Learn Scattered Spider’s Updated TTPs & How to Defend Against Them In this webinar, Permiso’s CTO and Head of P0 Labs Threat Research will discuss: – How Scattered Spider’s methods have evolved over the last couple of years. – Where they are focusing their attacks now, and how they are doing it. – How the Permiso platform discovers and defends against Scattered Spider identities. Register Today

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Remote Acquisition with Belkasoft R
  
  
• Christopher Eng at Ogmini
  Memory Forensics – Windows Notepad Part 5
  
  
• Forensafe
  iOS Find My
  
  
• Salvation DATA
  Prefetch Files in Windows Forensics
  
  
• Chris Grettenberger at Sumuri
  Unlocking the Power of Unified Logs in Mac Forensics
  

THREAT INTELLIGENCE/HUNTING

• AttackIQ
  • Emulating the Expedited Warlock Ransomware
  • Ransom Tales: Volume III – Emulating INC, Lynx and SafePay Ransomware
    
    
• CJ Moses at AWS Security
  Amazon disrupts watering hole campaign by Russia’s APT29
  
  
• Martin Zugec at Bitdefender
  Why Hypervisors Are the New-ish Ransomware Target
  
  
• Brian Krebs at ‘Krebs on Security’
  • DSLRoot, Proxies, and the Threat of ‘Legal Botnets’
  • Affiliates Flock to ‘Soulless’ Scam Gambling Machine
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 23 – 29 agosto
  
  
• Check Point
  • 25th August – Threat Intelligence Report
  • Phishing in the Classroom: 115,000 Emails Exploit Google Classroom to Target 13,500 Organizations
  • ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies
  • Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
    
    
• CISA
  Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
  
  
• Simone Mattia, Alessandro Strino, and Federico Valentini at Cleafy
  PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT
  
  
• CloudSEK
  • Trusted My Summarizer, Now My Fridge Is Encrypted — How Threat Actors Could Weaponize AI Summarizers with CSS-Based ClickFix Attacks
  • The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN’s Legacy to Target Indonesian Senior Citizens
    
    
• Max Gannon at Cofense
  Phishing Kits Uncovered: Methods and Tactics Used to Evade SEGs, Sandboxes, and Analysts
  
  
• CTF导航
  • C# Loader｜Shellcode内存加载与免杀探索
  • Korban Android Ransomware分析
  • 故障修复之下的陷阱：Lazarus（APT-Q-1）近期利用 ClickFix 手法的攻击分析
  • APT-C-53（Gamaredon）针对乌克兰政府职能部门攻击事件分析
    
    
• Cyble
  • Australia and New Zealand Threat Landscape in H1 2025 is Worrying, but has a Silver-Lining 
  • SikkahBot Malware Campaign Lures and Defrauds Students in Bangladesh
    
    
• Cyfirma
  Weekly Intelligence Report – 29 August 2025
  
  
• Danny Zendejas
  Salesforce Related Breaches Continue
  
  
• Darktrace
  • Docker Engine API botnet
  • Emerging malware campaign
    
    
• Detect FYI
  • Malicious Encoded PowerShell: Detecting, Decoding & Modeling
  • Monitor Event Logs & Trigger DefenderXDR Alerts Without Ingesting Data
  • Integrating and Prioritizing Response Automation in the Detection Lifecycle
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week34)
  
  
• Eoghan Casey at Salesforce
  A Primer on Forensic Investigation of Salesforce Security Incidents
  
  
• Esentire
  Threat Actors Deploy Sinobi Ransomware via Compromised SonicWall SSL VPN Credentials
  
  
• Expel
  You don’t find ManualFinder, ManualFinder finds you
  
  
• FalconFeeds
  • Cybercrime Time Zones: How Threat Actor Activity Mirrors Global Clocks and Cultural Rhythms
  • Unmasking Qilin: Inside the Infrastructure, Tradecraft, and Tactics of a Rising Ransomware Menace
  • The Evolving Landscape of macOS Stealer Threats: A Deep Dive into 2024-2025 Trends, Tactics, and Defenses
  • The Digital Deception Landscape: Unmasking Fake Claims, Ransomware Hoaxes, and Recycled Breaches
    
    
• Guillaume Valadon and Anna Nabiullina at GitGuardian
  The Nx “s1ngularity” Attack: Inside the Credential Leak
  
  
• Google Cloud Threat Intelligence
  • Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats
  • Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
    
