Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • From Rejection to Relocation: Breaking Myths About Getting a Job Abroad
  • The Core Principles of Successful Incident Response
  • The Sneakiest Phishing Trick I’ve Seen Lately — And Why Your Email Security Won’t Save You
  • Beyond Tools: The Human Side of Incident Response
  • Divide and rule in Incident Response
    
    
• Christopher Eng at Ogmini
  • Pixel 7 – Researching Rooting Options
  • BelkaCTF 7 – AAR New Name
  • Pixel 7 – Unlocking the Bootloader
  • Pixel 7 – Patching init_boot
  • Pixel 7 – Data Acquisition
    
    
• Forensafe
  iOS Silent Phone
  
  
• Forensic Science International: Digital Investigation
  Volume 54
  
  
• Lucid Truth Technologies
  Mobile Phone Evidence Without the Device: Working from UFEDs, Backups, and Targeted Exports
  
  
• Matthew Plascencia
  Get Me All That Info With the Tap!
  
  
• The DFIR Report
  Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Beyond good ol’ Run key, Part 151
  
  
• Any.Run
  Lazarus Group Attacks in 2025: Here’s Everything SOC Teams Need to Know 
  
  
• ASEC
  August 2025 APT Group Trends
  
  
• Ben Bornholm at HoldMyBeer
  Ingesting BTV’s DC30 dataset into Databricks
  
  
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | September 2025
  
  
• Black Hills Information Security, Inc.
  Microsoft Store and WinGet: Security Risks for Corporate Environments
  
  
• Brad Duncan at Malware Traffic Analysis
  2025-09-07: Seven days of scans and probes and web traffic hitting my web server
  
  
• Brian Krebs at ‘Krebs on Security’
  • 18 Popular Code Packages Hacked, Rigged to Steal Crypto
  • Microsoft Patch Tuesday, September 2025 Edition
  • Bulletproof Host Stark Industries Evades EU Sanctions
    
    
• BushidoToken
  Ransomware Tool Matrix Update: Community Reports
  
  
• CERT-AGID
  • La criminalità digitale si evolve: gruppo ransomware minaccia di usare i dati rubati per addestrare IA
  • Sintesi riepilogativa delle campagne malevole nella settimana del 6 – 12 settembre
    
    
• Check Point
  • 8th September – Threat Intelligence Report
  • The Great NPM Heist – September 2025
  • Global Cyber Threats August 2025: Agriculture in the Crosshairs
  • Yurei & The Ghost of Open Source Ransomware
    
    
• Cisco’s Talos
  • Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response
  • Maturing the cyber threat intelligence program
    
    
• Max Gannon and Kahng An at Cofense
  Dual Threat: Threat Actors Combine Credential Phishing and Malware
  
  
• CTF导航
  • APT | Patchwork组织DarkSamural假旗攻击活动
  • 慢雾(SlowMist) 发布《稳定币反洗钱与合规路径技术研究报告》
  • APT-C-24（响尾蛇）近期使用LNK文件钓鱼攻击活动分析
  • Dropping-elephant rat恶意样本分析
    
    
• Cyfirma
  Weekly Intelligence Report – 12 September 2025
  
  
• Andrea Draghetti at D3Lab
  Campagna di smishing ai danni dell’Agenzia delle Entrate: finta dichiarazione fiscale sulle criptovalute
  
  
• Damien Lewke
  Echoes of Ransomware
  
  
• Darktrace
  Unpacking the Salesloft incident: Insights from Darktrace
  
  
• Detect FYI
  • Thoughts on the recent Ethereum smart contracts C2 abuse
  • The importance of match ratio using Threat Inteligence Feeds (combined with KQL Collectors)
  • The Present and Future of Managed Detection and Response
  • Intelligence-Driven Detection Engineering: From Threat Intel to Detection-as-Code (with the Pyramid…
  • Detection Gaps: The Hidden Enemy in SOC Threat Hunting & Detection Engineering
    
