Sponsored by Permiso: Learn Scattered Spider’s Updated TTPs & How to Defend Against Them. In this webinar, Permiso’s CTO and Head of P0 Labs Threat Research will discuss:
- How Scattered Spider’s methods have evolved over the last couple of years.
- Where they are focusing their attacks now, and how they are doing it.
- How the Permiso platform discovers and defends against Scattered Spider identities.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna
  - How the NTFS USN Journal Powers DFIR Investigations
- Christopher Eng at Ogmini
- Chris Ray at Cyber Triage
  - DFIR Next Steps: Suspicious LogMeIn Use
- Damien Attoe
  - The Realm Files – Vol 1 – Intro to RealmDB
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Google Pixel 10 and Massive C2PA Failures
- Forensafe
  - iOS Wire
- Matthew Plascencia
  - Tap and Filter: Filtering in Wireshark
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
  - Malware of the Day – Velociraptor as C2
- Adam at Hexacorn
  - DLL ForwardSideloading, Part 2
- Arctic Wolf
  - GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe
- AttackIQ
  - Response to CISA Advisory (AA25-239A): Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
- Barracuda
- Jade Brown at Bitdefender
  - SafePay Ransomware: How a Non-RaaS Group Executes Rapid Fire Attacks
- Brad Duncan at Malware Traffic Analysis
  - 2025-09-03: Kongtuke CAPTCHA page to ClickFix script to Lumma Stealer
- Brian Krebs at ‘Krebs on Security’
- CERT-AGID
- Check Point
  - 1st September – Threat Intelligence Report
- Dr. Giannis Tziakouris and Elio Biasiotto at Cisco
  - Detecting Exposed LLM Servers: A Shodan Case Study on Ollama
- Sourov Zaman, Craig Strubhart, and Grant Bourzikas at Cloudflare
  - The impact of the Salesloft Drift breach on Cloudflare and our customers
- Koushik Pal at CloudSEK
  - Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix
- CTF导航
- Cyb3rhawk
- Cyfirma
  - Weekly Intelligence Report – 05 September 2025
- Daniel Koifman
  - Thoughts on the recent Ethereum smart contracts C2 abuse
- Darktrace
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 35)
- Steve Behm at DomainTools
  - Using the DomainTools Feed API in Splunk
- DomainTools Investigations
  - Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook
- Elastic Security Labs
  - Investigating a Mysteriously Malformed Authenticode Signature
- Esentire
  - New Botnet Emerges from the Shadows: NightshadeC2
- FalconFeeds
  - A Glimpse Behind the Curtain: Unmasking Kimsuky’s Threat Actor Operations, Infrastructure, and Capabilities
- Flare
- Yun Zheng Hu and Mick Koomen at Fox-IT
  - Three Lazarus RATs coming for your cheese
- g0njxa
  - Approaching stealers devs: a brief interview with MacSync (ex-mentalpositive)
- Guillaume Valadon and Gaetan Ferry at GitGuardian
  - The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows
- Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng at Google Cloud Threat Intelligence
  - ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)
- GreyNoise
  - 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming
- Anton Ushakov at Group-IB
  - From Deepfakes to Dark LLMs: 5 use-cases of how AI is Powering Cybercrime
- Hudson Rock
  - The Infostealer-to-APT Pipeline: How Stolen Diplomatic Credentials Fuel Cyber-Political Power Plays
- Hunt IO
  - From Panel to Payload: Inside the TinyLoader Malware Operation
- Huntress
- Kasada
  - Q2 2025 Bot Attack Trends: AI Scraping, Scalper Bots, and Travel Fraud
- Kevin Beaumont at DoublePulsar
  - Citrix Netscaler backdoors — Part One — May 2025 activity against governments
- Adam Goss at Kraven Security
  - Beyond the Buzzwords: How to Measure Success Using CTI Metrics
- Abul Azed at Microsoft
  - Cloud forensics: Why enabling Microsoft Azure Storage Account logs matters
- Ray Fernandez at Moonlock
  - New malware JSCoreRunner is spreading via fake PDF converters
- Oleg Skulkin at ‘Know Your Adversary’
  - 244. Adversaries Abuse Python to Deliver Commercial Malware
  - 245. That’s How TamperedChef Queries the System for Security Products
  - 246. That’s How TinyLoader Maintains Persistence
  - 247. Another Hunting Opportunity from ClickFix
  - 248. That’s How Adversaries Abuse Netsh for Discovery
