Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Christopher Eng at Ogmini
  • Gmail App – IMAP Account Artifacts (Attachments)
  • Lifecycle of a Digital Photo on a Android Pixel 7 – Part 1
    
    
• Oleg Afonin at Elcomsoft
  Apple Face ID: Security Implications and Potential Vulnerabilities
  
  
• Forensafe
  Investigating Android Google Chat
  
  
• Yann Malherbe at InfoGuard Labs
  Automation of VHDX Investigations
  
  
• Matthew Plascencia
  Am I That Old Already?: New Forensic Artifacts in iOS 26
  
  
• Mattia Epifani at Zena Forensics
  Exploring Data Extraction from Android Devices: What Data You Can Access and How
  
  
• Salvation DATA
  Windows Shellbags Explained: What They Are and How They Help in Digital Forensics
  

THREAT INTELLIGENCE/HUNTING

• Amy Tierney at AppOmni
  Mapping TTPs to SaaS Supply Chain Attacks: Recent SaaS Breaches
  
  
• AttackIQ
  • The Evolution of RomCom: From Backdoor to Cyberwar 
  • Response to CISA Advisory (AA25-266A): CISA Shares Lessons Learned from an Incident Response Engagement
    
    
• Maria Vasilevskaya at Auth0
  Detecting Signup Fraud: 3 Ways to Use Auth0 Logs to Protect Your Business
  
  
• Barracuda
  • Lazarus Group: A criminal syndicate with a flag
  • The SOC case files: Akira ransomware turns victim’s remote management tool on itself
    
    
• Brad Duncan at Malware Traffic Analysis
  2025-09-24: Lumma Stealer infection with follow-up malware (possible Ghostsocks/Go Backdoor)
  
  
• Brian Krebs at ‘Krebs on Security’
  Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 20 – 26 settembre
  
  
• Check Point
  • 22nd September – Threat Intelligence Report
  • Nimbus Manticore Deploys New Malware Targeting Europe
  • Playing Offside: How Threat Actors Are Warming Up for FIFA 2026
    
    
• CISA
  • CISA Shares Lessons Learned from an Incident Response Engagement
  • Widespread Supply Chain Compromise Impacting npm Ecosystem
    
    
• Cisco’s Talos
  • What happens when you engage Cisco Talos Incident Response?
  • How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking
    
    
• CloudSEK
  Botnet Loader-as-a-Service Infrastructure Distributing RondoDoX and Mirai Payloads
  
  
• Kahng An at Cofense
  Inside Vietnamese Threat Actor Lone None’s Copyright Takedown-Spoofing Campaign
  
  
• Gary Warner at CyberCrime & Doing Time
  Microsoft DCU’s Takedown of RaccoonO365
  
  
• Cyberdom
  Token Protection: The Good, the Bad, and the Assumptions
  
  
• Cyble
  • Cyble Honeypots Detect Exploit Attempts of Nearly Two Dozen Vulnerabilities 
  • Australia Ransomware Landscape 2025: Rich Targets Attract Ransomware Groups 
    
    
• Cyfirma
  Weekly Intelligence Report – 26 September 2025
  
  
• Damien Lewke
  Vibe Hacking: How Anthropic Just Made Threat Hunting Non-Negotiable
  
  
• Darknet
  Ransomware Payments vs Rising Incident Counts in 2025 – What’s Changing in RaaS Economics
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week38)
  
  
• DomainTools Investigations
  Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat
  
  
• Erik Hjelmvik at Netresec
  Gh0stKCP Protocol
  
  
• Expel
  Gonzo threat hunting: LapDogs & ShortLeash
  
  
• gm0
  The Gentlemen Ransomware Group Profile – Part 1: Background, Motivations, Affiliates and Attribution
  
  
• Sarah Yoder, John Wolfram, Ashley Pearson, Doug Bienstock, Josh Madeley, Josh Murchie, Brad Slaybaugh, Matt Lin, Geoff Carstairs, Austin Larsen at Google Cloud Threat Intelligence
  Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
  
  
• Howard Poston at HackTheBox
  Beware the Cozy Bear: Dissecting APT29’s obfuscated JavaScript watering hole campaign
  
  
• Hunt IO
  Hunting C2 Panels: Beginner’s Guide for Identifying Command and Control Dashboards
  
  
• Huntress
  • What’s the Average Cost of a Data Breach in 2025? | Huntress
  • A Vietnamese threat actor’s shift from PXA Stealer to PureRAT
    
    
• InfoSec Write-ups
  • Automating Ransomware Intelligence: Feed ransomware.live
  • Linux Threat Detection 1
    
    
• Adam Goss at Kraven Security
  From Logs to Leads: A Practical Cyber Investigation of the Brutus Sherlock
  
