Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security. In this session, Permiso's CTO will cover: how attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens; why this "all-machine" attack is a wake-up call for SaaS supply chains and NHIs; and practical steps to detect and contain similar threats in your environment. Watch the Video Podcast.
Sponsored by Permiso
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alp Batur
  - Evidence of Program Existence: Amcache and Shimcache
- Lucy Carey-Shields at Amped
  - Forensic Video Workflow with Amped FIVE – Part One: First Steps, Verification and File Considerations
- Brian Maloney
  - OneDrive Quick Access
- Erik Pistelli at Cerbero
  - Memory Challenge 2: MEM Challenge
- Christopher Eng at Ogmini
- Cyber Triage
  - DFIR Next Steps: Suspicious Pulseway Use
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Photographic Revision vs Reality
- Elcomsoft
  - Evidence Preservation: Why iPhone Data Can Expire
- Forensafe
  - Investigating iOS Truth Social
- Iram Jack
- OSINT Team
- Anthony Dourra at Paraben Corporation
  - DFIR: The Importance of Understanding Types of Evidence When Making Decisions
- SJDC
  - Collecting iPhone Unified Logs via MacOS
- Studio d’Informatica Forense
  - DMARC Forensics: a tool to verify compliance and avoid spoofing problems
- The Packd Byte
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - ntprint.exe lolbin
- Arctic Wolf
  - Data Exfiltration
- Ayelen Torello and Francis Guibernau at AttackIQ
  - Emulating the Versatile Qilin Ransomware
- Maria Vasilevskaya at Auth0
  - Refresh Token Security: Detecting Hijacking and Misuse with Auth0
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
- CERT-AGID
  - Summary of malicious campaigns in the week of 4 – 10 October
- Check Point
- Cisco’s Talos
- CloudSEK
  - An Insider Look At The IRGC-linked APT35 Operations
- Emmett Smith and Brooke McLain at Cofense
  - Phishing from Home – The Hidden Danger in Remote Jobs Lurking in Tesla, Google, Ferrari, and Glassdoor
- Andreas Arnold at Compass Security
  - LockBit Breach: Insights From a Ransomware Group’s Internal Data
- CrowdStrike
  - CrowdStrike Identifies Campaign Targeting Oracle E-Business Suite via Zero-Day Vulnerability (now tracked as CVE-2025-61882)
- Cyfirma
  - Weekly Intelligence Report – 10 October 2025
- Damien Lewke
  - Hunting Compressed Kill Chains
- Darktrace
  - Akira SonicWall Campaign Uncovered
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 40)
- DomainTools Investigations
  - Inside a Crypto Scam Nexus
- Elastic Security Labs
  - What the 2025 Elastic Global Threat Report reveals about the evolving threat landscape
- Elliptic
  - North Korea’s crypto hackers have stolen over $2 billion in 2025
- eSentire
  - New Rust Malware “ChaosBot” Uses Discord for Command and Control
- Bas van den Berg at Eye Research
  - ClickFix Block: protect against fake CAPTCHA attacks | Eye Security
- FalconFeeds
- Forescout
  - Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS
- gm0
- Peter Ukhanov, Genevieve Stark, Zander Work, Ashley Pearson, Josh Murchie, Austin Larsen at Google Cloud Threat Intelligence
  - Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
- Noah Stone at GreyNoise
  - 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure
- Hunt IO
  - AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies
- Huntress
- Maël Le Touz and John Wòjcik at Infoblox
  - Pig Butchering Scams and Their DNS Trail: Linking Threats to Malicious Compounds
- InfoSec Write-ups
- Benjamin Tan and Moses Tay at INTfinity Consulting
  - Securing Your CMS from a DFIR Perspective
- Invictus Incident Response
  - Anatomy of a BEC in 2025
- Kevin Beaumont at DoublePulsar
  - Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail
- Adam Goss at Kraven Security
  - Taming the Data Beast: A Threat Hunter’s Guide to Nushell
- Alexandre Kim at MaverisLabs
  - Evading the Watchful Eye: A Red Teamer’s Guide to EDR Bypass Techniques
- Md. Abdullah Al Mamun
  - Unknown Russian Cyber Attacks Since Sep 2025
- Microsoft Security
- Idan Cohen at Mitiga
  - ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches
- Natto Thoughts
  - China’s Vulnerability Research: What’s Different Now?
