
Magic Magikarp Makes Moves

By: Ian Bos
5 December 2025 at 19:00
A picture of a life sized magikarp from pokemon

One of the most influential inventions of the 20th century was Big Mouth Billy Bass. A celebrity bigger than the biggest politicians or richest movie stars, there’s almost nothing that could beat Billy. That is, until [Kiara] from Kiara’s Workshop built a Magikarp version of Big Mouth Billy Bass.

Sizing in at over 2 entire feet, the orange k-carp is able to dance, it is able to sing, and it is able to stun the crowd. Magikarp functions the same way as its predecessor; a small button underneath allows the show to commence. Of course, this did not come without its challenges.

Starting the project was easy, just a model found online and some Blender fun to create a basic mold. Dissecting Big Mouth Billy Bass gave direct inspiration for how to construct the new idol in terms of servos and joints. Programming wasn’t even all that much with the use of Bottango for animations. Filling the mold with the silicone filling proved to be a bit more of a challenge.

After multiple attempts with some minor variations in procedure, [Kiara] got the fish star’s skin just right. All it took was a paint job and some foam filling to get the final touches. While this wasn’t the most mechanically challenging animatronic project, we have seen our fair share of more advanced mechanics. For example, check out this animatronic that sees through its own eyes!


Monad Price To Crash 99%? BitMEX Co-Founder Calls Protocol Another Berachain

30 November 2025 at 11:30

The Layer 1 blockchain Monad has grabbed the headlines in the past few days following its successful launch early last week. MON, its native token, enjoyed a significant 80% surge on the back of the launch, hitting an all-time high of $0.048 on Wednesday, November 26.

While the Monad protocol has enjoyed significant attention since going live, it appears that not everyone is confident in its potential adoption. Most notably, BitMEX co-founder Arthur Hayes has put forward a pessimistic outlook for the project, saying its token value could fall as much as 99%.

Monad Has No Real Use Case: Hayes

In a YouTube interview with Altcoin Daily, Hayes stated that any other Layer 1 blockchain besides Ethereum and Solana is “zero” and is not going to do very well. Using Monad as an example, the former BitMEX CEO described the protocol’s coin as another “high FDV, low-float” token.

Hayes said that Monad is going to be the new “Berachain” and expects its native token’s value to fall by 99% after the initial jump. Berachain, which launched in February 2025, has its native token BERA trading beneath $1, nearly 94% beneath its all-time high of $14.83.

As of this writing, the Monad token is valued at around $0.0285, reflecting an over 40% decline since hitting its all-time high on Wednesday.

Hayes highlighted that every new project’s token often enjoys an early price spike before facing a deep correction, as there is usually no real use case to back up the initial growth. The crypto founder noted that it is a classic case of FOMO (fear of missing out), especially after the massive success of Ethereum.

Hayes said in the interview:

Every coin gets their first pump and people want to believe in the new L1. Everybody wants to invest in the new Ethereum like they would have in 2014 when everyone missed it. Me included. But again, that doesn’t mean it [Monad] is going to actually have any real use case.

Moving forward, Hayes went on to pick a “magnificent five” of protocols currently in the cryptocurrency space, including Bitcoin, Ethereum, Solana, ZCash, and Ethena.

If Not Layer 1s, What Next?

It is little surprise that ZCash made it to the BitMEX co-founder’s list of top blockchain protocols. According to Hayes, ZCash and other privacy-focused coins—like Monero—will dominate the crypto narrative even more in the coming year.

Additionally, Hayes mentioned that Zero Knowledge (ZK) proofs and quantum resistance are other crypto narratives to watch out for in 2026. Specifically, the crypto founder noted that the next winner in the crypto market over the next one to two years would come from the ZK space.


Digital Forensics: Investigating Conti Ransomware with Splunk

20 November 2025 at 10:58

Welcome back, aspiring digital forensic investigators!

The world of cybercrime continues to grow every year, and attackers constantly discover new opportunities and techniques to break into systems. One of the most dangerous and well-organized ransomware groups in recent years was Conti. Conti operated almost like a real company, with dedicated teams for developing malware, gaining network access, negotiating with victims, and even providing “customer support” for payments. The group targeted governments, hospitals, corporations, and many other high-value organizations. Their attacks included encrypting systems, stealing data, and demanding extremely high ransom payments.

For investigators, Conti became an important case study because their operations left behind a wide range of forensic evidence, from custom malware samples to fast lateral movement and large-scale data theft. Even though the group officially shut down after their internal chats were leaked, many of their operators, tools, and techniques continued to appear in later attacks. This means Conti’s methods still influence modern ransomware operations, which makes it a valid topic for forensic investigators.

Today, we are going to look at a ransomware incident involving Conti malware and analyze it with Splunk to understand how an Exchange server was compromised and what actions the attackers performed once inside.

Splunk

Splunk is a platform that collects and analyzes large amounts of machine data, such as logs from servers, applications, and security tools. It turns this raw information into searchable events, graphs, and alerts that help teams understand what is happening across their systems in real time. Companies mainly use Splunk for monitoring, security operations, and troubleshooting issues. Digital forensics teams also use Splunk because it can quickly pull together evidence from many sources and show patterns that would take much longer to find manually.

Time Filter

Splunk’s default time range is the last 24 hours. However, when investigating incidents, especially ransomware, you often need a much wider view. Changing the filter to “All time” helps reveal older activity that may be connected to the attack. Many ransomware operations begin weeks or even months before the final encryption stage. Keep in mind that searching all logs can be heavy on large environments, but in our case this wider view is necessary.

time filter on splunk

Index

An index in Splunk is like a storage folder where logs of a particular type are placed. For example, Windows Event Logs may go into one index, firewall logs into another, and antivirus logs into a third. When you specify an index in your search, you tell Splunk exactly where to look. But since we are investigating a ransomware incident, we want to search through every available index:

index=*

analyzing available fields on splunk

This ensures that nothing is missed and all logs across the environment are visible to us.

Fields

Fields are pieces of information extracted from each log entry, such as usernames, IP addresses, timestamps, file paths, and event IDs. They make your searches much more precise, allowing you to filter events with expressions like src_ip=10.0.0.5 or user=Administrator. In our case, we want to focus on executable files, which are recorded in the “Image” field. If you don’t see it in the left pane, click “More fields” and add it.

adding more fields to splunk search

Once you’ve added it, click Image in the left pane to see the top 10 results. 

top 10 executed images

These results are definitely not enough to begin our analysis. We can expand the list using top:

index=* | top limit=100 Image

top 100 results on images executed
suspicious binary found in splunk

Here the cmd.exe process running in the Administrator’s user folder looks very suspicious. This is unusual, so we should check it closely. We also see commands like net1, net, whoami, and rundll32.

recon commands found

In one of our articles, we learned that net1 works like net and can be used to avoid detection in PowerShell if the security rules only look for net.exe. The rundll32 command is often used to run DLL files and is commonly misused by attackers. It seems the attacker is using normal system tools to explore the system. It also might be that the hackers used rundll32 to stay in the system longer.

At this point, we can already say the attacker performed reconnaissance and could have used rundll32 for persistence or further execution.

Hashes

Next, let’s investigate the suspicious cmd.exe more closely. Its location alone is a red flag, but checking its hashes will confirm whether it is malicious.

index=* Image="C:\\Users\\Administrator\\Documents\\cmd.exe" | table Image, Hashes

getting image hashes in splunk

Copy one of the hashes and search for it on VirusTotal.

virus total results of the conti ransomware

The results confirm that this file belongs to a Conti ransomware sample. VirusTotal provides helpful behavior analysis and detection labels that support our findings. When investigating, give it a closer look to understand exactly what happened to your system.

Net1

Now let’s see what the attacker did using the net1 command:

index=* Image=*net1.exe

net1 found adding a new user to the remote desktop users group

The logs show that a new user was added to the Remote Desktop Users local group. This allows the attacker to log in through RDP on that specific machine. Since this is a local group modification, it affects only that workstation.

In MITRE ATT&CK, this action falls under Persistence. The hackers made sure they could connect to the host even if other credentials were lost. Also, they may have wanted to log in via GUI to explore the system more comfortably.

TargetFilename

This field usually appears in file-related logs, especially Windows Security Logs, Sysmon events, or EDR data. It tells you the exact file path and file name that a process interacted with. This can include files being created, modified, deleted, or accessed. That means we can find files that malware interacted with. If you can’t find the TargetFilename field in the left pane, just add it.

Run:

index=* Image="C:\\Users\\Administrator\\Documents\\cmd.exe"

Then select TargetFilename

ransom notes found

We see that the ransomware created many “readme” files with a ransom note. This is common behavior for ransomware to spread notes everywhere. Encrypting data is the last step in attacks like this. We need to figure out how the attacker got into the system and gained high privileges.

Before we do that, let’s see how the ransomware was propagated across the domain:

index=* TargetFilename=*cmd.exe

wmi subscription propagated the ransomware

unsecapp.exe is a legitimate Microsoft binary. When it appears, it usually means something triggered WMI activity, because Windows launches unsecapp.exe only when a program needs to receive asynchronous WMI callbacks. In our case, the ransomware was spread using WMI and infected other hosts where the port was open. This is a very common approach.

Sysmon Events

Sysmon Event ID 8 indicates a CreateRemoteThread event, meaning one process created a thread inside another. This is a strong sign of malicious activity because attackers use it for process injection, privilege escalation, or credential theft.

List these events:

index=* EventCode=8

event code 8 found

Expanding the log reveals another executable interacting with lsass.exe. This is extremely suspicious because lsass.exe stores credentials. Attacking LSASS is a common step for harvesting passwords or hashes.

found wmi subscription accessing lsass.exe to dump creds

This is another instance of unsecapp.exe being used. It’s not normal to see it accessing lsass.exe. Our best guess here would be that something used WMI, and that WMI activity triggered code running inside unsecapp.exe that ended up touching LSASS. The goal behind it could be to dump LSASS every now and then until the domain admin credentials are found. If the domain admins are not in the Protected Users group, their credentials are stored in the memory of the machine they access. If that machine is compromised, the whole domain is compromised as well.

Exchange Server Compromise

Exchange servers are a popular target for attackers. Over the years, they have suffered from multiple critical vulnerabilities. They also hold high privileges in the domain, making them valuable entry points. In this case, the hackers used the ProxyShell vulnerability chain. The exploit abused the mailbox export function to write a malicious .aspx file (a web shell) to any folder that Exchange can access. Instead of a harmless mailbox export, Exchange unknowingly writes a web shell directly into the FrontEnd web directory. From there, the attacker can execute system commands, upload tools, and create accounts with high privileges.

To find the malicious .aspx file in our logs we should query this:

index=* source=*sysmon* *aspx

finding an aspx shell used for exchange compromise with proxyshell

We can clearly see that the web shell was placed where Exchange has web-accessible permissions. This webshell was the access point.

Timeline

The attack began when the intruder exploited the ProxyShell vulnerabilities on the Exchange server. By abusing the mailbox export feature, they forced Exchange to write a malicious .aspx web shell into a web-accessible directory. This web shell became their entry point and allowed them to run commands directly on the server with high privileges. After gaining access, the attacker carried out quiet reconnaissance using built-in tools such as cmd.exe, net1, whoami and rundll32. Using net1, the attacker added a new user to the Remote Desktop Users group to maintain persistence and guarantee a backup login method. The attacker then spread the ransomware across the network using WMI. The appearance of unsecapp.exe showed that WMI activity was being used to launch the malware on other hosts. Sysmon Event ID 8 logged remote thread creation where the system binary attempts to access lsass.exe. This suggests the attacker tried to dump credentials from memory. This activity points to a mix of WMI abuse and process injection aimed at obtaining higher privileges, especially domain-level credentials. 

Finally, once the attacker had moved laterally and prepared the environment, the ransomware (cmd.exe) encrypted systems and began creating ransom note files throughout these systems. This marked the last stage of the operation.
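The hunts walked through above can be combined into one triage pass over Sysmon-style events. This is an added example, not part of the original article: the events, host names, account name, .aspx path and the readme threshold are constructed for illustration, and the field names follow the Sysmon fields used in the searches above.

```python
import ntpath
from collections import Counter

# Directories where Windows system binaries normally live (lower case).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binary names seen in this investigation that should only run from SYSTEM_DIRS.
SYSTEM_NAMES = {"cmd.exe", "net.exe", "net1.exe", "whoami.exe",
                "rundll32.exe", "unsecapp.exe"}
NOTE_THRESHOLD = 3  # assumption: this many "readme" files from one process is notable

FAKE_CMD = r"C:\Users\Administrator\Documents\cmd.exe"
UNSECAPP = r"C:\Windows\System32\wbem\unsecapp.exe"

# Constructed sample events; EventCode follows Sysmon numbering
# (1 = process create, 8 = CreateRemoteThread, 11 = file create).
EVENTS = [
    {"EventCode": 1, "host": "EXCH01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": 1, "host": "EXCH01", "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net1 localgroup "Remote Desktop Users" example_user /add'},
    {"EventCode": 1, "host": "EXCH01", "Image": FAKE_CMD, "CommandLine": "cmd.exe"},
    {"EventCode": 8, "host": "EXCH01", "SourceImage": UNSECAPP,
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventCode": 11, "host": "EXCH01",
     "TargetFilename": r"C:\inetpub\wwwroot\example\constructed.aspx"},
    {"EventCode": 11, "host": "EXCH01", "Image": FAKE_CMD,
     "TargetFilename": r"C:\Users\Public\readme.txt"},
    {"EventCode": 11, "host": "EXCH01", "Image": FAKE_CMD,
     "TargetFilename": r"C:\Users\Administrator\Desktop\readme.txt"},
    {"EventCode": 11, "host": "EXCH01", "Image": FAKE_CMD,
     "TargetFilename": r"C:\Users\Administrator\Documents\readme.txt"},
    {"EventCode": 1, "host": "WKSTN01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user"},
    {"EventCode": 8, "host": "WKSTN01", "SourceImage": UNSECAPP,
     "TargetImage": r"C:\Windows\explorer.exe"},
]


def _low(ev, key):
    """Return a field as a lower-case Windows path ('' if the field is absent)."""
    return ntpath.normcase(str(ev.get(key, "")))


def hunt(events, note_threshold=NOTE_THRESHOLD):
    """Return (rule, host, detail) tuples for the behaviours traced in the article."""
    findings = []
    notes = Counter()  # (host, writing process) -> number of readme files created
    for ev in events:
        code = ev.get("EventCode")
        host = ev.get("host", "?")
        image = _low(ev, "Image")
        name = ntpath.basename(image)
        if code == 1:
            # A system binary name running from a user folder, like Documents\cmd.exe.
            if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
                findings.append(("system-binary-name-outside-system-dir",
                                 host, ev.get("Image", "")))
            # net.exe and net1.exe are checked together so a net-only rule cannot be bypassed.
            cmd = str(ev.get("CommandLine", "")).lower()
            if name in ("net.exe", "net1.exe") and "localgroup" in cmd and "/add" in cmd:
                findings.append(("local-group-member-added", host, ev["CommandLine"]))
        elif code == 8:
            # Any remote thread created inside lsass.exe deserves a look.
            if ntpath.basename(_low(ev, "TargetImage")) == "lsass.exe":
                findings.append(("remote-thread-into-lsass",
                                 host, ev.get("SourceImage", "")))
        elif code == 11:
            target = _low(ev, "TargetFilename")
            # Mirrors the broad *aspx search; expect noise on busy web servers.
            if target.endswith(".aspx"):
                findings.append(("aspx-file-created", host, ev["TargetFilename"]))
            if "readme" in ntpath.basename(target):
                notes[(host, ev.get("Image", ""))] += 1
    for (host, image), count in notes.items():
        if count >= note_threshold:
            findings.append(("mass-readme-creation", host,
                             f"{image} wrote {count} readme files"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt(EVENTS):
        print(f"{host:8} {rule:40} {detail}")
```

Each finding is a lead to confirm in Splunk with the matching search, not a verdict on its own.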

Summary

Ransomware is more than just a virus; it’s a carefully planned attack where attackers move through a network quietly before causing damage. In digital forensics we often face these attacks, and investigating them means piecing together how the attacker entered the system, what tools they used, which accounts they compromised, and how the ransomware spread. Logs, processes, and file changes each tell part of the story. By following these traces, we understand the attacker’s methods, see where defenses failed, and learn how to prevent future attacks. It’s like reconstructing a crime scene. Sometimes, we might be lucky enough to shut down their entire infrastructure before they can cause more damage.

If you need forensic assistance, you can hire our team to investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field. 

Google CEO: If an AI bubble pops, no one is getting out clean

18 November 2025 at 11:32

On Tuesday, Alphabet CEO Sundar Pichai warned of “irrationality” in the AI market, telling the BBC in an interview, “I think no company is going to be immune, including us.” His comments arrive as scrutiny over the state of the AI market has reached new heights, with Alphabet shares doubling in value over seven months to reach a $3.5 trillion market capitalization.

Speaking exclusively to the BBC at Google’s California headquarters, Pichai acknowledged that while AI investment growth is at an “extraordinary moment,” the industry can “overshoot” in investment cycles, as we’re seeing now. He drew comparisons to the late 1990s Internet boom, which saw early Internet company valuations surge before collapsing in 2000, leading to bankruptcies and job losses.

“We can look back at the Internet right now. There was clearly a lot of excess investment, but none of us would question whether the Internet was profound,” Pichai said. “I expect AI to be the same. So I think it’s both rational and there are elements of irrationality through a moment like this.”


© Ryan Whitwam

1-Pot Lemon White Bean Soup

By: Richa
5 November 2025 at 07:00

Lemon white bean soup is a creamy, vibrant one pot meal that’s perfect for busy weeknights. It’s hearty, filling, and uses simple, budget-friendly ingredients. (gluten-free with soy-free and nut-free options)

lemon white bean soup in the pan with garnishes

It’s soup season, and I am loving all the creamy, hearty, and budget-friendly soups — and this lemony white bean soup fits exactly into that category. It’s packed with tons of veggies, beans, and protein. 

The best part about this lemon white bean soup is that it’s flexible to your flavor profile. You can easily adjust the flavors and ingredients based on what you have on hand. It’s vibrant, lemony, and perfect for the whole family!

lemon white bean soup in a bowl with garlic bread

The soup gets its protein from beans, cashews or tofu, nutritional yeast, and the veggies. You also blend up some of the beans into a puree to create that creamy texture along with either cashews or tofu. You can even omit the cashews and tofu, if you need to, and use just the beans for the creamy base.

This creamy lemon white bean soup is wholesome, flexible, and easy to make. The perfect go-to for cozy soup season!!

spoon taking a bite of lemon white bean soup

Why You’ll Love Lemon White Bean Soup

  • creamy, vibrant soup with tons of veggies and protein
  • versatile recipe! Adjust seasoning and proteins to your taste.
  • 40-minute, 1-pot meal
  • naturally gluten-free with easy soy-free and nut-free options

The post 1-Pot Lemon White Bean Soup appeared first on Vegan Richa.

PowerShell for Hackers-Survival Edition, Part 3: Know Your Enemy

29 October 2025 at 12:01

Welcome back, aspiring hackers!

In this chapter, we’re going deeper into the ways defenders can spot you and the traps they set to catch you off guard. We’re talking about defensive mechanisms and key Windows Event IDs that can make your life harder if you’re not careful. Every hacker knows that understanding defenders’ tools and habits is half the battle.

No system is perfect, and no company has unlimited resources. Every growing organization needs analysts constantly tuning alerts and security triggers as new software and users are added to the network. It’s tedious and repetitive work. Too many alerts can exhaust even the sharpest defenders. Eye fatigue, late nights, and false positives all drain attention. That’s where you get a small window to make a move, or a chance to slip through unnoticed.

Assuming nobody is watching is a beginner’s mistake. We’ve seen many beginners lose access to entire networks simply because they underestimated defensive mechanisms. The more professional you become, the less reckless you are, and the sharper your actions become. Always evaluate your environment before acting.

Visibility

Defenders have a few main ways they can detect you, and knowing these is crucial if you want to survive:

Process Monitoring

Process monitoring allows defenders to keep an eye on what programs start, stop, or interact with each other. Every process, PowerShell included, leaves traces of its origin (parent) and its children. Analysts use this lineage to spot unusual activity.

For example, a PowerShell process launched by a Microsoft Word document might be suspicious. Security teams use Endpoint Detection and Response (EDR) tools to gather this data, and some providers, like Red Canary, correlate it with other events to find malicious patterns.

Command Monitoring

Command monitoring focuses on what commands are being run inside the process. For PowerShell, this means watching for specific cmdlets, parameters, or encoded commands. Alone, a command might look innocent, but in combination with process monitoring and network telemetry, it can be a strong indicator of compromise.

Network Monitoring

Attackers often use PowerShell to download tools or exfiltrate data over the network. Monitoring outgoing and incoming connections is a reliable way for defenders to catch malicious activity. A common example is an Invoke-Expression command that pulls content from an external server via HTTP.

What They’re Watching

Let’s break down the logs defenders rely on to catch PowerShell activity:

Windows Security Event ID 1101: AMSI

AMSI stands for Antimalware Scan Interface. Think of it as a security checkpoint inside Windows that watches scripts running in memory, including PowerShell, VBScript, and WMI.

AMSI doesn’t store logs in the standard Event Viewer. Instead, it works with Event Tracing for Windows (ETW), a lower-level logging system. If you bypass AMSI, you can execute code that normally would trigger antivirus scans, like dumping LSASS or running malware, without immediate detection.

But AMSI bypasses are risky. They’re often logged themselves, and Microsoft actively patches them. Publicly available bypasses are a trap for anyone trying to survive quietly.

Windows Security Event ID 4104: ScriptBlock Logging

ScriptBlock logging watches the actual code executed in PowerShell scripts. There are two levels:

Automatic (default): Logs script code that looks suspicious, based on Microsoft’s list of dangerous cmdlets and .NET APIs.

Global: Logs everything with no filters.

script logging implemented in windows

Event ID 4104 collects this information. You can bypass this by downgrading PowerShell to version 2, if it exists, but even that downgrade can be logged. Subtle obfuscation is necessary. Here is how you downgrade:

PS > powershell -version 2

Note that ScriptBlock logging only works with PowerShell 5 and above.

Windows Security Event ID 400: PowerShell Command-Line Logging

Even older PowerShell versions have Event ID 400, which logs when a PowerShell process starts. It doesn’t show full commands, but the fact that a process started is noted.

Windows Security Event IDs 800 & 4103: Module Loading and Add-Type

Module logging (Event ID 800) tracks which PowerShell modules are loaded, including the source code for commands run via Add-Type. This is important because Add-Type is used to compile and run C# code.

In PowerShell 5+, Event ID 4103 also logs this context. If a defender sees unusual or rarely-used modules being loaded, it’s a red flag.

Sysmon Event IDs

Sysmon is a specialized Windows tool that gives defenders extra visibility. Defenders usually monitor:

Event ID 1: Every new process creation.

Event ID 7: Module loads, specifically DLLs.

Event ID 10: Process Access, for instance accessing lsass.exe to dump credentials.

For PowerShell, Event ID 7 can flag loads of System.Management.Automation.dll or related modules, which is often a clear indicator of PowerShell use. Many other Sysmon IDs might be monitored, so make sure you spend some time learning about them.

To check if Sysmon is running:

PS > Get-Service -Name sysmon

To view recent Sysmon events:

PS > Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 20 | Format-List TimeCreated, Id, Message

checking if sysmon is installed on windows

Not all systems have Sysmon, but where it’s installed, defenders trust it. Essentially, it is like a high-tech security camera that is detailed, persistent, and hard to fool.

Endpoint Detection and Response (EDR) Tools

EDR tools combine all the telemetry above, such as processes, commands, modules, and network traffic, to give defenders a full picture of activity. If you’re working on a system with EDR, every move is being watched in multiple ways.

What’s Likely to Get You Spotted

Attackers are predictable. If you run the same commands repeatedly, defenders notice. Red Canary publishes filters that show suspicious PowerShell activity. Not every system uses these filters, but they’re widely known.

Encoded Commands

Using -encodedcommand or Base64 can trigger alerts. Base64 itself isn’t suspicious, but repeated or unusual use is a warning sign.

encoded commands detection filter

Obfuscation & Escape Characters

Adding extra characters (^, +, $, %) can throw off detection, but too much is suspicious.

obfuscation detection filter

Suspicious Cmdlets

Some cmdlets are commonly abused. These include ones for downloading files, running scripts, or managing processes. Knowing which ones are flagged helps you avoid careless mistakes.

suspicious cmdlets detection filter

Suspicious Script Directories

Scripts running from odd locations, like Public folders, are more likely to be flagged. Stick to expected directories or in-memory execution.

suspicious script directories detection filter
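Seen from the defender's side, the signals described above can be checked in a single pass over process-creation telemetry. This is an added example, not from the original post and not Red Canary's filters: the rule names, sample events and the example.invalid URL are constructed, and any prefix of a flag name is treated as that flag (an assumption of this sketch).

```python
import base64
import binascii
import ntpath
import re

OFFICE_PARENTS = {"winword.exe"}      # the post's example: Word spawning PowerShell
ODD_DIRS = ("c:\\users\\public\\",)   # the post's example: Public folders
# A "-Flag value" pair; the value must not itself start with "-".
FLAG_RE = re.compile(r"(?:^|\s)-(\w+)(?:\s+([^-\s]\S*))?")


def encode_command(text):
    """Build an -EncodedCommand value (Base64 of UTF-16LE); used for test data."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(value):
    """Reverse of encode_command; returns None if the value does not decode."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _is_prefix(flag, full):
    return bool(flag) and full.startswith(flag)


def _text_reasons(text):
    """Content checks applied to the command line and to any decoded payload."""
    low = text.lower().replace("/", "\\")
    reasons = []
    if "invoke-expression" in low and "http" in low:
        reasons.append("invoke-expression-with-http")
    if any(d in low for d in ODD_DIRS):
        reasons.append("script-in-public-folder")
    return reasons


def analyze(event):
    """Return the reasons a PowerShell process-creation event looks suspicious."""
    image = ntpath.basename(ntpath.normcase(event.get("Image", "")))
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    cmd = event.get("CommandLine", "")
    reasons = []
    parent = ntpath.basename(ntpath.normcase(event.get("ParentImage", "")))
    if parent in OFFICE_PARENTS:
        reasons.append("spawned-by-office")
    for flag, value in FLAG_RE.findall(cmd):
        flag = flag.lower()
        if value and (_is_prefix(flag, "encodedcommand") or flag == "ec"):
            reasons.append("encoded-command")
            decoded = decode_encoded_command(value)
            if decoded is None:
                reasons.append("encoded-command-undecodable")
            else:
                # Look inside the payload so encoding does not hide the content.
                reasons += _text_reasons(decoded)
        elif value.startswith("2") and _is_prefix(flag, "version"):
            reasons.append("version-2-downgrade")
    reasons += [r for r in _text_reasons(cmd) if r not in reasons]
    return reasons


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed, non-functional payload text: only its tokens matter to the checks.
HIDDEN = "Invoke-Expression <content fetched from http://example.invalid/constructed.ps1>"
SAMPLES = {
    "word_encoded": {
        "Image": PS,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -NoProfile -enc " + encode_command(HIDDEN)},
    "downgrade": {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
                  "CommandLine": "powershell -version 2"},
    "public_script": {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
                      "CommandLine": r"powershell.exe -File C:\Users\Public\constructed.ps1"},
    "benign": {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
               "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(name, analyze(event))
```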

Workarounds

Even when your movement is restricted, options exist.

1) Use native binaries. Legitimate Windows programs are less suspicious.

2) Less common commands. Avoid widely abused cmdlets to reduce detection.

3) Living-Off-the-Land. Using built-in tools creatively keeps you under the radar.

We’ll cover these in more depth in the next chapter, how commands meant for one thing can be adapted for another while remaining invisible.

Net Trick

The net command is powerful, but can be monitored. Use net1 to bypass some filters in really strict environments:

PS > net1 user

net1 trick to avoid detection of net

This lets you run the full suite of net commands quietly.

Logs

Deleting logs can sometimes be a good idea, but you should know that Event ID 1102 flags it immediately. Also, even less experienced defenders can trace lateral movement from log records. Traffic spikes or SMB scans are noticed quickly.

Methods to Evade Detection

Focus on minimizing your footprint and risk. High-risk, complex techniques are not part of this guide.

Avoid Writing Files

Files on disk can betray your tactics. If saving is necessary, use native-looking names, unusual folders, and adjust timestamps. Stick to in-memory execution where possible. Lesser-known commands like odbcconf.exe and cmstp.exe are safer and often overlooked. Use them for execution.

PowerShell Version 2

Downgrading can bypass ScriptBlock logging. But you need to obfuscate things carefully. Subtlety is key here.

Change Forwarder Settings

Tweaking log collectors can buy time but is riskier. Always revert these changes after finishing. It’s always good to have a backup of the config files.

Credential Reuse & Blending In

Use known credentials rather than brute-forcing. Work during normal hours to blend in well and dump traffic to understand local activity. Using promiscuous mode can help you get richer network insights. Targeting common ports for file distribution is also a good idea and blends in well with normal traffic patterns.

Summary

In this part we learned more about the enemy and how defenders see your every move. We broke down the main ways attackers get caught, such as process monitoring, command monitoring and network monitoring. From there, we explored Windows Event IDs and logging mechanisms. We emphasized survival strategies that help you minimize footprint by using in-memory execution, sticking to lesser-known or native commands, using version 2 PowerShell or blending in with normal traffic. Practical tips like the net1 trick and log handling process give you an idea how to avoid raising alarms.

Understanding how defenders observe, log, and respond lets you operate without tripping alerts. By knowing what’s watched and how, you can plan your moves more safely and survive longer. Our goal here was to show you the challenges you’ll face on Windows systems in restricted environments and give you a real sense that you’re never truly alone.

The post PowerShell for Hackers-Survival Edition, Part 3: Know Your Enemy first appeared on Hackers Arise.

Chicken-Style Braised Tofu and Vegetables (1 pan!)

By: Richa
29 October 2025 at 07:00

Spice-Rubbed Braised Tofu with Vegetables in a Savory Umami Sauce. A unique delicious holiday entree that all cooks in one pan! (gluten-free and nut-free with soy-free options)

braised tofu and veggies in the pan

I wanted to make a vegan braised meat-style dish for the holidays, so I came up with this one-skillet meal that’s rich, hearty, and incredibly flavorful. It features an amazing, aromatic spice rub that smells so meaty you’ll be surprised it’s entirely plant-based. The spice rub coats tofu that’s been frozen, thawed, and pressed, giving it a dense, chewy texture perfect for braising.

The base for the braise starts with crisped-up potatoes and carrots. After searing the vegetables, we make a deeply flavorful sauce with caramelized onions, lots of aromatics, and fresh herbs, and flavor boosters. 

close-up of braised tofu and veggies in the pan

The tofu and vegetables braise together in this sauce, allowing the tofu to absorb all that flavor while developing a slightly crispy top and a tender, chicken-like interior.

We use an oven-safe pan to start the dish on the stovetop and finish it in the oven, where the vegetables become perfectly tender and the tofu gets a gorgeous golden top. 

braised tofu and veggies in a bowl with rice and herb sauce

It’s fantastic served with rice, couscous, mashed potatoes or other mashed vegetables, bean purée, some crusty bakery bread, or a side salad. 

A simple herb sauce adds a bright, fresh contrast, but you can enjoy it on its own, too. It’s full of amazing flavors with or without. The herb sauce just bumps up the flavor even more.

fork taking a bite of braised tofu and veggies with rice and herb sauce

Why You’ll Love Braised Tofu and Vegetables

  • 1-pan entree that’s perfect for the holiday table
  • flavorful braised vegetables in caramelized onion sauce
  • big pieces of crisp, herb-rubbed tofu
  • naturally gluten-free and nut-free with easy soy-free option


The post Chicken-Style Braised Tofu and Vegetables (1 pan!) appeared first on Vegan Richa.

Restaurant-Style Dal Makhani

By: Richa
1 October 2025 at 07:00

Dal Makhani is one of the most ordered Indian dishes in restaurants. You can make authentic, buttery, rich dal makhani at home. It’s just as good as the restaurant version! Black gram and kidney beans are simmered in a creamy spiced sauce, making it perfect for special occasions or a great dinner. With Instant Pot and Sauce pan instructions. (gluten-free, soy-free, nut-free, oil-free option).

dal makhani in the pan with tadka and toppings

Love ordering Dal Makhani at restaurants? You’ll love this homemade version even more! This is adapted from my home-style dal makhani that’s on the blog and in my books. The difference is that this version has more spices, including some whole spices, which create more layers of flavor. 

This version of dal makhani is a little bit more involved than my home-style version. It has both a base sauce and a spiced oil. This levels up the flavor and adds a smoky, creamy flavor, like restaurants usually serve.  There’s also a lot more Kashmiri chili powder in this version compared to the home-style one. 

The home-style recipe is quicker and still delicious, but this one takes it up another couple of notches, simmering the beans in a deeply-flavored sauce.

dal makhani in a bowl

Makhani means both “butter” and “like butter,” and the dish is called dal makhani, both because of the butter content and the creamy, buttery texture of the dal. The goal is to cook the beans long enough that they become soft and almost break down into the sauce, thickening it and creating a smooth consistency. For the right texture, I prefer to use a pressure cooker / instant pot, but you can also cook it in a saucepan. I included both methods in the recipe.

After cooking the beans, we make a delicious sauce with whole spices, aromatics, and ground spices, then add the cooked beans to it. Then, we prepare a spice oil with toasted fenugreek leaves, Kashmiri chili, smoked paprika, and a smoky burnt cinnamon stick. Burning the cinnamon stick for just half a second before adding it gives the dal its smoky restaurant-style flavor.

Traditionally, restaurants achieve this smoky flavor by using food-grade charcoal. They place a piece of hot charcoal in a bowl with oil, which immediately smokes. Then, they nestle the bowl inside the dal pot and cover the pan for 10 to 15 minutes. If you don’t want to use charcoal or burnt cinnamon, liquid smoke can also work.

spoon taking a bite of dal makhani

Why You’ll Love Dal Makhani

  • creamy, buttery dal with two kinds of beans
  • deep flavor from the sauce and the spice oil, no dairy needed!
  • flexible! Cook the beans in the Instant Pot or on the stovetop
  • naturally gluten-free, soy-free, and nut-free with an oil-free option

The post Restaurant-Style Dal Makhani appeared first on Vegan Richa.

Salmon Bites

By: Charlie
24 September 2025 at 01:24

These honey garlic salmon bites have become one of my go-to recipes when I need something quick but flavorful. The combination of sweet honey and garlic creates a sticky glaze that coats each piece perfectly. I’ve made these for both weeknight dinners and when having friends over, and they always disappear fast. They work well […]

The post Salmon Bites appeared first on Simply Meat Smoking.

Honey Balsamic Salmon on the Pellet Grill

27 August 2025 at 11:56

Honey Balsamic Salmon

Grill salmon hot to lock in moisture, then brush on a honey-balsamic glaze that caramelizes into a tangy-sweet crust—restaurant flavor in just 15 minutes.

Description

This honey-balsamic salmon gets seared on a blazing hot grill for a perfect crust, then finished with a tangy-sweet glaze that caramelizes beautifully in just minutes.


Ingredients

  • 4 salmon fillets (6-8oz fillets)
  • Olive oil
  • King Craw Seasoning (or your favorite Cajun-style blend)

For the Honey Balsamic Glaze:

  • 2 green onions (separate the whites and the greens), thinly sliced
  • 2 cloves garlic, minced
  • 1/4 cup balsamic vinegar
  • 2 tablespoons honey
  • Salt & black pepper to taste (I used TX Brisket Rub)

Instructions

  1. Preheat your pellet grill to 400°F.
    You want those high temps to help build a crust and lock in the moisture.
  2. Prep the salmon:
    Lightly oil each fillet and season generously with King Craw seasoning on tops and sides. Let it sit while the grill heats up.
  3. Make the glaze:
    In a small saucepan, sauté the green onion whites and garlic in a little oil until softened (1–2 minutes). Add the balsamic, honey, salt, and pepper. Let it simmer until slightly reduced and syrupy — about 5–7 minutes. Set aside.
  4. Grill the salmon:
    Place the fillets directly on the grates. Cook for about 13 minutes, or until the internal temp hits 125°F. The outside should have a nice crust at this point.
  5. Glaze it:
    Brush the salmon with the honey balsamic glaze and let it cook another 1–2 minutes until the glaze sets and your salmon reaches 135°F internal.
  6. Serve it up:
    Pull it off the grill and let it rest for a few minutes before serving. Pairs great with roasted veggies, rice, or even a fresh salad.

Oil up salmon fillets, season them heavy with King Craw—or your favorite Cajun rub—then throw them on a 400°F pellet or hot grill to build that craveable crust. While the salmon’s cooking, whisk together green onion, garlic, balsamic vinegar, honey, salt & pepper until it reduces into a syrupy glaze. Brush it on during the last couple of minutes so it caramelizes and locks in that sweet-tangy shine. Juicy, quick, and restaurant-worthy in just 15 minutes.

Malcom Reed

The post Honey Balsamic Salmon on the Pellet Grill appeared first on HowToBBQRight.

Salmon Candy 101: Tips for Smoking It Right

You’ve eaten salmon grilled, roasted, blackened, planked, and pan-fried; perhaps you’ve even chopped it to make burgers.

But have you made salmon candy, also known as Indian candy? (We no longer call it “squaw candy” by reason of political correctness.) British Columbians snack on it and it’s a staple in Pacific Northwest gift shops. Think of it as jerky, only better. Burnished to an Old Master chiaroscuro by hours of exposure to fragrant wood smoke—usually alder. Glazed with pure maple syrup or honey. Salty and sweet at the same time. It has a nice chew, too—but nothing that will threaten your molars.

Salmon Candy Bites

Salmon candy makes a great snack for a road trip, hike, or long day at the office. It’s addictive as all-get-out. Once you gnaw your last piece, you’ll instantly crave more.

Making a batch is a satisfying project for the waning days of winter. Yes, it requires some time—16 hours or more including brining and smoking—but very little actual work.

Before you get started, here are a few secrets for salmon candy success:

  • Use wild-caught Pacific salmon if possible. You’ll recognize it by its deeper red-orange color and leaner appearance. If in doubt, verify its origin with your fishmonger. It is illegal to farm salmon from the state of Alaska, so salmon from there is always wild, while salmon from the East Coast, Chile, and Norway is likely to be farmed.
  • A center-cut fillet will yield more uniform pieces of fish: It tapers and becomes sinewy the closer you get to the tail.
  • Remove the skin before slicing the salmon into strips. If using a whole fillet, place the salmon skin-side down on a cutting board. Firmly hold the tail with one hand and run a sharp knife between the skin and the flesh, holding it parallel to and against the board. Slide the knife away from the tail the length of the fish, being careful not to cut the flesh or the skin. Remove the skin, but don’t discard it. Make Pac-Rim potato chips by brushing the skin with toasted sesame oil and seasoning it with salt and pepper. Indirect grill at 400 degrees until crisp. Five to ten minutes will do it.
  • You can cure salmon candy using either a dry or wet brine, but the ingredients are more uniformly distributed in a wet brine.
  • If the salmon smells fishy, soak it in cheap vodka, rum, gin, or Scotch before brining. I often do this when I smoke salmon.
  • Do not substitute table salt for kosher salt in the brine. Table salt contains iodine—a metal that “burns” the fish.
  • To achieve the translucency characteristic of commercially-produced salmon candy and jerky, add curing salt (sometimes sold as pink salt, InstaCure #1, or Prague powder, all available online) to the brine strictly following the manufacturer’s recommended proportions.
  • For the purest flavors, use spring water, not tap water, when making a wet brine.
  • Use a charcoal grill or smoker. Gas grills do not work well for smoking.
  • Store salmon candy in the refrigerator to prolong its shelf life. Refrigerated, it can be kept for at least 5 days—and likely much longer. (Both the salt and smoke act as preservatives.)
  • For lip-tingling heat, sprinkle the salmon lightly with cayenne before smoking. Coarsely ground black pepper makes a less fiery option.

FAQ For Salmon Candy

What exactly is salmon candy?

Salmon candy is a traditional dish of the Pacific Northwest—salmon cut into bite-size chunks, cured with salt and brown sugar, smoked, then glazed with maple syrup or honey. It’s sweet, salty, and smoky, playing to virtually every tastebud in your mouth.

What kind of salmon is best for salmon candy?

The richest, fattiest salmon: king.

What’s the secret to getting the perfect glaze?

Use maple syrup or honey and brush it on while the salmon is smoking. Add one final coat at the end.

How do you keep salmon candy from drying out?

Because the salmon pieces are relatively small, keep the smoking time short—20 minutes or so.

Can you make salmon candy without a smoker?

You can make brined, maple syrup-glazed salmon. Cook it on your grill, on the griddle (there’s a great griddle recipe in Project Griddle), or even in the oven. It won’t be smoked, but it certainly will be delicious!

How long does salmon candy last in the fridge or freezer?

Up to 5 days in the fridge. Several months in the freezer, but it will lose some of its pizzazz in the freezer.

The post Salmon Candy 101: Tips for Smoking It Right appeared first on Barbecuebible.com.

Sheet Pan Veggies and Beans with Lemon Yogurt Sauce

By: Richa
23 July 2025 at 07:06

High in protein and fiber, this mix-everything-right-in-the-pan meal of sheet pan roasted veggies and beans with creamy lemon yogurt sauce has amazing flavor and texture! Wrap it, bowl it, swipe with bread! So good! Gluten-free, with soy-free and nut-free options.

sheet pan veggies and beans over creamy lemon yogurt sauce on a white plate

This is an easy, refreshing, spring and summer meal that you can put together within minutes. You make this amazingly refreshing lemon yogurt sauce and pair it with savory roasted veggies and crispy, crunchy beans that have been tossed in spices like paprika, coriander, black pepper, and garlic. They are crisp on the outside and tender on the inside.

The warm veggies and the cooling yogurt sauce are just fabulous together.

sheet pan veggies and beans over creamy lemon yogurt sauce on a white plate with bread for dipping

This is a veggie-heavy recipe rich in fiber, with over 14 grams per serving. It contains 15 to 25 grams of protein per serving, depending on the garnishes and non-dairy yogurt used. The protein in these sheet pan roasted vegetables comes from the beans, yogurt, sesame or hemp seeds, and even the vegetables. For an even more filling meal, serve with whole grain flatbread, pita, or naan.

You can pair them with the sauce in any way you like. You can put the sauce on a plate, top it with the roasted veggies, then top with some seeds and sprouts and a good squeeze of lemon juice. 

making a wrap from sheet pan veggies and beans

Or make a wrap with pita bread or naan bread. Just warm the bread, add the yogurt sauce, the roasted veggies, some more sauce, sprouts, cucumber, and a squeeze of lemon, then serve.

Sheet pan veggies and beans are absolutely delicious any which way you serve them. You can even make small tacos out of them!

Why You’ll Love Sheet Pan Veggies and Beans

  • super easy 1-pan meal celebrates delicious spring and summer veggies
  • tender-crisp roasted vegetables with crunchy roasted white beans
  • creamy, vibrant, 1-bowl lemon yogurt sauce
  • naturally gluten-free, soy-free, and nut-free

The post Sheet Pan Veggies and Beans with Lemon Yogurt Sauce appeared first on Vegan Richa.

Summer Spinach Salad with Chickpea Olive Crumble

By: Richa
9 July 2025 at 07:48

A fully loaded, flavor-packed, protein-rich summer spinach salad with an umami-packed crisp chickpea hemp seed olive crumble, nutrient-dense greens, and creamy, vibrant tahini lemon dressing. A perfect hot weather dinner. (23g protein and 15g fiber per serving; gluten-free, soy-free, nut-free, high protein.)

This is a fantastically hearty summer spinach salad. It has so many textures and flavors, and it has 80 grams of protein for the entire salad. That’s 20 grams of protein per serving. For a salad!

There is protein from the chickpeas, from the hemp seeds, and from the nutritional yeast in the chickpea crumble. There’s also protein from the tahini in the dressing, the non-dairy yogurt (depending on the brand), as well as a little protein from the greens that you use in the salad. You can amp up the protein even more by sprinkling it with some hemp seeds before serving or adding some of my tofu bacon bits, or other high protein toppings.

fork taking a bite of summer spinach salad with chickpea olive crumbles

The salad has this creamy texture from the dressing, the crunch from the fresh veggies, and crispiness from the chickpea crumbles, which we bake until they’re crispy-crunchy. The umami comes from the olives and the sun-dried tomato, and the refreshing, fresh flavor comes from lemon zest, the cucumbers, and any other crunchy veggies and greens. 

It’s just a fabulous combination of flavors and textures. The combination of tahini and yogurt helps mellow tahini’s strong flavor and makes for a rich, creamy dressing.

summer spinach salad in a serving bowl

Why You’ll Love this Summer Spinach Salad

  • incredible combination of flavors and textures! Crunchy veggies, creamy dressing, and savory, crisp chickpea-olive crumble.
  • easy to make in about 30 minutes
  • packed with veggies and protein
  • naturally gluten-free, soy-free, and nut-free
plates of summer spinach salad with chickpea olive

The post Summer Spinach Salad with Chickpea Olive Crumble appeared first on Vegan Richa.

Salmon Rice Bowl Recipe | Viral TikTok Recipe

By: Thas
9 February 2023 at 21:10

Satisfying & healthy lunch or dinner… This is a viral TikTok recipe. As soon as I saw the video, I knew it’s my kind of recipe. Healthy, nutritious & satisfying. A salmon rice bowl is a dish that typically consists of cooked rice, salmon, and various toppings, such as vegetables, avocados, or sauces. The […]

The post Salmon Rice Bowl Recipe | Viral TikTok Recipe appeared first on Cooking with Thas - Healthy Recipes, Instant pot, Videos by Thasneen.

Sushi Bake Cups or Muffins | Easy & Delicious Recipe

By: Thas
6 February 2023 at 22:13

Incredibly delicious sushi bake cups… Being a sushi fanatic, as soon as I saw the making video on TikTok, I made these amazing sushi bake cups or muffins. Apparently, it’s a viral recipe & after trying these I know why it went viral. Absolutely delicious & will make a perfect appetizer for any party. Sushi […]

The post Sushi Bake Cups or Muffins | Easy & Delicious Recipe appeared first on Cooking with Thas - Healthy Recipes, Instant pot, Videos by Thasneen.

Apple Tart

11 January 2023 at 19:40

Hope that everyone had a lovely Christmas and New Year. This year we celebrated our first Diwali and Christmas without my husband. As a family, we still wanted to continue the tradition of celebrating these ...

The post Apple Tart appeared first on Give Me Some Spice!.
