As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Atola Technology
  - Before Image Acquisition: The Power of Drive Diagnostics
- Akash Patel
- Belkasoft
  - iOS Telegram Forensics. Part II: Artifacts, Secret Chats, Cache, Deleted Messages
- Christopher Eng at Ogmini
- Damien Attoe
- Elcomsoft
- Forensafe
  - Android Application Icons
- Foxton Forensics
  - Investigating Chrome history snapshots
- InfoSec Write-ups
  - Digital Forensics — Windows USB Artifacts [Insider Threat Case]
- Kevin Pagano at Stark 4N6
  - The Evidence Locker – A DFIR Image Compendium
- Kenneth G Hartman at Lucid Truth Technologies
  - Torrential Downpour and BitTorrent Evidence – A Forensic Perspective on P2P Investigations
- System Weakness
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
  - Hunt What Hurts: The Pyramid of Pain
- Alex Necula
  - From ClickFix Fake Update to Vidar Stealer
- Anthropic
  - Disrupting the first reported AI-orchestrated cyber espionage campaign
- AttackIQ
- CJ Moses at AWS Security
  - Amazon discovers APT exploiting Cisco and Citrix zero-days
- Jade Brown at Bitdefender
  - Bitdefender Threat Debrief | November 2025
- Brian Krebs at ‘Krebs on Security’
- CERT-AGID
- Check Point
  - 10th November – Threat Intelligence Report
  - New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond
  - Global Cyber Attacks Surge in October 2025 Amid Explosive Ransomware Growth and Rising GenAI Threats
  - Payroll Pirates: One Network, Hundreds of Targets
  - The State of Ransomware – Q3 2025
- CISA
- Chetan Raghuprasad and Michael Szeliga at Cisco’s Talos
  - Unleashing the Kraken ransomware group
- Cyberdom
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 14 November 2025
- Andrea Draghetti at D3Lab
  - GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices
- Damien Lewke
  - Vibe Hunting: Outcome-Driven Threat Hunting
- Danny Zendejas
  - Rethinking SIEM Part II
- Darktrace
  - Vo1d Botnet Exposed: How Darktrace Detected a Global Android Threat
- DebugPrivilege
- Burak Karaduman at Detect FYI
  - Agentic Detection Creation — Now With Atomic Red Team and Splunk MCP Integration
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 45)
- DomainTools Investigations
  - Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications
- Elliptic
  - Elliptic’s Typologies Report: Disrupting the use of stablecoins by sanctioned actors
- FalconFeeds
  - The Life Cycle of a Malicious Domain: From Registration to Takedown
  - When Leaks Lead to Leverage: How Threat Actors Use Breach Data for Long-Term Targeting
  - Expert Threat Profile: Cyber Toufan—The Convergence of Negligence Exploitation and Destructive Capability
  - The Nexus of Espionage and Finance: Analyzing the Chinese Transnational Cybercrime Ecosystem Through the Mount Sinai Incident
- Luis Corrons at Gen
  - SMS threats: the many faces of a tiny text
- Genians
  - State-Sponsored Remote Wipe Tactics Targeting Android Devices
- Google Cloud Threat Intelligence
- Billy Leonard at Google Threat Analysis Group
  - TAG Bulletin: Q3 2025
- Group-IB
  - Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure
- Grumpy Goose Labs
  - Be KVM, Do Fraud
- Hornet Security
- Hunt IO
  - The Complete Guide to Hunting Cobalt Strike – Part 1: Detecting Cobalt Strike in Open Directories
- Lindsey O’Donnell-Welch at Huntress
  - Threats Plague Educational Organizations
- Meyta Zenis Taliti at Intellibron
  - Threat Hunt Catalog: Bringing Sigma Detections to Life
- Roy Halevi at Intezer
  - What the Anthropic Report on AI Espionage Means for Security Leaders
- Invictus Incident Response
  - Profiling Silk Typhoon: Tactics, History & Defenses
- Adam Goss at Kraven Security
- Doug Olenick at LevelBlue
  - LevelBlue Futures Report: Retail Leaders Reveal Security Concerns
- Mike Cohen at Rapid7
  - Memory Analysis with Velociraptor – Part 1
- Ucha Gobejishvili at Mitiga
  - Now You See Me: Workday Logs
- Nasreddine Bencherchali
  - SigmaHQ Quality Assurance Pipeline
- Netscout
  - Who Turns to Stone Now?