- NCSC
  - Strengthening national cyber resilience through observability and threat hunting
- NVISO Labs
- Oleg Skulkin at ‘Know Your Adversary’
  - 279. The Confucius Group Uses Malicious PowerPoint Show Files
  - 280. Hunting for Suspicious TLDs
  - 281. Adversaries Abuse Bunny.net CDN
  - 282. Here’s Another RMM You Most Likely Don’t Detect
  - 283. That’s How Ransomware Gangs Abuse Wbadmin
  - 284. That’s How WhatsApp Worm Disables UAC
  - 285. That’s How Stealit Hides PowerShell Window
- Palo Alto Networks
  - From Ransom to Revenue Loss
  - The ClickFix Factory: First Exposure of IUAM ClickFix Generator
  - Responding to Cloud Incidents: A Step-by-Step Guide from the 2025 Unit 42 Global Incident Response Report
  - When AI Remembers Too Much – Persistent Behaviors in Agents’ Memory
  - Closing the Cloud Security Gap
  - The Golden Scale: Bling Libra and the Evolving Extortion Economy
- Rain Ginsberg
  - substation_at_0742.nfo
- Recorded Future
  - Massive Malicious NPM Package Attack Threatens Software Supply Chains
- Tony Lambert and Chris Brook at Red Canary
  - A taxonomy of Mac stealers: Distinguishing Atomic, Odyssey, and Poseidon
- SANS Internet Storm Center
  - Quick and Dirty Analysis of Possible Oracle E-Business Suite Exploit Script (CVE-2025-61882) [UPDATED], (Mon, Oct 6th)
  - Polymorphic Python Malware, (Wed, Oct 8th)
  - Exploit Against FreePBX (CVE-2025-57819) with code execution., (Tue, Oct 7th)
  - [Guest Diary] Building Better Defenses: RedTail Observations from a Honeypot, (Thu, Oct 9th)
  - Wireshark 4.4.10 and 4.6.0 Released, (Sun, Oct 12th)
- Securelist
- Thomas Roccia at SecurityBreak
  - Introducing PromptIntel
- Liran Tal at Snyk
  - Phishing Campaign Leveraging the NPM Ecosystem
- Socket
- SOCRadar
  - Fake Microsoft Teams Installers Deliver Oyster Backdoor
- Sophos
- Vincent Zell at Stairwell
  - Yurei: A New Ransomware Threat
- Bryan Campbell at Sublime Security
  - UK Home Office visa & immigration scam targets Sponsor Management System accounts
- Marco A. De Felice aka amvinfe at SuspectFile
- Synacktiv
  - LLM Poisoning [1/3] – Reading the Transformer’s Thoughts
- Eduardo Kayky at System Weakness
  - LetsDefend — SOC Simulator/EN version
- THOR Collective Dispatch
- Andrew Scott at Todyl
  - The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk
- Trellix
  - The Evolution of Russian Physical-Cyber Espionage
- Trend Micro
- Jean-Francois Gobin at Truesec
  - She Sells Web Shells by the Seashore (Part II)
- Ugur Koc and Bert-Jan Pals at Kusto Insights
  - Kusto Insights – September Update
- Kenneth Kinion at Validin
  - Exploring Invoice Fraud Email Attempts with Validin
- Vasilis Orlof at Cyber Intelligence Insights
  - Intel Drops #2
- Lucie Cardiet at Vectra AI
  - Seeing Beneath the Surface: What Crimson Collective Reveals About Cloud Detection Depth
- Callum Roxan, Killian Raimbaud, and Steven Adair at Volexity
  - APT Meets GPT: Targeted Operations with Untamed LLMs
- watchTowr Labs
- Wiz
- Vinay Polurouthu, Manohar Ghule, and Brendon Macaraeg at Zscaler
  - Defending Against Last-Mile Reassembly Attacks
- Solar 4RAYS Blog
  - NGC4141: East Asian group attacks custom web applications
UPCOMING EVENTS
- Simply Defensive
  - Detection Engineering Tutorial: Cloud Security, Kubernetes Logging & SOC Career Path | S5 E2
- Huntress
  - Tradecraft Tuesday | Huntress CTF 2025
- Magnet Forensics
- Paula Januszkiewicz and Amr Thabet at Cqure Academy
  - *LIVE WEBINAR* When Evil Goes Incognito: Best practices for Threat Hunters and Incident Responders
- Silent Push
  - Workshop – Detecting Phishing Infrastructure Before Attacks
PRESENTATIONS/PODCASTS
- Hexordia
  - Truth in Dat: EP15: The Artifact Authority: Expert Witness Testimony
- Cellebrite
  - Tip Tuesday: Using Streamline in Inseyets UFED
- Cloud Security Podcast by Google
  - EP246 From Scanners to AI: 25 Years of Vulnerability Management with Qualys CEO Sumedh Thakar
