STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus

• Howler Cell
  Forgotten Template, Machine-Account TGTs & TLS Dismantled Zero Trust

• Hunt IO
  Inside Eastern Europe’s C2 Sprawl: 3,900+ Servers and 302 Providers Mapped (Updated)

• Huntress

  • Akira, LimeWire, and the Sour Taste of Data Exfiltration
  • From Code to Coverage (Part 6): What netlogon.log Sees That Event 1644 Never Will

• Infoblox
  From San Pedro to Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy

• Intel 471
  ShinyHunters’ 0-day attacks: After patching, find out if you were breached

• Ruben Madar at Intrinsec
  Coinbase Cartel: behind the noise of a prolific leak operation

• Invictus Incident Response
  Incident Response Playbook: Malicious OAuth Apps in Entra | Invictus Incident Response

• LevelBlue SpiderLabs

  • LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign
  • Novel Java-Based QuimaRAT Targets Windows, macOS, and Linux

• Mehmet Ergene at Blu Raven Academy
  Defender AV Real-Time Protection Impact on EDR Telemetry

• Microsoft Security

  • One intrusion, two cyberattackers: Uncovering parallel threat activity
  • StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them
  • Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

• NCC Group

  • Dissecting Android Malware – Post 2: Mamont Variant – Advanced Dropper Logic and Encrypted Payload
  • Time as an Attack Surface

• Obsidian Security
  Technical Analysis of the Klue Attack: OAuth Abuse, Stale Integrations, and Salesforce Exfiltration

• Oleg Skulkin at ‘Know Your Adversary’

  • 398. SmartRAT – Smart Folders?
  • 399. Threat Actors Abuse Storj to Deliver OXLOADER

• OSINT Team
  The Anatomy of a Phishing Email — and What Happens After You Click

• Palo Alto Networks

  • The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration
  • OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat
  • CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

• Proofpoint
  StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions

• Luke Jennings at Push Security
  Investigating a novel OpenAI poisoned tenant attack

• Ridgeline Cyber
  When the Breach-Notification Clock Actually Starts (And Why Teams Miss the Deadline)

• Robin Dost at Synaptic Systems

  • GhostShell (MB-0009): Targeting Ukraine’s UAV Operations and Defense Supply Chain
  • Tracking UAC-0226 Tooling Evolution: From WinRAR ADS to Reflective GIFTEDCROOK Loading
  • UAC-0184 Tooling Evolution: OneDrive Sideload to Remcos

• Dejaun Barker at S-RM
  A burst bubble: How threat actors are using Bubble.io to deliver a new phishing campaign

• Sandfly Security
  Linux Scales eBPF Rootkit Detection and Analysis

• SANS Internet Storm Center

  • CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration., (Tue, Jun 23rd)
  • Webshells Remain Popular, (Mon, Jun 22nd)
  • Linux Process Name Masquerading, (Wed, Jun 24th)
  • What do Ports Hear When Nobody’s Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)

• Securelist

  • A VBScript campaign distributed through WhatsApp deploying RMM software
  • StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader

• Dixit Panchal & Soumen Burma at Seqrite
  Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment

• Socket

  • The Code You Didn’t Write Is Still Yours to Defend
  • Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

• Spur
  The Hidden Economy of Your Internet Connection

• Squiblydoo.blog
  Using the Cert Graveyard

• Stephan Berger
  Fantastic clear-text passwords and where to collect them (Part 1 – Linux)

• Alexander Goedeke at SVA Security Log
  Scalable Forensics for Business Email Compromise in Microsoft 365 with MAGIC, Timesketch and Jupyter

• Sygnia
  83% of Crypto Security Leaders Report Cyberattack Exposure as Sygnia Releases Bybit Investigation Findings

• Symantec Enterprise
  Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker

• Crystal Morin at Sysdig
  The FulcrumSec playbook: How to detect and stop the group behind the Novo Nordisk breach

• The Shadowserver Foundation
  StealC Historical Bot Infection Special Report

• Jacob Torrey at Thinkst Thoughts
  One for all the models out there!

