Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Lucy Carey-Shields at Amped
  Forensic Video Workflow with Amped FIVE – Part Three: Reporting and Presentation
  
  
• Erik Pistelli at Cerbero
  Memory Challenge 4: Remember Me
  
  
• Christopher Eng at Ogmini
  • Android Forensics – DJI Fly
  • Forensic ADB Scripts – adb-pull-tar.py
  • BSides NYC 0x05 – CTFd Contribution
  • Release – Windows Notepad Parser v1.0.5
  • Zeltser Challenge – Ninth Month Accomplishments
  • Packaged App – Registry Hives
    
    
• Computer Forensics Lab
  Complete Guide to iOS Digital Forensics Methods and Tools
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  C2PA in a Court of Law
  
  
• Forensafe
  Android Imgur
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Be careful when interpreting APFS timestamps
  
  
• Hussam Shbib at Cyber Dose
  Be a Better Detective #7 – Investigating Windows artifacts – Recycle Bin – 1
  
  
• Kevin Pagano at Stark 4N6
  BSides NYC 2025 CTF – Forensics
  
  
• Kenneth G. Hartman at Lucid Truth Technologies
  Subpoenas, Pen Registers, and IP Address Lookups
  
  
• North Loop Consulting
  Forensic Analysis of Apple Maps Tile Cache
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Beyond good ol’ Run key, Part 153
  
  
• Akash Patel
  • Understanding Where Windows Authentication Logs Actually Live — From AD to Entra ID
  • Event Log Clearing and Malware Execution: Evidence from Windows Logs
  • PowerShell Logging: Making the Invisible Visible
    
    
• Arctic Wolf
  Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe
  
  
• ASEC
  • September 2025 Trends Report on Phishing Emails
  • September 2025 Threat Trend Report on Ransomware
  • Ransom & Dark Web Issues Week 4, October 2025
  • September 2025 Infostealer Trend Report
  • September 2025 Security Issues in Korean & Global Financial Sector
  • September 2025 APT Attack Trends Report (South Korea)
    
    
• Ayelen Torello at AttackIQ
  Emulating the Prominent Global Group Ransomware
  
  
• Tony Burgess at Barracuda
  Malware Brief: XWorm, TrickMo, and Remcos
  
  
• Brian Krebs at ‘Krebs on Security’
  Canada Fines Cybercrime Friendly Cryptomus $176M
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 18 – 24 ottobre
  
  
• Check Point
  • 20th October – Threat Intelligence Report
  • Dissecting YouTube’s Malware Distribution Network
  • LockBit Returns — and It Already Has Victims
    
    
• Cisco’s Talos
  • Reducing abuse of Microsoft 365 Exchange Online’s Direct Send
  • IR Trends Q3 2025: ToolShell attacks dominate, highlighting criticality of segmentation and rapid response
    
    
• Marie Mamaril at Cofense
  Unpacking the Phishing Script Behind a Server-Orchestrated Deception
  
  
• David Burkett at Corelight
  Using the PEAK Framework to Expose Volt Typhoon | Corelight
  
  
• Coveware
  Insider Threats Loom while Ransom Payment Rates Plummet
  
  
• CrowdStrike
  • Ransomware Reality: Business Confidence Is High, Preparedness Is Low
  • CrowdStrike 2025 APJ eCrime Landscape Report: A New Era of Threats Emerges
  • From Domain User to SYSTEM: Analyzing the NTLM LDAP Authentication Bypass Vulnerability (CVE-2025-54918)
    
    
• CTF导航
  • 人机验证藏陷阱？ClickFix 剪贴板攻击的社会工程学
  • 蔓灵花（APT-Q-37）以多样化手段投递新型后门组件
  • Key IOCs for Pegasus and Predator Spyware Cleaned With iOS 26 Update
  • TA585 组织利用 ClickFix 钓鱼技术部署 MonsterV2 RAT 的深度技术分析
    
    
• Cybereason
  Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate
  
  
• Cyble
  Newcomers Fuel Ransomware Explosion in 2025 as Old Groups Fade
  
  
• Cyfirma
  Weekly Intelligence Report – 24 October 2025
  
  
• Damien Lewke
  Hunting the Edge: Lessons from the F5 Breach
  
  
• Daniel Koifman
  Deconstructing “Wmiexec-Pro”
  
  
• Katie Knowles at Datadog Security Labs
  CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing
  
  
• DebugPrivilege
  We Have To Talk About Service Accounts!
  
