Learn Scattered Spider’s Updated TTPs & How to Defend Against Them In this webinar, Permiso’s CTO and Head of P0 Labs Threat Research will discuss: – How Scattered Spider’s methods have evolved over the last couple of years. – Where they are focusing their attacks now, and how they are doing it. – How the Permiso platform discovers and defends against Scattered Spider identities. Register Today

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Christian Peter
  What’s Taters, Precious? – Parsing Potato Chat with iLEAPP
  
  
• Christopher Eng at Ogmini
  • Conference talk prep
  • BelkaCTF 7 – AAR Android
  • BelkaCTF 7 – AAR Workspace
  • ALEAPP Plugin – Gmail App – IMAP Accounts
  • BelkaCTF 7 – AAR Banking
  • BelkaCTF 7 – AAR Junk Messaging
  • Volatility 3 – Learning to Write a Plugin Part 1
    
    
• Forensafe
  iOS Microsoft Teams
  
  
• Joshua Hickman at ‘The Binary Hick’
  Further Observations – More on iOS Search Party
  
  
• Justin De Luna at ‘The DFIR Spot’
  Evil on Schedule: Investigating Malicious Windows Scheduled Tasks
  
  
• Kenneth G. Hartman at Lucid Truth Technologies
  Hardware‑Signed C2PA Camera Credentials Strengthen Image Authentication
  
  
• Matthew Plascencia
  Wireshark: Your Trusty Internet Wiretap
  
  
• Steve Whalen at Sumuri
  Why macOS Native Imaging Commands Are Preferred Over AFF4 for APFS Forensics
  

THREAT INTELLIGENCE/HUNTING

• Akash Patel
  • Mastering Memory Forensics: In-Depth Analysis with Volatility and Advanced Tools
  • Data Carving: Advanced Techniques in Digital Forensics
  • DNS in Forensics: The Hidden Goldmine for Threat Hunting
  • Fast-Flux DNS: How Malware Uses DNS to Stay Invisible
  • Introducing: Browser Forensics — Your Ultimate Guide to Manual Analysis
  • DGA: The Algorithmic Backbone of Modern Malware C2 Infrastructure
  • DoH, DoT, and Punycode: What Every Forensic GuyNeeds to Know About Modern DNS Evasion Tactics
    
    
• Hermon Kidane at Active Countermeasures
  Safe vs Malicious: DNS Edition
  
  
• Adam at Hexacorn
  DLL ForwardSideloading
  
  
• Allan Liska at ‘Ransomware Sommelier’
  Is the Ransomware Trust Paradox Breaking?
  
  
• Alparslan Akyıldız academy
  • Çin APT Ekosistemi
  • Mobil Cihazlara Yönelik Yapılan Organize APT Saldırıları
    
    
• ASEC
  • July 2025 APT Attack Trends Report (South Korea)
  • July 2025 Threat Trend Report on Ransomware
    
    
• Auth0
  Auth0 Security Detection Catalog
  
  
• Rohit Suresh Kanase at Barracuda
  Threat Spotlight: Split and nested QR codes fuel new generation of ‘quishing’ attacks
  
  
• BI.Zone
  • Deep dive into CVE-2025–29824 in Windows
  • Paper Werewolf targets Russia with WinRAR zero-day vulnerability
    
    
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | August 2025
  
  
• Patterson Cake at Black Hills Information Security, Inc.
  Stop Spoofing Yourself! Disabling M365 Direct Send
  
  
• Brad Duncan at Malware Traffic Analysis
  2025-08-20: SmartApeSG CAPTCHA page to ClickFix script to NetSupport RAT to StealCv2
  
  
• Brian Krebs at ‘Krebs on Security’
  • Oregon Man Charged in ‘Rapper Bot’ DDoS Service
  • SIM-Swapper, Scattered Spider Hacker Gets 10 Years
    
    
• CERT-AGID
  • Falsa patch per firma digitale diffonde malware
  • Sintesi riepilogativa delle campagne malevole nella settimana del 16 – 22 agosto
    
    
• Check Point
  18th August – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Ransomware incidents in Japan during the first half of 2025
  • Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices
    
    
• CloudSEK
  • Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery
  • The Ghost in the Machine: The Complete Dossier on TA-NATALSTATUS and the Cryptojacking Turf War
    
    
• Tej Tulachan at Cofense
  Phishing in the Cloud: SendGrid Campaign Exploits Account Security
  
  
• CrowdStrike
  • Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS
  • MURKY PANDA: A Trusted-Relationship Threat in the Cloud
    