  
• Microsoft Security
  • AI vs. AI: Detecting an AI-obfuscated phishing campaign
  • Retail at risk: How one alert uncovered a persistent cyberthreat​​
  • XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory
    
    
• Natto Thoughts
  Who is Salt Typhoon Really? Unraveling the Attribution Challenge
  
  
• Ben Lister at NetSPI
  Webinar Recap: Everything You Wish You Didn’t Have to Know About Ransomware
  
  
• NVISO Labs
  • Detection Engineering: Practicing Detection-as-Code – Deployment – Part 6
  • Securing Microsoft Entra ID: Lessons from the Field – Part 1
    
    
• Oleg Skulkin at ‘Know Your Adversary’
  • 264. Hunting for SnakeDisk
  • 265. Hunting for Another Legitimate Tool Akira Uses for Exfiltration
  • 266. Hunting for PteroGraphin
  • 268. Hunting for COLDRIVER
  • 267. Hunting for PteroEffigy
  • 269. That’s How Adversaries Abuse Features of Winlogon
  • 270. Hunting for Shai-Hulud
    
    
• Outpost24
  • zerodayx1: Hacktivist groups turning to ransomware operations
  • Olymp Loader: A new Malware-as-a-Service written in Assembly
    
    
• Dena De Angelo at Palo Alto Networks
  The Ransomware Speed Crisis
  
  
• Aditya Vats at Permiso
  Rethinking AI Security: Every Interaction Is About Identity
  
  
• Promon
  App Threat Report 2025 Q2: Traditional malware & emerging AI threats in financial apps
  
  
• Pulsedive
  NPM Compromise: The Wrath of the Shai-Hulud Supply Chain Attack
  
  
• Raymond Roethof
  Microsoft Defender for Identity Recommended Actions: Remove non-admin accounts with DCSync permissions
  
  
• Recorded Future
  RedNovember Targets Government, Defense, and Technology Organizations
  
  
• Red Canary
  • Node problem: Tracking recent npm package compromises
  • Double agents: How adversaries can abuse “agent mode” in commercial AI products
  • Redefining incident response in the age of AI
  • Intelligence Insights: September 2025
    
    
• Ian Briley at Red Siege Information Security
  Threat Detection Made Simple: Splunk Attack Range Basics
  
  
• Resecurity
  Trinity of Chaos: The LAPSUS$, ShinyHunters, and Scattered Spider Alliance Embarks on Global Cybercrime Spree
  
  
• SANS Internet Storm Center
  • Help Wanted: What are these odd reuqests about?, (Sun, Sep 21st)
  • [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd)
  • Exploit Attempts Against Older Hikvision Camera Vulnerability, (Wed, Sep 24th)
  • Webshells Hiding in .well-known Places, (Thu, Sep 25th)
  • New tool: convert-ts-bash-history.py, (Fri, Sep 26th)
    
    
• Securityinbits
  • Deobfuscate PowerShell using MinusOne
  • LSASS Dump via comsvcs.dll: Defender Detection Guide
    
    
• Silent Push
  • Silent Push Analyzes New Disinformation Campaign Targeting 2025 Moldovan Elections Connected to Legacy Moscow Influence Campaign
  • Silent Push Examines the Dark Side of Dynamic DNS Providers
    
    
• Alex Hegyi and Vince Zell at Stairwell
  How to Detect NPM Package Manager Supply-Chain Attacks with YARA
  
  
• Sublime Security
  • Fake Meta Ads Manager in App Store and TestFlight used to phish Meta ad accounts
  • More than “plausible nonsense”: A rigorous eval for ADÉ, our security coding agent
    
    
• System Weakness
  • Tool vs. Detection — How Defenders Spot Your Favorite Hacker Tools
  • Linux Threat Detection 1: TryHackMe Walkthrough for SOC Analysts & Forensics Learners
    
    
• The Raven File
  GUNRA RANSOMWARE: What You Don’t Know!
  
  
• THOR Collective Dispatch
  • Baseline Bonanza: Ten Baseline Hunts You Should Do (and How to Do Them)
  • Dispatch Debrief: September 2025
    
    
• Trellix
  • Unmasking Hidden Threats: Spotting a DPRK IT-Worker Campaign
  • When AD Gets Breached: Detecting NTDS.dit Dumps and Exfiltration with Trellix NDR
  • npm Account Hijacking and the Rise of Supply Chain Attacks
    
    
• Fernando Tucci at Trend Micro
  This Is How Your LLM Gets Compromised
  
  
• Simon Biggs at Varonis
  Where Are my Keys?! Ransomware Group Steals AWS Keys to Advance
  
  
• Wiz
  • IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
  • The emerging use of malware invoking AI
    

UPCOMING EVENTS

• Black Hills Information Security
  Talkin’ Bout [infosec] News 2025-09-29 #livestream #infosec #infosecnews
  
