Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Adam at Hexacorn
  Forensics of the past
  
  
• Akash Patel
  • Remote Execution and Kansa — Still One of the Most Underrated IR Tools
  • Log Analysis — It’s Not About Knowing, It’s About Correlating
  • Tracking Kerberos & NTLM Authentication Failures and Investigation
    
    
• Lucy Carey-Shields at Amped
  Forensic Video Workflow with Amped FIVE – Part Two: Analysis of Video Evidence
  
  
• Erik Pistelli at Cerbero
  Memory Challenge 3: Invisible
  
  
• Christopher Eng at Ogmini
  • Gmail App – IMAP Account Artifacts (Message Logging) – Part 2
  • Forensic ADB Scripts – adb-pull-stat.py
  • BSides NYC 0x05 – Contribute to Learn-Building DFIR Expertise Through Open Source
    
    
• Elcomsoft
  • Extracting Apple Unified Logs
  • Cheat Sheet: Perfect Acquisition (32-bit)
  • Effective Disk Imaging: Ports, Hubs, and Power
  • All USB Cables Are Equal, But Some Are More Equal Than Others
    
    
• Elliptic
  • $15 billion seized by US originates from Iran/China bitcoin miner “theft”
  • Prince Group targeted with $15B crypto seizure and sanctions for pig butchering operations
    
    
• Forensafe
  Solving Magnet Virtual Summit 2025 CTF (Windows)
  
  
• Hussam Shbib at Cyber Dose
  Be a Better Detective #6 Parsing Linux Memory Dump
  
  
• Ian Whiffin at DoubleBlak
  Safari Walkthrough
  
  
• Iram Jack
  • Supplemental Memory
  • Linux Memory Analysis
    
    
• Matthew Plascencia
  The Wonderful World of Windows Forensics
  
  
• Md. Abdullah Al Mamun
  Exposed Commands History of Moscow Hackers
  
  
• OSINT Team
  $UsnJrnl: Exploring the NTFS USN journal to track file system activity
  
  
• Kirill Magaskin at Securelist
  The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts
  
  
• Studio d’Informatica Forense
  Verifica di email originali o contraffatte per Le Iene
  

THREAT INTELLIGENCE/HUNTING

• Abdul Mhanni
  Becoming the Machine, A Virtual Account’s Guide to Total Control
  
  
• Faan Rossouw at Active Countermeasures
  Threat Hunting and the Philosophy of Assumed Breach
  
  
• Adam at Hexacorn
  • 1 little known secret of help.exe
  • 1 little known secret of nslookup.exe, part 2
  • 1 little known secret of wsreset.exe
    
    
• ASEC
  • Larva-25010 – Analysis on the APT Down Threat Actor’s PC
  • Analysis on the Qilin Ransomware Using Selective Encryption Algorithm
  • Statistics Report of Malware Targeting Linux SSH Servers in Q3 2025
  • Statistics Report on Malware Targeting Windows Database Servers in Q3 2025
    
    
• AttackIQ
  Response to Oracle Security Alert Advisory: Oracle E-Business Suite Pre-Auth RCE (CVE-2025-61882)
  
  
• Deerendra Prasad at Barracuda
  Threat Spotlight: Unpacking a stealthy new phishing kit targeting Microsoft 365
  
  
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief | October 2025
  
  
• Brian Krebs at ‘Krebs on Security’
  • Patch Tuesday, October 2025 ‘End of 10’ Edition
  • Email Bombs Exploit Lax Authentication in Zendesk
    
    
• BushidoToken
  Lessons from the BlackBasta Ransomware Attack on Capita
  
  
• CERT Ukraine
  “Протидія російським ДРГ”: UAC-0239 здійснює кібератаки з використанням фреймворку OrcaC2 та стілеру FILEMESS (CERT-UA#17691)
  