    
• DomainTools Investigations
  Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor
  
  
• FalconFeeds
  • Code on Demand: An In-Depth Analysis of the Freelance Malware-as-a-Service Ecosystem
  • AI in the Underground: A Cyber Threat Intelligence blog on the Weaponization of Language Models
  • Cybercrime’s Middlemen: The Role of Data Brokers, Interpreters, and Translators in the Underground
  • Zero-Noise Attacks: The Silent Tactics of Threat Actors Avoiding Public Channels
    
    
• Flashpoint
  Infostealers to Watch in 2025: Katz, Bee, Acreed, and More
  
  
• HP Wolf Security
  HP Wolf Security Threat Insights Report: September 2025
  
  
• Hunt IO
  Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66
  
  
• Jamie Levy, Lindsey O’Donnell-Welch, and Michael Tigges at Huntress
  An Attacker’s Blunder Gave Us a Look Into Their Operations
  
  
• IC3
  Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
  
  
• InfoSec Write-ups
  LockBit 3.0 (“LockBit Black”) APT High Level Profile
  
  
• Pieter Arntz at Malwarebytes
  iCloud Calendar infrastructure abused in PayPal phishing campaign
  
  
• Mark Ohalloran
  AWS Incident Response: Uploading External CloudTrail Logs to S3 for Querying in Athena
  
  
• Kseniia Yamburh at Moonlock
  Mac.c stealer evolves into MacSync: Now with a backdoor
  
  
• Natto Thoughts
  Salt Typhoon: New Joint Advisory Offers a Beacon Through the Storm but Stirs Up New Questions
  
  
• Stamatis Chatzimangou at NVISO Labs
  Detection Engineering: Practicing Detection-as-Code – Versioning – Part 5
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 250. CastleRAT Abuses Steam Community Pages to Store C2 Addresses
  • 251. That’s How MostereRAT Abuses Ruby
  • 252. Is APT37 Noisy Enough to Be Detected?
  • 253. Ransomware Gangs Abuse PowerRun for Privilege Escalation
  • 254. That’s How Adversaries Modify Registry to Weaken Security
  • 255. Adversaries Use Azure Functions as C2
  • 256. That’s How Adversaries Abuse PowerShell Cmdlets
  • 257. Adversaries Abuse ITarian for Command and Control
    
    
• Andi Ahmeti at Permiso
  Inboxfuscation: Because Rules Are Meant to Be Broken
  
  
• Dan Green at Push Security
  How Push stopped a high risk LinkedIn spear-phishing attack against a company Exec
  
  
• Recorded Future
  • Getting Ahead of Payment Fraud: The Early Detection Window You’re Missing
  • The Intelligence Operations Organizations Need
    
    
• Red Canary
  You’re invited: Four phishing lures in campaigns dropping RMM tools
  
  
• Red Siege Information Security
  • Stupid Simple: Windows Data Exfiltration
  • Getting Started with Proxy Chains
  • Kerberoasting, Microsoft, and a Senator
    
    
• Resecurity
  KillSec Ransomware is Attacking Healthcare Institutions in Brazil
  
  
• Yoann Dequeker And Andarnaud Petitcol at RiskInsight
  AWSDoor : Persistance sur AWS
  
  
• SANS Internet Storm Center
  • HTTP Request Signatures, (Mon, Sep 8th)
  • DShield SIEM Docker Updates, (Wed, Sep 10th)
  • BASE64 Over DNS, (Wed, Sep 10th)
    
    
• Trey Bilbrey at Scythe
  SCYTHE Labs Threat Intel: Scattered Spider (UNC3944) Your Help Desk Became a Security Risk
  
  
• Security Scorecard
  What is Cyber Threat Hunting?
  
