Curated Intelligence
June 7, 2026 LATEST
Forensic Analysis
12 items
- How To Investigate Video Evidence: Workflows, Pitfalls and Best Practices
- That still only counts as one! – iLEAPP Sticker Animation
- DFIR+AI Primer: When Not To Use GenAI
- Forensic Implications of Apple Stolen Device Protection
- Memory Suspicious Processes
- Memory Services
- Revisiting the APFS Series
- Space Manager
- The Reaper
- EFI Jumpstart
- Hard Links and Siblings
- Canonical Multipass Forensics 101
Threat Intelligence/Hunting
104 items
- Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
- Why EDR and proxy won't save you from supply chain malware
- Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
- Auditing GitLab: The CI/CD Kill Chain
- The State of Ransomware: May 2026
- Hackers Used Meta's AI Support Bot to Seize Instagram Accounts
- Intelligence Insights: May 2026
- UK Cybercrime Journal: British Universities Struck by ShinyHunters Before Exam Season
- How a Dangling DNS Entry Can Lead to a Subdomain Takeover
- Summary of Malicious Campaigns in the Week of May 30 – June 5
- The Server Seizure That Affects Also Iran's Cyber Operations
- 1st June – Threat Intelligence Report
- Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem
- Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026
- Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting
- How an Unauthenticated MCP Server Led to SSRF, LFI, and AWS Credential Theft
- Embedded Threats: How Attackers Weaponize Legitimate Emails
- We Bypassed GarudaDefender's Entire Set of Frida Detections, But That Is No Longer the Point
- Analysis of the APT-C-26 (Lazarus) Attack Campaign Exploiting CVE-2025-55182 and the Copperhedge Component
- C-Suite Impersonation in the Gulf: How Threat Actors Are Targeting UAE & Saudi Executives in 2026
- Weekly Intelligence Report – 05 Jun 2026
- The Interesting Case of WSL for Payload Staging
- Inside Modern Supply Chain Intrusions: From CI/CD Abuse to Ecosystem-Wide Compromise
- Deep KQL Analysis with Kustology
- Weekly Threat Infrastructure Investigation(Week23)
- Dragos Industrial Ransomware Analysis for the First Quarter of 2026
- Device Code Phishing Forensics: What We Learned Investigating BEC in the Wild
- FIFA World Cup 2026: Mapping the Global Cyber Scam Ecosystem Targeting Fans
- FalkonC2 is Getting Ridiculously Stealthy
- KeyCat Stealer Uncovered: Inside a $40 Multi-Platform Infostealer with Telegram C2 and Active Staging Infrastructure
- Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground
- Cybercriminals Are Targeting the FIFA World Cup 2026
- Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
- Cryptocurrency Scams: The 10 Most Common Types and How They Work
- Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
- The Anatomy of a Destructive Attack
- PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network
- Gentlemen Ransomware
- Threat Hunting Case Study: FileFix
- How attackers are gaining access to LLM inference
- CTI Analyst and LLM: An Example of a Fruitful Collaboration
- How to respond to an incident in Kubernetes | AKS | Invictus Incident Response
- Living Off The Land – Built-In Pwning
- Outlook 365 for the PWN
- The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
- macOS ClickFix Social Engineering Campaigns
- ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery
- Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns
- Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
- Securing CI/CD in an agentic world: Claude Code Github action case
- New Mac stealer SHub Reaper is spoofing Apple, Google, and Microsoft
- Fake ChatGPT site unleashes the dangerous Odyssey Stealer
- How China's Cyber Operations – and the Contractors Behind Them – Target Critics Abroad
- Detecting Nimbus Manticore and their sideloading infection chains
- The Detection & Response Chronicles: Covert Operations Through QEMU
- The Software Supply Chain Malware Landscape: January – May 2026
- The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds
- The Evolution of Malware
- The Gentlemen Ransomware: Threat Profile
- New npm Supply Chain Attack: @redhat-cloud-services Compromised
- Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated
- IronWorm Supply Chain Malware Hits npm
- 600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm
- Malware-Slop 2: Malicious npm Package Leaks Its Own Bot's Telegram Private Token
- Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
- We Added a Detection Rule. We Were Not Expecting This.