    
• GreyNoise
  Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge
  
  
• Group-IB
  ShadowSilk: A Cross-Border Binary Union for Data Exfiltration
  
  
• Justin Timothy at GuidePoint Security
  The Rise of Infostealers: How Digital Identity Theft Fuels the Cybercrime Economy
  
  
• Huntress
  • Cephalus Ransomware: Don’t Lose Your Head
  • From a Fake AnyDesk Installer to MetaStealer
    
    
• David Sardinha at Intrinsec
  VAIZ, FDN3, TK-NET: A nebula of Ukrainian networks engaged in brute force and password spraying attacks
  
  
• Kevin Beaumont at DoublePulsar
  Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025
  
  
• Jeff Kieschnick at LevelBlue
  Like PuTTY in Admin’s Hands
  
  
• Anish Bogati at Logpoint
  Citrix Vulnerabilities Rising – When Gateways Give Way
  
  
• Matt Suiche
  ELEGANTBOUNCER: When You Can’t Get the Samples but Still Need to Catch the Threat
  
  
• Microsoft Security
  Storm-0501’s evolving techniques lead to cloud-based ransomware
  
  
• Mike Cohen at Rapid7
  Detecting Velociraptor misuse
  
  
• Mitiga
  • From Rogue OAuth App to Cloud Infrastructure Takeover
  • CORSLeak: Abusing IAP for Stealthy Data Exfiltration
    
    
• Ray Fernandez at Moonlock
  Fake macOS tutorials are spreading the new Shamos stealer
  
  
• Brad LaPorte at Morphisec
  Ransomware Evolution and Data Exfiltration: A Deep Dive for Cybersecurity Analysts 
  
  
• Natto Thoughts
  No Ranges, No Bounties, No Contests: Forging Offensive Capabilities in China’s 2000s Hacker Scene
  
  
• Hubert Lin at Netskope
  DNS Tunneling: The Blind Spot in Your Network Security Strategy
  
  
• Stamatis Chatzimangou at NVISO Labs
  Detection Engineering: Practicing Detection-as-Code – Documentation – Part 4
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 236. That’s How SHAMOS Bypasses Gatekeeper Checks
  • 238. LOLBAS ITW: Extensible Wizards Host Process
  • 237. That’s How Adversaries Abuse Expand.exe
  • 239. That’s How Adversaries Abuse PowerShell for Component Object Model Hijacking
  • 240. Adversaries Abuse Enterprise Incident Response Tools
  • 241. That’s How Lazarus Adopted ClickFix and How to Hunt It
  • 242. Can Msiexec Install a PDF file?
  • 243. NetSupport RAT: The Most Prevalent Threat of August 2025
    
    
• Isuf Deliu at Permiso
  Sliding into your DMs: Abusing Microsoft Teams for Malware Delivery
  
  
• Qi’anxin X Lab
  • 静默之控：主动与被动双模后门MystRodX的隐匿渗透
  • Heads up! MystRodX, A Covert Dual-Mode Backdoor
    
    
• SANS Internet Storm Center
  • Reading Location Position Value in Microsoft Word Documents, (Mon, Aug 25th)
  • Interesting Technique to Launch a Shellcode, (Wed, Aug 27th)
  • Getting a Better Handle on International Domain Names and Punycode, (Tue, Aug 26th)
  • Increasing Searches for ZIP Files, (Thu, Aug 28th)
    
    
• Seqrite
  • Operation HanKook Phantom: North Korean APT37 targeting South Korea
  • PromptLock: The First AI-Powered Ransomware & How It Works
    
    
• Shantaciak
  E3 — Phishing Macro to PowerShell C2
  
  
• Socket
  • Nx npm Packages Compromised in Supply Chain Attack Leveraging AI CLI Tools
  • Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions
    
    
• Sophos
  Velociraptor incident response tool abused for remote access
  
  
• Splunk
  Static Tundra Analysis & CVE-2018-0171 Detection Guide
  
  
• Vincent Zell at Stairwell
  Are your SVGs Malicious? Hiding malware in your graphics files
  
  
• Joe at Stranded on Pylos
  The Beginning and Ending of Threat Actors
  
  
• Sygnia
  Incident Response to Cloud Security Incidents: AWS, Azure, and GCP Best Practices
  
  
• Itz Sanskarr at System Weakness
  VSCode Tunnels: APTs’ New Favorite Backdoor for Remote Access
  
  
• The Raven File
  DPRK IT Workers Unveiled
  
  
• THOR Collective Dispatch
  • From the Fire: Q2FY25
  • Dispatch Debrief: August 2025
    
