| If your organisation is interested in sponsoring an upcoming post then reach out via the contact form! |
| No sponsor this week |
As always, thanks to those who give a little back for their support!
Forensic Analysis
Brian Carrier at Cyber Triage
- 3 AI Prompts for More Confident DFIR Investigations
Django Faiola at ‘Appunti di Informatica Forense’
- Comprehensive Waze Forensic Parsing for Android
Dr. Neal Krawetz at ‘The Hacker Factor Blog’
- Meta’s Un-Stable Signature
Forensafe
Heather Charpentier
- Life360
LEAPPs Blog
Matthew Plascencia
- The Ultimate Guide to DB Browser for SQLite vs. fqlite for Digital Forensics
The DFIR Report
- From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
Threat hunting/threat intelligence
Santiago Pontiroli and Subhajeet Singha at Acronis
- Mustang Panda targets India’s government and energy sectors with ZOHOMURK and MINIRECON
Arctic Wolf
ASEC
Eric J. Taylor at Barricade Cyber Solutions
- CTI Report: Ninite Pro Remote Agent Leveraged for Persistence
Aaron Ringo at Bishop Fox
- On Favicons: From Browser Icons to Attack Surface Intelligence
Alina Bîzgă at Bitdefender
- Fake Interpol Investigation Emails Spread Ransomware
Rebecca Harpur at BlackFog
- The State of Ransomware: June 2026
Nevan Beal and Sam Decker at Blackpoint Cyber
- Vibe Coded Extortion: Avalon’s Path from Legal Lure to CrownX Ransom Capabilities
Bloo
Brian Krebs at ‘Krebs on Security’
- FBI Seizes NetNut Proxy Platform, Popa Botnet
BushidoToken
- UK Cybercrime Journal: Argos Account Takeover Fraud
Censys
- Roblox, Minecraft, and the Insidious Internet for Children
CERT-AGID
Check Point
Michael Kelley at Cisco’s Talos
- ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
Max Gannon at Cofense
- The Platform You Trust Is the Platform They Target
Cyb3rhawk
- Fork This: A Developer-Targeting Supply Chain Campaign Built Around Trading Bot Repositories
Cyberdom
- Harvest Now Decrypt Later
Andrea Draghetti at D3Lab
- New smishing campaign exploits APCOA Flow to steal payment card data
Detect FYI
- The Blind Spot in the Watchtower: Detections for When Someone Attacks Your Sentinel
EclecticIQ
- The AI Arms Race: How Adversaries are Weaponizing AI for Speed and Scale
Esentire
FalconFeeds
- Threat Actors Are Training AI Too: What CTI Teams Need to Know
- Threat Actors vs. Critical Infrastructure: The Strategic Shift from Data Theft to Operational Disruption
- The Rise of Cyber Mercenaries: How Private Threat Actors Are Reshaping Global Conflict
- Threat Actors in 2026: The Emerging Groups Every CISO Should Watch
Flashpoint
- Remus Stealer: A New, Not-So-New Infostealer
Google Cloud Threat Intelligence
Azizbek Khakimov at Group-IB
- Phishing in the Balkans: Fake Traffic Fines, Real Losses
Sophie at HackTheBox
- How Sophisticated Phishing Bypasses SEGs (And How to Trace It)
Stephan Meza at Hunt & Hackett
- Investigating AI-assisted credential access
Huntress
Craig Sanderson at Infoblox
- Residential Proxies: Why DNS Is the Stronger Play
InfoSec Write-ups
Ann-Marie Belz at Insinuator
- TROOPERS26: Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection
Hugo Chia, Moses Tay, Benjamin Tan, and Tan Zheng Xin at INTfinity Consulting
- Analyzing SessionReaper (CVE-2025-54236): An Offensive-Informed DFIR Analysis
Gilbert Kallenborn at Intrinsec
- How AI makes life easier for threat actors
Jeffrey Bellny at CatchingPhish
- B{r}owser’s Castle
Bert-Jan Pals at KQL Query
- ClickFix: The Gift That Keeps On Giving
Adam Goss at Kraven Security
- Why Your CTI Analyst Career Is Stuck (It’s Not a Skills Problem)
Kudelski Security
- How DPRK’s Contagious Interview Campaign Targets Developers – Kudelski Security Research Center
Lab52
- GRU: military unit 67606
LevelBlue SpiderLabs
Microsoft Security
Natto Thoughts
- The UK’s “Special Relationship” with China’s Defense-Linked Universities
Nick Thanos at Triskele Labs
born at nullteilerfrei
- CrimeEnjoyor: Hunting EIP-7702 Sweeper Contracts on Ethereum