• Kassandra Murphy at THOR Collective Dispatch
  AI Has Entered the Villa.

• ThreatFabric
  IPTV campaigns target Football Fans across Multiple Countries

• ThreatMon

  • Ransomware 2026 Report May
  • The Doors Were Already Open May 2026 Ransomware in Review

• Simon Dulude at Trend Micro
  From Langflow to Monero: Inside CVE-2026-33017 Cryptominer

• Umut Bayram at Picus Security

  • Agent Tesla Malware Analysis: How This .NET RAT Steals Your Data
  • Aquatic Panda (Earth Lusca) Analysis: Campaigns, Malware, and TTPs

• WeLiveSecurity

  • Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
  • ESET takes part in Operation Endgame to disrupt Amadey and Stealc

• Wiz

  • Uncovering Hidden Attack Paths in Cloud Environments Using Runtime Signals
  • MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension

• Sergey Belyaev at Блог Solar 4RAYS
  Охота на эксплойты: зачем и как это делать специалистам по ИБ

Upcoming events/webinars

• ADF Solutions

  • ADF Weekly Mobile Training Sessions
  • The First 60 Minutes of Digital Evidence: The Investigator Advantage
  • ADF Weekly Computer Training Sessions

• Black Hills Information Security

  • BHIS – Talkin’ Bout [infosec] News 2026-06-29
  • How to Convert IDEs Into Attack Vectors with Malicious Extensions

• Cellebrite
  Cloud Extraction in Practice: Finding the Evidence Beyond the Device

• Cyber Triage
  The DFIR + AI 2026 Challenge: The Biggest AI Win (and Fail)

• SANS
  Stay Ahead of Ransomware – July 2026

• Silent Push
  Use Case Deep Dive: Phishing Hit Your Inbox. Now Find the Other 40 Domains.

Presentations/podcasts

• ADF Solutions
  Digital Forensic Triage Maturity Model (TMM): A Framework for Modern Investigations

• Adversary Universe Podcast
  Examining the Glassworm Takeover with Tillmann “Bot Slayer” Werner

• Belkasoft
  Where DF meets IR: an incident response case, which turned out to be a criminal one

• Black Hat

  • Black Hat Europe 2025 | SCOMmand And Conquer – Attacking System Center Operations Manager
  • Black Hat Europe 2025 | China’s Nexus APT Exploiting Ivanti Endpoint Manager Mobile

• Cyber Secrets
  Searching the Dark Web in the CSI Linux Case Management System

• Dr Josh Stroschein
  [Workshop] Full Analysis & Recovery with de4dotEx

• InfoSec_Bret
  Challenge – USB Forensics

• Monolith Forensics

  • Item Locations and Offices – Monolith Mondays
  • Admin Dashboard Overview | Monolith Forensics

• MSAB
  #MSABMonday – XRY 11 5 0 Q2 Enrichment

• MyDFIR
  From Kinesiology to Cybersecurity: Shazeb’s MYDFIR Forge Experience

• Off By One Security
  Building the Kill Chain: From Initial Access to Kernel Research

• Open Source Forensics Lab
  DBBrowser for SQLite vs fqlite: SQLite Database Showdown

• Parsing The Truth: One Byte at a Time Podcast
  S2 E5: Michael Jackson Part 2

• Mike at Cyber and Ramen
  From Phishing to Prosecution: How Microsoft Fights Back Against Hackers

• SANS
  The Rise and Fall of Conti with Geoff White

• SANS Cloud Security
  AI-Driven DevSecOps Part 2: Protecting Kubernetes Microservices with the Kong Ingress Controller

• Sumuri
  What’s new in RECON ITR 26.1.0

• THE Security Insights Show
  The Security Insights Show Episode 294 | Andre Keartland | The Microsoft SC-500 exam

Malware analysis

• Andrea Draghetti at D3Lab
  Breaking Out of Chrome’s Sandbox: A Native Messaging Backdoor Observed in Italy

• Dark Atlas
  LoaderClient Malware Analysis: How WeedHack Uses Ethereum Smart Contracts for Resilient C2 Infrastructure

