Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  • Mastering Cloud Storage Forensics: Google Drive, OneDrive, Dropbox & Box Investigation Techniques
  • Every forensic investigator should know these common antiforensic wipers
  • Carving Hidden Evidence with Bulk Extractor: The Power of Record Recovery
    
    
• Andrew Malec
  LUKS, hashcat, and hidden volumes
  
  
• Christian Peter
  “Things that were, and things that are, and things that yet may be — ALEX is now available!”
  
  
• Christopher Eng at Ogmini
  • BelkaGPT – Effective Artificial Intelligence in DFIR
  • Using Open Source Tools
  • Trying out ALEX – Android Logical Extractor
  • SANS Holiday Hack Challenge 2025
  • SANS Holiday Hack Challenge 2025 – Progress
  • Examining Mobile Hotspots – Orbic Speed RC400L
    
    
• Oleg Afonin at Elcomsoft
  Exploring iPadOS, tvOS and audioOS 17 and 18 Devices: File System and Keychain Extraction
  
  
• Forensafe
  Android App Usage History
  
  
• Iram Jack
  • Forensic Imaging
  • Autopsy
  • Disk Filtration
  • ExfilNode
    
    
• Mattia Epifani at Zena Forensics
  Beyond the Known: A Call to Forensic Research on Samsung Android Artifacts
  
  
• Tasos Chatziefstratiou
  IIS User Access Logging (UAL)
  
  
• Dante Fazio at The Metadata Perspective
  Metadata Matters: Camera Original Photos vs. Screenshots in Court
  

THREAT INTELLIGENCE/HUNTING

• ⌛☃❀✵Gootloader Details ✵❀☃⌛
  Gootloader Is Back (Back Again)
  
  
• Adam at Hexacorn
  1 little known secret of cliconfg.exe
  
  
• Charlie Eriksen at Aikido
  Invisible Unicode Malware Strikes OpenVSX, Again
  
  
• Christine Barry at Barracuda
  Nitrogen ransomware: From staged loader to full-scale extortion
  
  
• Victor Vrabie at Bitdefender
  Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines
  
  
• Brian Krebs at ‘Krebs on Security’
  • Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody
  • Cloudflare Scrubs Aisuru Botnet from Top Domains List
    
    
• Campaign and public sector information security
  Dangerous PDF programs
  
  
• CERT-AGID
  • In corso una campagna di phishing ai danni di Banca d’Italia
  • Phishing ai danni di AdE: falsa “Dichiarazione Fiscale Criptovalute”
  • Sintesi riepilogativa delle campagne malevole nella settimana del 1 – 7 novembre
  • Analisi di Remcos RAT diffuso in Italia con campagna ClickFix a tema GLS
    
    
• Check Point
  • 3rd November – Threat Intelligence Report
  • Beating XLoader at Speed: Generative AI as a Force Multiplier for Reverse Engineering
  • Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed
    
    
• Max Gannon at Cofense
  International Threats – Infection URLs Used in Regional Phishing Campaigns
  
  
• David Burkett at Corelight
  Using the PEAK Framework to Expose Salt Typhoon | Corelight
  
  
• Crowdstrike
  CrowdStrike 2025 European Threat Landscape Report: Extortion Rises, Nation-State Activity Intensifies
  
  
• Cyberbit
  Scattered Spider, LAPSUS$, and ShinyHunters unite into a cybercrime merger of chaos 
  
  
• Cyfirma
  Weekly Intelligence Report – 07 November 2025
  
  
• Darktrace
  Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace
  
  
• Tesnim Hamdouni, Ian Kretz, and Sebastian Obregoso at Datadog Security Labs
  MUT-4831: Trojanized npm packages deliver Vidar infostealer malware
  
  
• DebugPrivilege
  • When was the last time you patched your Domain Controllers?
  • From vendor to ESC1
    
    
• Burak Karaduman at Detect FYI
  Agentic Detection Creation: From Sigma to Splunk Rules (or any platform)
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week44)
  