Oleg Skulkin at ‘Know Your Adversary’
- 400. Another Threat Actor Started to Use Malicious Browser Extensions
Keerthiraj Nagaraj, Diva-Oriane Marty, Beliz Kaleli, and Oleksii Starov at Palo Alto Networks
- Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector
Practical Security Analytics
- Dumping LSASS Without Touching Disk: Improvements to ShadowDumper
Ray Fernandez at Moonlock
Recorded Future
- Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool
Ridgeline Cyber
Sam Steen at S-RM
- Ransomware in focus: Luna Moth
SANS Internet Storm Center
Securelist
- The Gentlemen are knocking: custom backdoors and evolving tactics
- ToddyCat: your hidden email assistant. Part 2
- OpenClaw: risks for agent users and how to mitigate them
- The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
- Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects
- Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign
Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee at Securonix
- Veil#Drop: Blogspot-Hosted PowerShell Loader Delivers PureLog Stealer Through XOR-Encoded In-Memory .NET Payloads
Socket
SOCRadar
- SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations
Stephan Berger
- Fantastic clear-text passwords and where to collect them (Part 2 – Windows)
Daniel at SVA Security Log
- Escalating from On-prem to Entra through MITM Attacks
Symantec Enterprise
- The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers to Kill Security
Hugo Vincent at Synacktiv
- Caught in the Octopus Trap: Unauthenticated RCE in Argo CD with CodeQL
System Weakness
Tapetum Labs
- The Outsider, Part 1: Pulling One Thread on a $1.9 Billion Phishing Machine
Team Cymru
- Cybercrime Doesn’t Reinvent Itself. It Optimizes.
The Hunter’s Ledger
ThreatMon
Yuya Sato at Trend Micro
- TONResolver RAT Abuses TON Blockchain to Target Japan’s Hotel Industry
Umut Bayram at Picus Security
VMRay
Aliz Hammond at watchTowr Labs
- CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451)
Phil Muncaster at WeLiveSecurity
- Inside the inbox: Why cybercriminals want to break into your email account
Zenity Labs
Avishai Efrat and Ayush RoyChowdhury at Zenity Labs
Kim Zetter at ZERO DAY
- Arrest of Iranian Hacker Spotlights Iran’s Movement into Economic Espionage and IP Theft
Upcoming events/webinars
ADF Solutions
Black Hills Information Security
- BHIS – Talkin’ Bout [infosec] News 2026-07-06
Magnet Forensics
Presentations/podcasts
Richard T. Frawley at ADF Solutions
- How to Perform Targeted Mobile Extraction in ADF Pro
Belkasoft
Black Hat
BSidesCharm
- BSidesCharm 2026
InfoSec_Bret
- SA – SOC325 – Unauthorized Cloud Region Access Attempt Detected
John Hubbard at ‘The Blueprint podcast’
- Building Trust Into Agentic SOC Tools with Oren Saban
Magnet Forensics
Monolith Forensics
MyDFIR
OpenSourceMalware
- The OpenSourceMalware Show #11
Silent Push
- How Silent Push Mapped DriveSurge’s ClickFix and FakeUpdates Infrastructure
- Investigating a Phishing Campaign: How to Uncover Malicious Domains with Silent Push
- Quick Pivots: SSDEEP and HTML Content Similarity
- Powerful Pivots: Hunting with Infrastructure Fingerprints
- Powerful Pivots: Uncovering Brand Impersonation with Multi-Layered Queries
- Powerful Pivots: From a Single Phish to a Full Campaign
Team Cymru
The Weekly Purple Team
- Vibe Hacking II Building a Purple Team AI Assistant
Three Buddy Problem
Malware analysis
Dr. Web
Marcus Hutchins at Expel
- Not very gentlemanly: Analyzing a zero-day exploit used by The Gentlemen ransomware to disable targets’ EDRs
Rachael Liao at Fortinet
- Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
Noufal Radhitya at Intellibron
- Fake AI Installer Campaign Delivering an In-Memory Stealer via the ClickFix Technique
Thijs Xhaflaire at Jamf
- PamStealer: a Rust-based macOS infostealer that validates credentials through PAM
K7 Labs
- Boss Scam: Don’t Trust Every “Urgent” Message from Your Boss!
