Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Erik Pistelli at Cerbero
  • Memory Challenge 5: DumpMe
  • Memory Challenge 6: Injector
    
    
• Christopher Eng at Ogmini
  • BelkaCTF 7 – AAR Metamorphosis
  • BelkaCTF 7 – AAR Radars
  • Homelab – Windows Answer files (unattend.xml/autounattend.xml)
  • Windows Notepad – Windows 25H2 – Version 11.2507.26.0
  • Zeltser Challenge – Tenth Month Accomplishments
    
    
• Forensafe
  Android Calendar
  
  
• Adam Hachem at Hexordia
  Using Open Source Forensic Tools: Compiling from Code and Python Scripts
  
  
• Justin De Luna at ‘The DFIR Spot’
  Utilizing QELP for Rapid ESXi Analysis
  

THREAT INTELLIGENCE/HUNTING

• 0xMatheuZ
  Evading Elastic Security: Linux Rootkit Detection Bypass
  
  
• 360 Threat Intelligence Centre
  Recent Activity Analysis and Technological Evolution of APT-C-60 (False Hunter)
  
  
• Faan Rossouw at Active Countermeasures
  Malware of the Day – Command and Control via Google Workspace APIs
  
  
• Akash Patel
  • Tracking Lateral Movement — Named Pipes, Scheduler, Services, Registry, and DCOM (Event IDs)
  • Tracking Lateral Movement: PowerShell Remoting, WMIC, Explicit Credentials, NTLM Relay Attacks…
  • Sublime Just Got Even Smarter: Automatic Calendar Event Deletion Is Here
    
    
• Any.Run
  Major Cyber Attacks in October 2025: Phishing via Google Careers & ClickUp, Figma Abuse, LockBit 5.0, and TyKit 
  
  
• ASEC
  • Analysis of Trigona Threat Actor’s Latest Attack Cases
  • The Beast Ransomware Hidden in the GUI
  • Analysis of Gunra Ransomware Using Vulnerable Random Number Generation Function (Distributed for Linux Environments in ELF Format)
  • September 2025 APT Group Trends
  • Distribution of Rhadamanthys Malware Disguised as a Game Developed with Ren’Py
  • Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)
    
    
• Australian Cyber Security Centre
  Don’t take BADCANDY from strangers – How your devices could be implanted and what to do about it
  
  
• Maria Vasilevskaya at Auth0
  8 Log Detections for Credential Stuffing and MFA Exploit Prevention
  
  
• Bart Blaze
  Earth Estries alive and kicking
  
  
• Brian Krebs at ‘Krebs on Security’
  Aisuru Botnet Shifts from DDoS to Residential Proxies
  
  
• CERT-AGID
  • In corso uno smishing ai danni di Autostrade per l’Italia
  • Sintesi riepilogativa delle campagne malevole nella settimana del 25 – 31 ottobre
    
    
• Chainalysis
  Five Key Takeaways from MSMT’s Report on North Korean Cyber Operations
  
  
• Check Point
  • 27th October – Threat Intelligence Report
  • Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites
    
    
• Takahiro Takeda, Jordyn Dunk, James Nutland, and Michael Szeliga at Cisco’s Talos
  Uncovering Qilin attack methods exposed through multiple cases
  
  
• Corelight
  • No PoCs? No Problem: Hunting F5 Exploits When Details Are Sparse | Corelight
  • Announcing Corelight Threat Intelligence with CrowdStrike | Corelight
    
    
• CTF导航
  APT追踪第一集：“神秘大象”APT组织攻击战术分析
  
  
• Cybereason
  From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations
  
  
• Cyble
  • APT-C-60 Escalates SpyGlace Campaigns Targeting Japan with Evolved Malware, Advanced Evasion TTPs
  • Hacktivist Attacks on Critical Infrastructure Surge: Cyble Report
  • Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector
    
    
• Cyfirma
  Weekly Intelligence Report – 31 October 2025
  
  
• Darktrace
  Darktrace’s Analysis of Post-Exploitation Activities on CVE-2025-59287
  
  
• Kennedy Toomey at Datadog Security Labs
  Learnings from recent npm supply chain compromises
  
  
• DebugPrivilege
  Machines Gone Rogue
  
  
• Sergio Albea at Detect FYI
  Threat Hunting over internal Devices via KQL Queries
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week43)
  
  
• DomainTools Investigations
  Inside the Great Firewall Part 1: The Dump
  
  
• Elastic
  Elevating public sector cyber defense with AI-powered threat hunting | Elastic Blog
  
