Curated Intelligence
April 26, 2026
Forensic Analysis
14 items
- Examining Tailscale Artifacts
- Examining Tailscale Artifacts – Part 2
- Examining Tailscale Artifacts – Part 3
- Examining Tailscale Artifacts – Part 4
- AI + DFIR: How To Share Your "SKILLS" With the LLM
- Low-Level Extraction for M-Series iPads
- Recovering Windows Credentials with Elcomsoft System Recovery
- Memory Certificates
- Fun With volshell
- From Memory Dump to Attack Story: Building DeepProbe v2
- Running Claude Skills Inside OpenRelik: An AI Worker for your DFIR Tools
- AI can help in DFIR, but it cannot replace investigator judgement
- Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting
- Trust but Verify: Amcache's OriginalFilename Field Isn't Always Accurate
Threat Intelligence/Hunting
112 items
- 2026 Attack Landscape Report: BEC Tactics Adapt to Your Operations
- Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics
- GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
- Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
- CVE-2025-29635: Mirai Campaign Targets D-Link Devices
- A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202
- March 2026 APT Attack Trends Report (Domestic)
- March 2026 Phishing Email Trends Report
- Defending against China-nexus covert networks of compromised devices
- Pulling the Thread – Invite Only
- CTI Report: ShadowByt3$ Retaliation Package Targeting Eric J. Taylor
- Taking Maestro in Stride: AI Threat Modeling Frameworks
- The Marks & Spencer Cyberattack One Year On
- 10 Data Exfiltration Risks That Emerge With Agentic AI
- Agentic AI: The Data Exfiltration Risk Hiding Inside Your AI Agent
- 2026-04-23: SmartApeSG activity
- 'Scattered Spider' Member 'Tylerb' Pleads Guilty
- Oluomo: Microsoft OAuth AiTM Phishing Using a Naturalization-Form Lure
- Summary of malicious campaigns in the week of 18 – 24 April
- DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
- 20th April – Threat Intelligence Report
- Supply Chain Compromise Impacts Axios Node Package Manager
- Phishing and MFA exploitation: Targeting the keys to the kingdom
- Bad Apples: Weaponizing native macOS primitives for movement and execution
- IR Trends Q1 2026: Phishing reemerges as top initial access vector
- UAT-4356's Targeting of Cisco Firepower Devices
- Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities and Legitimate Software
- 5 Key Takeaways from Inside the Shape-Shifting Inbox
- Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis
- KongTuke on compromised WordPress sites, DDOS Botnets and Cybercriminal Feuds
- Android NFC Stealer NGate Targets Brazil via Fake Lottery and Counterfeit Google Play Page
- Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks
- Why Indian Enterprises Are a Prime Target for Dark Web Credential Markets
- Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign
- Weekly Intelligence Report – 24 April 2026
- How a Compromised eScan Update Enabled Multi-Stage Malware and Blockchain C2
- Threat Hunting via InternetMessageId (+ KQL Queries)
- Detection Visibility Metrics
- Inside An AWS Cloud Threat Detection SOC Lab
- Analyzing GLOBAL GROUP (BlackLock) Artifacts
- Weekly Threat Infrastructure Investigation (Week 17)
- From QR to Threat Identification in one Click
- ZionSiphon: Why This Malware Isn't A Credible ICS Threat
- The Cost of Understanding: LLM-Driven Reverse Engineering vs Iterative LLM Obfuscation
- Commercial Satellite Intelligence as a Geopolitical Weapon
- Dark Storm Team: Hacktivism at Scale in the Iran-Israel Cyber Conflict
- Malicious Packages Don't Fit the Vulnerability Intelligence Model
- The Infrastructure Nobody Owns: Residential Proxy Networks and the Case for Collective Visibility
- Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
- The Internet Changes Before the Advisory Drops
- Anatomy of a Fraud Operation: Mule Account Creation on B2B Fintech Platforms in France
- Breaking: Vercel Breach Linked to Infostealer Infection at Context.ai
- Uptick in Bomgar RMM Exploitation
- Attackers Love Your VPN To-Do List
- Untangling a Linux Incident With an OpenAI Twist
- Nightmare-Eclipse Tooling Seen in Real-World Intrusion
- Defending Against China-nexus Covert Networks of Compromised Devices
- Fortinet FSSO is lying to you