Neil Tyagi at McAfee Labs
- Silent Swap: A Crypto Clipper Extension Campaign
Nikhil “Kaido” Hegde
- Malware Analysis – June Week 4, 2026
Robin Dost at Synaptic Systems
- Inside Kimsuky’s CHM Tradecraft: Multi-Stage Execution and Selective Payload Delivery
Gabriel Bernadett-Shapiro at SentinelOne
- Context Engineering | Compaction & Agent Memory for Automated Malware Analysis
Shubho57
- Analysis of WEES Stealer
Michael Clark at Sysdig
- JADEPUFFER: Agentic ransomware for automated database extortion
VMRay
- The RedLine Thread That Led to a Maritime BEC Infrastructure Cluster
Wang Hao at Qi’anxin X Lab
Zhassulan Zhussupov
Solar 4RAYS blog
- At WARP speed after your Roblox and corporate secrets: how Santa Stealer turned log theft into a production line
Miscellaneous
Martino Jerian at Amped
- AI-generated CSAM: Artificial Images, Real Harm
Cellebrite
- A Drone Forensics Operation at Scale: 1,200+ UAVs. Nearly 10 TB of Data. One CFID.
- A Drone Was Seized at Your Facility. Now What?
- The FAA Just Drew the New Line: What New Drone Regulations for Critical Infrastructure Mean for Operators
- ERSOU Secures Multiple UK Convictions Using Cellebrite Drone Forensics
John Scott-Railton, Bill Marczak, Hassen Selmi, Maia Scott, Siena Anstis, Kate Pundyk, and Ron Deibert at Citizen Lab
- Russia Breaks Into Human Rights Activist’s Phone With Cellebrite
Fabian Mendoza at DFIR Dominican
- DFIR Jobs Update – 06/29/26
Oleg Afonin at Elcomsoft
- How to Buy a Reliable SSD, Continued
Michael Karsyan at Event Log Explorer blog
- Solving Problems When Opening Remote Windows Event Logs
Forensic Focus
- Digital Forensics Jobs Round-Up, June 29 2026
- UPCOMING WEBINAR – AI Is The Hot Sauce: From Data Overload To Investigative Insight
- Techno Security & Digital Forensics Conference East 2026 Returned To Myrtle Beach
- Passware Kit Mobile 2026v4 Decrypts Qualcomm-Based Samsung S20
- Forensic Focus Digest, July 03 2026
Kenneth G. Hartman at Lucid Truth Technologies
- Snapchat Evidence Subpoena: What Snap Inc. Actually Produces for the Defense
Kevin Pagano at Stark 4N6
- Forensics StartMe Updates (July 2026)
Kevin Stokes
- Building X-Ways X-Tensions with Claude Skills
Magnet Forensics
- Empowering federal agencies to combat cybercrime and digital fraud
Maxim Suhanov
- Mark-of-the-Web: the rules changed, the tools didn’t
Sandfly Security
- Sandfly’s Agentless Linux EDR + AI Are a Powerful Combo
Lauren Proehl at THOR Collective Dispatch
- Keep the Tension That Builds You
Software releases/updates
ANSSI
- DFIR-ORC v10.3.3
Brian Maloney
- OneDriveExplorer v2026.06.29
DFIRe
- 1.5.3 — July 2, 2026
Didier Stevens
- Update: base64dump.py Version 0.0.30
Digital Sleuth
- winfor-salt v2026.10.3
Ghassan Elsman
- Crow-Eye v0.12.0
Google
- Timesketch 20260630
IntelOwl
- v6.7.0
MemNixFS
- MemNixFS v1.2
OpenCTI
- 7.260701.0
Profe Malware
- CTF Factory
Rizin Organization
- cutter v2.5.0-rc4
Sandfly Security
- Sandfly 5.8 – Agentless Response and SSH Key Management
SigmaHQ
- pySigma v1.4.0
Xways
Yaniv Radunsky
- DFIR Companion v0.29.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!