As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Belkasoft
Navigating the Deluge: eDiscovery with RSMF and Belkasoft X
- Christopher Eng at Ogmini
Pixel 7 – Timestamps / EXT4
- Chris Ray at Cyber Triage
DFIR Next Steps: Suspicious AnyDesk Use
- Sebastian Weigmann at DFRWS
SOLVE-IT Alpha Release 0.2025.09: September 2025
- Magnet Forensics
UserAssist Forensic Artifacts: What they are and how to use them
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
A Network Threat Hunter’s Guide to DNS Records
- Aikido
- Akash Patel
- ASEC
- Patterson Cake at Black Hills Information Security
Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1)
- Brad Duncan at Malware Traffic Analysis
2025-09-05: XLoader (Formbook) infection
- Brian Krebs at ‘Krebs on Security’
Self-Replicating Worm Hits 180+ Software Packages
- CERT-AGID
- Chamindu Pushpika at ChamX
APT29 Hybrid Intrusion Simulation
- Check Point
- CTF导航
- Cyb3rhawk
From Abstract Terms to Acumen: SEO Poisoning
- Cyber Fairy Tales Substack
Blockchain Security
- Cyble
- Cyfirma
Weekly Intelligence Report – 19 September 2025
- Darktrace
SEO Poisoning and Fake PuTTY sites: Darktrace’s Investigation into the Oyster backdoor
- Dexpose
Threat Actor Profile: APT27
- Dirk-jan Mollema
One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens
- Disconinja
Weekly Threat Infrastructure Investigation (Week 36, 37)
- Julia Ibinson at DomainTools
Avoiding Activation Scams this Football Season
- Elastic
Navigating the Shai-Hulud worm: Elastic’s proactive defense against npm supply chain compromise
- Elastic Security Labs
MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents
- Nikos Mantas at Falcon Force
FalconFriday — Detecting enumeration in AWS — 0xFF25 OrangeCon 25 Edition
- FalconFeeds
Behind the Keyboard: Behavioral Fingerprinting of Threat Actors in the Age of AI
The Second Wave: How Recycled Access is Powering Repeat Breaches
The Digital Fingerprint: How Ransom Notes Unmask the Psychology of Threat Actors
Cybercrime as Customer Service: How Threat Actors Are Professionalizing Victim Negotiation
- Flare
- Forensicfossil
File Integrity Monitoring
- G Data Software
AppSuite, OneStart & ManualFinder: The Nexus of Deception
- GitGuardian
- GreyNoise
GreyNoise Intel Now Available Through MCP
- Mansour Alhmoud at Group-IB
Tracking MuddyWater in Action: Infrastructure, Malware and Operations during 2025
- Hunt IO
Tracking AsyncRAT via Trojanized ScreenConnect and Open Directories
- Huntress
- Infoblox
Deniability by Design: DNS-Driven Insights into a Malicious Ad Network
- Mado at InfoSec Write-ups
Advanced OAuth Secrets Leads To Account Takeover (ATO)
- Invictus Incident Response
A Candid Perspective on the Cloud Threat Landscape: A Recap from fwd:cloudsec EU
- Andrey Polkovnichenko at JFrog
Shai-Hulud npm supply chain attack – new compromised packages detected
- Lumen
SystemBC – Bringing the Noise
- Roei Sherman at Mitiga
Breaking Down the Microsoft Entra ID Actor Token Vulnerability: The Perfect Crime in the Cloud
- Ray Fernandez at Moonlock
New stealer is targeting Macs and evading antivirus detection
- Oleg Skulkin at ‘Know Your Adversary’
258. That’s How Adversaries Abuse WMI for Software Discovery
259. That’s How Bloody Wolf Abuses WMI for Discovery
260. That’s How Bloody Wolf Abuses Telegram for Exfiltration
261. Another Legitimate Web Service Abused by APT28
262. That’s How Adversaries Disable Warning Messages
263. Hunting for PyPI Packages Delivering SilentSync RAT
- Jordan Mussman at Open Source DFIR
Less is More
- OSINT Team
- Palo Alto Networks
“Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack
- Patrick Wardle at Objective-See
[0day] From Spotlight to Apple Intelligence
- Ian Ahl at Permiso
Anatomy of the Salesloft Breach – Detection, Response, and Lessons Learned
- Adam Crosser at Praetorian
Domain Fronting is Dead. Long Live Domain Fronting!