  
• Elastic Security Labs
  TOR Exit Node Monitoring Overview
  
  
• Aaron Walton at Expel
  Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
  
  
• Eye Research
  • Battling Shadow AI: Prompt Injection for the Good
  • WSUS Deserialization Exploit in the Wild (CVE‑2025‑59287)
    
    
• Flashpoint
  The Evolution of Data Extortion TTPs: From Exploiting Code to Exploiting People
  
  
• Fortinet
  • Stolen Credentials and Valid Account Abuse Remain Integral to Financially Motivated Intrusions
  • Cloud Abuse at Scale
    
    
• Gen
  • Decrypted: Midnight Ransomware
  • VibeScams: How AI website builders are shaping the internet
  • Gen Q3/2025 Threat Report
  • DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant
    
    
• Genians
  Qilin Ransomware 분석
  
  
• Bhavesh Dhake, Will Silverstone, Matthew Hitchcock, and Aaron Fletcher at Google Cloud Threat Intelligence
  Keys to the Kingdom: A Defender’s Guide to Privileged Account Monitoring
  
  
• Group-IB
  • The Illusion of Wealth: Inside the Engineered Reality of Investment Scam Platforms
  • Detecting the NPM Supply Chain Compromise Before It Spread
    
    
• Paolo Coba and Lee Kirkpatrick at GuidePoint Security
  Finding the Master Keys: How to Hunt Malicious Client Secrets in M365
  
  
• Hudson Rock
  • Logins.zip Leverages Chromium Zero-Day: Stealthy Infostealer Builder Promises 99% Credential Theft in Under 12 Seconds
  • Russian Authorities Bust Meduza Infostealer Developers: Young Hackers Detained in Major Cybercrime Crackdown
    
    
• Hunt IO
  Multilingual ZIP Phishing Campaigns Targeting Financial and Government Organizations Across Asia
  
  
• Intrinsec
  Global Group: ransomware rebranding stories 
  
  
• Keisuke Shikano at JPCERT/CC
  TSUBAME Report Overflow (Apr-Jun 2025)
  
  
• David at ØSecurity
  A bit about timestomping
  
  
• Amy L. Robertson at MITRE ATT&CK
  ATT&CK v18: Detection Strategies, More Adversary Insights,
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 300. Same Name, Wrong Path
  • 301. Qilin Abuses Cyberduck for Exfiltration
  • 302. Hunting for CVE-2025-59287 Exploitation
  • 303. Hunting for Replication Through Removable Media
  • 304. Adversaries Abuse Microsoft Windows Resource Leak Diagnostic Tool for Dumping Memory
  • 305. BRONZE BUTLER Abuses Cloud Storage Services for Exfiltration
    
    
• OSINT Team
  • How Threat Hunters Think: The Mindset, Tools, and Methodology
  • Fileless Loaders Explained : How Attackers Run Code in Memory
  • MonsterV2 Malware-as-a-Service (MaaS) and the TA585 Threat Group’s Advanced ClickFix Campaigns…
    
    
• Dan Green at Push Security
  New LinkedIn phishing campaign identified by Push Security
  
  
• Qi’anxin X Lab
  Smoking Gun Uncovered: RPX Relay at PolarEdge’s Core Exposed
  
  
• SANS Internet Storm Center
  • Kaitai Struct WebIDE, (Sun, Oct 26th)
  • Bytes over DNS, (Mon, Oct 27th)
  • A phishing with invisible characters in the subject line, (Tue, Oct 28th)
  • How to collect memory-only filesystems on Linux systems, (Wed, Oct 29th)
  • X-Request-Purpose: Identifying “research” and bug bounty related scans?, (Thu, Oct 30th)
    
    
• Sojun Ryu and Omar Amin at Securelist
  Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs
  
  
• Sathwik Ram Prakki at Seqrite
  Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus
  
  
• Silent Push
  Silent Push Unearths AdaptixC2’s Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads
  
  
• Socket
  • 10 npm Typosquatted Packages Deploy Multi-Stage Credential Harvester
  • Security Community Slams MIT-linked Report Claiming AI Powers 80% of Ransomware
    
    
• Sophos
  • Phake phishing: Phundamental or pholly?
  • BRONZE BUTLER exploits Japanese asset management software vulnerability
    
    
• Stephan Berger
  Today I learned: binfmt_misc
  
  
• Symantec Enterprise
  Ukrainian organizations still heavily targeted by Russian attacks
  