  
• Thomas Roccia at SecurityBreak
  The State of Adversarial Prompts
  
  
• Siddhant Mishra
  • KillSec: From Hacktivism to RaaS — My Perspective on an Alarming Evolution
  • Detection Engineering for KillSec Ransomware: Limited Technical Analysis
    
    
• Silent Push
  • Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data
  • Advanced Queries For Real Malware Detection in Silent Push
    
    
• Socket
  • DuckDB npm Account Compromised in Continuing Supply Chain Attack
  • npm Author Qix Compromised in Major Supply Chain Attack
  • Crates.io Users Targeted by Phishing Emails
    
    
• SOCRadar
  Dark Web Profile: Mr Hamza
  
  
• Rajan Sanhotra at Sophos
  The State of Ransomware in Education 2025
  
  
• Vincent Zell at Stairwell
  CastleBot: YARA Rule for Core Backdoor
  
  
• Mike at sudo rem
  SSLVPN Honeypots: Fortigate Findings & Musings
  
  
• The Raven File
  Uncovering ALVIVA HOLDING: Links to Russian Shell Companies and Cybercrime
  
  
• THOR Collective Dispatch
  • Ask-a-Thrunt3r: August 2025 Recap 🐏
  • Even if many plugins are fine, the bad ones are BAD
    
    
• Threatmon
  Global Malware Campaign Activity – August 2025 Summary
  
  
• Maulik Maheta and Lishoy Mathew at Trellix
  Silent Pivot: Detecting Fileless Lateral Movement via Service Manager with Trellix NDR
  
  
• Trend Micro
  • Complexity and Visibility Gaps in Power Automate
  • Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed
  • EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks
    
    
• Sean Metcalf at TrustedSec
  Detecting Password-Spraying with a Honeypot Account
  
  
• Kenneth Kinion and Elliot Roe at Valdin
  Pivots Revisited: Still Valid Months Later?
  
  
• Vectra AI
  • GLOBAL RaaS: Dissecting a Modern Ransomware Franchise by Lucie Cardiet
  • 5-Minute Hunt: Detecting Risky Multi-Tenant Apps in Microsoft 365 by Lucie Cardiet
  • LockBit is Back: What’s New in Version 5.0 by Lucie Cardiet
    
    
• Aiden Grajo at Walmart
  Bypassing Malicious TDS in ClickFix Campaigns
  
  
• Victor M. Alvarez at YARA-X
  Smarter is not always better
  
  
• Zero Salarium
  Old But Gold, Dumping LSASS With Windows Error Reporting On Modern Windows 11
  
  
• Amir Moin and Swapnil Kumbhar at ZScaler
  Detecting Kerberos attacks and other Active Directory maladies with Deception
  

UPCOMING EVENTS

• Black Hills Information Security
  • Business Email Compromise Detect, Respond, & Prevent w/ Patterson Cake
  • BHIS – Talkin’ Bout [infosec] News 2025-09-15 #livestream #infosec #infosecnews
    
    
• Cellebrite
  Inside the Autumn 2025 Release
  
  
• Magnet Forensics
  • Legal Unpacked with Justin Fitzsimmons: a new webinar series on digital evidence and the law
  • AI Unpacked #5: The great AI debate with Digital Forensics Now
    
    
• Simply Defensive
  Why Most Threat Intel Fails — and How to Fix It | Jordan Kalm (Morado) | Simply Defensive S4 E8
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Tech Sector Targeting, Innovation Race, Fal.Con Countdown
  
  
• Alexis Brignoni
  LAVA usage demo! (LEAPPs Artifact Viewer App)
  
  
• Belkasoft
  Databases Under Attack: Malware in Trusted SQL Servers | Vedant Narayan
  
  
• Cellebrite
  • Tip Tuesday: We Want Your Feedback on Inseyets.PA
  • Inside a Cellebrite Training Class
    
    
• Cloud Security Podcast by Google
  EP242 The AI SOC: Is This The Automation We’ve Been Waiting For?
  
