All Issues
A weekly briefing on digital forensics news, threat intelligence, historic case studies, and the tools shaping modern investigations. Missed an issue? Read it online or download the PDF below.
BPFdoor Sleeper Cells & CanisterWorm Goes Ransomware
- China's Red Menshen pre-positioned BPFdoor implants inside global telecom backbone networks
- TeamPCP pivots CanisterWorm to Vect RaaS — 300 GB stolen, ransomware deployments confirmed
- CVE-2025-53521 — F5 BIG-IP APM unauthenticated RCE, CVSS 9.3, CISA KEV
- CVE-2026-21643 — FortiClient EMS pre-auth SQL injection, CVSS 9.8, 2,000+ exposed
- Infiniti Stealer — macOS ClickFix campaign via fake Cloudflare verification prompts
- Historic: Moonlight Maze (first state espionage, 1996) + APT1 / Comment Crew (2013)
36-Day Zero-Day & the Blockchain-C2 Supply Chain Worm
- Interlock ransomware exploited Cisco FMC CVE-2026-20131 for 36 days before patch
- Trivy supply chain compromise spawns CanisterWorm — ICP blockchain C2, 141 npm packages
- CVE-2026-20131 — Cisco Secure FMC unauthenticated RCE, CVSS 10.0, CISA KEV
- CVE-2026-3564 — ConnectWise ScreenConnect machine key exposure, session hijacking
- CanisterWorm: first malware to use Internet Computer blockchain for C2
- Historic: SolarWinds SUNBURST (18,000 orgs) + Colonial Pipeline (one compromised VPN credential forced a pipeline shutdown)
The Trusted Responder & the LoLBins Medical Breach
- IR consultant charged with aiding BlackCat ransomware actors during live engagements
- Stryker breached via Microsoft Intune — no malware, no disk artifacts, no alerts
- CVE-2026-3910 — Chromium V8 type confusion, actively exploited, CISA KEV
- CVE-2026-26110 — Office RCE triggers on preview pane alone, no file open needed
- AVrecon botnet takedown — 360,000 compromised routers dismantled
- Historic: OPM breach (21.5M records, 5.6M fingerprints) + Target POS (40M cards via HVAC vendor)
⚡ Special Edition — Cyber War: The U.S.–Israel–Iran Digital Front
- Seedworm hits US bank, airport & defense supply chain using hacktivists as cover
- APT42's WezRat infostealer resurges under the noise of 60+ active hacktivist groups
- Operation Epic Fury: Iran's internet drops to 1–4% & what it means for the evidence record
- Iran's Electronic Operations Room: MOIS coordinates 60+ groups as one cyber force
- BaqiyatLock wiper: when ransomware is really permanent erasure
- CISA at 38% staffing — America's cyber shield stretched at the worst possible moment
- Historic: Stuxnet origin story + NotPetya — the wiper playbook Iran is following
RESURGE Malware & the Edge Device Blind Spot
- CISA issues fresh IoCs for RESURGE on Ivanti Connect Secure appliances
- 1.15M SSNs exposed in University of Hawai'i Cancer Center ransomware hit
- CVE-2026-20127: Cisco SD-WAN remote root exploitation — NSA joint alert
- "Sandworm_Mode" NPM supply-chain targets CI/CD pipelines and AI coding tools
- Historic: Kevin Mitnick manhunt + Sony Pictures attribution
- Tools: Azul, Magnet AXIOM Cyber v9.10, KAPE, Belkasoft Evidence Center X
Phobos Falls & The Forgotten Attack Surface
- Polish arrest exposes ransomware's credential economy
- China-linked group hides in backup infrastructure for 18 months
- CVE-2026-21519: Windows DWM privilege escalation (actively exploited)
- PromptSpy: First Android malware to use Google Gemini AI at runtime
- Historic: Operation Aurora + Operation Pacifier
Velociraptor Weaponized & Deepfakes vs. the Courts
- Attackers deploy DFIR's own framework as a RAT
- Hany Farid warns of a coming admissibility crisis
- CVE-2026-21510: Windows Shell SmartScreen bypass
- Reynolds Ransomware ships with BYOVD defense-killer
- Historic: Golden State Killer + Colonial Pipeline Bitcoin seizure
The Lynx in the Network: Anatomy of an RDP Attack
- Lynx Ransomware's predatory RDP infiltration tactics
- How Lynx uses LoLBins to blind modern EDR
- CVE-2026-4411: RDS arbitrary file execution (actively exploited)
- Historic: US v. Brown biometric ruling + Encrypted RAM forensics
Compelled Biometrics & the AI Provenance Era
- D.C. Circuit debates forced biometric device unlocking
- New AI media transparency laws take effect in NY & CA
- CVE-2026-20944: Microsoft Office RCE via malformed .docx
- Historic: BTK Metadata Incident + Ross Ulbricht laptop seizure