  
• Erik Hjelmvik at Netresec
  Optimizing IOC Retention Time
  
  
• FalconFeeds
  • The Global Carding Ecosystem: A Threat Intelligence Profile of Modern Financial Fraud and Underground Infrastructure (2024-2025 Outlook)
  • The Fog of Leaks: How Fake Breach Claims and Copycat Actors Confuse Attribution
  • Malware Multilingual: How Language Clues Reveal the Origins and Targets of Threat Groups
  • The Invisible War: How APT Groups Operate Without Making Headlines
  • The Rise of Cybercrime Cartels: Are We Entering a New Era of Organized Digital Crime?
  • The Apex of Evasion: Analyzing Decentralization, AI, and the Malicious Evolution of the Stealer Malware-as-a-Service Ecosystem (October 2025)
  • The Cybercrime Playbook: How Threat Actors Learn from Each Other—An Analysis of TTP Convergence and CTI Tracecraft
  • When Malware Becomes Marketing: How Ransomware Groups Use PR to Intimidate
  • Hybrid Threats To Global Trade: The Surge In Cyber Attacks On Ports And Sea Routes
  • The Global Digital Frontline: Analysis of Government Cyber Incidents, October 2024–September 2025
    
    
• Flashpoint
  LockBit 5.0 Analysis: Technical Deep Dive into the RaaS Giant’s Latest Upgrade
  
  
• g0njxa
  Approaching stealers devs: a brief interview with AURA
  
  
• Google Cloud Threat Intelligence
  • Preparing for Threats to Come: Cybersecurity Forecast 2026
  • GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools
    
    
• GreyNoise
  PHP Cryptomining Campaign: October/November 2025
  
  
• Group-IB
  Ghosts in /proc: Manipulation and Timeline Corruption
  
  
• HackTheBox
  • BianLian’s silent breach: How 1 exploit hit Nippon Steel’s supply chain
  • The Brickstorm breach: Anatomy of UNC5221’s 12-month espionage operation
  • Escaping the Scattered Spider’s web: 6 takeaways from our deep dive
    
    
• Hudson Rock
  Nikkei Breached: Infostealer Infection Grants Access to 17K+ Employee Slack Chat Histories
  
  
• Anna Pham at Huntress
  Gootloader | Threat Detection Overview
  
  
• Jeffrey Bellny at CatchingPhish
  Phishing via Phish Sim tools
  
  
• Yuma Masubuchi at JPCERT/CC
  Update on Attacks by Threat Group APT-C-60
  
  
• Kevin Beaumont at DoublePulsar
  CyberSlop — meet the new threat actor, MIT and Safe Security
  
  
• Kostas
  DetectionStream: Introducing the Sigma Training Platform
  
  
• Kroll
  Kroll Conversations: Meet the DFIR Experts
  
  
• LevelBlue
  • SpiderLabs Ransomware Tracker Update October 2025: Qlin Doubles Down on Attacks
  • Dissecting and Understanding APT Threat Group Activity
    
    
• Natto Thoughts
  A Researcher Came Knocking, and Taught China a Lesson in How to Manage Vulnerabilities — and Researchers
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 306. Adversaries Modify Registry to Enable Remote Debugging
  • 307. Hunting for Tar Abuse
  • 308. Adversaries Abuse OpenAI Assistants API
  • 309. Adversaries Use Hidden Hyper-V Virtual Machines
  • 310. Adversaries Keep Abuse Uncommon RMMs
  • 311. Hunting for MSBuild Abuse
  • 312. Hunting for Certutil Abuse
  • 313. Here’s How Real Adversaries Abuse PowerShell for Discovery
    
    
• Picus Security
  • Dissecting ValleyRAT: From Loader to RAT Execution in Targeted Campaigns
  • UNC6384’s 2025 PlugX Campaign Explained
  • Gossamer Bear APT: Windows Endpoint Campaign Explained
  • Prophet Spider Threat Actor Explained
  • Multi-Platform VanHelsing Ransomware (RaaS) Analysis
    
    
• Proofpoint
  • Remote access, real cargo: cybercriminals targeting trucking and logistics
  • Crossed wires: a case study of Iranian espionage and attribution
    
    
• Dan Green at Push Security
  The most advanced ClickFix yet?
  