  
• Compass Security
  • Kerberos Deep Dive Part 3 – AS-REP Roasting
  • Kerberos Deep Dive Part 4 – Unconstrained Delegation
    
    
• Cyberwox
  Cybersecurity Homelab – Deploying Wazuh SIEM & XDR on Proxmox
  
  
• Huntress
  • Tradecraft Tuesday | The Craftiest Trends, Scams, and Tradecraft of 2025 (So Far)
  • EDR, Ethics, and a Hacker Mistake | Tradecraft Tuesday
    
    
• InfoSec_Bret
  SA – SOC205-231 – Malicious Macro has been executed
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Theory – What breakpoints to set for unpacking
  
  
• Magnet Forensics
  • Blockchain intelligence from TRM Labs in Magnet Graykey
  • Simplify digital evidence sharing and review with Magnet Review
    
    
• Microsoft Threat Intelligence Podcast
  Click, Call, Compromise: Inside the Latest Loader Campaigns
  
  
• Monolith Forensics
  • Searching Notes in Monolith Notes App
  • Exporting a Single Note to PDF in Monolith Notes App
  • Exporting Multiple Notes to PDF in Monolith Notes App
  • Creating a Case in Monolith Notes App
  • Creating a Note in Monolith Notes App
  • Navigating the UI in the Monolith Notes App
  • Intro to Monolith Notes App
    
    
• MSAB
  XAMN Language Packs
  
  
• MyDFIR
  • SOC Automation Project Updated | Part 2/4
  • SOC Automation Project Updated | Part 3/4
  • REAL SOC Analyst Investigation | Unusual Network Traffic
    
    
• OALabs
  IDA Free Reverse Engineering – Step-by-Step DLL Analysis
  
  
• Off By One Security
  CTRAPS: CTAP Impersonation and API Confusion Attacks on FIDO2
  
  
• Parsing the Truth: One Byte at a Time
  Casey Anthony Lessons Learned
  
  
• Proofpoint
  Freighty Cats: RFQ Phishing Comes to A Warehouse Near You
  
  
• Richard Davis at 13Cubed
  AI vs. Windows Forensics
  
  
• The Weekly Purple Team
  Using Velociraptor for Evil
  
  
• Three Buddy Problem
  Can Apple’s New Anti-Exploit Tech Stop iPhone Spyware Attacks?
  

MALWARE

• ASEC
  • CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic
  • Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis
    
    
• Bogdan Zavadovschi, Victor Vrabie, Adrian Schipor, and Martin Zugec at Bitdefender
  EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
  
  
• Cybereason
  Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers
  
  
• Cyble
  LunoBotnet: A Self-Healing Linux Botnet with Modular DDoS and Cryptojacking Capabilities
  
  
• Dr Josh Stroschein
  • Leveraging WinDbg in Binary Ninja – TTD and the WinDbg Backend
  • 🧙‍♂️ Magika Unveiled: AI-Powered File Type Detection in Action!
    
    
• Pei Han Liao at Fortinet
  SEO Poisoning Attack Targets Chinese-Speaking Users with Fake Software Sites
  
  
• Maurice Fielenbach at Hexastrike
  ValleyRAT Exploiting BYOVD to Kill Endpoint Security
  
  
• Nicole Fishbein at Intezer
  Frankenstein Variant of the ToneShell Backdoor Targeting Myanmar
  
  
• Ferdous Saljooki and Maggie Zirnhelt at Jamf
  ChillyHell: A Deep Dive into a Modular macOS Backdoor
  
  
• Marc Messer and Dave Truman at Kroll
  FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
  
  
• Sean Shirley at LevelBlue
  AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan
  
  
• Palo Alto Networks
  • Data Is the New Diamond: Latest Moves by Hackers and Defenders
  • AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks
  • Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain
    
    
• Pulsedive
  Thorium 101: Inside CISA’s Open Source Malware Analysis Platform
  
  
• Ashlee Benge at ReversingLabs
  Ransomware 2025: Infostealers on the March
  
  
• Securelist
  Notes of cyber inspector: three clusters of threat in cyberspace
  
  
• Seqrite
  • Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts
  • Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign 
    