• Bakhtiyor Yokubov and Volen Kayo at Group-IB
  Millenium: A RAT Rewritten, A Threat Multiplied

• Harihara Sudhan at K7 Labs
  A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally

• Pierre-Henri Pezier at Nextron Systems
  Anatomy of a WHQL-Signed Windows Filtering Platform (WFP) Kernel-Resident Network Backdoor

• Zhassulan Zhussupov
  macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox

• Zhassulan Zhussupov
  Analysis of Drun Backdoor

• MD Mehedi Hasan at System Weakness
  PHP Malware Analysis: Obfuscated Remote Loader Using GitHub

• Threatray
  KuinaExtractor: Six Months of a Rust Infostealer’s Evolution

• Zhassulan Zhussupov

  • Malware analysis: part 9. AI-assisted deobfuscation: control flow flattening. Simple C example.
  • MacOS malware persistence 12: Folder Actions. Simple AppleScript and C example
  • Anti-DDoS research: detecting short traffic anomalies with Haar wavelets. Simple C example.

Miscellaneous

• Brett Shavers
  Forbidden DFIR

• Cellebrite
  How Cloud-Based Evidence Management Cuts the Digital Forensics Backlog

• Forensic Focus
  SOC Forensics: How to Set Up Automatic DFIR Analysis in the Cloud

• Maya Rotenberg at Daylight Security
  Incident Response Frameworks: Choosing Between NIST, SANS, and Reality

• Forensic Focus
  DFIR Jobs Update – 06/22/26

• Forensic Focus
  Automating forensic image collection with F-Response Collect

• Forensic Focus

  • Detego Global Announces Webinar Series For Investigators Across North America, India, And Africa
  • Magnet Forensics Invites You To Take Part In The Digital Investigations In Public Safety Survey!
  • The New Age Of Investigations: Cellebrite’s Journey To Genesis 
  • Atola Insight Forensic 5.8 Has Been Released. What’s New?
  • RAID Forensics: Handling Unknown Configurations In DFIR Investigations
  • Deepfake Forensics: How To Analyze Suspected AI-Generated Images
  • Cellebrite Genesis: Get Case Insights In Minutes
  • Digital Forensics Round-Up, June 24 2026
  • David Shipley: Investigating The Darkest Corners Of Digital Evidence

• Magnet Forensics

  • The new era of vehicle forensics: Why agencies need a modern approach
  • The case against the go-bag

Software releases/updates

• Alexandre Borges
  Malwoverview 8.0.5

• Amped
  Authenticate Update 40960: Introducing Video Deepfake Detection, a New Filter for Detecting the Adobe Watermark, Faster Image Deepfake Detection, and more!

• ANSSI
  DFIR-ORC v10.3.2

• C.Peter
  UFADE 1.0.4

• Crowdstrike
  Falconpy Version 1.6.3

• Datadog Security Labs
  GuardDog Release v3.0.2

• DFIRe
  1.5.1 — June 23, 2026

• Digital Sleuth
  winfor-salt v2026.9.11

• Doug Burks

  • ohmypcap v1.1.0
  • so-crates v1.1.0

• Elcomsoft
  iOS Forensic Toolkit 10.10 adds pairing-free sideloading of the extraction agent

• Foxton Forensics
  Browser History Examiner — Version History – Version 1.23.3

• Kevin Pagano at Stark 4N6
  SQLiteWalker v1.0.0 – A New Hope

• MemNixFS
  v1.1

• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.5.848.87

• MISP
  MISP 2.5.42 – MISP 2.5.42: Major Codebase Hardening Release, Scheduled TAXII Push and Many Updates

• OpenCTI
  7.260626.0

• Passmark Software
  OSForensics V11.1 build 1016 26th June 2026

• radare2
  6.1.8

• Sandfly Security
  Velociraptor Release 0.77.1

• Rizin Organization
  cutter v2.5.0-rc2

• Xways

  • X-Ways Forensics 21.7 SR-5
  • X-Ways Forensics 21.8 SR-3

• Yaniv Radunsky
  DFIR Companion v0.27.0