    
• Nick Dai and Pierre Lee at Trend Micro
  TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents
  
  
• Truesec
  • Uncovering BEC Threats: How Threat Intelligence uses SOC and IR data
  • Tamperedchef – The Bad PDF Editor
    
    
• Trustwave SpiderLabs
  • Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery
  • Unraveling Phishing Campaigns Flagged by Trustwave’s URL Scanner
    
    
• Anton Cherepanov and Peter Strýček at WeLiveSecurity
  First known AI-powered ransomware uncovered by ESET Research
  
  
• Merav Bar and Rami McCarthy at Wiz
  s1ngularity: supply chain attack leaks secrets on GitHub: everything you need to know
  
  
• Heather Bates and Adam Ford at ZScaler
  Ransomware’s Impact on the Public Sector in 2025
  
  
• Блог Solar 4RAYS
  Обновленные инструменты группировки Fairy Trickster и ее вероятная связь с Lifting Zmiy
  
  
• Dale Hobbs at Black Hills Information Security
  Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security 
  
  
• Siddhant Mishra
  Lumma Stealer: Advanced Network Detection & Validation (Part 3)
  

UPCOMING EVENTS

• Black Hills Information Security
  • Defeating AI Malware Detection with AI w/ Brian Fehrman
  • BHIS – Talkin’ Bout [infosec] News 2025-09-02 #livestream #infosec #infosecnews
    
    
• Cellebrite
  DFU Decoded: Unlocking Hidden Truths with Media Intelligence
  
  
• Simply Defensive
  Automating the Blue Team with Kevin Mata (Swimlane) on SOAR & AI in Cyber – Simply Defensive S4E6
  
  
• Magnet Forensics
  Build Streamlined Workflows Across Your Entire DF Toolkit with Magnet Automate
  
  
• Off By One Security
  0-day Hunting Strategy with Eugene “Spaceraccoon” Lim
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Analyzing a Malicious LNK Dropper – Cryptowall Ransomware with GPT-5 & Copilot
  
  
• Alexis Brignoni
  DIgital Forensics Now Podcast S2 – E15
  
  
• Archan Choudhury at BlackPerl
  PWNDORA, Elite Cyber Lab Platform by BlackPerl, Coming Soon!
  
  
• Black Hat
  QuickShell: Sharing is Caring About an RCE Attack Chain on Quick Share
  
  
• Cellebrite
  Tip Tuesday: Searching Extraction Using RegEx
  
  
• Cloud Security Podcast by Google
  EP240 Cyber Resiliency for the Rest of Us: Making it Happen on a Real-World Budget
  
  
• Cyberwox
  They HACKED U.S Telecoms: Investigating Salt Typhoon (Chinese APT) with ANY.RUN Threat Intelligence
  
  
• Gerald Auger at Simply Cyber
  • Labor Laundering: How Threat Actors Infiltrate Remote Work | Simply Social Engineering S1 E8
  • Inside Hack Defender Academy: Gamified Malware Training for Blue Teamers | Simply Defensive S4 E5
    
    
• InfoSec_Bret
  SA – SOC343-321 – WinRAR Zero-Day Path Traversal Vulnerability (CVE‑2025‑8088)
  
  
• Insane Forensics
  What Does OT Malware Look Like?
  
  
• John Dwyer
  RedRaptorDemo
  
  
• LaurieWired
  Your iPhone is Lying to You About Files…
  
  
• Magnet Forensics
  • Optimise Your Investigative Process: Unlocking Efficiency Through AI-Powered Evaluation
  • Mobile Unpacked S3:E8 // Looking Closer at Locations
    
    
• Matthew Plascencia
  Wireshark Basics: Wireshark I
  
  
• Michael Haggis
  • 🌿🪓 Claude found the APT! 🕵️‍♂️⚡
  • 🛡️PowerShell-Hunter 2 Release
  • Process New Drivers with LOLDrivers MCP 🚀
    
    
• Microsoft Threat Intelligence Podcast
  Live from Black Hat: Ransomware, Responsible Disclosure, and the Rise of AI
  
  
• MSAB
  XRY Exclude File Type
  
  
• MyDFIR
  Breaking Into Cybersecurity Is Harder Than You Think (SOC Analyst)
  
  
• Parsing the Truth: One Byte at a Time
  Casey Anthony: The defense’s hidden expert
  
  
• Proofpoint
  Direct Send Exploitation & URL Rewrite Attacks: What Security Teams Must Know
  
