Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Brian Maloney
  OneDrive. Let’s take this offline
  
  
• Chainalysis
  DPRK IT Workers: Inside North Korea’s Crypto Laundering Network
  
  
• Christopher Eng at Ogmini
  • Lifecycle of a Digital Photo on a Android Pixel 7 – Part 2
  • Android Forensics – Filesystem Timestamps ADB Script
    
    
• Elcomsoft
  • iPhone 17: the End of PWM Flickering?
  • Breaking into Password Managers: from Bitwarden to Zoho Vault
  • AI in Digital Forensics: a Tool, not an Oracle
    
    
• Forensafe
  iOS AllTrails
  
  
• Iram Jack
  • Memory Analysis Introduction
  • Memory Acquisition
    
    
• Magnet Forensics
  • Making media authentication easier to understand with automated analysis
  • Magnet Forensics support for iOS 26
  • That One Artifact: The search history that spoke volumes
    
    
• Maltego
  Exposing Pig Butchering Operations with Maltego
  
  
• Matthew Plascencia
  iOS 26 is On Location With More AI Goodness iOS 26 New Artifacts II
  
  
• Mattia Epifani at Zena Forensics
  Exploring Data Extraction from iOS Devices: What Data You Can Access and How
  
  
• OSINT Team
  Volatility3: Navigating the SAM registry hive from memory image
  
  
• The DFIR Report
  From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – Agent-to-Agent Communication via SMB (AdaptixC2)
  
  
• Adam at Hexacorn
  Using .LNK files as lolbins
  
  
• ASEC
  XiebroC2 Identified in MS-SQL Server Attack Cases
  
  
• Ayelen Torello at AttackIQ
  Ransom Tales: Volume IV – Emulating Rhysida, Charon and Dire Wolf Ransomware
  
  
• Chi Tran, Charlie Bacon, and Nirali Desai at AWS Security
  Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm
  
  
• BI.Zone
  Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks
  
  
• c-APT-ure
  Using NetBIOS names for pivoting and threat clustering
  
  
• CERT Ukraine
  Бекдор CABINETRAT використовується UAC-0245 для цільових кібератак у відношенні СОУ (CERT-UA#17479)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 27 settembre – 3 ottobre
  
  
• Check Point
  29th September – Threat Intelligence Report
  
  
• Joey Chen at Cisco’s Talos
  UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
  
  
• codetodeploy
  Inside the VMware CVE Cluster: Enumeration, Escalation, and Exposure
  
  
• Ben Reardon at Corelight
  Hunting GTPDOOR at Black Hat USA 2025 | Corelight
  
  
• CyberBoo
  Microsoft Defender for Identity Deep Dive: Part 1
  
  
• Cyberdom
  Unlocking Microsoft Sentinel MCP
  
  
• Cyfirma
  Weekly Intelligence Report – 3 October 2025
  
  
• Dark Atlas
  Threat Profile: Conti Ransomware Group
  
  
• Darktrace
  Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace
  
  
• Detect FYI
  • The missing link in MDR. Spoiler, it starts with a Detection Engineering framework.
  • Threat Hunting sessions via AuthenticationProcessingDetails on AADSignInEventsBeta
  • Use KQL to Surface Non-Recommended TLS Parameters (IANA-based)
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week39)
  
  
• DomainTools Investigations
  SecuritySnack: 18+E-Crime
  
  
• Paul Asadoorian at Eclypsium
  The Hunt for RedNovember: A Depth Charge Against Network Edge Devices
  
  
• Elastic Security Labs
  • FlipSwitch: a Novel Syscall Hooking Technique
  • WARMCOOKIE One Year Later: New Features and Fresh Insights
    
    
• FalconFeeds
  • Digital Fault Lines: The Weaponization of Ethnic and Religious Tensions in Regional Cyber Conflicts
  • Proxy Wars in Cyberspace: Tracking Nation-State Influence Through Threat Actor Alliances
    