  
• Detect FYI
  • Deconstructing “Wmiexec-Pro”
  • Detecting Tampering of Windows Security Audit Policy
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week42)
  
  
• Ian Campbell at DomainTools Investigations
  DomainTools Investigations BSides NoVa Recap
  
  
• Elastic Security Labs
  • TOLLBOOTH: What’s yours, IIS mine
  • Time-to-Patch Metrics: A Survival Analysis Approach Using Qualys and Elastic
    
    
• Marcus Hutchins at Expel
  Along for the ride: When legitimate software becomes a signed malware loader
  
  
• FalconFeeds
  • Scattered Spiders Data Leak: Strategic Exposure Assessment Across Vietnam’s Public Sector and Global Affiliates
  • Deconstructing the GAP Subset Breach and the Critical Exposure of US Government & Military Personnel
  • What Makes an IOC Valuable? Understanding Indicators that Actually Matter
  • Threat Intel Without Borders: Why Regional Breaches Become Global Catastrophes in Hours
    
    
• Google Cloud Threat Intelligence
  • Pro-Russia Information Operations Leverage Russian Drone Incursions into Polish Airspace
  • To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER
  • Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials
    
    
• Noah Stone at GreyNoise
  Threat Actors Deploying New IPs Daily to Attack Microsoft RDP
  
  
• Group-IB
  • Exposing the Immediate Era Fraud in Singapore
  • Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
    
    
• Harfanglab
  RudePanda owns IIS servers like it’s 2003
  
  
• Justin Cady at Horizon3
  The Quiet Attack Path
  
  
• Huntress
  • Dealing with Imperfect Telemetry: Techniques for Effective Incident Response
  • Looking Through a Pinhole at a Qilin Ransomware Attack
  • Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)
    
    
• Infoblox
  Vault Viper: High Stakes, Hidden Threats
  
  
• Isaac Dunham
  The Modern Phish
  
  
• Kostas
  Detecting Abuse of OpenEDR’s Permissive EDR Trial: A Security Researcher’s Perspective
  
  
• MalwareTech
  Look At This Photograph – Passively Downloading Malware Payloads Via Image Caching
  
  
• Peter Harris at MaverisLabs
  Ransomware Unleashed: Insight into the 2025 Threat Surge
  
  
• Microsoft Security
  Inside the attack chain: Threat activity targeting Azure Blob Storage
  
  
• Natto Thoughts
  Beyond the Aliases: Decoding Chinese Threat Group Attribution and the Human Factor
  
  
• Netscout
  ASERT Threat Summary: Aisuru and Related TurboMirai Botnet DDoS Attack Mitigation and Suppression—October 2025—v1.0
  
  
• Florian Roth at Nextron Systems
  Beyond Availability – Forensic Backup Scanning with Veeam and THOR
  
  
• NSB Cyber
  #NSBCS.097 – Q3 Ransomware Report Teaser
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 293. That’s How APT-Q-37 Abuses C# Compiler
  • 294. Hunting for Suspicious DLL Export Functions
  • 295. Hunting for Phantom DLL Hijacking
  • 296. Hunting for Caminho Loader Behaviors
  • 297. Hunting for Python Telegram RAT
  • 298. Hunting for Abusing Dropbox for Malware Delivery
  • 299. That’s How Adversaries Abuse the BCP Utility
    
    
• Picus Security
  • CABINETRAT Malware Windows Targeted Campaign Explained
  • Cavalry Werewolf APT: Exposing FoalShell and StallionRAT Malware
  • New Rust Malware “ChaosBot” Leverages Discord for Stealthy Command and Control
  • Storm-2603 Ransomware Campaign Targets Microsoft SharePoint in 2025: Activity and TTP Analysis
  • WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor’s Evolution
  • XWorm Rises Again: Dissecting the Modular Malware’s V6 Resurrection
  • Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
  • FIN7 Cybercrime Group: Evolution from POS Attacks to Ransomware-as-a-Service (RaaS) Operations
  • Predatory Sparrow: Inside the Cyber Warfare Targeting Iran’s Critical Infrastructure
    
