Forensic Analysis
Brian Maloney
OneDrive. Let’s take this offline
Chainalysis
DPRK IT Workers: Inside North Korea’s Crypto Laundering Network
Christopher Eng at Ogmini
Lifecycle of a Digital Photo on an Android Pixel 7 – Part 2
Android Forensics – Filesystem Timestamps ADB Script
Elcomsoft
iPhone 17: the End of PWM Flickering?
Breaking into Password Managers: from Bitwarden to Zoho Vault
AI in Digital Forensics: a Tool, not an Oracle
Forensafe
iOS AllTrails
Iram Jack
Memory Analysis Introduction
Memory Acquisition
Magnet Forensics
Making media authentication easier to understand with automated analysis
Magnet Forensics support for iOS 26
That One Artifact: The search history that spoke volumes
Maltego
Exposing Pig Butchering Operations with Maltego
Matthew Plascencia
iOS 26 is On Location With More AI Goodness
iOS 26 New Artifacts II
Mattia Epifani at Zena Forensics
Exploring Data Extraction from iOS Devices: What Data You Can Access and How
OSINT Team
Volatility3: Navigating the SAM registry hive from memory image
The DFIR Report
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
Threat Intelligence/Hunting
Faan Rossouw at Active Countermeasures
Malware of the Day – Agent-to-Agent Communication via SMB (AdaptixC2)
Adam at Hexacorn
Using .LNK files as lolbins
ASEC
XiebroC2 Identified in MS-SQL Server Attack Cases
Ayelen Torello at AttackIQ
Ransom Tales: Volume IV – Emulating Rhysida, Charon and Dire Wolf Ransomware
Chi Tran, Charlie Bacon, and Nirali Desai at AWS Security
Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm
BI.Zone
Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks
c-APT-ure
Using NetBIOS names for pivoting and threat clustering
CERT Ukraine
The CABINETRAT backdoor is used by UAC-0245 for targeted cyberattacks against the Defence Forces of Ukraine (CERT-UA#17479)
CERT-AGID
Summary of malicious campaigns in the week of 27 September – 3 October
Check Point
29th September – Threat Intelligence Report
Joey Chen at Cisco’s Talos
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
codetodeploy
Inside the VMware CVE Cluster: Enumeration, Escalation, and Exposure
Ben Reardon at Corelight
Hunting GTPDOOR at Black Hat USA 2025 | Corelight
CyberBoo
Microsoft Defender for Identity Deep Dive: Part 1
Cyberdom
Unlocking Microsoft Sentinel MCP
Cyfirma
Weekly Intelligence Report – 3 October 2025
Dark Atlas
Threat Profile: Conti Ransomware Group
Darktrace
Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace
Detect FYI
The missing link in MDR. Spoiler, it starts with a Detection Engineering framework.
Threat Hunting sessions via AuthenticationProcessingDetails on AADSignInEventsBeta
Use KQL to Surface Non-Recommended TLS Parameters (IANA-based)
Disconinja
Weekly Threat Infrastructure Investigation (Week 39)
DomainTools Investigations
SecuritySnack: 18+E-Crime
Paul Asadoorian at Eclypsium
The Hunt for RedNovember: A Depth Charge Against Network Edge Devices
Elastic Security Labs
FlipSwitch: a Novel Syscall Hooking Technique
WARMCOOKIE One Year Later: New Features and Fresh Insights
FalconFeeds
Digital Fault Lines: The Weaponization of Ethnic and Religious Tensions in Regional Cyber Conflicts
Proxy Wars in Cyberspace: Tracking Nation-State Influence Through Threat Actor Alliances
Guillaume Valadon and Carole Winqwist at GitGuardian
Red Hat GitLab Breach: The Crimson Collective’s Attack
Omar ElAhdan, Matthew McWhirt, Michael Rudden, Aswad Robinson, Bhavesh Dhake, and Laith Al at Google Cloud Threat Intelligence
Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations
GreyNoise
Coordinated Grafana Exploitation Attempts on 28 September
Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
HackTheBox
Sandworm unleashed: Inside APT44’s Dune-inspired cyber destruction
Hunt IO
Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia
Huntress
Don’t Sweat the ClickFix Techniques: Variants & Detection Evolution
Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
Infoblox
Detour Dog: DNS Malware Powers Strela Stealer Campaigns
Kijo Ninja at Kijo Ninja
Rclone C2 data exfiltration technique
Adam Goss at Kraven Security
Stop Drowning in Data: Build Your Own CTI Aggregator for Free
Doug Olenick at LevelBlue
SpiderLabs Ransomware Tracker Update September 2025: Qilin, Akira Top Ransomware Attackers
Idan Cohen at Mitiga
ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches
Netscout
Keymous+ Threat Actor Profile
NVISO Labs
You name it, VMware elevates it (CVE-2025-41244)
Lunar Spider Expands their Web via FakeCaptcha
What Did the Attacker Read? MailItemAccessed Tells You
Oleg Skulkin at ‘Know Your Adversary’