    
• CTF导航
  • Lockbit Linux ESXi 变种的逆向工程
  • Kimsuky（APT）泄漏工具包分析，附网盘下载地址
  • WinRAR 零日漏洞被又一个APT组织积极利用：纸狼人(Paper Werewolf)攻击活动深度分析
    
    
• Cyb3rhawk
  Soul instead of Shell — Payloads with Purpose
  
  
• Damien Lewke
  The Quiet War
  
  
• Delivr.to
  Emulating AiTM and BiTM Attacks
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week33)
  
  
• DomainTools Investigations
  • Hunting for Malware Networks
  • SpyNote Malware Part 2
    
    
• Kseniia Ignatovych and Isai Anthony at Elastic
  Building effective threat hunting and detection rules in Elastic Security
  
  
• Flashpoint
  New Ransomware-as-a-Service (RaaS) Groups to Watch in 2025
  
  
• Google Cloud Threat Intelligence
  A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor
  
  
• Andrei Loshchev at Group-IB
  Evolving Mule Tactics in the META Region Banking Sector
  
  
• HackTheBox
  CyberJunkie explains: Data exfiltration via Windows Sandbox
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: Yara rules
  
  
• Harlan Carvey and Lindsey O’Donnell-Welch at Huntress
  Exposing Data Exfiltration: Detecting LOLBins, TTPs, and Ransomware Tactics
  
  
• InfoSec Write-ups
  • Psexec Hunt: CyberDefenders Write Up
  • Analysis of Black Energy Malware-Infected RAM Image with Volatility3
    
    
• Invictus Incident Response
  Profiling Sea Turtle: Tactics, History & Defenses
  
  
• Kasada
  Q2 2025 Threat Report
  
  
• Kevin Beaumont at DoublePulsar
  Colt Technical Services gets ransomware’d via SharePoint initial access— some learning points
  
  
• Bert-Jan Pals at KQL Query
  GraphApiAuditEvents: The new Graph API Logs
  
  
• Adam Goss at Kraven Security
  How to Generate Strategic Intelligence by Answering 20 Questions
  
  
• Microsoft Security
  • Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
  • Think before you Click(Fix): Analyzing the ClickFix social engineering technique
    
    
• MikeCyberSec
  Detecting ClickFixing with detections.ai — Community Sourced Detections
  
  
• Ray Fernandez at Moonlock
  A new, cheaper Mac stealer is quickly spreading on the dark web
  
  
• Shmuel Uzan at Morphisec
  Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints 
  
  
• Christopher Conrad at Netscout
  Botnet Pulse
  
  
• Nicter
  プロセスを隠蔽するMountBotの出現
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 229. That’s How UAT-7237 Interacts with Windows Registry
  • 230. Scaly Wolf Abuses BITSAdmin for Ingress Tool Transfer
  • 231. Adversaries Use Paste[.]rs to Host Stealer Payloads
  • 232. Qilin Ransomware Gang Abuses S5cmd for Data Exfiltration
  • 233. Another Tool – Same Detecton Opportunity
  • 224. That’s How MountBot Hides Its Processes
  • 235. Adversaries Abuse Msiexec as a Part of ClickFix
    
    
• Ian Barwise at OSINT Team
  Anti-Forensic Techniques to Cover Your Tracks, Part 2
  
  
• Palo Alto Networks
  • Fashionable Phishing Bait: GenAI on the Hook
  • Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
    
    
• Zack Korman at Pistachio
  Copilot Broke Your Audit Log, but Microsoft Won’t Tell You
  
  
• Proofpoint
  Cybercriminals Abuse AI Website Creation App For Phishing
  
  
• Red Canary
  • Patching for persistence: How DripDropper Linux malware moves through the cloud
  • Intelligence Insights: August 2025
    
    
• SANS Internet Storm Center
  • Keeping an Eye on MFA-Bombing Attacks, (Mon, Aug 18th)
  • Increased Elasticsearch Recognizance Scans, (Tue, Aug 19th)
  • Don’t Forget The “-n” Command Line Switch, (Thu, Aug 21st)
  • Airtell Router Scans, and Mislabeled usernames, (Wed, Aug 20th)
    
    
• SecurityAura
  Ransomware in SMBs: Top 5 Missing or Incomplete Controls That Could Help Prevent or Cripple Attackers
  
  
• Siddhant Mishra
  • Lumma Stealer: The Playbook for Blue Teams (Part 1)
  • Lumma Stealer: Detection Engineering & Telemetry Anchors (Part 2)
    
    
• Socket
  • Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
  • Follow-up and Clarification on Recent Malicious Ruby Gems Campaign
    