- TA4922: The Suspected Chinese Crime Group is Going Global
- Using the Pyramid of Pain for threat detection in the AI era
- Iran Expands Handala Brand to Physical Threats
- Investigating suspicious AI workflows in Microsoft Entra Agent ID: Agent's user account
- ReliaQuest's Agentic AI Uncovers New China-Linked Cluster OP-512
- YARA-X 1.17.0 Release, (Sun, May 31st)
- Unidentified RAT pushes NetSupport RAT, (Mon, Jun 1st)
- New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)
- Continuing Scans for swagger.json, (Wed, Jun 3rd)
- Microsoft's Coreutils for Windows, (Thu, Jun 4th)
- The Evil MSI Background is Back!, (Fri, Jun 5th)
- GorgonAgora: 4,800+ fake storefronts skim cards across hundreds of impersonated brands
- Magecart skimmer turns Stripe into a malware command server
- Containers on fire: from container escapes to supply chain attacks
- Wardriving assessment across Mexico: Preparing for the 2026 World Cup
- Argamal: Malware hidden in hentai games
- FSB's matryoshka #1/3 – Gamaredon's gifts that keeps unpacking – GammaPhish and GammaWorm
- FSB's matryoshka #2/3 – Gamaredon's gifts that keeps unpacking – GammaLoad
- FSB's matryoshka #3/3 – Gamaredon's gifts that keeps unpacking – GammaSteel
- Best Incident Response Techniques for Ransomware Attacks to Minimize Damage
- Dark Web Profile: BlindEagle
- Dark Web Profile: Vect Ransomware
- Multiple redhat-cloud-services npm Packages compromised
- Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
- Armenia: Bashe Claims to Have Purchased a Database of More Than 30,000 Voters from a Pro-Turkish Group
- Singing River Health System: Between Ransomware, Legal Disputes, and Recurring Vulnerabilities
- Espionage Campaign Targeted Stock Exchange Executive for Five Months
- Security briefing: May 2026
- Agentic threat actor hits the orchestration plane: AI agent-driven container escape
- Own Goal? Piracy as an Attack Vector to Target Football Fans
- Oil & Gas Sector Cyber Threat Intelligence Report 2026
- The Privileged Roles Nobody Talks About
- From Conti to The Gentlemen: tooling evolved, gaps didn't. by Lucie Cardiet
- YARA Rules: A Complete Guide with Best Practices and Use Cases
- VerdantBamboo: Just Another BRICKSTORM in the Firewall
- Miasma: Supply Chain Attack Targeting RedHat npm Packages
- Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin
Upcoming Events
10 items
- ADF Weekly Mobile Training Sessions
- ADF Weekly Computer Training Sessions
- ClickOnce Commander: Weaponizing Trusted Microsoft Deployment w/ Steve
- BHIS – Talkin' Bout [infosec] News 2026-06-08
- From Seizure to Intelligence: Practical Digital Evidence Workflows for Drug Investigations
- Legal Unpacked S1:E9 // Digital evidence in criminal prosecutions: Discovery obligations, requests, and practical strategy
- Ask Me Anything: Strengthening eDiscovery with digital forensics
- Drowning in data… Practical cloud storage and data migration strategies
- Poisoned Packages & Stolen Secrets: The Rise of Supply Chain Attacks
- The Anatomy of Cyber Attacks Affecting OT Organizations
Presentations/Podcasts
45 items
- The AI Investigative Framework Interview with Heather Barnhart
- AI in Digital Forensics panel hosted by MSAB at Techno Security East 2026
- EP26 When AI Features Create Zero-Click Exploits: The Pixel 9 Chain with Seth Jenkins
- Domain Search is the CSI Linux Case Management System
- Email Search OSINT within the CSI Linux Case Management System
- Techno Live
- Techno Day 2 – S2 Data
- Live from Techno Security in Myrtle Beach with JJ from ADF Solutions
- Live at Techno Security with Alex from Lumyx!