    
• Proofpoint
  • Beyond credentials: weaponizing OAuth applications for persistent cloud access
  • Proofpoint releases innovative detections for threat hunting: PDF Object Hashing
    
    
• Recorded Future
  • Navigating Your Threat Intelligence Maturity Journey
  • Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
    
    
• Red Canary
  Intelligence Insights: October 2025
  
  
• SANS Internet Storm Center
  • Many Online Services and Websites Affected by an AWS Outage, (Mon, Oct 20th)
  • Using Syscall() for Obfuscation/Fileless Activity, (Mon, Oct 20th)
  • What time is it? Accuracy of pool.ntp.org., (Tue, Oct 21st)
  • Infostealer Targeting Android Devices, (Thu, Oct 23rd)
  • webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant?, (Wed, Oct 22nd)
  • Phishing Cloud Account for Information, (Thu, Oct 23rd)
    
    
• Sansec
  SessionReaper attacks have started, 3 in 5 stores still vulnerable
  
  
• Securelist
  • PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations
  • The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques
    
    
• Nitish Singh and Nikhil Kumar Chadha at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – September 2025
  
  
• Sekoia
  • Decoding UserAuthenticationMethod in Microsoft 365 audit logs: the bitfield mapping
  • TransparentTribe targets Indian military organisations with DeskRAT
    
    
• Sathwik Ram Prakki at Seqrite
  Anatomy of the Red Hat Intrusion: Crimson Collective and SLSH Extortions
  
  
• Silent Push
  Silent Push Detects Salt Typhoon Infrastructure Months Before It Went Live, New IOFA™ Feeds Provide Customers With Early Detection Ahead of Operational Use
  
  
• Kirill Boychenko at Socket
  Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys
  
  
• Kabilan S at SquareX Labs
  Hidden in Plain Sight: How we followed one malicious extension to uncover a multi-extension…
  
  
• Peter Djordjevic at Sublime Security
  Direct Send abuse on Microsoft 365: Just another failed authentication
  
  
• Symantec Enterprise
  • Warlock Ransomware: Old Actor, New Tricks?
  • ToolShell Used to Compromise Telecoms Company in Middle East
    
    
• Paolo Polidori at Sysdig
  Kubernetes Incident Response: Detect, investigate, and contain in under 10 minutes
  
  
• System Weakness
  • CyberTalents Digital Forensics: “Music Chairs” write-up
  • Initial Access Pot TryHackMe Walkthrough & Linux Forensics
  • Mastering Detection Engineering with Sigma for Cybersecurity
    
    
• Lauren Proehl at THOR Collective Dispatch
  From the Fire: Q3FY25
  
  
• Ernesto Fernández Provecho and Pham Duy Phuc at Trellix
  SideWinder’s Shifting Sands: Click Once for Espionage
  
  
• Trend Micro
  • When Tokenizers Drift: Hidden Costs and Security Risks in LLM Deployments
  • The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns
  • Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
    
    
• Mihir Bhanushali at Triskele Labs
  Stopping a 25 TB Breach: SOC vs. Threat Actor
  
  
• Truesec
  • GlassWorm – Self-Propagating VSCode Extension Worm
  • She Sells Web Shells by the Seashore (Part III)
    
    
• Sean Metcalf at TrustedSec
  Detecting Password-Spraying in Entra ID Using a Honeypot Account
  
  
• Trustwave SpiderLabs
  Public Sector Ransomware Attacks Relentlessly Continue
  
  
• VirusTotal
  • VirusTotal Success Stories – SEQRITE
  • Hugging Face and VirusTotal: Building Trust in AI Models
    
    
• Peter Kálnai and Alexis Rapin at WeLiveSecurity
  Gotta fly: Lazarus targets the UAV sector
  
  
• Alan Sguigna at White Knight Labs
  Using MCP for Debugging, Reversing, and Threat Analysis
  
  
• Блог Solar 4RAYS
  Обзор уязвимостей веб-приложений за 3 квартал 2025
  
  
• Genians
  Analysis of the Lumma infostealer
  
  
• Palo Alto Networks
  • The Golden Scale: Notable Threat Updates and Looking Ahead
  • Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
  • The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
  • Why Threat Actors Succeed
  • Cloud Discovery With AzureHound
    