  
• CERT-AGID
  • Phishing sulla verifica del permesso di soggiorno prende di mira i cittadini stranieri in Italia
  • Phishing contro PagoPA abusa di open redirect Google
  • Sintesi riepilogativa delle campagne malevole nella settimana del 11 – 17 ottobre
    
    
• Check Point
  • 13th October – Threat Intelligence Report
  • Microsoft Dominates Phishing Impersonations in Q3 2025
    
    
• CISA
  ED 26-01: Mitigate Vulnerabilities in F5 Devices
  
  
• Vanja Svajcer and Michael Kelley at Cisco’s Talos
  BeaverTail and OtterCookie evolve with a new Javascript module
  
  
• CloudSEK
  An Insider Look At The IRGC-linked APT35 Operations: Ep3 – Malware Arsenal & Tooling
  
  
• Cofense
  • Weaponized Trust: Microsoft’s Logo as a Gateway to Tech Support Scams
  • “Privacy” and “Prizes”: Rewards from a Malicious Browser Extension
    
    
• Ash Leslie, Doug Brown, and Mitch Datka at CrowdStrike
  Falcon Defends Against Git Vulnerability CVE-2025-48384
  
  
• Curated Intelligence
  Curated Intel Diary: Researching ASNs for CTI
  
  
• Cyfirma
  Weekly Intelligence Report – 10 October 2025
  
  
• Dark Atlas
  Suspicious ScreenConnect Abuse by Threat Actors
  
  
• Detect FYI
  • Re-Writing the Playbook — A detection-driven approach to Incident Response
  • Identifying File Exfiltration via RDP Sessions with KQL Queries (Dia de los Muertos Special)
  • Hunting WMI Event Subscription Persistence
  • Critical Asset Analysis for Detection Engineering
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week41)
  
  
• DomainTools Investigations
  SecuritySnack: Repo The Repo – NPM Phishing
  
  
• Dreadnode
  LOLMIL: Living Off the Land Models and Inference Libraries
  
  
• Magdalena Karwat at EclecticIQ
  Extending STIX: How Custom objects empower your intelligence work
  
  
• Paul Asadoorian at Eclypsium
  BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices
  
  
• Sai Molige at Forescout
  A Year Later, Interlock Ransomware Keeps Leveling Up
  
  
• Pei Han Liao at Fortinet
  Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia
  
  
• Google Cloud Threat Intelligence
  • DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
  • New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware
    
    
• GreyNoise
  GreyNoise’s Recent Observations Around F5
  
  
• Group-IB
  • A new weapon against payment fraud: Unique threat intelligence for anti-fraud teams
  • East-west tension: Are NDR vendors monitoring the wrong traffic?
    
    
• Hunt IO
  Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools
  
  
• Harlan Carvey and Lindsey O’Donnell-Welch at Huntress
  Dispelling Ransomware Deployment Myths
  
  
• Jeffrey Bellny at CatchingPhish
  • Data Exfiltration via ChatGPT Agent Mode
  • The Tale of the Obfuscated Hospital
    
    
• Kasada
  Q3 2025 Threat Intelligence Report
  
  
• Adam Goss at Kraven Security
  So You Want to Be a CTI Analyst? The Ultimate Career Guide
  
  
• Cris Tomboc at LevelBlue
  SocGholish: Turning Application Updates into Vexing Infections
  
  
• Amy Hogan-Burney at Microsoft Security
  Extortion and ransomware drive over half of cyberattacks
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 286. That’s How Astaroth Abusing GitHub
  • 287. Adversaries Abuse Dpaste to Store Malicious Files
  • 288. ClickFix, FileFix… So What?
  • 289. Hunting for Masquerading
  • 290. That’s How Adversaries Use PowerShell for Mutex Detection
  • 291. Adversaries Keep Abusing Microsoft Console Debugger
  • 292. Hunting for PhantomVAI Loader’s Behaviors
    
    
• OSINT Team
  Mapping Cyber Adversaries: How MITRE ATT&CK Helps You See Attacks Before They Happen
  