  
• Qi An Xin Threat Intelligence Center
  Operation South Star:针对国产手机的 0day 间谍活动
  
  
• Recorded Future
  • Ransomware Detection With Real-Time Data | Recorded Future
  • Malicious Infrastructure Finds Stability with aurologic GmbH
    
    
• Susannah Clark Matt at Red Canary
  A defender’s guide to phishing
  
  
• Vladimir Pezo at ReversingLabs
  How PowerShell Gallery simplifies attacks
  
  
• Rohan Karnkoti
  Code-in-the-Middle : An Introduction to IR
  
  
• SANS Internet Storm Center
  • Scans for Port 8530/8531 (TCP). Likely related to WSUS Vulnerability CVE-2025-59287, (Sun, Nov 2nd)
  • XWiki SolrSearch Exploit Attempts (CVE-2025-24893) with link to Chicago Gangs/Rappers, (Mon, Nov 3rd)
  • Updates to Domainname API, (Wed, Nov 5th)
  • Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary], (Wed, Nov 5th)
  • Honeypot: Requests for (Code) Repositories, (Sat, Nov 8th)
    
    
• John Tuckner at Secure Annex
  RansomVibing appears in VS Code extensions
  
  
• Security Alliance
  From North Korean IT Workers to IT recruiters
  
  
• Sekoia
  Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers
  
  
• Subhajeet Singha at Seqrite
  Operation Peek-a-Baku: Silent Lynx APT makes sluggish shift to Dushanbe
  
  
• Shantaciak
  Building the Logic
  
  
• Sky Blueteam
  Analyzing the unsafe chroot behavior of sudo CVE-2025-32463
  
  
• SOCRadar
  Bulwark: Unpacking the Packer That Redefines Malware Evasion
  
  
• Ross McKerchar, Rafe Pilling, Sarah Kern, Angela Gunn, Jane Adams, Mindi McDowell, and Ryan Westman at Sophos
  Detecting fraudulent North Korean hires: A CISO playbook
  
  
• Symantec Enterprise
  China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy
  
  
• System Weakness
  • Peeking Inside Malware’s Toolbox: An Intro to REMnux
  • Ransomware 101: How These Digital Muggers Work and Why Backup is Your Best Shield ️
  • From Alert to Action: A SOC Analyst’s Guide to Triage with Elastic ️
  • Alert Triage With Elastic — TryHackMe
  • To Hack or Not to Hack: The Unholy Trinity of Malware
  • [ SOC Alert => Lumma Stealer — DLL Side-Loading via Click Fix Phishing ] by LetsDefend / EventID…
  • From Noise to Signal: A SOC Analyst’s Guide to Alert Triage in Splunk
    
    
• Ryan G. Cox at The Cybersec Café
  Detections as Code in DataDog (Pt. 2): How I Test Detections
  
  
• The Raven File
  CLOP RANSOMWARE: DISSECTING NETWORK
  
  
• THOR Collective Dispatch
  • Ask-a-Thrunt3r: October 2025 Logtoberfest Edition 🍺🐏
  • Hunting Beyond Indicators – Part 2
    
    
• Jack Wigley, Jason Trapp and Trevor Tucker at Triskele Labs
  Threat Actors Using Python to Harvest Your Inbox
  
  
• Trustwave SpiderLabs
  • Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand
  • The Cat’s Out of the Bag: A ‘Meow Attack’ Data Corruption Campaign Simulation via MAD-CAT
    
    
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – October Update
  
  
• Kenneth Kinion at Valdin
  Finding Related Fake “DMCA Takedown” Domains with Validin
  
  
• Alexandra Martin at VirusTotal
  November is the Month of Searches: Explore, Learn, and Share with #MonthOfVTSearch
  
  
• VMRay
  How to turn Defender & Sentinel alerts into actionable threat intelligence
  
  
• WeLiveSecurity
  • Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming
  • ESET APT Activity Report Q2 2025–Q3 2025
    
    
• Блог Solar 4RAYS
  Фишинговая кампания Erudite Mogwai в России
  
  
• Palo Alto Networks
  • Know Ourselves Before Knowing Our Enemies: Threat Intelligence at the Expense of Asset Management
  • LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
    

UPCOMING EVENTS

• Black Hills Information Security
  Talkin’ Bout [infosec] News 2025-11-10 #infosec #news
  
  
• Cqure Academy
  *LIVE WEBINAR* Top 10 Techniques to Detect and Defend Against Threats
  
  
• Cybersecurity Mentors Podcast
  Inside Mandiant: Charles Carmakal on the Front Lines of Global Cyber Warfare | CMP S5 E5
  
  
• Huntress
  Live Hacking Into Microsoft 365 with Kyle Hanslovan
  
  
• Huntress
  Tradecraft Tuesday | Shadiest Catch: Looking Back (And Forward) at Phishing Tactics
  