- Prodaft
Modus Operandi of Subtle Snail
- Proofpoint
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels
- Dan Green at Push Security
Why attackers are moving beyond email-based phishing
- Qi’anxin X Lab
The Strongest in History? Uncovering the Inner Workings of the 11.5T-Class Ultra-Large-Scale AISURU Botnet
- Andrew Cook at Recon Infosec
Microsoft Teams Social Engineering: A Ransomware Attack Vector
- Recorded Future
CopyCop Deepens Its Playbook with New Websites and Targets
- Gauthier Vidal, Louis Distel and Valentin Thirion at RiskInsight
BarbHack: What to Take Away from It
- SANS Internet Storm Center
- Securelist
- Ayush Anand at Securityinbits
AdaptixC2 Defender Guide
- Sekoia
APT28 Operation Phantom Net Voxel
- Alex Delamotte, Vitaly Kamluk & Gabriel Bernadett-Shapiro at SentinelOne
Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware
- Socket
- Stairwell
Stairwell Report Uncovers Massive Malware Blind Spot in Enterprise Security
- Steven Masada at Microsoft
Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service
- Kyle Knight at Sucuri
Understanding Spamhaus and Its Role in Email Security
- Sygnia
- Synacktiv
Dissecting DCOM, part 1
- System Weakness
- Ahsan Ayub at Todyl
EpiBrowser: A Sophisticated PUP Masquerading as Chromium
- Trellix
Dark Web Roast – August 2025 Edition
- Trend Micro
- Lucie Cardiet at Vectra AI
Scattered Lapsus$ Hunters Announce They Are Going Dark but the Threat Remains
- Matthieu Faou and Zoltán Rusnák at WeLiveSecurity
Gamaredon X Turla collab
- Merav Bar, Rami McCarthy, and Barak Sharoni at Wiz
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware
- Zensec
Unmasking Akira: The ransomware tactics you can’t afford to ignore
- Andy Gill at ZephrSec
pyLDAPGui – How It was Born
- Solar 4RAYS Blog
- Genians
AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT
UPCOMING EVENTS
- Black Hills Information Security
BHIS – Talkin’ Bout [infosec] News 2025-09-22 #livestream #infosec #infosecnews
- Magnet Forensics
Mobile Unpacked S3:E9 // NOW That’s what I call iOS: 26
- SANS
Stay Ahead of Ransomware: Proper Incident Containment… and Horror Stories
- SentinelOne
LABScon 2025 | From LLM Malware to Hotel Room Bugs: A Look at This Year’s Talks
- Silent Push
Workshop – Advanced Queries for Malware Detection
PRESENTATIONS/PODCASTS
- Behind the Binary by Google Cloud Security
EP15 Getting Ready for FLARE-On 12 – An Inside Look at the Reverse Engineering Gauntlet
- Belkasoft
Rootkits in Disguise: Genuine Tools Turned Malicious | Vedant Narayan
- Cellebrite
Tip Tuesday: Find Training in the Learning Hub
- Clint Marsden at the TLP – Digital Forensics Podcast
Episode 24: Voice AI Under Attack: Hackers Exploit AI Call Agents | Traffic Light Protocol Podcast
- Cloud Security Podcast by Google
EP243 Email Security in the AI Age: An Epic 2025 Arms Race Begins
- Compass Security
- InfoSec_Bret
SA – SOC176-234 – RDP Brute Force Detected
- Magnet Forensics
AI Unpacked #5: The great AI debate with Digital Forensics Now
- Matthew Plascencia
Decrypting Encrypted Packets | Wireshark Hacking 3
- Monolith Forensics
- MSAB
#msabmonday – Hash Tree Builder with XRY Express
- MyDFIR
- Off By One Security
UEFI Bootkits and Kernel-Mode Rootkits Development with Alejandro Vazquez
- Parsing the Truth: One Byte at a Time
How brute force & the Kik App saved a young girl
- SANS
Evolving Threats: The Role of AI in Modern Ransomware Attacks | Mari DeGrazia