- REDSUN – Practical Detection Artifacts Under Real-World Constraints
- Three lessons from DarkSword: inside a government-grade iPhone exploit kit
- Microsoft Vibing – capturing screenshots and voice samples without governance
- MCP Servers for CTI in 2026: The Tools, the Risks, and What Comes Next
- No Zero-Days Needed: How Five Hygiene Failures Handed Ransomware Operators the Keys
- StealTok: 130k Users Compromised by Data Stealing TikTok Video Downloaders
- Go With the Flow: Abusing OAuth Device Code Flow
- A Closer Look at the Novel and Stealthy KarstoRAT Malware
- Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
- Your AI Detections Are Rotting: Model Drift as a Hidden Risk in Security Operations
- Detection strategies across cloud and identities against infiltrating IT workers
- AI-powered defense for an AI-accelerated threat landscape
- The Vercel Breach and the Growing SaaS Supply Chain Challenge
- 388. Ransomware Gang Abuses FTK Imager for Defense Evasion
- Email Analysis & Investigation
- Handala Hack Team: Threat Actor Profile
- Shai-Hulud: The Third Coming – Bitwarden CLI Backdoored in Latest Supply Chain Campaign
- The npm Threat Landscape: Attack Surface and Mitigations
- An alarm you can't snooze: how CapFix targets Russian organizations
- Investigating a new criminal toolkit for ConsentFix
- Unpacking the Vercel breach: Shadow AI and OAuth sprawl
- Microsoft Entra ID: Understanding OAuth App Consent and Permissions
- Intelligence Insights: April 2026
- Inside the Sinobi Ransomware Playbook: Risks, Tactics, and Defence Strategies
- Handling the CVE Flood With EPSS, (Mon, Apr 20th)
- A .WAV With A Payload, (Tue, Apr 21st)
- Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector
- Apple Patches Exploited Notification Flaw, (Thu, Apr 23rd)
- FakeWallet crypto stealer spreading through iOS apps in the App Store
- PhantomRPC: A new privilege escalation technique in Windows RPC
- Malicious Google Ads Targeting Crypto
- Hypersonic Supply Chain Attacks: One Solution That Didn't Need to Know the Payload
- No Place to Hide: Following a Serial Ransomware Affiliate from LockBit, Black Basta, and Qilin to The Gentlemen
- Amcache-ProgramID – The Orphan Dll Attribution
- Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
- Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor
- Malware Analysis Chronicles: Inside Remcos RAT
- My First Sigma Detection Rule: LSASS Access
- Wazuh | Detecting ESC3 and ESC8 Attacks
- Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure & Post-Exposure Analysis
- ShinyHunters Data Leak Site at 91.215.85.22 – Infrastructure, Victims, and Attribution
- Chaos Ransomware Multi-Stage Batch Loader at 94.103.1.13
- The November 2026 Cliff Is Real. The Small Shops Are Going Over It First.
- Pull the Power Cord: FIRESTARTER, AR26-113A, and a Backdoor That Survives Your Patches
- From Stealers to Systems: The New Model of Credential Theft
- Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
- Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
- Edge Under Siege: How State-Sponsored Actors Exploit Your Perimeter
- Kerberos with Titanis
- Azure Logging just Changed β Your Detections May be Missing it
- New NGate variant hides in a trojanized NFC payment app
- What the ransom note won't say
- GopherWhisper: A burrow full of malware
- The calm before the ransom: What you see is not all there is
Upcoming Events
8 items
- ADF Weekly Mobile Training Sessions
- ADF Weekly Computer Training Sessions
- BHIS – Talkin' Bout [infosec] News 2026-04-27
- The Intersection of Mobile Investigations and Mobile Security
- WhatsApp Evidence Beyond Standard Support
- Mobile Unpacked S4:E4 // Demystifying translation features of iOS & Android
- Inside Magnet Nexus for scalable remote endpoint investigations
- Responding to a cyber incident as a federal employee
Presentations/Podcasts
35 items
- The Vuln-pocalypse Looms: Are We Cooked?
- SecTor 2025 | How Adversaries Beat User-Mode Protection Engines for Over a Decade
- SecTor 2025 | Unmasking a North Korean IT Farm
- SecTor 2025 | Tracing Adversary Steps through Cyber-Physical Attack Lifecycle
- SecTor 2025 | EDR Bypass Testing: A Systematic Approach to Validating Endpoint Defenses
- SecTor 2025 | What If We Caught SUNBURST in CI/CD?