  - 249. Adversaries Use Active Setup for Persistence
- Matt Black at OSINT Team
  - From Alias to Attribution: An Analyst’s Guide to Dark Web Threat Actor Profiling
- Palo Alto Networks
  - Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances
- Proofpoint
  - Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers
- Recorded Future
  - H1 2025 Malware and Vulnerability Trends
  - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
  - Russian Influence Assets Converge on Moldovan Elections
  - Influence Operations and Conflict Escalation in South Asia
  - One Step Ahead: Stark Industries Solutions Preempts EU Sanctions
  - TAG-144’s Persistent Grip on South American Organizations
- Chris Brook, Alex Walston and Harrison Koll at Red Canary
  - Understanding OAuth application attacks and defenses
- Resecurity
  - Azure AD Client Secret Leak: The Keys to Cloud
- SANS Internet Storm Center
  - pdf-parser: All Streams (Sun, Aug 31st)
  - Wireshark 4.4.9 Released (Sun, Aug 31st)
  - A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years (Tue, Sep 2nd)
  - Exploit Attempts for Dassault DELMIA Apriso, CVE-2025-5086 (Wed, Sep 3rd)
  - From YARA Offsets to Virtual Addresses (Fri, Sep 5th)
- John Tuckner at Secure Annex
  - DePIN comes to browser extensions
- Securelist
- Aleksandar Milenkoski, Sreekar Madabushi (Validin) & Kenneth Kinion (Validin) at SentinelOne
  - Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
- Sanjay Katkar and Mahua Chakrabarthy at Seqrite
  - Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector
- Simone Kraus
- SOCRadar
- Joe at Stranded on Pylos
  - Intelligence Poverty and the Commercial Data Economy
- Brandon Webster at Sublime Security
  - Callback phishing with online appointment abuse and distribution lists
- Marco A. De Felice aka amvinfe at SuspectFile
  - “It’s Not a Matter of Legal or Illegal”: Interview with a Qilin Affiliate
- Visir at System Weakness
  - Session Forensics TryHackMe Walkthrough: Decode JWTs, Investigate Logs & Catch Token Forgery
- Tehtris
  - Threat Intelligence report – September 2025
- THOR Collective Dispatch
- Trellix
- Trend Micro
  - Do Security Blogs Enable Vibe-Coded Cybercrime?
- Buddy Tancio, Aldrin Ceriola, Khristoffer Jocson, Nusrath Iqra, and Faith Higgins at Trend Micro
  - An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps
- Tom Neaves at Trustwave SpiderLabs
  - Rogue AI Agents In Your SOCs and SIEMs – Indirect Prompt Injection via Log Files
- Ugur Koc and Bert-Jan Pals at Kusto Insights
  - Kusto Insights – August Update
- Vasilis Orlof at Cyber Intelligence Insights
  - A Stark connection
- Strahinja Janjusevic at Vectra AI
  - New Technologies bring new risks: MCP-Powered Swarm C2
- Bernardo Quintero at VirusTotal
  - Uncovering a Colombian Malware Campaign with AI Code Analysis
- Fernando Tavella at WeLiveSecurity
  - GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes
- Wiz
- Zero Salarium
  - Stealthy Persistence With Non-Existent Executable File
- Solar 4RAYS Blog (Блог Solar 4RAYS)
  - Solar 4RAYS FlagHunt: challenge write-ups (разбор заданий)
UPCOMING EVENTS
- AnyRun
  - New Malware Tactics: Cases & Detection Tips for SOCs
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2025-09-08 #livestream #infosec #infosecnews
- Gerald Auger at Simply Cyber
  - DFIR Careers in Cybersecurity
- Magnet Forensics
  - Simplify digital evidence sharing and review with Magnet Review
- Simply Defensive
  - How a Detective Became the Ginger Hacker: SOC Life, Job Hunts & Blue Team Wisdom | S4E7
PRESENTATIONS/PODCASTS
- Behind the Binary by Google Cloud Security
  - EP14 Web3’s Dark Side: Unmasking the New Age of Financial Crime
- Belkasoft
  - Registry Secrets: How Malware Stays Hidden in Windows | Vedant Narayan
- Cellebrite
  - Tip Tuesday: Digital Justice Awards Nominations
- Clint Marsden at the TLP – Digital Forensics Podcast
  - Episode 23: AI Voice Agent Security: Voice AI Under Siege: SIP Spoofing, Cost Drain, and How to Fight Back
- Cloud Security Podcast by Google
  - EP241 From Black Box to Building Blocks: More Modern Detection Engineering Lessons from Google
- Compass Security
- InfoSec_Bret