  
• The Weekly Purple Team
  Certipy Deep Dive — Escalating via AD CS with ESC4–ESC7
  
  
• Three Buddy Problem
  Salt Typhoon IOCs, Google Floats ‘Cyber Disruption Unit’, WhatsApp 0-Click
  

MALWARE

• ASEC
  • Underground Ransomware Being Distributed Worldwide, Including in South Korea
  • July 2025 APT Group Trends
  • Warning About NightSpire Ransomware Following Cases of Damage in South Korea
  • Interlock Ransomware Targeting Businesses
    
    
• Cryptax
  Linux/Trigona: analysis with r2ai
  
  
• Debugactiveprocess
  The Evolution of NFC Malware: Deep Dive into a Hardware-Level Banking Trojan
  
  
• Dr Josh Stroschein
  • RE 101 – Finding main() in Visual Studio Compiled Binaries
  • Assembly Shorts – Clearing Memory with XOR, REPNE, and STOSD
    
    
• Cara Lin at Fortinet
  Phishing Campaign Targeting Companies via UpCrypter
  
  
• G Data Software
  AppSuite PDF Editor Backdoor: A Detailed Technical Analysis
  
  
• Guy Korolevski at JFrog
  8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer
  
  
• Pierre-Henri Pezier at Nextron Systems
  Sindoor Dropper: New Phishing Campaign
  
  
• OSINT Team
  • DarkGate II: The Wrath of JAR
  • Open Directory Exposure: APK & EXE Dump Found on m.bureaux.fr
    
    
• Security Onion
  Quick Malware Analysis: NETSUPPORT RAT pcap from 2025-08-20
  
  
• Shubho57
  Analysis of a JavaScript file leads to XWORM and ReverseLoader (Exploit Kit)
  
  
• Liran Tal at Snyk
  Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident
  
  
• ThreatFabric
  Android Droppers: The Silent Gatekeepers of Malware
  
  
• VirusTotal
  • Applying AI Analysis to PDF Threats
  • Integrating Code Insight into Reverse Engineering Workflows
    
    
• István Márton at Wordfence
  15,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Dokan Pro WordPress Plugin
  
  
• Zhassulan Zhussupov
  Malware development trick 51: steal data via legit Bitbucket API. Simple C example.
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  NebulaRun
  

MISCELLANEOUS

• Brett Shavers
  Lazy* police work results in arresting an innocent person.
  
  
• Cloudbrothers
  Remove old or orphaned Sentinels from the XDR Streaming API
  
  
• Coalition
  How Hackers Leverage Insurance Details in Ransomware Attacks
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 08/25/25
  
  
• Doug Metz at Baker Street Forensics
  Is your USB device slowing down your forensic investigation?
  
  
• Forensic Focus
  • Techno Security & Digital Forensics Conference Returns To San Diego With Deep Dive Into AI, Cybercrime, And Justice
  • Digital Forensics Round-Up, August 27 2025
  • Amped Authenticate’s Video Mode: Raising The Bar For Forensic Video Analysis
    
    
• Oxygen Forensics
  • Keys to the Kingdom: Unlocking Critical Evidence with KeyScout & KeyDiver
  • How to Schedule A Remote Collection
    
    
• Dante Fazio at The Metadata Perspective
  Digital Forensics in Television and Movies: Separating Fact from Fiction
  

SOFTWARE UPDATES

• Belkasoft
  Belkasoft X 2.8 brings enhanced BelkaGPT capabilities for UFD data sources
  
  
• Canadian Centre for Cyber Security
  Assemblyline 4.6.0.13
  
  
• Digital Sleuth
  winfor-salt v2025.10.6
  
  
• Mandiant
  flare-floss – QUANTUMSTRAND beta 1
  
  
• Metaspike
  FEC Remote Authenticator 1.50.8
  
  
• MISP
  MISP 2.5.19 brings important fixes, improvements to the on-demand correlation engine, refinements in the task scheduler, and better error handling.
  
  
• MSAB
  XRY 11.1.1 Release: Unlocking Faster, Smarter Mobile Forensics
  
  
• OpenCTI
  6.7.16
  
  
• Paraben Corporation
  E3 Forensic Platform Version 4.4, Featuring New Passware Integration and Enhancements for Relativity export, and new iCloud Capabilities
  
  
• Rapid7
  Velociraptor Release 0.75 RC1
  
  
• Xways
  • X-Ways User Forum: X-Ways Forensics 21.5 SR-5
  • X-Ways User Forum: X-Ways Forensics 21.6 Beta 1b
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!