- BHIS – Talkin' Bout [infosec] News 2026-04-20
- Seeking Truth Through Data: Honoring the Idaho Four
- [Podcast] It's not you, it's your printer: State-sponsored and phishing threats in 2025
- EP273 From CISA to Cloud: AI Assurance, Concentration Risk, and the New Regulatory Frontier
- CQURE Hacks #79: Azure Storage Misconfiguration in Practice
- 04 – Wrapping Shellcode into PE Files and Debugging with IDA Pro
- 2026 FIRST CTI Conference – Day 1 Plenary Sessions – Live Stream
- 2026 FIRST CTI Conference – Day 2 Plenary Sessions – Live Stream
- Device Code Phishing, Primary Refresh Tokens, and STORM-2372
- SocGholish: How a Fake Browser Update Leads to Ransomware
- IR - SOC176 – RDP Brute Force Detected
- The Payload Podcast #005 – Casey Smith
- Magnet User Summit 2026: Powering justice through innovation
- Magnet Autokey: Enabling fast access to encrypted vehicle data
- Magnet AI: Intelligence at every step of the investigation
- Magnet User Summit 2026 Highlights
- The Cybercrime Shift: From Opportunistic Attacks to Marketplace-Driven Ecosystem
- Extracting WhatsApp Chats and Data from Android without Full File System Access
- Monolith Mondays – Forensic Software Tracking
- #MSABMonday – XAMN Pro Wordlist Improvements
- Certifications Won't Get You a SOC Job (Do This Instead)
- Live Malware Unpacking: Debugging AgentTesla with DotDumper
- S1 E49: Karen Read 1-8: Nick Guarino Part 2
- The AI Conversation I've Been Avoiding
- Keynote: Not a Forecast: AI-Enabled Cyber, 12 Months On
- Iran Conflict Special with Tim Conway
- LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?
- Trend AI's Robert McArdle on Criminal Business Models Surviving Tech Revolutions
- Mark Dowd on AI hacking, exploit chains, zero-day sales
Malware
23 items
- New Lazarus APT Campaign: Mach-O Man macOS Malware Kit Hits Businesses
- Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials
- [0] Binlex Tutorial – YARA Rule Generation Example
- FIRESTARTER Backdoor
- Inside a Telegram Session Stealer: Pastebin-Hosted PowerShell Script Targets Desktop and Web Sessions
- Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
- When Malware Authors Study Algebra: The Group Theory Inside Bedep's DGA
- DinDoor's Caddy Problem: How One HTTP Header Exposed 20 Active C2 Servers
- Malware Analysis: payloadfinal.bin (Agent Tesla)
- Don't Run This Game: Inside the Myth Journey Malware Campaign
- Malicious trading website drops malware that hands your browser to attackers
- macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections
- Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
- fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
- Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware
- Malicious Checkmarx Artifacts Found in Official KICS Docker Repository
- 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations
- pgserve Compromised on npm: Malicious Versions Harvest Credentials
- TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package
- elementary-data Compromised on PyPI and GHCR
- PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing
- MacOS malware persistence 10: caffeinate LOLBin
- Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener
Miscellaneous
27 items
- Some unintelligent fun with ms-notepad protocol
- Scaling Your DFIR Practice: Choosing the Right Digital Forensic Tools for Small Teams
- Identifying Locations of Interest Using Wi-Fi Events
- How Digital Intelligence Is Transforming Contraband Phone Investigations in Correctional Facilities
- BSides South Jersey 2026
- Microsoft Defender for Office 365 Part 7: Zero-Hour Auto Purge (ZAP) & Post-Delivery Protection
- Context Switching in DFIR
- DFIR Jobs Update – 04/20/26
- Rachael Medhurst, Co-Founder, Positive Cyber Solutions Ltd
- Belkasoft X Brings AI-Powered Speech Recognition To DFIR Investigations
- Magnet Forensics Acquires V2 Forensics, Expanding Leadership In Drone-Related Digital Investigations
- Digital Forensics Round-Up, April 22 2026
- Introducing Magnet Autokey, A New Solution Enabling Fast Access To Encrypted Vehicle Data
- Forensic Focus Digest, April 24 2026
- Playing with the LANL ARCS Data Sets
- Old skool tales on initial access
- Not Another (Incident Response) Framework
- New Lumyx Essentials Course at Hexordia
- The secret life of the xattr
- Ransomware negotiations: What CISOs should know before negotiating
- Innovation meets mission at Magnet User Summit 2026
- Meet the recipients of the 2026 Magnet Forensics Scholarship Award
- Magnet User Summit 2026: Bringing the digital investigations community together
- Why do tools show different results?