  
• Magnet Forensics
  AI Unpacked #6: Everything you wanted to know—and weren’t afraid to ask
  
  
• Spur
  The Spur Relay — Q4 2025: New Proxy Threats, SDK Abuse & Detection
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data: EP17: The Changing Role of Digital Forensics: The Digital Detective of the Future
  
  
• Adversary Universe Podcast
  Extortion Rises and Nation-State Activity Intensifies: The CrowdStrike 2025 European Threat Landscape Report
  
  
• Anuj Soni
  Set Up Your Malware Analysis Lab the Right Way
  
  
• Behind the Binary by Google Cloud Security
  EP18 10,000 DLLs and Too Much Math – Wrapping Up FLARE-On 12 with the FLARE Team
  
  
• Cellebrite
  Tip Tuesday: That’s a Wrap on the 2025 CTF
  
  
• Chainalysis
  FBI’s Murder-For-Hire Crypto Investigation: Podcast Ep. 173
  
  
• Cloud Security Podcast by Google
  EP250 The End of “Collect Everything”? Moving from Centralization to Data Access?
  
  
• Compass Security
  Windows Access Tokens – From Authentication to Exploitation
  
  
• Endace
  The Packet Forensic Files, Ep 64 with Steve Fink about building effective and resilient SOCs
  
  
• Flare
  Attack on Identity: Dissecting the 2025 Microsoft Digital Defense Report
  
  
• John Hammond
  • Window Batch Malware Analysis!
  • Fake DMCA MALWARE Scam
    
    
• Logzio
  Investigating SIEM Incidents with Logz.io
  
  
• Magnet Forensics
  • Legal Unpacked E2: Beyond the app icon: Drafting mobile device warrants that reflect how data is really stored
  • Smarter mobile investigations: Tools for today’s forensic service providers
    
    
• Microsoft Threat Intelligence Podcast
  Beyond AI for Security Hype: What Really Matters in Cyber Defense
  
  
• MITRE
  ATT&CKcon 6.0
  
  
• Monolith Forensics
  Assigning Users to a Case in Monolith
  
  
• MSAB
  #MSABMonday – XAMN Pro Exporting Options
  
  
• MyDFIR
  • REAL SOC Analyst Investigation | Email Phishing | MYDFIR SOC Community
  • From Teacher to Cybersecurity: How Nigel Is Pivoting Toward a SOC Career
    
    
• OALabs
  IDA Free Reverse Engineering – Step-by-Step EXE Analysis
  
  
• Paraben Corporation
  • Import Passware Device Unlocks into E3
  • Capturing and Reviewing Steam Data in E3
  • Zandra AI Processing data in a Memory Dump
    
    
• Parsing the Truth: One Byte at a Time
  25 Years of Turmoil in Digital Forensics
  
  
• Permiso Security
  • Overview of Permiso’s AI security capabilities – identifying AI users, builders and agents
  • How Permiso identifies AI exposures
  • Identifying AI users, builders and agents for any identity
  • How Permiso creates badges for identities that are AI users, builders and agents
    
    
• Proofpoint
  Elect More Hackers: Tech Skills for Real-World Change
  
  
• Richard Bejtlich at TaoSecurity
  I’m Hosting a New Podcast
  
  
• Sandfly Security
  Linux Stealth Rootkit Hunting Video Presentation
  
  
• SANS
  How Modern Threats Are Redefining the Rules of Defense with Paul Chichester
  
  
• Security Onion
  Security Onion Conference 2025 Recordings Now Available!
  
  
• SentinelOne
  LABScon25 Replay | LLM-Enabled Malware In the Wild
  
  
• Studio d’Informatica Forense
  Workshop su Web Forensics e Indagini Digitali per MSAB a Roma
  
  
• Sumuri
  • TALINO Talk Episode 18
  • How to Nominate a Law Enforcement Agency for SUMURI Gives Back 2025
    
    
• THE Security Insights Show
  THE Security Insights Show Episode 279: Security Copilot Updates
  
  
• The Weekly Purple Team
  🚨 CVE-2025-59287: Purple Teaming the Critical WSUS RCE Vulnerability
  
  
• Uriel Kosayev
  For serious people only – MAoS – Malware Analysis on Steroids
  

MALWARE

• ASEC
  An Unerring Spear: Cephalus Ransomware Analysis
  
  
• Kacper Ratajczak at CERT Polska
  Analysis of NGate malware campaign (NFC relay)
  