  
• Marcelo Ruano at Outpost24
  Carding ecosystem: The fall of traditional financial cybercrime
  
  
• Palo Alto Networks
  • PhantomVAI Loader Delivers a Range of Infostealers
  • Anatomy of an Attack: The “BlackSuit Blitz” at a Global Equipment Manufacturer
  • Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities
    
    
• Picus Security
  • Scattered LAPSUS$ Hunters: 2025’s Most Dangerous Cybercrime Supergroup
  • Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
    
    
• Proofpoint
  When the monster bytes: tracking TA585 and its arsenal
  
  
• Qi’anxin X Lab
  StealthServer: A Dual-Platform Backdoor from a South Asian APT Group
  
  
• Recorded Future
  How to Mitigate Supply Chain Attacks
  
  
• Jesse Griggs at Red Canary
  Commanding attention: How adversaries are abusing AI CLI tools
  
  
• Resecurity
  Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate
  
  
• RexorVc0
  CTI The Dark Cloak
  
  
• SANS Internet Storm Center
  • Heads Up: Scans for ESAFENET CDG V5 , (Mon, Oct 13th)
  • Clipboard Pictures Exfiltration in Python Infostealer, (Wed, Oct 15th)
  • TikTok Videos Promoting Malware Installation, (Fri, Oct 17th)
  • New DShield Support Slack, (Thu, Oct 16th)
    
    
• Securelist
  • Mysterious Elephant: a growing threat
  • Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution
  • Post-exploitation framework now also delivered via npm
    
    
• Seqrite
  • Judicial Notification Phish Targets Colombian Users – .SVG Attachment Deploys Info-stealer Malware
  • Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)
  • Operation MotorBeacon : Threat Actor targets Russian Automotive Sector using .NET Implant
    
    
• Shantaciak
  • Where Blue Teams Stop Reacting and Start Designing
  • Sparking Curiosity: The Detection Engineering Life Cycle
    
    
• Kirill Boychenko at Socket
  131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store
  
  
• Sophos
  Threat Intelligence Executive Report – Volume 2025, Number 5
  
  
• Soumyadeep Basu at Soumyadeep Basu
  Detecting AWS X-Ray C2 Abuse
  
  
• Michael Haag at Splunk
  The Lost Payload: MSIX Resurrection
  
  
• Squiblydoo
  DeceptionPro: getting ahead of cybercrime
  
  
• Sublime Security
  • Google Careers impersonation credential phishing scam with endless variation
  • Facebook credential phishing with job scams impersonating well-known companies
    
    
• Gabriel Barbosa at Sucuri
  Contact Form Spam Attack: An Innocent Feature Caused a Massive Problem
  
  
• SuspectFile
  • The Alliance That Wasn’t: A Critical Analysis of ReliaQuest’s Q3 2025 Ransomware Report
  • Allardyce Bower Consulting data breach: cyber insurance not activated, reasons remain unclear
  • Why Allardyce Bower Consulting’s Ransomware Insurance Didn’t Work as Expected
    
    
• Symantec Enterprise
  Jewelbug: Chinese APT Group Widens Reach to Russia
  
  
• Synacktiv
  LinkPro: eBPF rootkit analysis
  
  
• System Weakness
  • LetsDefend — SOC Simulator — EventID: 44/ EN version
  • CyberTalents Digital Forensics: “Just Smile” write-up
  • CyberTalents Digital Forensics: “Hack a nice day” write-up
  • CyberTalents Digital Forensics: “XMEN-Files” write-up
    
    
• THOR Collective Dispatch
  • Sliver BOFs in Action: Bringing Sliver Armory BOFs to Purple Teaming
  • Aligning Risk Management and Threat-Informed Defense Practices (Part 1)
    
    
• Maulik Maheta at Trellix
  The Silent Threat in Active Directory: How AS-REP Roasting Steals Passwords Without a Trace and Trellix NDR’s Rapid Detection
  
  
• Junestherry Dela Cruz at Trend Micro
  Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing
  