  
• System Weakness
  • CSI: Linux — Hunting for Persistence in the Ironshade Room ️‍♂️
  • Detection Engineering Training: Detecting Browser Credential Theft Attacks
  • Anatomy of a Phish: How We Got from the “Nigerian Prince” to Modern Scams
    
    
• Sydney Marrone at THOR Collective Dispatch
  Dispatch Debrief: October 2025
  
  
• Trend Micro
  Ransomware Spotlight: DragonForce
  
  
• Oddvar Moe at TrustedSec
  Hack-cessibility: When DLL Hijacks Meet Windows Helpers
  
  
• Varonis
  • Meet Atroposia: The Stealthy Feature-Packed RAT
  • The Silent Attackers: Exploiting VPC Endpoints to Expose AWS Accounts of S3 Buckets Without a Trace
    
    
• Vasilis Orlof at Cyber Intelligence Insights
  Intel Drops #4
  
  
• Vxdb
  Infostealers Disguised as Free Video Game Cheats
  
  
• Iván Cabrera at White Knight Labs
  Methodology of Reversing Vulnerable Killer Drivers
  
  
• Ben Powell (Sr. Web Content Writer) at ZScaler
  Understanding the Threat Hunting Lifecycle
  
  
• Palo Alto Networks
  • Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28)
  • Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
  • When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems
    

UPCOMING EVENTS

• Black Hills Information Security
  Talkin’ Bout [infosec] News 2025-11-03 #infosec #news
  
  
• Brett Shavers
  Fighting City Hall: DF/IR Lessons from a Pro Se Plaintiff. One judgment, two years saved, half a million reasons it was worth it.
  
  
• Cellebrite
  Cellebrite + Corellium: Where Digital Forensics Meets Mobile Security
  
  
• Cybersecurity mentors podcast
  Lessons Learned From the Australian National University Breach w/Suthagar Seevaratnam P2 | CMP S5 E4
  
  
• Simply Defensive
  Balancing Education and Real-World Cybersecurity with a SOC Analyst Student | Simply Defensive S5 E4
  
  
• Magnet Forensics
  • Legal Unpacked E2: Beyond the app icon: Drafting mobile device warrants that reflect how data is really stored
  • Smarter mobile investigations: Tools for today’s forensic service providers
    
    
• SANS
  SANS Difference Makers Awards 2025
  
  
• Silent Push
  • Workshop – Detection Strengthening Integrations for Preemptive Cyber Defense: SIEM Edition
  • Webinar – Unlocking the Power of Domain Search & PADNS-based Preemptive Detection  – Silent Push
    
    
• Sygnia
  Surviving the Breach: Lessons Learned From Past Breaches
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Cobalt Strike Loader Internals: From Loader to Shellcode Execution
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast S3 – 1
  
  
• Cloud Security Podcast by Google
  EP249 Data First: What Really Makes Your SOC ‘AI Ready’?
  
  
• Cyber Social Hub
  A.I. vs. Human Intuition
  
  
• InfoSec_Bret
  Challenge – Hidden Backdoor
  
  
• John Dwyer
  Malware analysis walkthrough – JavaScript Infostealer
  
  
• Kevin Pagano at Stark 4N6
  Truth in Data Podcast Feature – CTFs
  
  
• Magnet Forensics
  Mobile Unpacked S3:E10 // Picking apart the passcodes: Determining the method of unlock on devices
  
  
• Monolith Forensics
  Adding a Contact to a Case in Monolith
  
  
• MSAB
  #MSABMonday – XAMN Pro Context
  
  
• MyDFIR
  SOC Alert Triage Explained: What Most Beginners Get Wrong
  
  
• Off By One Security
  • ReVault! Compromised by your Secure SoC with Philippe Laulheret
  • Scaling LLM-Based Vulnerability Research via Static Analysis and Document Ranking
    
    
• Parsing the Truth: One Byte at a Time
  More with Larry on the Thing About Pam
  
  
• Permiso Security
  Permiso Demo Webinar | October 30th, 2025
  
  
• Richard Davis at 13Cubed
  The Easy Way to Analyze Linux Memory
  
  
• SANS Cloud Security
  2025 SANS CloudSecNext Summit
  
  
• Security BSides Dublin
  Security BSides Dublin 2025
  
  
• The Cyber Mentor
  • LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team
  • Intro to PowerShell: Hunting Network Activity.
    