271. Does an Adversary Need to Install an RMM?
272. Here’s Another Interesting Staging Folder You Can Use for Hunting
273. That’s How PDB Paths Help to Uncover Malicious Files
274. That’s How Phantom Taurus Abuses Exchange Management Shell
275. Hunting for Suspicious URLs
276. Hunting for Suspicious IIS Modules
277. Adversaries Abuse a Free Request Logging Service as C2
278. Hunting for Suspicious XLL Files
Palo Alto Networks
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
The Case for Multidomain Visibility
Art Ukshini at Permiso
P0LR Espresso – Pulling Shots of Cloud Live Response & Advanced Analysis
Picus Security
Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact
Blue Report 2025: How to Act on 16M Attack Simulation Findings
RomCom Threat Actor Evolution (2023–2025)
Resecurity
ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
Ashlee Benge at ReversingLabs
Hunting SharpHounds with Spectra Analyze
Sandfly Security
Sandfly 5.5.4 – Chinese Rootkit Decloaking
SANS
Hunting SaaS Threats: Insights from the FOR589 Course on Cybercriminal Campaigns
Log for Normal to Find Evil: Lessons from Real Crimes and Cyberattacks
SANS Internet Storm Center
Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400), (Mon, Sep 29th)
[Guest Diary] Comparing Honeypot Passwords with HIBP, (Wed, Oct 1st)
“user=admin”. Sometimes you don’t even need to log in., (Tue, Sep 30th)
More .well-known Scans, (Thu, Oct 2nd)
Cristian Souza at Securelist
Forensic journey: hunting evil within AmCache
Ayush Anand at Securityinbits
Discovery using nltest, net and whoami
Jeremy Scion and Marc N. at Sekoia
Silent Smishing: The Hidden Abuse of Cellular Router APIs
Seqrite
Exploiting Legitimate Remote Access Tools in Ransomware Campaigns
Shantaciak
Investigating Email Threats: Why the Inbox Is Still the Front Door
Siddhant Mishra
Kimsuky/APT43 Phishing Infrastructure: A Technical Evolution
SOCRadar
Dark Web Profile: Scattered Lapsus$ Hunters
Claudia Preciado at Stairwell
Building on CISA’s Salt Typhoon YARA Rules: Stairwell finds 637 New Variants
Brandon Webster and Bryan Campbell at Sublime Security
Impersonated Evite and Punchbowl invitations used for credential phishing and malware distribution
Kyle Knight at Sucuri
Enhancing File Transfer Security with SSH Key Authentication
System Weakness
Windows Credential Theft Detection
Logs Fundamentals | TryHackMe Write-Up
Introduction to SIEM | TryHackMe Write-Up
Reverse Engineering Session 2 by KK TAN ~ Real-world study CVE-2025-8088 [Experience Sharing]
HTB Holmes CTF Writeup: The Card
SOC127 — SQL Injection Detected — LetsDefend — Solution
THOR Collective Dispatch
Ask-a-Thrunt3r: September 2025 Recap
Agentic Threat Hunting, Part 2: Starting a Hunt Repo
Niranjan Hegde and Sijo Jacob at Trellix
XWorm V6: Exploring Pivotal Plugins
Richard Grainger at Triskele Labs
Qilin on the rise: what Australian organisations need to know
Jean-Francois Gobin at Truesec
She Sells Web Shells by the Seashore (Part I)
Elliot Roe at Valdin
Introducing YARA Rules: Search and Monitor the Internet’s Infrastructure with YARA
Joseliyo Sánchez at VirusTotal
Advanced Threat Hunting: Automating Large-Scale Operations with LLMs
Vishal Thakur
Introducing TLP:Black — A New Layer of Confidentiality
Upcoming Events
Cellebrite
Exploited Online, Trapped Offline: Scam Compounds and Human Trafficking in APAC
Cyber Social Hub
What is Changing at Cyber Social Hub
Magnet Forensics
Learn tips and best practices for reviewing and analyzing media evidence from leading media forensics experts
Cyber Unpacked S2:E4 // Voices from the field: Trends, challenges, and what’s next in DFIR
Simply Defensive
Hands-On Defense: Markus Schober on DFIR, Labs, and Building Better Blue Teamers | S5 E1
Presentations/Podcasts
Alexis Brignoni
Digital Forensics Now Podcast S3 – E0
Behind the Binary by Google Cloud Security
EP16 The Machine Learning Revolution in Reverse Engineering with Hahna Kane Latonick
Patterson Cake at Black Hills Information Security
Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)
Cellebrite