- Techno Day 3
- Techno Day 2 – Martino from Amped
- Techno Day 2 – BlackRainbow
- Techno Day 2 – Matt Danner from Monolith Forensics
- Jennifer from Techno Security Conference – Techno Day 3
- DATAPILOT – Techno Day 3
- Jessica Hyde – Techno Day 3
- [Workshop] Saying Goodbye to the #US Stream â Analyzing String Obfuscation
- CVE | FIRST VulnCon 2026 & Annual CNA Summit
- Episode 58: Cheng-Lin Yang and Lily Chen, CyCraft, FIRSTCON26 Speakers
- _declassified Ep. 2 | Unfriendly Followers: The Black Market For Your Identity
- Session Hijacking Explained in 3 Min
- IR – SOC340 – Apache Tomcat Serialized Payload RCE (CVE-2025-24813)
- A Linux Backdoor is For Sale on the Dark Web
- JHT Course Launch! Windows Maldev 6
- BIG SHOW TODAY & AI vibes
- CTI for SMB: How Small Businesses Can Operationalize Threat Intelligence for Free
- Cyber Unpacked S3:E3 // The burnout equation: Sustaining your SOC and IR teams for the long game
- Supply Chain Attacks: Open Source or Open Door?
- Custom Report Templates – Monolith Mondays
- Metrics Reports in Monolith
- #MSABMonday – XPAA Course
- MYDFIR DFIR Course: Overview (NEW DFIR COURSE)
- TryHackMe AI Security 1 (AI1) Certification | Is It Good? (GIVEAWAY)
- Failure is Not an Option! A Reliable Process to Exploit STM32F2/F4 Microcontrollers, with Joe Grand
- OpenSourceMalware Show Episode #7 – June 3, 2026
- S2 E3: The 12 Invoices
- A Day in the Life of an MDR Analyst: Inside the Modern SOC
- She Convinced the Pentagon to Let Hackers In. Legally. With Katie Moussouris
- SANS Cloud Security: Securing Gen AI RAG Data using Azure AI Search with Eric Johnson
- Disinformation in 2026: How Influence Operations Work and How to Spot Them
- Detection Coverage: Measuring What You Can Actually Detect
- LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine
- The Log Collector | RECON ITR Overview
- How Akira hits thousands of SMBs with $50K-$150K ransoms undetected | Alex Bovicelli
- Fast16, Fanny, and Stuxnet: Cyber Paleontology Redux
Malware
22 items
- From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises
- Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations
- Crypto Guest at Dawn Endpoint (Midnight) ransomware analysis
- Android.MagicAd trojan displays ads despite all restrictions
- PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT
- Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026
- Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
- Browser Spy-Ons: Threat Actor's Extension Hijack Your AI Conversations
- Inside an Active STX RAT Supply Chain Campaign
- VECT: Ransomware That Can't Decrypt
- Unmasking Quellostanco: How a Git Commit Exposed a Threat Actor Targeting Egyptian Infrastructure (co-authored)
- 31 Red Hat npm packages backdoored in 72 seconds
- How 56 npm packages used binding.gyp to steal CI/CD secrets
- Diamotrix
- Analysis of DirtyFrag (Vulnerability)
- Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages
- Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt Injection
- Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp
- Famous Chollima Targets PHP Developers Through Compromised Packagist Package
- Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages
- Pointing a Cursor at evading detection
- You do surprise me.exe: An unexpected executable in Hola Browser
Miscellaneous
27 items
- little secret of msconfig.exe
- LEAPPs.org – Latest changes!