    
• Three Buddy Problem
  OpenAI’s Dave Aitel talks Aardvark, economics of bug-hunting with LLMs
  

MALWARE

• Arctic Wolf
  UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
  
  
• Bobby Rauch
  Breaking Down a Google Drive Phishing Scam — Total Security or Total Scam?
  
  
• Abdallah Elnoty at eln0ty
  SpyNote C2 Emulator
  
  
• ReversingLabs
  • Evaluating YARA Rules for macOS Malware Hunting in Spectra Analyze
  • Tracking an evolving Discord-based RAT family
    
    
• John Tuckner at Secure Annex
  Who’s that Pokemon? It’s Monero!
  
  
• John Tuckner at Secure Annex
  SleepyDuck malware invades Cursor through Open VSX
  
  
• Security Onion
  Spooky malware analysis!
  
  
• Shubho57
  Analysis of Latrodectus variant(msi installer)
  
  
• The Reverser’s Draft
  The PEB Walk Anatomy
  
  
• ThreatFabric
  New Android Malware Herodotus Mimics Human Behaviour to Evade Detection
  
  
• Jeffrey Francis Bonaobra, Joe Soares, and Emmanuel Panopio at Trend Micro
  Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
  
  
• Wordfence
  • 100,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Anti-Malware Security and Brute-Force Firewall WordPress Plugin
  • Rogue WordPress Plugin Conceals Multi-Tiered Credit Card Skimmers in Fake PNG Files
  • Attackers Actively Exploiting Critical Vulnerability in WP Freeio Plugin
    
    
• YUCA
  Malops Challenge 9:Katz Stealer Write Up
  

MISCELLANEOUS

• Cellebrite
  • Actor, Host, Artist and Anti-Human Trafficking Advocate Terry Crews to Headline Cellebrite C2C User Summit 2026 
  • Find Your Investigative Path
  • Sharing is Caring: Shifting the Paradigm of Digital Investigations Workflows
  • Unlock the Strategic Advantage of AI in Digital Investigations
  • Endpoint Inspector: A Modern, Flexible and User-Friendly Solution for Your Organization
    
    
• CyberBoo
  • Microsoft Defender for Endpoint Part 3: Alert Management & Investigation Fundamentals
  • Microsoft Defender for Endpoint Part 4: Incident Management & Attack Story Analysis
    
    
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 10/27/25
  
  
• Forensic Focus
  • Digital Forensics Jobs Round-Up, October 27 2025
  • Oxygen Tech Bytes In September 2025
  • Digital Forensics Round-Up, October 29 2025
  • MSAB Whitepaper – Investigating RAM In A Mobile Device
  • GMDSOFT Tech Letter Vol 15. Analyzing Anti-Forensic Traces Left By Location Spoofing Apps
    
    
• HackTheBox
  Scattered Spider: A 90-day recovery plan to build better resilience
  
  
• Iram Jack
  Intro to Cold System Forensics
  
  
• Lykos Defence
  Whitepaper: From Chaos to Capability
  
  
• Magnet Forensics
  • Simplified start and export in Magnet Witness 1.10 
  • From seizure to verdict: Strengthening prosecutions with clear, admissible digital evidence
  • When the lab never sleeps
  • Protecting sensitive media evidence with cloud security you can verify
  • New! Magnet Certification Preparation
    
    
• Patrick Siewert at ‘The Philosophy of DFIR’
  Selling the Science: Marketing of DF/IR Services
  
  
• Raymond Roethof
  Microsoft Defender for Identity Recommended Actions: GPO can be modified by unprivileged accounts
  

SOFTWARE UPDATES

• Arkime
  v5.8.2
  
  
• Arsenal Recon
  Quick Tour Of New Features In Arsenal Image Mounter v3.12.331
  
  
• Didier Stevens
  Update: dnsresolver.py Version 0.0.4
  
  
• Digital Detective
  NetAnalysis® v4.1 – Decrypting Firefox v144
  
  
• Digital Sleuth
  winfor-salt v2025.12.1
  
  
• Maxim Suhanov
  dfir_ntfs file system parser 1.1.20
  
  
• OpenCTI
  6.8.10
  
  
• Sigma
  r2025-11-01
  
  
• Vound
  Intella 3.0.1 Release Notes
  
  
• Xways
  • X-Ways Forensics 21.7 Preview
  • X-Ways Forensics 21.6 SR-1
  • X-Ways Forensics 21.5 SR-10
  • Viewer Component
    
    
• YARA
  YARA v4.5.5
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!