    
• SOCRadar
  Dark Web Profile: Beast Ransomware
  
  
• Sophos
  • The State of Ransomware in Retail 2025
  • Threat Intelligence Executive Report – Volume 2025, Number 4
    
    
• SquareX Labs
  Defending Against Salesforce OAuth Attacks With SquareX
  
  
• Evelyne Diaz Araque at Stairwell
  A YARA Rule for Threat Hunting DarkCloud Stealer
  
  
• Marco A. De Felice aka amvinfe at SuspectFile
  • A Young Ransomware Group, an Ancient Risk – Securotrop: The Interview
  • Qilin and Their Alleged “Legal Department”: Criminal Propaganda Disguised as Legitimacy
    
    
• System Weakness
  • DanaBot: CyberDefenders Write-Up
  • Autonomous Malware: The Future of Self-Evolving, Self-Spreading Cyber Threats
  • EDR Killer: Ransomware’s First Strike
  • Windows Detection Events
  • THM – “Snort Challenge – The Basics”
  • How to Use Wireshark for Threat Detection
  • Hunting APT29’s Hidden Highway: A SIGMA Detection Rule for Named Pipe Backdoors
    
    
• The Raven Files
  Unmasking DPRK IT Workers: Email Address Patterns as Hiring Red Flags
  
  
• Damien Lewke at THOR Collective Dispatch
  The Quiet War
  
  
• Trellix
  • The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign
  • The Silent, Fileless Threat of VShell
    
    
• Trend Micro
  • Unmasking Task Scams to Prevent Financial Fallout From Fraud
  • Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
  • Proactive Security Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)
    
    
• Taggart Tech
  The Tyranny of False Positives
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2025-08-25 #livestream #infosec #infosecnews
  
  
• Magnet Forensics
  • Optimise Your Investigative Process: Unlocking Efficiency Through AI-Powered Evaluation
  • Mobile Unpacked S3:E8 // Looking Closer at Locations
    

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Live at Black Hat: What’s AI Really Capable Of?
  
  
• AhmedS Kasmani
  Malware 101: ModuleStomping
  
  
• Ayush Anand
  How to Identify Malware Family in 10 Minutes (Offline)
  
  
• Belkasoft
  Video Compression Artifacts and Quality Challenges | Marco Fontani
  
  
• Cellebrite
  Tip Tuesday: Cellebrite is Here to Help
  
  
• Cloud Security Podcast by Google
  EP239 Linux Security: The Detection and Response Disconnect and Where Is My Agentless EDR
  
  
• Cyber Social Hub
  Digital Exploitation: From Trafficking to Trauma – A Frontline Perspective
  
  
• Erik Hjelmvik at Netresec
  Define Protocol from Traffic (XenoRAT)
  
  
• Huntress
  Community Fireside Chat | Cyber Insurance That Complements Cybersecurity
  
  
• InfoSec_Bret
  SA – SOC239-201 – Remote Code Execution Detected in Splunk Enterprise
  
  
• Insane Forensics
  Why OT Incident Response Is Different from IT
  
  
• John Hammond
  • BloodHound can map ANYTHING
  • Lesser Known Linux Persistence Mechanisms
    
    
• Magnet Forensics
  • Mobile Minute Episode 13: Easily uncover critical digital evidence with Magnet Review
  • Bridging the gap between DF and IR with new capabilities in Magnet Axiom Cyber
  • Introduction to Magnet Verify
    
    
• Michael Haggis
  🚀 Fresh ClickGrab ✨ | Into the Rabbit Hole 🐇🌀
  
  
• MSAB
  Hash Tree Builder Conclusion
  
  
• MyDFIR
  Certifications vs Projects: What Actually Gets You Hired?
  
  
• Oxygen Forensics
  Boost Your Efficiency with Concurrent Collections & Data Integration
  
  
• Parsing the Truth: One Byte at a Time
  Casey Anthony: John Bradley Testimony Shockers
  
  
• The Defender’s Advantage Podcast
  AI Tools and Sentiment Within the Underground Cyber Crime Community
  
  
• Three Buddy Problem
  Zero-day reality check: iOS exploits, MAPP in China and the hack-back temptation
  
  
• X-Ways Software Technology
  • 06 – Quick Guide to X-Ways Forensics: Search
  • 01 – Quick Guide to X-Ways Forensics: Image Creation
  • 07 – Quick Guide to X-Ways Forensics: Recover/Copy
  • 08 – Quick Guide to X-Ways Forensics: Evidence File Container
  • 02 – Quick Guide to X-Ways Forensics: Case Creation
  • 03 – Quick Guide to X-Ways Forensics: Report Noteworthy Files
  • 04 – Quick Guide to X-Ways Forensics: Filtering
  • 05 – Quick Guide to X-Ways Forensics: Refine Volume Snapshot
    