UPCOMING EVENTS

• Black Hills Information Security
  Talkin’ Bout [infosec] News 2025-10-27 #infosec #news
  
  
• Cellebrite
  Harnessing the Power of Advanced Extractions with Inseyets for Enterprise*
  
  
• Cybersecurity Mentors
  Lessons Learned From the Australian National University Breach w/Suthagar Seevaratnam P1| CMP S5 E3
  
  
• Huntress
  Live Hacking into Microsoft 365 with former NSA operative and Huntress CEO, Kyle Hanslovan
  
  
• Magnet Forensics
  Mobile Unpacked S3:E10 // Picking apart the passcodes: Determining the method of unlock on devices
  
  
• SANS
  Stay Ahead of Ransomware – Ransomware and Cyber Extortion on the Rise in the Cloud
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth In Data: EP16: The Gamification of Forensics: CTFs and Skill Mastery with guest Kevin Pagano
  
  
• Adrian Crenshaw
  DRS_CounterSurveil_Ep51 – Maid In The Middle: Detecting Evil Maid Attacks
  
  
• Adversary Universe Podcast
  Thriving Marketplaces and Regional Threats: The CrowdStrike 2025 APJ eCrime Landscape Report
  
  
• Alexis Brignoni
  AI in Digital Forensics Discussion
  
  
• Behind the Binary by Google Cloud Security
  EP17 What Lurks Beneath: Building a Robust Network at Black Hat with Mark Overholser
  
  
• Belkasoft
  • The Best AI for Digital Forensics | AI That Actually Works for DFIR
  • Trusted Apps Gone Rogue: Slack, Discord, and Telegram as Malware Channels | Vedant Narayan
    
    
• Cellebrite
  • Tip Tuesday: Cellebrite CTF 2025 Rules and Reminders
  • Simplify Internal Investigations with Guardian Collaborate for Enterprise
    
    
• Cloud Security Podcast by Google
  EP248 Cloud IR Tabletop Wins: How to Stop Playing Security Theater and Start Practicing
  
  
• Cyber Social Hub
  A.I. and Hardware Requirements in Digital Investigations
  
  
• Cyberwox
  How Cyber Threat Intelligence Reveals New Phishing Tactics (w/ ANY.RUN)
  
  
• Eclypsium
  BTS #62 – Unpacking the F5 Breach, Framework UEFI Shells
  
  
• Endace
  Packet Forensic Files Ep 63 Jack Chan – Fortinet
  
  
• Simply ICS Cyber
  Keeping Up With ICS Threat Intelligence | Simply ICS Cyber S2 E6
  
  
• InfoSec_Bret
  SA – SOC250 EventID: 212 – APT35 HyperScrape Data Exfiltration Tool Detected
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Malicious NordVPN Setup, Beginner Sample
  
  
• Magnet Forensics
  • From alerts to answers: Digital forensics in modern IR
  • Overcoming mobile forensics challenges in workplace investigations
    
    
• Malspace
  Breaking Silos in Threat Intelligence
  
  
• Michael Haggis
  🛡️ Stopping ClickFix Attacks in Real Time – BinHex.Ninja Security
  
  
• Microsoft Threat Intelligence Podcast
  The New Frontlines of Cybersecurity: Lessons from the 2025 Digital Defense Report
  
  
• Monolith Forensics
  Case Notes in Monolith
  
  
• MSAB
  #MSABMonday – UNIFY File Upload
  
  
• MyDFIR
  • REAL SOC Analyst Investigation | MALWARE DETECTED | MYDFIR SOC Community
  • Why I Joined the MyDFIR SOC Community (and Why It’s Worth Every Penny)
    
    
• Paraben Corporation
  E3 Trial Install and License Tutorial
  
  
• Parsing the Truth: One Byte at a Time
  The Thing About Pam: A shooting
  
  
• Proofpoint
  From Web Injects to Info Stealers: How Cybercriminals Stay Ahead
  
  
• SANS
  • SANS 2025 Cloud Security Exchange: Expert Panel
  • Microsoft Keynote: Defending Against Modern Threats
  • Google Cloud Keynote: Avoid Mistakes in a Dynamic Landscape
    
    
• The Defender’s Advantage Podcast
  UNC5221 and the BRICKSTORM Campaign
  
  
• THE Security Insights Show
  THE Security Insights Show Episode 278: Pumpkin Patch Phishers: Carving Out Your Data This Halloween
  