  
• Cellebrite
  Autumn 2025 Release: Through the APAC Lens
  
  
• Magnet Forensics
  Legal Unpacked E1: Search warrants for digital evidence: The data-driven approach
  
  
• Yuri Gubanov at Belkasoft
  BelkaGPT & BelkaGPT Hub: AI That Actually Works for DFIR
  

PRESENTATIONS/PODCASTS

• Belkasoft
  Time Lies: Detecting Malware with Faked Timestamps | Vedant Narayan
  
  
• Black Hat
  • Tinker Tailor LLM Spy: Investigate & Respond to Attacks on GenAI Chatbots
  • Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks
  • Operation BlackEcho: Voice Phishing Using Fake Financial and Vaccine Apps
    
    
• Cellebrite
  Tip Tuesday: Adding Evidence
  
  
• Cloud Security Podcast by Google
  EP244 The Future of SOAPA: Jon Oltsik on Platform Consolidation vs. Best-of-Breed in the Age of Agentic AI
  
  
• Cyber from the Frontlines
  E17 Exploiting Emotion Inside Romance Scams
  
  
• Huntress
  What is Business Email Compromise (BEC) and How Do Hackers Use It?
  
  
• InfoSec_Bret
  SA – SOC246 EventID: 208 – Forced Authentication Detected
  
  
• John Hammond
  • ServiceUI.exe
  • Dark Web Leak Site
    
    
• Magnet Forensics
  • Introducing the new Magnet Nexus hybrid collection agent
  • Mobile Unpacked S3:E9 // NOW That’s what I call iOS: 26
    
    
• Matthew Plascencia
  Wireshark Display Filters | Wireshark 4
  
  
• Microsoft Threat Intelligence Podcast
  Stopping Domain Impersonation with AI
  
  
• Monolith Forensics
  Chain of Custody Actions in Monolith
  
  
• MSAB
  #MSABMonday Subset GUID
  
  
• MyDFIR
  • How To Setup & Install T-Pot Honeypot (UPDATED)
  • Cybersecurity SOC Analyst Lab – Email Analysis (PhishStrike)
    
    
• Off By One Security
  • Tackling Shellcode with SHAREM Shellcode Analysis Framework
  • Introductory Windows Stack Overflow Exploitation
    
    
• Parsing the Truth: One Byte at a Time
  Elsbeth Battles AI
  
  
• Proofpoint
  Hot sauce and hot takes: An Only Malware in the Building special
  
  
• The Weekly Purple Team
  Dropping Creds With WSASS to Bypass PPL
  
  
• Three Buddy Problem
  • Live at LABScon: Aurora Johnson and Trevor Hilligoss on China’s ‘internet toilets’
  • Live at LABScon: Lindsay Freeman on tracking Wagner Group war crimes
  • Live at LABScon: Visi Stark shares memories of creating the APT1 report
  • Cisco firewall zero-days and bootkits in the wild
    

MALWARE

• Any.Run
  Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies
  
  
• ASEC
  Bypassing Mark of the Web (MoTW) via Windows Shortcuts (LNK): LNK Stomping Technique
  
  
• Darktrace
  ShadowV2: An emerging DDoS for hire botnet
  
  
• Dr Josh Stroschein
  • Where in the world is PRINTF? Using the legacy library file to link with NASM
  • Linking Object Files from C and NASM in Windows
  • 🏗️ Assembly Shorts – Creating a FOR Loop
    
    
• Paul Asadoorian at Eclypsium
  HybridPetya Ransomware Shows Why Firmware Security Can’t Be an Afterthought
  
  
• Esentire
  Eye of the Storm: Analyzing DarkCloud’s Latest Capabilities
  
  
• Yurren Wan at Fortinet
  SVG Phishing hits Ukraine with Amatera Stealer, PureMiner
  
  
• G Data Software
  BlockBlasters: Infected Steam game downloads malware disguised as patch
  
  
• Intrinsec
  Analysis of Acreed, a rising infostealer
  
  
• Priyadharshini at K7 Labs
  From LNK to RAT: Deep Dive into the LNK Malware Infection Chain
  
  
• Kyle Cucci at SecurityLiterate
  Elephant in the Sandbox: Analyzing DBatLoader’s Sandbox Evasion Techniques
  
  
• Pieter Arntz at Malwarebytes
  New SVG-based phishing campaign is a recipe for disaster
  
  
• Ghanashyam Satpathy and Xinjun Zhang at Netskope
  Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox
  
  
• OSINT Team
  • Malware Analysis : HTB Sherlocks Writeup- Loggy
  • Python Developers Beware: These Innocent PyPI Packages Secretly Hijack Your System with Deadly RAT!
  • Malware Analysis – An Introduction and Tools
  • Spread of Android Malware in FakeApp mode Government Service Application
  • Day 61- Basics of threat intelligence and OSINT for beginners
    