- Magnet Forensics
- Michael Haggis
  - 🖱️ ClickGrab Updates: New Techniques, Redirect Follower, Community Integrations & More! 💁🏼
- Microsoft Threat Intelligence Podcast
  - Threat Landscape Update: Ransomware-as-a-Service and Advanced Modular Malware
- Monolith Forensics
- MSAB
  - XAMN Early Access Part II
- MyDFIR
  - Here’s Why You Should Be Simulating Attacks in Your Home Lab
- Parsing the Truth: One Byte at a Time
  - The Thing About Pam Hupp & Russ Faria Part 1
- Proofpoint
  - When Being Aware of Cybersecurity Means Knowing You’re Human
- Sandfly Security
  - Linux Stealth Rootkit Hunting Presentation
- SentinelOne
  - LABScon25 Replay | Auto-Poking The Bear: Analytical Tradecraft In The AI Age
- The Cyber Mentor
  - LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team
- The DFIR Journal
  - SharePoint Sync: Productivity Turned Data Exfiltration
- The Weekly Purple Team
  - ⚔️ Vibe Hacking using AI for Automation in Offensive & Defensive Ops 🚨
- Three Buddy Problem
MALWARE
- CTF导航 (CTF Navigation)
  - APT | Analysis of the Havoc remote-access trojan used by the OceanLotus (海莲花) group
- Cybereason
  - Addressing CL0P Extortion Campaign Targeting Oracle EBS CVE-2025-61882
- Dr Josh Stroschein
- Fortinet
- Harshil Patel and Prabudh Chakravorty at McAfee Labs
  - Astaroth: Banking Trojan Abusing GitHub for Resilience
- Ray Fernandez at Moonlock
  - Mac.c stealer evolves into MacSync with a backdoor and remote control
- Rizqi Setyo Kusprihantanto at OSINT Team
  - MCP as Your Malware Analysis Assistant
- Paolo Luise
  - Ghidra and strings
- Shubho57
  - Analysis of bat file dropper
- Rizqi Mulki at System Weakness
  - Android Application Reverse Engineering: Unveiling Hidden Secrets
- Zhassulan Zhussupov
  - Linux hacking part 7: Linux sysinfo stealer: Telegram Bot API. Simple C example
- Padvish Malware Threat Database (بانک اطلاعات تهدیدات بدافزاری پادویش)
  - HackTool.Win32.APT-GANG8220
MISCELLANEOUS
- Decrypting a Defense
  - ICE Increases Capabilities, SIM Card Farm, NYCHA Surveillance Hearing, Fixing Broken Phones for Extraction & More
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 10/06/25
- Forensic Focus
  - Exterro Launches FTK Imager Pro, Unlocking Faster Access To Encrypted Evidence For Investigators Worldwide
  - All About PDF Decryption – Discover On Passware Knowledge Base
  - UPCOMING WEBINAR – Inside The Autumn 2025 Release
  - Alexander Fehrmann: How To Analyze Impression Evidence In Amped FIVE
  - Forensic Focus Digest, October 10 2025
- GreyNoise
  - Introducing GreyNoise Feeds: Real-Time Intel for Real-Time Response
- Group-IB
  - Top 7 Cybersecurity Newsletters Worth Your Inbox
- Manuel Feifel at InfoGuard Labs
  - Analyzing and Breaking Defender for Endpoint’s Cloud Communication
- Kevin Pagano at Stark 4N6
  - Cyber Unpacked with Magnet Forensics Feature
- Magnet Forensics
- MISP
  - Wazuh and MISP integration
- Oxygen Forensics
- Shantaciak
  - The Incident Response Strategy: Blueprint Before the Storm
- Pilar Garcia at Sucuri
  - Introducing Sucuri Academy: Your New Destination for Website Security Education
- System Weakness
  - New Forensics Certification from Blue Cape Security? I got it, here is my review.
- Bernardo Quintero at VirusTotal
  - Simpler Access for a Stronger VirusTotal
SOFTWARE UPDATES
- Brian Maloney
  - OneDriveExplorer v2025.10.09
- Digital Sleuth
  - winfor-salt v2025.11.1
- Doug Metz at Baker Street Forensics
  - Cross-Platform DFIR Tools: MalChelaGUI on Windows
- North Loop Consulting
  - Arsenic v2.0
- OpenCTI
  - 6.8.4
- Passmark Software
  - OSForensics V11.1 build 1011, 8th October 2025
- Passware
  - Passware Kit Mobile 2025 v4 Now Available
- Phil Harvey
  - ExifTool 13.39
- Ulf Frisk
  - MemProcFS Version 5.16
- WithSecure Labs
  - Chainsaw v2.13.1
- X-Ways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!