  
• The Weekly Purple Team
  🔒 When EDR Misses: Detecting SSL C2 usage with SIEM & Detection as Code
  
  
• Three Buddy Problem
  Apple’s iOS forensics freeze, WhatsApp zero-click, China outs NSA
  

MALWARE

• Any.Run
  Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance 
  
  
• Esentire
  Unpacking NetSupport RAT Loaders Delivered via ClickFix
  
  
• Lab52
  From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign
  
  
• Renaud Tabary at MALCAT
  Malcat scripting tutorial: deobfuscating Latrodectus
  
  
• Netskope
  • New Python RAT Targets Gamers via Minecraft
  • RedTiger: New Red Teaming Tool in the Wild Targeting Gamers and Discord Accounts
    
    
• Ashlee Benge at ReversingLabs
  Triaging MalDocs with Spectra Analyze
  
  
• Tom Hegel at SentinelOne
  PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation
  
  
• Shubho57
  Analysis of BQTLock Ransomware
  
  
• SquareX Labs
  AI Sidebar Spoofing: Malicious Extensions Impersonates AI Browser Interface
  
  
• Junestherry Dela Cruz at Trend Micro
  Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities
  
  
• Wordfence
  • Malware Using Variable Functions and Cookies For Obfuscation
  • Mass Exploit Campaign Targeting Arbitrary Plugin Installation Vulnerabilities
    
    
• Zhassulan Zhussupov
  • Malware development trick 52: steal data via legit Slack API. Simple C example.
  • Malware development trick 53: steal data via legit XBOX API. Simple C example.
    

MISCELLANEOUS

• Brett Shavers
  • I screwed up so you don’t have to
  • I Was There When Digital Forensics Lost Its Soul.
  • Your Lab Is Ready: Free Evidence Samples + Free Software to Work Practice Cases.
  • The End of DF/IR Is Here… Again
    
    
• Cellebrite
  • How Does Your Agency Stack Up? Get a Digital Evidence Reality Check!
  • 2025 Industry Trends Survey for Enterprise Solutions
    
    
• CyberBoo
  Microsoft Defender for Endpoint Part 2: Deployment & Implementation Guide
  
  
• Cyberdom
  Sentinel MCP Unlocked
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 10/20/25
  
  
• Forensic Focus
  • Inside F3: Building Community And Sharing Knowledge In Digital Forensics
  • A New Data Hope: How To Conquer The Data Frontier In eDiscovery – And Win
  • Digital Forensics Round-Up, October 22 2025
  • MSAB Q3 2025 Release: BruteStorm Surge And Powerful Enhancements On MSAB Suite
  • Amped Software Deployed The Latest Amped FIVE Update With New Addition Filter Presets, Project Snapshots, And Many More Improvements
  • Sonya Ryan Discusses Online Safety And Child Protection On MSAB Podcast
  • Forensic Focus Digest, October 24 2025
    
    
• Hunt IO
  From Munitions to Malware: Interview with Joseph Harrison About His Path to Threat Intelligence
  
  
• Oxygen Forensics
  • 5 Ways DFIR Teams Can Instantly Strengthen Remote Data Collection
  • How to Parse Unsupported Applications Using Parent Application Rules
    
    
• Salvation DATA
  【Case Study】VIP3.0 – Advanced Video Detection & Log Analysis for Faster, Smarter Investigations
  
  
• Ryan G. Cox at The Cybersec Café
  How to Run a Table Top Exercise for Incident Response
  

SOFTWARE UPDATES

• Arkime
  v5.8.1
  
  
• Canadian Centre for Cyber Security
  Assemblyline 4.6.0.20
  
  
• Digital Sleuth
  winfor-salt v2025.12.0
  
  
• Lethal Forensics
  Microsoft-Analyzer-Suite v1.7.0
  
  
• North Loop Consulting
  Arsenic Update v2.0.1
  
  
• OpenCTI
  6.8.8
  
  
• Phil Harvey
  ExifTool 13.40
  
  
• Security Onion
  Security Onion 2.4.190 now available including Onion AI Assistant for Pro Customers!
  
  
• Xways
  • Viewer Component
  • X-Ways Forensics 21.6
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!