  
• Stephen Kowski at Varonis
  Inbox Infiltration: The File Type You’re Overlooking
  
  
• Vasilis Orlof at Cyber Intelligence Insights
  • Mapping latest Lumma infrastructure
  • Intel Drops #3
    
    
• Vectra AI
  • Qilin’s 2025 playbook, and the security gap it exposes by Lucie Cardiet
  • From Conti to Black Basta to DevMan: The Endless Ransomware Rebrand by Lucie Cardiet
    
    
• Rami McCarthy at Wiz
  Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces
  
  
• Darshit Ashara, Pratik Kadam, and Michael Wylie at ZScaler
  Search, Click, Steal: The Hidden Threat of Spoofed Ivanti VPN Client Sites
  

UPCOMING EVENTS

• Black Hills Information Security
  Talkin’ Bout [infosec] News 2025-10-20 #livestream #infosec #news
  
  
• Dragos
  CAPTURE THE FLAG 2025
  
  
• Magnet Forensics
  Overcoming mobile forensics challenges in workplace investigations
  
  
• Simply Cyber
  From Help Desk to SOC: How KevTech Broke Into Cybersecurity Without Certs | Simply Defensive S5 E3
  
  
• Spur
  From Pyongyang to your SaaS: Spotting DPRK Tactics in Zoom & Slack
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  A Brief History of Ransomware
  
  
• Black Hills Information Security
  Talkin’ Bout [infosec] News 2025-10-13 #livestream #infosec #infosecnews
  
  
• Brett Shavers
  Every Seat But the Judge’s
  
  
• Cellebrite
  • Tip Tuesday: Cellebrite Autumn 2025 Release
  • Special Tip Tuesday: Registering for the Cellebrite CTF
  • Registration is OPEN for Cellebrite’s CTF 2025
    
    
• Amy Ciminnisi at Cisco’s Talos
  Laura Faria: Empathy on the front lines
  
  
• Cloud Security Podcast by Google
  EP247 The Evolving CISO: From Security Cop to Cloud & AI Champion
  
  
• Cyber from the Frontlines
  E18 The AI Threat Equation : From Models to Malware
  
  
• InfoSec_Bret
  SA – SOC235 EventID: 197 (Atlassian Confluence Broken Access Control 0-Day CVE-2023-22515)
  
  
• John Hammond
  • Script-Based Malware Analysis!
  • stealing passwords
    
    
• Magnet Forensics
  • Cloud or on-prem? Why not both — discover the new Nexus hybrid agent
  • Banish your mobile device backlogs and bottlenecks with Magnet Graykey Fastrak and Magnet Automate
    
    
• Monolith Forensics
  Evidence Details in Monolith
  
  
• MSAB
  • #MSABMonday – Hash Tree Builder update (Selection) in XRY 11.2.0
  • Forensic Fix Episode 23
    
    
• MyDFIR
  Turning Your Labs Into Real SOC Experience (That Gets You Noticed)
  
  
• Parsing the Truth: One Byte at a Time
  The Thing about Pam Hupp & Russ Faria’s Retrial (Part 2)
  
  
• Three Buddy Problem
  JAGS LABScon 2025 keynote: Steps to an ecology of cyber
  

MALWARE

• Any.Run
  New Malware Tactics: Cases & Detection Tips for SOCs and MSSPs
  
  
• Erik Pistelli at Cerbero
  MSI Format Package
  
  
• Cyble
  GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware
  
  
• Jeroen Beckers at NVISO Labs
  Patching Android ARM64 library initializers for easy Frida instrumentation and debugging
  
  
• Sekoia
  Defrosting PolarEdge’s Backdoor
  
  
• Shubho57
  Analysis of a malicious APK file
  
  
• Alan Sguigna at White Knight Labs
  Microsoft WinDbg Time Travel Debugging versus Intel Processor Trace
  