- When digital evidence follows you home in DFIR teams
- Being Cross-Examined by AI
- The difference between “No one will hire me” and “I am no longer professionally allowed to do this DFIR work”
- AI in Digital Forensics: 10 Best Practices for Investigators
- Microsoft Defender for Office 365 Part 10: Attack Simulation Training
- Securus Jail Call Monitoring, Cities Lose Control Over Surveillance, Police IDs Made from Video, Nina Loshkajian Answers 5 Questions & More
- DFIR Jobs Update – 06/01/26
- Belkasoft Releases Belkasoft X v2.11, Expanding AI-Powered Investigations And Evidence Extraction Capabilities
- Burnout, PTSD, Suicidal Thoughts – The DFIR Well-Being Study Results Are In
- Digital Forensics Jobs Round-Up, June 01 2026
- Andreas Antonsen, Founder, STNDRDS AB
- Video Timing In Amped FIVE
- Digital Forensics Round-Up, June 03 2026
- Forensic Focus Digest, June 05 2026
- How Freeland Is Using Detego Technology to Dismantle Wildlife Trafficking Networks
- Welcoming OpenRelik to the OSDFIR Infrastructure family
- How to Use Image Categorization in Oxygen Forensic® Detective
- BitLocker Decryption Today: YellowKey Explained and Where Passware Steps In
- Training Philosophy: Law Enforcement vs. Private Sector
- Cross-Org Visibility for LimaCharlie
- A Buffer Is Not a Cure
- Sentinel-As-Code: Wave 4, the docs nobody wanted to write
- Incident Response Metrics That Actually Matter to Boards (And the Ones That Don't)
- Splunk 101: Hands-On Introduction to SIEM, Log Ingestion, and Basic Threat Hunting
- You've Got This: Just Hit Submit on That Brilliant Idea
Software Updates
16 items
- Malwoverview 8.0.2
- Jumplist-Browser LNK & Jumplist Browser v.1.0.25
- winfor-salt v2026.9.6
- PolarProxy 2.0.1 Released
- PE-Bear v0.7.2
- SpiceCrypt 3.0: QSPICE Support
- Microsoft-Analyzer-Suite v1.8.0
- MISP 2.5.39 – New Dashboard Experience, Stronger STIX, Sharper Analyst Workflows
- Tool Release – Ghidra MediaTek Modem Image Loader
- New THOR Cloud Log Inspection View
- Sedgwick v1.3 Release!
- 7.260604.0
- open-investigator Open Investigator v1.26.0
- 6.1.6
- Velociraptor Release 0.76.6
- YARA v4.5.7
Recent Tech & Security Feed
- Infosec News Nuggets – June 8, 2026
- Infosec News Nuggets – June 5, 2026
- Infosec News Nuggets – June 4, 2026
- Infosec News Nuggets – June 2, 2026
- Leica's Marcus Rowe On Investigating The World's Largest Crash Test, Plus What To Expect At FEE 2026
- Forensic Focus Digest, June 05 2026
- How Freeland Is Using Detego Technology to Dismantle Wildlife Trafficking Networks
- Video Timing In Amped FIVE
- Digital Forensics Round-Up, June 03 2026
- Andreas Antonsen, Founder, STNDRDS AB
- Burnout, PTSD, Suicidal Thoughts – The DFIR Well-Being Study Results Are In
- Forensics StartMe Updates (June 2026)
- DFIR+AI Primer: When Not To Use GenAI
- In memoriam Mary Cassatt: 2, 1880-81
- Solutions to Saturday Mac riddles 363
- How does Lockdown Mode affect location data?
- Elihu Vedder's symbolism and stories: 1885-1913
- Last Week on My Mac: What's in a name?
- Elihu Vedder's symbolism and stories: 1863-1884
- Saturday Mac riddles 363
- Explainer: Getting a location
- In the shadow: Introduction
- Get more from Get Info and the Finder's contextual menu
- The Duopoly in Digital Forensics
- Crow-Eye Release v0.11.0 – Eye AI Compliance & Correlation Engine Upgrade
- Autopsy keyword ingest
- Research Notes from Building a Windows Event Log Hunting Workflow
- EDRChoker: Choking The Telemetry Stream to Bypass Defenses
- CVE-2026-46640: Developing payloads for Twig sandbox bypass
- Keeping Secrets Out of Logs
- Unauthenticated RCE as QSECOFR via IBM i Management Central – port 5555, client-controlled verify flag, no credentials required (V7R4 and earlier)
- System Over Model, Tested: Reproducing Mythosâs FreeBSD Find on Local Open-Weight Models
- Enter the WasmForge: Compiling Sliver into WebAssembly
- Re:CACHE - Excessive reflection, type confusion, and 0-click SXSS on Next.js
- Hacking your PC using your speaker without ever touching it
- Interesting- What LLM vuln research looks like
- Golang code review notes II - elttam
- 1-Click GitHub Token Stealing via a VSCode Bug
- CTO at NCSC Summary: week ending June 7th
- Security Notice: Former Helm APT Mirror Domain `baltocdn.com` Statement
- HTTP/2 HPACK amplification: detection signatures + the nginx/Apache directives that actually stop it (lab- & vps verified)
- Z-Jail: A lightweight, multi-layer Linux sandbox combining namespaces, pivot_root, seccomp-bpf, capability dropping, and an evidence-based verdict engine (Truthimatics Public Version) for secure, auditable code execution.
- BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection
- EDRChoker: A tool uses the QoS Policy (Pacer.sys) to throttle Endpoint Detection and Response (EDR) agents from connecting to the server.
- Query-Hub: CQL Hub is an open repository of detection and hunting queries for CrowdStrike NextGen SIEM and Falcon LogScale.
- Security Review Request â TID Linux Kernel Module
- Building a safe, effective sandbox to enable Codex on Windows
- About PCIe DMA Cheats: Protocol, IOMMU, Hardware, and Detection
- CrowdStrike LogScale queries I use to detect LOLBin- built from 10 years of production SOC work
- UPnPHostFileRead: Arbitrary file read exploit for the Windows UPnP Device Host service.
- The Privileged Roles Nobody Talks About
- Sysmon RegistryEvent exclude not overriding include rule for Event ID 13
- Pwnd Blaster: Hacking your PC using your speaker without ever touching it
- Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
- Inside an Active STX RAT Supply Chain Campaign - A threat actor spent one month building a trojanized software supply chain aimed at a specific type of victim
- Unmasking Quellostanco: How a Git Commit Exposed a Threat Actor Targeting Egyptian Infrastructure (co-authored)
- Auditing GitLab: The CI/CD Kill Chain - GoGatoZ – a purpose-built Go tool for GitLab CI/CD security auditing that can perform and automate the entire CI/CD kill chain...
- cygor: A modular asset discovery framework written in Python to automate the repeating manual work
- 21 Zero-Days in FFmpeg
- On May 31, 2026, Meta discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram ("High Touch Support" or "HTS") that was exploited by unauthorized third parties to perform password resets on Instagram user accounts.
- The Detection & Response Chronicles: Covert Operations Through QEMU
- Chinese-Cybercrime-Research: Resources to learn more about Chinese-language cybercrime actors.
- Fake Interview deploys stealthy cross platform (macOS/Windows) through npm package install in take home assessment
- 73 Microsoft GitHub repositories impacted by Miasma malware
- Detecting npm Native Addon Malware: node-gyp Abuse
- Microsoft Warns of GPU Cryptojacking Campaign Spread Through AI Chatbot Links
- Recommendation
- ChatGPT Malvertising Campaign
- PCPJack's SMTP Toolkit Dissected: 3 Deployer Generations, Multi-Arch Chisel, and a Full EHLO/STARTTLS Verification Loop
- LLMShare: using shared chatbot pages to distribute malware
- We Think the SpaceX IPO Is Overvalued
- Federal judge blocks H1B visa $100K fee
- Remembering the USS Liberty – and why it still matters
- Show HN: Mach â A compiled systems language looking for contributions
- Show HN: Command Center, the AI coding env for people who care about quality
- OpenAI Submits S-1 Draft to SEC
- Apple bets cheaper AI will woo small developers
- FrontierCode
- I'm building a parallel internet, and it's called The Thinnernet
- Surveillance Is Not Safety: A statement on the UK's latest threat to privacy [pdf]
- Andrew Tate's Empire of Abuse
- Apple reveals new AI architecture built around Google Gemini models
- Why are cells small?
- Switzerland will have a referendum to cap population at 10M
- Apple Core AI Framework
- Sam Bankman-Fried applies for a pardon from Trump
- github.com/bryan-ambrose/DFIR_Tools
Community Channels
r/computerforensics
60k+ members
Case discussions, tool Q&A, and career advice for digital forensics practitioners.
r/blueteamsec
45k+ members
High-signal defensive security: threat intel, detection engineering, and incident response links.
r/netsec
500k+ members
Technical information security content – research papers, exploits, tooling, and write-ups.
r/Malware
85k+ members
Malware analysis, reverse engineering samples, and threat actor discussions.
r/cybersecurity
1M+ members
Broad security community: news, certifications, career paths, and industry happenings.
r/ReverseEngineering
200k+ members
Reversing tools, CTF write-ups, binary analysis, and low-level debugging techniques.