Tip Tuesday: Final Call for Papers for the C2C User Summit
Erik Pistelli at Cerbero
Memory Challenge 1: Reveal
Cyber Social Hub
The FTK Imager Pro Game-Changer
InfoSec_Bret
SA – SOC211-161 – Utilman.exe Winlogon Exploit Attempt
John Hammond
reverse engineering for beginners
Magnet Forensics
Legal Unpacked E1: Search warrants for digital evidence: The data-driven approach
Monolith Forensics
Sharing Files & Reports with Relay Users
Case Details in Monolith
MSAB
XAMN Early Access
MyDFIR
SOC Automation Project 2.0: How To Use AI in Your SOC Workflow
Parsing the Truth: One Byte at a Time
Business Email Compromise
The Cyber Mentor
Intro to PowerShell: Investigating Windows Processes
Three Buddy Problem
Oracle cl0p ransomware crisis, EU drone sightings, Cisco bootkit fallout
Malware
Mauro Eldritch at Any.Run
FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware
hasherezade at Check Point
Rhadamanthys 0.9.x – walk through the updates
Cleafy
Klopatra: exposing a new Android banking trojan operation with roots in Turkey
Dr Josh Stroschein
IDA Pro Basics – Collapsing Function Folders, the Easy Way
Dr. Web
Doctor Web’s Q3 2025 virus activity review
Doctor Web’s Q3 2025 review of virus activity on mobile devices
Cara Lin at Fortinet
Confucius Espionage: From Stealer to Backdoor
Nicole Fishbein at Intezer
Beginner’s guide to malware analysis and reverse engineering
Uma Madasamy at K7 Labs
Breakingdown of Patchwork APT
Marc Messer and Dave Truman at Kroll
FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
OSINT Team
Opened a Can of XWorms
Shubho57
Analysis of a javascript file leads to Koi Loader Stealer
Puja Srivastava at Sucuri
Malvertising Campaign Hides in Plain Sight on WordPress Websites
ThreatFabric
Datzbro: RAT Hiding Behind Senior Travel Scams
Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon at Trend Micro
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Daniel Kelley at Varonis
MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments
Шифровальщики-вымогатели (Crypto-Ransomware)
The Digest “Crypto-Ransomware”
Lamia
Miscellaneous
CyberCX
A case for expeditious investigations
Belkasoft
[ON-DEMAND COURSE] BelkaGPT: Effective Artificial Intelligence in DFIR
Djordje Lukic at Binalyze
Why Detecting Browser-Stored Passwords Strengthens Cyber Resilience
Cyber Codex
A Deep Dive into the Ransomware Timeline and Its Shadow Empire | Cyber Codex
Dr. Brian Carrier at Cyber Triage
AI Principles for Digital Forensics and Investigations (DFIR)
Josibel Mendoza at DFIR Dominican
DFIR Jobs Update – 09/29/25
Elan at DFIR Diva
Techno Security & Digital Forensics Conference: October 27-29, 2025
Forensic Focus
Oxygen Analytic Center v.1.6: Smarter, Faster, More Secure Investigations
Digital Forensics Jobs Round-Up, September 29 2025
Inside The Fight Against Child Exploitation – Leadership And Wellness Lessons From Debbie Garner
Howard Oakley at ‘The Eclectic Light Company’
Inside the Unified Log 3: Log storage and attrition
Explainer: inodes and inode numbers
Kenneth G. Hartman at Lucid Truth Technologies
Defending Criminals: Are Defense Attorneys, Investigators, and Experts Working for the Dark Side?
Magnet Forensics
What does the State of Enterprise DFIR look like today? Share your insights in our survey!
Passware
All About PDF Decryption
Sandfly Security
Sandfly Now Available On Microsoft Azure Marketplace
Software Updates
Datadog Security Labs
GuardDog v2.7.0
Digital Sleuth
winfor-salt v2025.11.0
Elcomsoft
Elcomsoft Distributed Password Recovery adds support for 8 password management apps
Google
Timesketch 20250929
MALCAT
0.9.11 is out: ARM and MachO analysis
Metaspike
Forensic Email Collector (FEC) Changelog – 4.2.579.104
Forensic Email Intelligence – 2.2.579
Microsoft
msticpy – OAuth v2.0 fix for Defender
MISP
MISP 2.5.22 released with improvements and bugs fixes
MSAB
Q3 2025 Major Release is now available
OpenCTI
6.8.2
Phil Harvey
ExifTool 13.38
radare2
6.0.4
Sigma
Release r2025-10-01
WithSecure Labs
Chainsaw v2.13.0
And that’s all for this week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on social media!