    
• Guillaume Valadon and Carole Winqwist at GitGuardian
  Red Hat GitLab Breach: The Crimson Collective’s Attack
  
  
• Omar ElAhdan, Matthew McWhirt, Michael Rudden, Aswad Robinson, Bhavesh Dhake, and Laith Al at Google Cloud Threat Intelligence
  Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations
  
  
• GreyNoise
  • Coordinated Grafana Exploitation Attempts on 28 September
  • Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
    
    
• HackTheBox
  Sandworm unleashed: Inside APT44’s Dune-inspired cyber destruction
  
  
• Hunt IO
  Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia
  
  
• Huntress
  • Don’t Sweat the ClickFix Techniques: Variants & Detection Evolution
  • Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
    
    
• Infoblox
  Detour Dog: DNS Malware Powers Strela Stealer Campaigns
  
  
• Kijo Ninja at Kijo Ninja
  Rclone C2 data exfiltration technique
  
  
• Adam Goss at Kraven Security
  Stop Drowning in Data: Build Your Own CTI Aggregator for Free
  
  
• Doug Olenick at LevelBlue
  SpiderLabs Ransomware Tracker Update September 2025: Qilin, Akira Top Ransomware Attackers
  
  
• Idan Cohen at Mitiga
  ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches
  
  
• Netscout
  Keymous+ Threat Actor Profile
  
  
• NVISO Labs
  • You name it, VMware elevates it (CVE-2025-41244)
  • Lunar Spider Expands their Web via FakeCaptcha
  • What Did the Attacker Read? MailItemAccessed Tells You
    
    
• Oleg Skulkin at ‘Know Your Adversary’
  • 271. Does an Adversary Need to Install an RMM?
  • 272. Here’s Another Interesting Staging Folder You Can Use for Hunting
  • 273. That’s How PDB Paths Help to Uncover Malicious Files
  • 274. That’s How Phantom Taurus Abuses Exchange Management Shell
  • 275. Hunting for Suspicious URLs
  • 276. Hunting for Suspicious IIS Modules
  • 277. Adversaries Abuse a Free Request Logging Service as C2
  • 278. Hunting for Suspicious XLL Files
    
    
• Palo Alto Networks
  • Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
  • The Case for Multidomain Visibility
    
    
• Art Ukshini at Permiso
  P0LR Espresso – Pulling Shots of Cloud Live Response & Advanced Analysis
  
  
• Picus Security
  • Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact
  • Blue Report 2025: How to Act on 16M Attack Simulation Findings
  • RomCom Threat Actor Evolution (2023–2025)
    
    
• Resecurity
  ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
  
  
• Ashlee Benge at ReversingLabs
  Hunting SharpHounds with Spectra Analyze
  
  
• Sandfly Security
  Sandfly 5.5.4 – Chinese Rootkit Decloaking
  
  
• SANS
  • Hunting SaaS Threats: Insights from the FOR589 Course on Cybercriminal Campaigns
  • Log for Normal to Find Evil: Lessons from Real Crimes and Cyberattacks
    
    
• SANS Internet Storm Center
  • Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400), (Mon, Sep 29th)
  • [Guest Diary] Comparing Honeypot Passwords with HIBP, (Wed, Oct 1st)
  • “user=admin”. Sometimes you don’t even need to log in., (Tue, Sep 30th)
  • More .well-known Scans, (Thu, Oct 2nd)
    
    
• Cristian Souza at Securelist
  Forensic journey: hunting evil within AmCache
  
  
• Ayush Anand at Securityinbits
  Discovery using nltest, net and whoami
  
  
• Jeremy Scion and Marc N. at Sekoia
  Silent Smishing : The Hidden Abuse of Cellular Router APIs
  
  
• Seqrite
  Exploiting Legitimate Remote Access Tools in Ransomware Campaigns
  
  
• Shantaciak
  Investigating Email Threats: Why the Inbox Is Still the Front Door
  