    
• Palo Alto Networks
  • Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign
  • Bookworm to Stately Taurus Using the Unit 42 Attribution Framework
    
    
• Shubho57
  Analysis of a Javascript file, in which a malicious Network IP leads to Nanocore RAT
  
  
• Siddhant Mishra
  Preliminary File List Analysis of Kimsuky / APT43 Leak
  
  
• Liran Tal at Snyk
  Malicious MCP Server on npm postmark-mcp Harvests Emails
  
  
• Socket
  • Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
  • Two Malicious Rust Crates Impersonate Popular Logger to Steal Wallet Keys
    
    
• Gabor Szappanos and Steeve Gaudreault at Sophos
  HeartCrypt’s wholesale impersonation effort
  
  
• Puja Srivastava at Sucuri
  Hidden WordPress Backdoors Creating Admin Accounts
  
  
• Sarah Pearl Camiling and Jacob Santos at Trend Micro
  New LockBit 5.0 Targets Windows, Linux, ESXi
  
  
• Jason Reaves at Walmart
  NodeJS backdoors delivering proxyware and monetization schemes
  
  
• Zhassulan Zhussupov
  Malware development: persistence – part 29. Add Windows Terminal profile. Simple C example.
  
  
• ZScaler
  • Technical Analysis of Zloader Updates
  • YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus
  • COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX
    

MISCELLANEOUS

• Anton Chuvakin
  Decoupled SIEM: Where I Think We Are Now?
  
  
• Kyle Shields and Matt Meck at AWS Security
  Optimize security operations with AWS Security Incident Response
  
  
• Belkasoft
  BelkaGPT and BelkaGPT Hub: AI That Actually Works for DFIR
  
  
• Brett Shavers
  AI in DF/IR: Who is first to pull the rip cord?
  
  
• Cellebrite
  • Rethinking Digital Evidence Sharing: Moving Beyond Old Habits for Modern Policing
  • 5 Best Practices to Master Testifying in Digital Forensics Cases
    
    
• Cybereason
  7000+ IRs Later: The 11 Essential Cybersecurity Controls
  
  
• DFIR Dominican
  • DFIR Jobs Update – 09/22/25
  • How To Break Into DFIR (Part 5 of 5) – Specializations
    
    
• Forensic Focus
  • Atola Insight Forensic 5.7 Introduces New Logical Imaging Module For Faster Evidence Acquisition
  • Wrapping Up The S21 GAD & Investigator Wellbeing Spotlight Session – What We’ve Covered
  • Digital Forensics Round-Up, September 24 2025
  • Magnet Forensics Introduces The New Magnet Nexus Hybrid Collection Agent
  • Amped Software Facilitates Redaction With New Tab, Multiple ROI Motion Detection, And Keyframe Reuse In Latest Amped Replay Release
  • UPCOMING WEBINAR – Beyond The AI Hype: Exterro Intelligence Delivers Outcomes You Can Trust
    
    
• Debbie Garner at Hexordia
  Training First Responders in Digital Evidence Handling: How To Protect Your Department from Case-Destroying Mistakes
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  • Inside the Unified Log 1: Goals and architecture
  • Inside the Unified Log 2: Why browse the log?
    
    
• Magnet Forensics
  • Introducing the new Magnet Nexus hybrid collection agent
  • Beyond Push-Button Forensics: The Reality of Forensic Automation
  • The rising cost of digital fakes, frauds, and forgeries in the private sector
    
    
• MobilEdit
  New Apple Watch Reader is here! Get data from the latest Apple Watch devices
  
  
• Amber Schroader at Paraben Corporation
  Why OSINT + DFIR is the Ultimate Power Couple
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.180!
  
  
• Sygnia
  Building a High-Performance Incident Response Team: Key Roles, Responsibilities, and Structure
  
  
• The Cybersec Café
  Security Engineer Starter Guide: Cloud Security
  

SOFTWARE UPDATES

• Arkime
  v5.8.0
  
  
• Brian Maloney
  OneDriveExplorer v2025.09.24
  
  
• Digital Sleuth
  winfor-salt v2025.10.11
  
  
• Microsoft
  msticpy – M365 authn, Bokeh fixes, RRCF Outliers, Prisma Cloud…
  
  
• OpenCTI
  6.8.0
  
  
• Phil Harvey
  ExifTool 13.37
  
  
• PuffyCid
  Artemis v0.16.0 – Released!
  
  
• The Metadata Perspective
  HEART: Health Events & Activity Reporting Tool
  
  
• Volatility Foundation
  Volatility 3 2.26.2
  
  
• Yamato Security
  Hayabusa v3.6.0 – Nezamezuki Release
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!