Download Permiso’s CISO Guide to Detecting & Preventing Identity Attacks.   The guide breaks down: – The top identity-based attack vectors across SaaS, PaaS, IaaS, and IdPs – Real-world breach examples from Okta, Snowflake, Cloudflare, and others – How adversaries exploit non-human identities and abuse MFA gaps – What CISOs must do to align identity with their broader security strategy And More

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Belkasoft CTF 7: Write-up
  
  
• Christopher Eng at Ogmini
  • BelkaCTF 7 – Volatility 3 vs MemProcFS
  • BelkaCTF 7 – Whoami
  • BelkaCTF 7 – AAR Locker
  • Velociraptor – Artifact Windows Notepad
  • Conference talk and other updates
  • BelkaCTF 7 – AAR Sample
  • BelkaCTF 7 – AAR Infection
    
    
• Aviv Yaniv at Courisity is a Drug
  Walk Through Guide for Kusto Detective Agency Season 3, Call of the Cyber Duty, Case #10 Solution
  
  
• Daniel Jeremiah
  • Investigating Suspicious Memory Activity: Tracing a SIEM Alert to a Cobalt Strike C2
  • Memory Forensics Attack Simulation Dataset
    
    
• Forensafe
  iOS Google Chat
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  A deeper dive into Spotlight indexes
  
  
• ThinkDFIR
  Sometimes Windows and PE Version information don’t get along
  

THREAT INTELLIGENCE/HUNTING

• Abdulrehman Ali
  Famous Chollima APT Adversary Simulation
  
  
• Tricia Howard & Maria Vlasak at Akamai
  Surviving the Ransomware Gauntlet: A Test of Resilience
  
  
• Akash Patel
  • Carbon Black (P1:Overview): A Practical Guide/An Practical Training
  • Rethinking Incident Response — From PICERL to DAIR (Expanded Edition)
  • Carbon Black (P2:Dashboard/Alerts): A Practical Guide/An Practical Training
    
    
• Julian Tuin at Arctic Wolf
  Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN
  
  
• Francis Guibernau at AttackIQ
  Ransom Tales: Volume II – Emulating Gunra, Anubis and DevMan Ransomware
  
  
• Tim Kingdon at AWS Security
  How to automatically disable users in AWS Managed Microsoft AD based on GuardDuty findings
  
  
• Bank Security
  Investigating X Profiles and Posts Using Grok AI
  
  
• Lawrence Abrams at BleepingComputer
  ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH
  
  
• Mehmet Ergene at Blu Raven Academy
  The Hidden Gaps in Entra ID Linkable Token Identifier
  
  
• Brian Krebs at ‘Krebs on Security’
  Scammers Unleash Flood of Slick Online Gaming Sites
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 26 luglio – 1 agosto
  
  
• Check Point
  • 28th July – Threat Intelligence Report
  • Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal
  • The State of Ransomware – Q2 2025
  • Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations
  • Ransomware in Q2 2025: AI Joins the Crew, Cartels Rise, and Payment Rates Collapse
    
    
• CISA
  • CISA and Partners Release Updated Advisory on Scattered Spider Group
  • Eviction Strategies Tool Released
  • CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization
  • Thorium Platform Public Availability
    
    
• Cisco’s Talos
  • Insights from Talos IR: Navigating NIS2 technical implementation
  • IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy
  • Using LLMs as a reverse engineering sidekick
    
    
• Cleafy
  PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT
  
  
• Clint Ilagan at Cofense
  Google Redirect Abuse in 2024: Key Trends & Tactics
  
  
• Cyble
  • Maritime Sector Faces Surge in APT and Hacktivist Cyber Threats
  • RedHook: A New Android Banking Trojan Targeting Users in Vietnam
    
    
• Cyfirma
  Weekly Intelligence Report – 01 August 2025
  
  
• Damien Lewke
  Introducing Nebulock
  
  
• Darktrace
  AI Analyst in Action: 4 Real-World Investigations using AI Investigations
  
  
• dekx_headroom
  TRIFORCE-Threat_Model
  
  
• Sergio Albea at Detect FYI
  Protecting the Evidence in Real-Time with KQL Queries
  
  
• Dirk-jan Mollema
  Extending AD CS attack surface to the cloud with Intune certificates
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week30)
  
  
• DomainTools Investigations
  • Cybersecurity Reading List – Week of 2025-07-28
  • From Laptops to Laundromats: How DPRK IT Workers Infiltrated the Global Remote Economy
    
    
• Esentire
  • Unmasking Interlock Group’s Evolving Malware Arsenal
  • Unpacking ShadowCoil’s (RansomHub Ex-affiliate) Credential Harvesting Tool
    
    
• FalconFeeds
  The Rise of Malware-less Intrusions: When Threat Intelligence Can’t Rely on Signatures
  