MALWARE

• Andrew Malec
  Following the Trail of Malicious JavaScript
  
  
• Any.Run
  • Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries 
  • How to Enrich IOCs with Actionable Threat Context: Tips for SOC Analysts 
    
    
• ASEC
  Proxyware Malware Being Distributed on YouTube Video Download Site – 2
  
  
• Cryptax
  r2ai with lmstudio and gpt-oss
  
  
• CyberArmor
  Nigerian Hacker Exposed: AI, Infrastructure, and Love
  
  
• Dr Josh Stroschein
  • 🔎 Quick Shellcode Analysis with Speakeasy
  • Suricata 8: Unveiling the Next Generation of Threat Detection with Peter Manev
    
    
• Dr. Web
  • Take 2: Scaly Wolf persistently targets Russian engineering company’s secrets
  • Android backdoor spies on employees of Russian businesses
    
    
• Vincent Li at Fortinet
  The Resurgence of IoT Malware: Inside the Mirai-Based “Gayfemboy” Botnet Campaign
  
  
• Hack & Cheese
  Reverse Engineering of the Lockbit Linux ESXi Variant
  
  
• Harihara Sudhan at K7 Labs
  Examining the tactics of BQTLOCK Ransomware & its variants
  
  
• ZePeng Chen at McAfee Labs
  Android Malware Promises Energy Subsidy to Steal Financial Data
  
  
• RevEng.ai
  Unmasking KorPlug: A Technical Breakdown – Part 2
  
  
• S2W Lab
  Detailed Analysis of the Stealer-Traffer Ecosystem
  
  
• Securelist
  • Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824
  • GodRAT – New RAT targeting financial institutions
    
    
• Shubho57
  Analysis of a SnakeKeyLogger variant (.NET Executable)
  
  
• VMRay
  Hidden in plain sight: How threat actors abuse SVGs for phishing
  
  
• Zhassulan Zhussupov
  • MacOS hacking part 9: shellcode injection via task_for_pid – thread hijacking. Simple C (Intel) example
  • MacOS hacking part 10: shellcode injection via task_for_pid – create remote thread. Simple C (Intel) example
    
    
• Блог Solar 4RAYS
  Рассвет и стремительный закат банковского трояна Gorilla
  

MISCELLANEOUS

• Brett Shavers
  • Tech skills are cheap. Legal knowledge is priceless. Mindset is everything.
  • Courtroom Trials Are the Final Exam for Your Work. Why Haven’t You Attended One?
    
    
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 08/18/25
  
  
• Digital Forensics Myanmar
  • EZ Tools Manual Update (2025)
  • IOS Brute Force
  • Android Brute Force
    
    
• Durok
  Automating DFIR pipelines with OpenRelik
  
  
• Forensic Focus
  • UPCOMING WEBINAR – Retail Under Siege: Fighting Back Against Ransomware With Next-Gen Forensics
  • Digital Forensics Jobs Round-Up, August 18 2025
  • Wrapping Up The S21 Transcriber Spotlight Session – What We’ve Covered
  • Blue Light Wellbeing’s Support For Digital Forensic Investigators
  • Digital Forensics Round-Up, August 20 2025
  • Forensic Focus Digest, August 22 2025
    
    
• LockBoxx
  Course Review: “Advanced Detection Engineering in the Enterprise”
  
  
• MikeCyberSec
  Supercharged SecOps Series – CrowdStrike Falcon MCP (Pub. Preview)
  
  
• Oxygen Forensics
  10 Ways Oxygen Remote Explorer Transforms Compliance and Data Preservation Efficiency
  
  
• John P. Mello Jr. at ReversingLabs
  OWASP GenAI Incident Response Guide 1.0: How to put it to work
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.170!
  
  
• Anthony La Scala at SentinelOne
  The Evolution of Endpoint Protection with Advanced Threats
  

SOFTWARE UPDATES

• FlipForensics
  TriageHasher V1.0.0
  
  
• MISP
  MISP v2.5.18 released with new on-demand correlation engine, a new improved task scheduling system and many more updates
  
  
• OpenCTI
  6.7.14
  
  
• Phil Harvey
  ExifTool 13.34
  
  
• SigmaHQ
  pySigma v1.0.0rc2
  
  
• Sujay Adkesar
  Volume Shadow Copy Explorer (VSCExplorer)
  
  
• WithSecure Labs
  Chainsaw v2.13.0-beta.0
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!