    
• Shubho57
  Analysis of a SuStealer Variant
  
  
• System Weakness
  • Malware Analysis Chronicles: Unpacking AgentTesla
  • Connecting Ghidra to a Local LLM: A Practical Guide
    
    
• ThreatFabric
  The Rise of RatOn: From NFC heists to remote control and ATS
  
  
• Martin Smolár at WeLiveSecurity
  Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
  
  
• Wordfence
  • 600,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Fluent Forms WordPress Plugin
  • The Price of ‘Free’: How Nulled Plugins Are Used to Weaken Your Defense
    
    
• ZScaler
  • APT37 Targets Windows with Rust Backdoor and Python Loader
  • Technical Analysis of kkRAT
    
    
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Obscura
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  Backdoor.Win32.Remcos
  

MISCELLANEOUS

• Atola Technology
  Capture the Flag: New DFIR Challenges to Improve Your Skills
  
  
• Belkasoft
  Empowering Non-Forensic Experts with Intuitive Tools to Bridge the DFIR Talent Gap
  
  
• Brett Shavers
  DF/IR Isn’t About Computers. It’s About Hunting Humans.
  
  
• Cellebrite
  • The Ultimate Guide to Navigating Incident Response with Digital Forensics Solutions
  • Bridging the Gap Between Mobile Data Collection and eDiscovery
  • Conquering the Data Frontier of eDiscoveryKey Steps to Set Yourself Up for Success
  • From Pocket to Courtroom: The Legal Significance of Mobile Data
  • Performing Collection from Mobile Devices in an MDM Environment
    
    
• Decrypting a Defense
  Surveillance of NYCHA Residents, Facial Recognition False Arrest, Karen Read Trial Evidence, Deleted Messages & More
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 09/08/25
  
  
• Forensic Focus
  • Hannah Bailey, Founder, Blue Light Wellbeing
  • GMDSOFT Tech Letter Vol 14. Data Analysis Using WhatsApp Backup Feature
  • Halfway Through The S21 Global Alliance Database & Investigator Wellbeing Spotlight Session
  • Digital Forensics Round-Up, September 10 2025
  • UK Policing On The Edge: Lessons From The 2025 Oscar Kilo Well-Being Survey
  • Eric Schoedon – Certified Expert In IT, Automotive Engineering, And Emerging Forensic Technologies
  • Detego Global Champions South Wales Police And Falcons Rugby Teams With 2025/26 Sponsorship
    
    
• Debbie Garner at Hexordia
  A Shift in Strategy: Why Law Enforcement Executives Must Prioritize Digital Forensics Now
  
  
• Hunt IO
  From Malpedia to Metalcore: Daniel Plohmann Talks Malware Research and Music
  
  
• Magnet Forensics
  • Magnet Witness now integrated with Magnet One: Streamline your collaboration and sharing in video investigations
  • Create Magnet Axiom Portable Cases in record time
    
    
• Paraben Corporation
  The Silent Witness in the Sky: A Deep Dive into Drone Forensics for Criminal Investigations
  
  
• Salvation DATA
  Amcache vs Shimcache: Understanding the Key Differences in Digital Forensics
  
  
• Antonio Sanz at Security Art Work
  ¿Quieres aprender DFIR? ¡Practica con CTF!
  
  
• Shantaciak
  Incident Response: Where Cybersecurity Reputation Lives or Dies
  
  
• Ryan G. Cox at The Cybersec Café
  Lack of SOAR and AI Agents isn’t Killing Your SOC. Poor Alerts Are.
  

SOFTWARE UPDATES

• Digital Sleuth
  winfor-salt v2025.10.9
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.2.556.1124
  
  
• MISP
  MISP 2.5.21 released with a new recorrelate feature, various fixes and updates.
  
  
• OpenCTI
  6.7.19
  
  
• Phil Harvey
  ExifTool 13.36 (production release)
  
  
• Xways
  X-Ways Forensics 21.6 Beta 3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!