  
• Siddhant Mishra
  Kimsuky/APT43 Phishing Infrastructure: A Technical Evolution
  
  
• SOCRadar
  Dark Web Profile: Scattered Lapsus$ Hunters
  
  
• Claudia Preciado at Stairwell
  Building on CISA’s Salt Typhoon YARA Rules: Stairwell finds 637 New Variants
  
  
• Brandon Webster and Bryan Campbell at Sublime Security
  Impersonated Evite and Punchbowl invitations used for credential phishing and malware distribution
  
  
• Kyle Knight at Sucuri
  Enhancing File Transfer Security with SSH Key Authentication
  
  
• System Weakness
  • Windows Credential Theft Detection
  • Logs Fundamentals | TryHackMe Write-Up
  • Introduction to SIEM | TryHackMe Write-Up
  • Reverse Engineering Session 2 by KK TAN ~ Real-world study CVE-2025–8088 [Experience Sharing]
  • HTB Holmes CTF Writeup: The Card
  • SOC127 — SQL Injection Detected — LetsDefend — Solution
    
    
• THOR Collective Dispatch
  • Ask-a-Thrunt3r: September 2025 Recap 🐏
  • Agentic Threat Hunting, Part 2: Starting a Hunt Repo
    
    
• Niranjan Hegde and Sijo Jacob at Trellix
  XWorm V6: Exploring Pivotal Plugins
  
  
• Richard Grainger at Triskele Labs
  Qilin on the rise: what Australian organisations need to know
  
  
• Jean-Francois Gobin at Truesec
  She Sells Web Shells by the Seashore (Part I)
  
  
• Elliot Roe at Valdin
  Introducing YARA Rules: Search and Monitor the Internet’s Infrastructure with YARA
  
  
• Joseliyo Sánchez at VirusTotal
  Advanced Threat Hunting: Automating Large-Scale Operations with LLMs
  
  
• Vishal Thakur
  Introducing TLP:Black — A New Layer of Confidentiality
  

UPCOMING EVENTS

• Cellebrite
  Exploited Online, Trapped Offline: Scam Compounds and Human Trafficking in APAC
  
  
• Cyber Social Hub
  What is Changing at Cyber Social Hub
  
  
• Magnet Forensics
  • Learn tips and best practices for reviewing and analyzing media evidence from leading media forensics experts
  • Cyber Unpacked S2:E4 // Voices from the field: Trends, challenges, and what’s next in DFIR
    
    
• Simply Defensive
  Hands-On Defense: Markus Schober on DFIR, Labs, and Building Better Blue Teamers | S5 E1
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  DIgital Forensics Now Podcast S3 – E0
  
  
• Behind the Binary by Google Cloud Security
  EP16 The Machine Learning Revolution in Reverse Engineering with Hahna Kane Latonick
  
  
• Patterson Cake at Black Hills Information Security
  Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)
  
  
• Cellebrite
  Tip Tuesday: Final Call for Papers for the C2C User Summit
  
  
• Erik Pistelli at Cerbero
  Memory Challenge 1: Reveal
  
  
• Cyber Social Hub
  The FTK Imager Pro Game-Changer
  
  
• InfoSec_Bret
  SA – SOC211-161 – Utilman.exe Winlogon Exploit Attempt
  
  
• John Hammond
  reverse engineering for beginners
  
  
• Magnet Forensics
  Legal Unpacked E1: Search warrants for digital evidence: The data-driven approach
  
  
• Monolith Forensics
  • Sharing Files & Reports with Relay Users
  • Case Details in Monolith
    
    
• MSAB
  XAMN Early Access
  
  
• MyDFIR
  SOC Automation Project 2.0: How To Use AI in Your SOC Workflow
  
  
• Parsing the Truth: One Byte at a Time
  Business Email Compromise
  
  
• The Cyber Mentor
  Intro to PowerShell: Investigating Windows Processes
  
  
• Three Buddy Problem
  Oracle cl0p ransomware crisis, EU drone sightings, Cisco bootkit fallout
  

MALWARE

• Mauro Eldritch at Any.Run
  FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware 
  