  
• Flashpoint
  • The DPRK Remote Worker Threat: Unmasking North Korea’s Digital Deception
  • Navigating 2025’s Midyear Threats: Insights from Flashpoint’s Intelligence Index
    
    
• Prashant Tilekar at Forescout
  Threat Analysis: Microsoft SharePoint ‘ToolShell’ Exploits
  
  
• Gen
  Gen Q2/2025 Threat Report
  
  
• GreyNoise
  GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities
  
  
• h0wdy & hrbrmstr at GreyNoise Labs
  The PoC Pollution Problem: How AI-Generated Exploits Are Poisoning Detection Engineering
  
  
• Group-IB
  UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion Evasion
  
  
• Hunt IO
  APT36 Targets Indian Infrastructure with Desktop Lures and Poseidon Backdoor
  
  
• Huntress
  • Information to Insights: Intrusion Analysis Methodology
  • The Commented Kill Chain: Why Old Ransomware Playbooks Never Die
    
    
• Hussam Shbib at Cyber Dose
  Be a Better Detective #5 – Confusing drive serial numbers
  
  
• Chris Campbell at Inde
  • Community Disservice Part One: Analysing Modern Human-Centric Intrusions
  • Community Disservice Part Two: Mitigating Modern Human-Centric Intrusions
    
    
• Intel 471
  Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level
  
  
• Intrinsec
  Shadow syndicate infrastructure illumination
  
  
• Jason Yung
  • It is a blessing (Confidential data) in disguise
  • It is a blessing (Confidential data) in disguise (Part 2)
    
    
• Adam Goss at Kraven Security
  From Free to Enterprise: Threat Intelligence Platforms Explained
  
  
• Kyaw Pyiyt Htet
  Tracing ToneShell: Mustang Panda’s Evolving Tradecraft and Campaign Infrastructure
  
  
• Nischal Khadgi at Logpoint
  APT28’s New Arsenal: LAMEHUG, the First AI-Powered Malware
  
  
• Michalis Michalos
  Breaking down the Microsoft Defender External Attack Surface Management opportunities for queries in Advanced Hunting & Log Analytics Workspace
  
  
• Microsoft Security
  • Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability
  • Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
    
    
• Natto Thoughts
  When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft’s MAPP Program
  
  
• Nextron Systems
  • Detecting the Most Popular MITRE Persistence Method – Registry Run Keys / Startup Folder
  • AURORA – Leveraging ETW for Advanced Threat Detection
  • Plague: A Newly Discovered PAM-Based Backdoor for Linux
    
    
• Nick Foulon at NVISO Labs
  Refinery raid
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 209. Threat Actors Leverage ClickFix to Deploy Epsilon Red Ransomware
  • 208. Hunting for ClickFix on macOS
  • 211. That’s How Stealers Defeat System Recovery
  • 210. SHUYAL Stealer Disables Windows Task Manager as Part of Defense Evasion
  • 212. A Curious Case of Masquerading
  • 213. That’s How Secret Blizzard Reduces the Difficulty of Lateral Movement
  • 214. That’s How Adversaries Sanitize Logs
    
    
• Outpost24
  Lionishackers: Analyzing a corporate database seller
  
  
• Palo Alto Networks
  • 2025 Unit 42 Global Incident Response Report: Social Engineering Edition
  • The Covert Operator’s Playbook: Infiltration of Global Telecom Networks
  • Introducing Unit 42’s Attribution Framework
  • Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025)
    
    
• Aditya Vats at Permiso
  15 Questions Everyone Asks About Identity Threat Detection and Response(ITDR)
  
  
• Seojun Kim at Plainbit
  • A Practical guide for Linux Sysmon : Event and Utilization
  • A Practical guide for Linux Sysmon : Concept and install
    
    
• Proofpoint
  Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
  
  
• Resecurity
  SharePoint Zero-Day Exploit (ToolShell) – Network Infrastructure Mapping
  
  
• Sandfly Security
  Linux Medusa Rootkit Detection and De-Cloaking
  
  
• SANS Internet Storm Center
  • Triage is Key! Python to the Rescue!, (Tue, Jul 29th)
  • Parasitic Sharepoint Exploits, (Mon, Jul 28th)
  • Securing Firebase: Lessons Re-Learned from the Tea Breach, (Wed, Jul 30th)
  • Scattered Spider Related Domain Names, (Thu, Jul 31st)
    
    
• Siddhant Mishra
  Breaking Free of Vendor Defaults: A New Era in Detection Engineering
  
  
• SOCRadar
  Dark Web Profile: SafePay Ransomware
  
  
• Josh “Soup” Campbell and Brandon Murphy at Sublime Security
  Multi-RMM attack: Splashtop Streamer and Atera payloads delivered via Discord CDN link
  