  
• Cybereason
  Tycoon 2FA Phishing Kit Analysis
  
  
• Dr. Web
  Cavalry Werewolf hacker group attacks Russian state institutions
  
  
• Microsoft Security
  • SesameOp: Novel backdoor uses OpenAI Assistants API for command and control
  • ​​Whisper Leak: A novel side-channel attack on remote language models
    
    
• Ovi Liber
  New Kimsuky Malware “EndClient RAT”: First Technical Report and IOCs
  
  
• Pulsedive
  Dissecting the Infection Chain: Technical Analysis of the Kimsuky JavaScript Dropper
  
  
• Shikha Sangwan at Securonix
  CHAMELEON#NET: A Deep Dive into Multi-Stage .NET Malware Leveraging Reflective Loading and Custom Decryption for Stealthy Operations
  
  
• Shubho57
  Analysis of Ares RAT (elf file)
  
  
• Kush Pandya at Socket
  9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads
  
  
• Ben Martin at Sucuri
  Slot Gacor: The Rise of Online Casino Spam
  
  
• Quentin Roland at Synacktiv
  Site Unseen: Enumerating and Attacking Active Directory Sites
  
  
• Bernardo.Quintero at VirusTotal
  Reversing at Scale: AI-Powered Malware Detection for Apple’s Binaries
  
  
• István Márton at Wordfence
  400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin
  
  
• Zhassulan Zhussupov
  Malware development trick 54: steal data via legit Angelcam API. Simple C example.
  
  
• Will Seaton, Viral Gandhi, Himanshu Sharma, and Yesenia Barajas at Zscaler
  Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report
  
  
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  Monkey
  

MISCELLANEOUS

• Ahmed K. Ali
  Extracting and Flashing Hard Drive PCB Firmware with the CH341A Programmer
  
  
• Belkasoft
  DFIR Reports with Belkasoft X
  
  
• Brett Shavers
  Ripping the Band-Aid Off DF/IR
  
  
• Cellebrite
  The AI Advantage: Managing Investigations with Confidence
  
  
• Decrypting a Defense
  Cities Start Going Flockless, NYPD Cameras Lawsuit, CSAM & the Private Search Doctrine, OSINT Intro for Witness Social Media & More
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 11/03/25
  
  
• DomainTools Investigations
  Inside the Great Firewall Part 2: Technical Infrastructure
  
  
• Forensic Focus
  • Navigating The Next Era Of Digital Investigations: A Thought Leadership Perspective
  • GMDSOFT MD-Series Q3 Release Note Highlights
  • Carol Brooks, Cyber Psychologist, Platinum 3P
  • Digital Forensics Round-Up, November 05 2025
  • DFI Well-Being At The National Level: Why Lived Experience Must Shape Policy
  • Forensic Focus Digest, November 07 2025
    
    
• HackTheBox
  • The new HTB Academy: Built for learners and powered by your feedback
  • Stop the alert overload: How to train like you’re actually under attack
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Inside the Unified Log 7: Claude diagnoses the log
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (November 2025)
  
  
• Oxygen Forensics
  Unlock Tangible ROI in Remote Data Collections
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.190!
  
  
• Cameron Paddy at Triskele Labs
  The need for independent cyber investigations
  
  
• Vxdb
  The Underground Minecraft Account Market
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.4.24
  
  
• Brian Maloney
  OneDrive updates
  
  
• Didier Stevens
  Update: cs-parse-traffic.py Version 0.0.6
  
  
• Digital Sleuth
  winfor-salt v2025.13.3
  
  
• Doug Metz at Baker Street Forensics
  CyberPipe v5.3: Enhanced PowerShell Compatibility and Reliability
  
  
• Elcomsoft
  iOS Forensic Toolkit 8.81 adds iOS 17 and 18 support for checkm8 extractions
  
  
• Microsoft
  msticpy – Defender data provider update for API changes
  
  
• MISP
  MISP v2.5.24 – Security & Stability Update
  
  
• MobilEdit
  New release: MOBILedit Forensic 9.7 — Exynos bypassing, multi-user Android analysis and more!
  
  
• Phil Harvey
  ExifTool 13.41
  
  
• Xways
  • Viewer Component
  • X-Ways Forensics 21.5 SR-10
  • X-Ways Forensics 21.6 SR-2
  • X-Ways Forensics 21.7 Preview 2
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!