  
• hasherezade at Check Point
  Rhadamanthys 0.9.x – walk through the updates
  
  
• Cleafy
  Klopatra: exposing a new Android banking trojan operation with roots in Turkey
  
  
• Dr Josh Stroschein
  IDA Pro Basics – Collapsing Function Folders, the Easy Way 🫰
  
  
• Dr. Web
  • Doctor Web’s Q3 2025 virus activity review
  • Doctor Web’s Q3 2025 review of virus activity on mobile devices
    
    
• Cara Lin at Fortinet
  Confucius Espionage: From Stealer to Backdoor
  
  
• Nicole Fishbein at Intezer
  Beginner’s guide to malware analysis and reverse engineering
  
  
• Uma Madasamy at K7 Labs
  Breakingdown of Patchwork APT
  
  
• Marc Messer and Dave Truman at Kroll
  FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
  
  
• OSINT Team
  Opened a Can of XWorms
  
  
• Shubho57
  Analysis of a javascript file leads to Koi Loader Stealer
  
  
• Puja Srivastava at Sucuri
  Malvertising Campaign Hides in Plain Sight on WordPress Websites
  
  
• ThreatFabric
  Datzbro: RAT Hiding Behind Senior Travel Scams
  
  
• Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon at Trend Micro
  Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
  
  
• Daniel Kelley at Varonis
  MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Lamia
  

MISCELLANEOUS

• CyberCX
  A case for expeditious investigations
  
  
• Belkasoft
  [ON-DEMAND COURSE] BelkaGPT: Effective Artificial Intelligence in DFIR
  
  
• Djordje Lukic at Binalyze
  Why Detecting Browser-Stored Passwords Strengthens Cyber Resilience
  
  
• Cyber Codex
  A Deep Dive into the Ransomware Timeline and Its Shadow Empire | Cyber Codex
  
  
• Dr. Brian Carrier at Cyber Triage
  AI Principles for Digital Forensics and Investigations (DFIR)
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 09/29/25
  
  
• Elan at DFIR Diva
  Techno Security & Digital Forensics Conference: October 27-29, 2025
  
  
• Forensic Focus
  • Oxygen Analytic Center v.1.6: Smarter, Faster, More Secure Investigations
  • Digital Forensics Jobs Round-Up, September 29 2025
  • Inside The Fight Against Child Exploitation – Leadership And Wellness Lessons From Debbie Garner
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  • Inside the Unified Log 3: Log storage and attrition
  • Explainer: inodes and inode numbers
    
    
• Kenneth G. Hartman at Lucid Truth Technologies
  Defending Criminals: Are Defense Attorneys, Investigators, and Experts Working for the Dark Side?
  
  
• Magnet Forensics
  What does the State of Enterprise DFIR look like today? Share your insights in our survey!
  
  
• Passware
  All About PDF Decryption
  
  
• Sandfly Security
  Sandfly Now Available On Microsoft Azure Marketplace
  

SOFTWARE UPDATES

• Datadog Security Labs
  GuardDog v2.7.0
  
  
• Digital Sleuth
  winfor-salt v2025.11.0
  
  
• Elcomsoft
  Elcomsoft Distributed Password Recovery adds support for 8 password management apps
  
  
• Google
  Timesketch 20250929
  
  
• MALCAT
  0.9.11 is out: ARM and MachO analysis
  
  
• Metaspike
  • Forensic Email Collector (FEC) Changelog – 4.2.579.104
  • Forensic Email Intelligence – 2.2.579
    
    
• Microsoft
  msticpy – OAuth v2.0 fix for Defender
  
  
• MISP
  MISP 2.5.22 released with improvements and bugs fixes
  
  
• MSAB
  Q3 2025 Major Release is now available
  
  
• OpenCTI
  6.8.2
  
  
• Phil Harvey
  ExifTool 13.38
  
  
• radare2
  6.0.4
  
  
• Sigma
  Release r2025-10-01
  
  
• WithSecure Labs
  Chainsaw v2.13.0
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!