- The Cyber Mentor
LIVE: SOC 201 Release | Incident Response | Threat Hunting | Cybersecurity
- The Defender’s Advantage Podcast
How vSphere Became a Target for Adversaries
MALWARE
- Adam at Hexacorn
- ASEC
- CISA
Malicious Listener for Ivanti Endpoint Mobile Management Systems
- DomainTools Investigations
Banker Trojan Targeting Indonesian and Vietnamese Android Users
- Dr Josh Stroschein
- Michal Rajčan at Jamf
Jamf Threat Labs discovers apps that leak credentials
- Richard Christopher
Bumblebee
- Shubho57
Analysis of rar file leads to a phishing site and two vulnerabilities
- Silent Push
CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions
- Sophos
GOLD SALEM’s Warlock operation joins busy ransomware landscape
- István Márton at Wordfence
Attackers Actively Exploiting Critical Vulnerability in Case Theme User Plugin
- Zero Salarium
EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State
- Zhassulan Zhussupov
Malware development: persistence – part 28. CertPropSvc registry hijack. Simple C/C++ example.
- ZScaler
MISCELLANEOUS
- Sergiy Pasyuta at Atola
Logical imaging in Insight Forensic 5.7
- Dr. Erdal Ozkaya at Binalyze
Incident Readiness vs. Incident Response
- Brett Shavers
Every Monster Leaves Teeth Marks. Some Go to the Bone.
- Page McBeth at Cellebrite
Digital Forensics Labs Are Drowning: 4 Ways Investigators Can Step In
- Christopher Eng at Ogmini
CISA IR Training – Anatomy of an Attack Ransomware Workshop (IR224)
- Computer Forensics Lab
- Josibel Mendoza at DFIR Dominican
DFIR Jobs Update – 09/15/25
- Forensafe
Artifast Suite for Incident Response
- Forensic Focus
Oxygen Tech Bytes In August 2025
Why Mobile Investigation Technology Is Essential For Modern Enterprises
Tamas Zelczer, CEO, Cursor Insight
Digital Forensics Jobs Round-Up, September 15 2025
Dr Áine MacDermott, Senior Lecturer In Cyber Security And Digital Forensics, Liverpool John Moores University
UPCOMING WEBINAR – Mobile Unpacked S3:E9 // NOW That’s What I Call iOS: 26
Digital Forensics Round-Up, September 17 2025
How To Perform Geometrical Analysis And Check Perspective In Amped Authenticate
Forensic Focus Digest, September 19 2025
- HackTheBox
Hack The Box + LetsDefend: Shaping the future of community-led cyber readiness
- Kevin Beaumont at DoublePulsar
The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic…
- Michalis Michalos
Keeping privacy when running queries: how to obfuscate your KQL results
- Reverse Engineering
Bringing Metal to a crypto backdoor fight! Exploiting the GPU and the 90s crypto wars to crack the APT Down code signing keys
- Shantaciak
Before the Alarm: Why Prerequisites Make or Break Incident Response
- Courtney Shar at THOR Collective Dispatch
Beyond Hackers in Hoodies: A Project Manager’s Move into Cybersecurity
- Alfredo Oliveira and David Fiser at Trend Micro
Using Containers to Secure Your MCP Infrastructure
SOFTWARE UPDATES
- Atola
Atola Insight Forensic 5.7
- C.Peter
UFADE 1.0.1
- Digital Sleuth
winfor-salt v2025.10.10
- Oxygen Forensics
Introducing Oxygen Forensic Detective v.18.0
- Lethal Forensics
Microsoft-Analyzer-Suite v1.6.1
- Metaspike
Forensic Email Collector (FEC) Changelog – 4.2.564.1066
- MISP
MISP Synchronisation – Test and Validation Project
- OpenCTI
6.7.20
- Rapid7
Velociraptor v0.75.2
- Security Onion
Security Onion 2.4.180 now available including several new features and updated components!
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!