  
• Sujay Adkesar
  Windows 11 PCA Artifac
  
  
• Vishal Kamble at Symantec Enterprise
  Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics
  
  
• Tarek Mostafa
  Akira Ransom Group Profiling
  
  
• RakeshKrish at THE RAVEN FILE
  INSIDE QILIN RANSOMWARE AFFILIATE’s PANEL
  
  
• THOR Collective Dispatch
  • The Agentic Threat Hunter
  • The DEF CON 33 Thrunting Hot List
  • Dispatch Debrief: July 2025
    
    
• Trend Micro
  • Revisiting UNC3886 Tactics to Defend Against Present Risk
  • Gunra Ransomware Group Unveils Efficient Linux Variant
  • Trend Micro State of AI Security Report 1H 2025
    
    
• Truesec
  Takedown of large Pro-Russian DDoS Group
  
  
• Vasilis Orlof at Cyber Intelligence Insights
  • Bulletproof Hosting Hunt
  • Intel Drops #1
    
    
• Merav Bar at Wiz
  TraderTraitor: Deep Dive
  
  
• István Márton at Wordfence
  • Attackers Actively Exploiting Critical Vulnerability in Alone Theme
  • 100,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in AI Engine WordPress Plugin
    
    
• Brett Stone-Gross, Heather Bates, Rajdeepsinh Dodia, and Yesenia Barajas at ZScaler
  Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-08-04 #livestream #infosec #infosecnews
  
  
• Cellebrite
  • A New Data Hope: How to Conquer the Data Frontier in eDiscovery—And Win
  • The AI Advantage: Evidence Review
    
    
• Silent Push
  • Workshop – Investigating Infrastructure: A Practical Workflow for Threat Analysts
  • Webinar – SocGolish: From Fake Updates to Real Breaches 
    

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP13: Beyond the Bytes: Why Testing Unlocks the True Story in Your Data
  
  
• Alexis Brignoni
  • How to make LAVA Compliant LEAPP artifacts
  • Ditigal Forensics Now Podcast – S2 E14
  • Apple Unified Logs in iOS
    
    
• Anuj Soni
  Dynamic Malware Analysis: Tools & Workflow (Amadey Malware)
  
  
• Cellebrite
  • Mobile Forensic Capabilities on Search Warrants
  • [Fireside Chat] Breaking the Chains: How Cellebrite and Chainalysis Empower Investigators in the Fight Against Global Threats
  • Investigators and the Role of Mobile Phone Review in Coercive Control cases
  • The Role of Trust and Analytical Rigour in an AI Rich Environment
  • Uncovering the Unseen: Advancing Digital Forensics (Table Discussions)
    
    
• Chris Sienko at the Cyber Work podcast
  Working in ransomware response, investigation and recovery | John Price
  
  
• Cloud Security Podcast by Google
  EP236 Accelerated SIEM Journey: A SOC Leader’s Playbook for Modernization and AI
  
  
• Deepanshu Khanna
  • KubePwn (Part-8 contd..) – Digging into Privilege Misconfigurations & Escape Vectors in K8s cluster
  • KubePwn (Part-8) – Digging into Privilege Misconfigurations & Escape Vectors in K8s cluster
  • KubePwn (Part-11) – Data Exfiltration and Persistence (complete cluster access)
  • KubePwn (Part-10) – Privilege Escalation (container breakout) to Full cluster compromise
  • KubePwn (Part-9) – Enumerating Linux Capabilities & Identifying Escape Vectors in K8s cluster
    
    
• InfoSec_Bret
  SA – SOC342-320 – CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE
  
  
• MSAB
  #MSABMonday – Hash Tree Builder Part 1
  
  
• MyDFIR
  Why I Always Recommend This SOC Analyst Certification and Blue Team Training
  
  
• Parsing the Truth: One Byte at a Time
  Casey Anthony: The State’s Forensic Experts
  
  
• Proofpoint
  Threat Actor Theater: TA2541, TA558, and the Cyber Heist Crew TA582
  
  
• Silent Push
  • WORKSHOP: Pivoting Across Infrastructure to Detect Unknown Threats
  • How to Detect Fast Flux Infrastructure With Silent Push’s Free Community Edition
    
    
• The Cyber Mentor
  LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team
  
  
• The Defender’s Advantage Podcast
  Protecting the Core: Securing Protection Relays in Modern Substations
  
  
• THE Security Insights Show
  The Security Insights Show Episode 270 – Just Us!
  