  
• Zhassulan Zhussupov
  MacOS hacking part 12: reverse shell for ARM (M1). Simple Assembly (M1) example
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  ShrinkLocker
  

MISCELLANEOUS

• Anton Chuvakin
  SIEM, Startups, and the Myth (Reality?) of IT Inertia: A Reformed Analyst Reflects on SIEM MQ 2025
  
  
• Brett Shavers
  When the Investigation Gets Lost in the Machine
  
  
• Brett Shavers at DFIR.Training
  If Your Case Fell Apart, It Probably Wasn’t the Tool’s Fault
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 10/13/25
  
  
• Michael Karsyan at Event Log Explorer blog
  Windows Event Log API Bug Ruins Most Event Log Software
  
  
• F-Response
  Know your F-Response versions…
  
  
• Forensic Focus
  • Oxygen Forensics Releases Oxygen Remote Explorer v1.9.1
  • Forensic Imaging Of A Third-Party’s Cellphone Denied In FMLA Suit
  • Digital Forensics Jobs Round-Up, October 13 2025
  • Matthew Plascencia, Digital Forensic Investigator, Exhibit A Cyber
  • Passware Kit 2025v4 Released: Unlock Transcend Portable SSDs
  • Digital Forensics Round-Up, October 15 2025
  • Amped Software Launches New Three-Part Blog Series: A Real Case-Based Forensic Video Workflow With Amped FIVE
  • Oxygen Forensics Training – Extraction in a Box (XiB)
  • Detego Global And Raven Enter Strategic Partnership To Tackle Child Exploitation Through Technology
    
    
• Hornet Security
  Was das britische Ransomware-Zahlungsverbot für Ihr Unternehmen bedeutet
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  • Inside the Unified Log 5: Navigation
  • Inside the Unified Log 6: Difficult times
    
    
• Mahmoud Soheem
  • Getting Started with The DFiR Galaxy Workstation
  • DFiR Galaxy Workstation: A Swiss army knife for DFIR Investigations
  • Available Tools in DFiR Galaxy Workstation
    
    
• MISP
  MISP performance tuning
  
  
• Oxygen Forensics
  • Add The Best Possible Translation to Your Digital Investigations
  • How to Extract and Parse Data from ChatGPT
    
    
• Ryan G. Cox at The Cybersec Café
  How to Improve Your Security Posture After a Security Incident
  

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 38827: New Filter Presets, Project Snapshots, and Advancements to Convert DVR, Annotate, Compression Analysis, Advanced File Info, and Much More
  
  
• Belkasoft
  What’s new in Belkasoft X v.2.9
  
  
• Cellebrite
  Autumn 2025 Release: Entering the Next Frontier in Digital Investigations and Mobile Cybersecurity
  
  
• Doug Metz at Baker Street Forensics
  Streamline Digital Evidence Collection with CyberPipe 5.2
  
  
• Elcomsoft
  iOS Forensic Toolkit 8.80 enhances logical acquisition, adds support for Apple Unified Logs
  
  
• F-Response
  F-Response 8.7.1.36 Now Available
  
  
• Logisek
  ThreatHunting – Windows Event Log Threat Hunting Toolkit
  
  
• Manabu Niseki
  Mihari v8.2.1
  
  
• MISP
  MISP 2.5.23 Released with Enhanced Benchmarking, Many Bug Fixes, and Documentation Updates
  
  
• North Loop Consulting
  KeyProgrammerParser v4.1
  
  
• OpenCTI
  6.8.6
  
  
• Passware
  Passware Kit 2025 v4 Now Available
  
  
• Xways
  • X-Ways User Forum: X-Ways Forensics 21.2 SR-13
  • X-Ways User Forum: X-Ways Forensics 21.3 SR-12
  • X-Ways User Forum: X-Ways Forensics 21.4 SR-8
  • X-Ways User Forum: X-Ways Forensics 21.5 SR-9
  • X-Ways User Forum: X-Ways Forensics 21.6 Beta 7
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!