- GX-FE Exam Review
- GCFE Exam Review
- Security Onion Documentation Printed Book Now Updated for Security Onion 3.0!
Software Updates
25 items
- iLEAPP v2.3.1
- ALEAPP v6.2.0
- Assemblyline 4.7.3.1
- winfor-salt v2026.7.1
- ohmypcap v1.0.0
- Elcomsoft System Recovery 8.37 expands support for Microsoft Accounts, adds Entra ID
- iOS Forensic Toolkit 10.01 expands agent-based extraction up to iOS 18.7.1 for M-series iPads
- F-Response 8.8.1.13 Now Available
- v6.6.1 (IntelOwl)
- IsoBuster 5.8 beta released
- ida-mcp 2.2: From Tool Calls to Analysis Scripts
- MemProcFS-Analyzer v1.2.1
- Smarter analysis, faster truth: Introducing Intelligent Insights for Magnet Review
- Magnet Axiom 10.0: smarter artifacts, faster insight, and stronger intelligence
- Accelerating your vehicle investigations: Introducing Magnet Autokey
- Media Triage in Magnet Graykey now integrated with Magnet Griffeye
- flare-floss QUANTUMSTRAND beta 3
- Introducing crush: A DFIR Workbench for Surfing Through Data Formats
- fibratus 7.260422.0
- Arsenic v3.0 iOS File Tree View
- OpenCTI 7.260423.0
- ChronosFracture – supertimeline
- pySigma v1.3.3
- masstin v1.0.0
- X-Ways Forensics 21.8 Beta 3
Recent Tech & Security Feed
- InfoSec News Nuggets 04/17/2026
- InfoSec News Nuggets 04/16/2026
- InfoSec News Nuggets 04/15/2026
- InfoSec News Nuggets 04/14/2026
- InfoSec News Nuggets 04/13/2026
- MalChela 3.2: More Cowbell? More Intel!
- Cyber Triage 3.17: Use AI to Enrich and Report your DFIR Artifacts
- Intro to MCP Servers for DFIR and SOC Investigations using AI
- DFU mode
- Explainer: Recovery
- Last Week on My Mac: Don't be a victim of fraud
- Critical flaw in Protobuf library enables JavaScript code execution
- Vercel Says Internal Systems Hit in Breach
- 543 Hours: What happens when AI runs while you sleep
- Blue Origin's rocket reuse achievement marred by upper stage failure
- The Bromine Chokepoint: How Strife Could Halt Production of World's Memory Chips
- Show HN: Google Gemini Is Scanning Your Photos – and the EU Said No
- I wrote a CHIP-8 emulator in my own programming language
- Europe has 'maybe six weeks of jet fuel left'
- Uber's AI Push Hits a Wall – CTO Says Budget Struggles Despite $3.4B Spend
- PM Carney declares U.S. ties now a 'weakness' in address to Canadians
- MAGA Is Winning Its War Against U.S. Science
- Eight Years of Wanting, Three Months of Building with AI
- Forensic Focus: Policing's Well-Being Problem: Stigma, Isolation And The Retention Crisis
- Approaching stealers devs: a brief interview with notnullOSX (ex-0xfff)
- github.com/bryan-ambrose/DFIR_Tools
Community Channels
r/computerforensics
60k+ members
Case discussions, tool Q&A, and career advice for digital forensics practitioners.
r/blueteamsec
45k+ members
High-signal defensive security: threat intel, detection engineering, and incident response links.
r/netsec
500k+ members
Technical information security content – research papers, exploits, tooling, and write-ups.
r/Malware
85k+ members
Malware analysis, reverse engineering samples, and threat actor discussions.
r/cybersecurity
1M+ members
Broad security community: news, certifications, career paths, and industry happenings.
r/ReverseEngineering
200k+ members
Reversing tools, CTF write-ups, binary analysis, and low-level debugging techniques.