  
• The Weekly Purple Team
  EDR on EDR Violence: Bring Your Own Vulnerable EDR
  
  
• Three Buddy Problem
  Rethinking APT Attribution: Dakota Cary on Chinese Contractors and Espionage-as-a-Service
  

MALWARE

• Elastic Security Labs
  MaaS Appeal: An Infostealer Rises From The Ashes
  
  
• Ladislav Zezula at Gen
  Decrypted: FunkSec Ransomware
  
  
• Jan Michael Alcantara at Netskope
  XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed
  
  
• Maxim Starodubov, Valery Akulenko, Danila Semenov at Securelist
  Cobalt Strike Beacon delivered via GitHub and social media
  
  
• Vaibhav Billade at Seqrite
  Spear Phishing Campaign Delivers VIP Keylogger via EMAIL Attachment
  
  
• Shubho57
  Analysis of a VBScript leading to Phantom stealer using ConfuserX Obfuscation
  
  
• SquareX Labs
  Architectural Limitations in Chrome Browser DevTools in Debugging Malicious Extensions
  
  
• Puja Srivastava at Sucuri
  Unauthorized Admin User Created via Disguised WordPress Plugin
  
  
• Ernesto Fernández Provecho at Trellix
  Let’s Be Objective: A Deep Dive into 0bj3ctivityStealer’s Features
  
  
• Zhassulan Zhussupov
  • Mobile malware development trick 2. Abuse Telegram Bot API: Contacts. Simple Android (Java/Kotlin) stealer example.
  • MacOS hacking part 7: Minimal Linux-style shellcode on macOS (Intel). Simple NASM (Intel) and C examples
    

MISCELLANEOUS

• abuse.ch
  Creating sustainability for abuse.ch and its community
  
  
• Brett Shavers
  How Sitting in 14 Legal Roles Created My DFIR Investigative Mindset
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 07/28/25
  
  
• Doug Metz at Baker Street Forensics
  Toby-Find: Simplifying Command-Line Forensics Tools
  
  
• Forensic Focus
  • Transforming Mental Health And Organisational Culture In Digital Forensics
  • S21 Spotlight Transcriber – Slow, Manual Transcription Or Insecure Online Service? There’s A Better Way.
  • Digital Forensics Round-Up, July 30 2025
  • Collaborative Forensics: Overcoming Challenges In Multi-Jurisdictional Investigations
    
    
• Ahmed Khanji at Gridware
  ASICs Cyber Crackdown: Perspective from a Risk Professional
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (8/1/2025)
  
  
• Magnet Forensics
  • The Mobile Unpacked Artifact Hunt challenge begins!
  • Enterprise turns to AI for speed and accuracy in DFIR 
  • The “deepfake detector” paradigm shift: The case for media authentication in court 
    
    
• Osama Elnaggar
  Elastic Certified SIEM Analyst Course Review
  
  
• Oxygen Forensics
  • Collect iOS Data Remotely with Oxygen’s iOS Agent
  • How to Use Remote iOS Agent in Oxygen Remote Explorer
    
    
• Patrick Siewert at ‘The Philosophy of DFIR’
  Part 1 of 3: Starting A Digital Forensic Business
  
  
• Salvation DATA
  What Is a Forensic Image? Understanding Its Role in Digital Forensics
  
  
• Joan Soriano at Security Art Work
  • Planificación en Threat Intelligence: Definiciones
  • Planificación en Threat Intelligence: Requisitos
    
    
• Team Cymru
  Team Cymru Tags Explained: Powering Faster, Smarter Threat Intelligence
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Vatican
  

SOFTWARE UPDATES

• Acelab
  New version of the PC-3000 Mobile PRO 2.10x has been released
  
  
• Amped
  Authenticate Update 38211: Introducing the Perspective Filter, Improvements to the Video Mode, and More!
  
  
• Binary Ninja
  Sidekick 5.0
  
  
• Doug Metz at Baker Street Forensics
  • Sharper Strings and Smarter Signals: MalChela 3.0.1
  • Enhance Threat Hunting with MITRE Lookup in MalChela 3.0.2
    
    
• Invictus Incident Response
  Black Hat First Look: Meet the New Microsoft Extractor Suite v4
  
  
• Metaspike
  Forensic Email Collector 4.1.507 Release Notes
  
  
• OpenCTI
  6.7.9
  
  
• radare2
  6.0.0
  
  
• Sweetscape Software
  Announcing 010 Editor – Version 16.0
  
  
• Ryan G. Cox at The Cybersec Café
  Cybersecurity is Data: Collect, Analyze, Interpret
  
  
• Xways
  • X-Ways Forensics 21.4 SR-7
  • X-Ways Forensics 21.5 SR-4
  • X-Ways Forensics 21.6 Preview 4
    
    
• Yamato Security
  • Suzaku v1.0.0 – Black Hat Arsenal USA 2025 Release
  • Hayabusa v3.4.0 – Black Hat Arsenal USA 2025 Release
    
    
• Yogesh Khatri
  mac_apt 20250828
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!