  - SA – SOC335-313 – CVE-2024-49138 Exploitation Detected
- Magnet Forensics
  - Build Streamlined Workflows Across Your Entire DF Toolkit with Magnet Automate
- MSAB
  - #msabmonday – Exclude Irrelevant Locations
- MyDFIR
- Off By One Security
  - UEFI Bootkits and Kernel-Mode Rootkits Development
- Paraben Corporation
  - Using Zandra AI in Incident Response
- Parsing the Truth: One Byte at a Time
  - Epstein’s Missing Minute Found
- The Cyber Mentor
  - Using Stacking to Find Evil
MALWARE
- ASEC
  - Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion
- Dr Josh Stroschein
- Itz Sanskarr at InfoSec Write-ups
  - Reverse Engineering WannaCry Ransomware: A Deep Dive
- Marc Messer and Dave Truman at Kroll
  - FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
- Lab52
  - Analyzing NotDoor: Inside APT28’s Expanding Arsenal
- MALCAT
  - Get your swimsuit, we’re diving into a black SEO scheme
- Shubho57
  - Analysis of a word document leads to Ducktail (Fake job application)
- Kush Pandya at Socket
  - Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials
- Zhassulan Zhussupov
  - MacOS hacking part 11: bind shell for ARM (M1). Simple Assembly (M1) and C (run shellcode) examples
- The Digest “Crypto-Ransomware” (Шифровальщики-вымогатели)
MISCELLANEOUS
- Jack Hyland at Black Hills Information Security
  - MailFail
- Brett Shavers at DFIR.Training
  - The DFIR Training Blog: Why I’m Doing This
- Phil Roth at CrowdStrike
  - EMBER2024: Advancing the Training of Cybersecurity ML Models Against Evasive Malware
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 09/01/25
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Bellingcat Challenge – August 2025 (Hidden Hazards)
- Forensic Focus
  - Exterro Changes The Rules Of The AI Game With Introduction Of Exterro Intelligence For Legal Review And Investigations
  - Tetiana Hrybok, Head Of Quality Assurance, Atola Technology
  - Digital Forensics Jobs Round-Up, September 01 2025
  - Connecting The World’s Intelligence While Protecting The People Behind It
  - Digital Forensics Round-Up, September 03 2025
  - Retail Under Siege: How Ransomware Is Rewriting The Rules Of Digital Forensics In The UK
  - Forensic Focus Digest, September 05 2025
- Will Francillette at French365Connection
  - Entra: Retrieve Entra Connect Version Information
- InfoSec Write-ups
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (9/1/2025)
- Lesley Carhart
- Magnet Forensics
- Oxygen Forensics
  - 36 Cloud Apps & Services Only Accessible with Oxygen Forensics
- Patrick Siewert at ‘The Philosophy of DFIR’
  - Part 3 of 3: Evolving A Digital Forensic Business
- Ryan G. Cox at The Cybersec Café
  - Detections as Code in DataDog: How I Built an MVP for a Small Team
SOFTWARE UPDATES
- Airbus Cybersecurity
  - IRIS-Web v2.4.23
- Alexis Brignoni
  - iLEAPP v2.3.0
- Amped
  - Amped Replay Update 38515: New Redact Tab, Improved Motion Detection and More!
- Cyber Triage
  - Cyber Triage 3.15: Import Defender Telemetry + More SOC Features
- Didier Stevens
  - Update: pdf-parser.py Version 0.7.13
- Digital Sleuth
  - winfor-salt v2025.10.7
- Manabu Niseki
  - Mihari v8.2.0
- OpenCTI
  - 6.7.17
- Phil Harvey
  - ExifTool 13.35 (production release)
- Rapid7
  - Velociraptor v0.75.1
- Xways
- Yogesh Khatri
  - mac_apt 29250905
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
Hi there,
Just a quick note to say that our free CaseNotes application is now available directly from GitHub as an open-source project. It includes all C# source code and supporting libraries.
The old download page from our First Response website now links straight to GitHub to make finding it a bit easier.
The GitHub link is here: https://github.com/finbarr996/First-Response-CaseNotes/tree/main
Your weekly newsletter is superb – keep up the great work. 😊
Kind regards,
John.
John Douglas MSc NCE MCSFS MBCS
Technical Director & Head of Forensic Services
first response – cybersecurity & incident response
tel: +44 (0) 20 7981 2573
mob: +44 (0) 7414 247 547
email: john.douglas@first-response.co.uk
web: http://www.first-response.co.uk/
Twitter: @FirstResponseEU
Facebook: http://www.facebook.com/firstresponseEurope
LinkedIn: http://uk.linkedin.com/pub/john-douglas/5/913/24a