- Bart Parys at NVISO Labs
  - Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
- Oleg Skulkin at ‘Know Your Adversary’
  - 314. Adversaries Abuse PowerShell to Create Shortcuts for Persistence
  - 315. Adversaries Abuse CURL to Collect Authentication Material
  - 316. Adversaries Keep Using Plink and Putty to Establish a Reverse SSH Tunnel
  - 317. Adversaries Use AppleScript Files More and More Often
  - 318. Adversaries Use PowerShell to Hunt for Password Stores
  - 319. Adversaries Abuse JSON Storage Services for Malware Delivery
  - 320. Adversaries Abuse Finger in ClickFix Attacks
- Pepe Berba
- Picus Security
  - xHunt APT: Cyber-Espionage Operations Targeting Kuwait and Exchange Servers
  - Ferocious Kitten APT Exposed: Inside the Iran-Focused Espionage Campaign
  - MalKamak APT’s ShellClient RAT: Inside Operation GhostShell
  - GreenCharlie APT: Iran’s PowerShell-Based Cyber Espionage Campaigns
  - DEV-1084 and MERCURY: Inside Iran’s DarkBit Ransomware Operations
- Proofpoint
- Dan Green at Push Security
  - Analysing “Scattered Lapsus$ Hunters” breaches since 2021
- Daniel Card at PwnDefend
  - Suspected Zero Day – What to do if you have a device that may be in scope for exploitation?
  - Suspected Fortinet Zero Day Exploited in the Wild
  - Analysing 1 Million Honeypot events with Defused Cyber Deception
  - Rhadamanthys – Over 44 Million Credentials Stolen
  - Fortiweb Vulnerabilities 2025
  - A brief history of AI being used for Defensive Cyber
- Recorded Future
- Laura Brosnan at Red Canary
  - Sniffing out TruffleHog in AWS
- SANS Internet Storm Center
  - It isn’t always defaults: Scans for 3CX usernames, (Mon, Nov 10th)
  - Formbook Delivered Through Multiple Scripts, (Thu, Nov 13th)
  - SmartApeSG campaign uses ClickFix page to push NetSupport RAT, (Wed, Nov 12th)
  - Microsoft Office Russian Dolls, (Fri, Nov 14th)
  - Honeypot: FortiWeb CVE-2025-64446 Exploits, (Sat, Nov 15th)
  - Finger.exe & ClickFix, (Sun, Nov 16th)
  - SANS Holiday Hack Challenge 2025, (Sun, Nov 16th)
- Shadowserver
  - Rhadamanthys Historical Bot Infections Special Report
- Silent Push
  - Advanced Threat Hunting: Four Techniques to Detect Phishing Infrastructure Before it Strikes
- Simone Kraus
  - From Ransomware to Nation-State - How MITRE ATT&CK v18 & Detection Strategies turn Active Directory…
- Socket
- Jon Munshaw at Sophos
  - Infostealers: The silent doorway to identity attacks — and why proactive defense matters
- Splunk
- Jeremy Bender at Team Cymru
  - Team Cymru Supports Europol to Takedown of Three Key Cybercriminal Tools as Part of Operation Endgame
- THOR Collective Dispatch
- Adithya Chandra and Maulik Maheta at Trellix
  - How Trellix Helix detects AS-REP Roasting in Active Directory
- David Sancho, Vincenzo Ciancaglini, and Salvatore Gariuolo at Trend Micro
  - The Devil Reviews Xanthorox: A Criminal-Focused Analysis of the Latest Malicious LLM Offering
- Lucie Cardiet at Vectra AI
  - Operation ENDGAME and the Battle for Initial Access by Lucie Cardiet
- Joseliyo Sánchez at VirusTotal
  - VTPRACTITIONERS{ACRONIS}: Tracking FileFix, Shadow Vector, and SideWinder
- VX API
  - Fake Lockbit 5.0 silliness and 3 layers of ransomware lasagna
- Sina Kheirkhah and Jake Knott at watchTowr Labs
  - When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb (??) Auth. Bypass)
- Jay Pandya at White Knight Labs
  - Understanding Cloud Persistence: How Attackers Maintain Access Using Google Cloud Functions
- Francesco Sercia at YLabs
  - Hamburglars
- Solar 4RAYS Blog
  - In Shedding Zmiy’s arsenal: a tool for attacks through misconfigured system environments of a popular CMS
- Taggart Tech
  - TOAD Attacks via Entra Guest Invites
- Hunter Wade at Black Hills Information Security
  - Abusing Delegation with Impacket (Part 2): Constrained Delegation
- Palo Alto Networks
UPCOMING EVENTS
- Black Hills Information Security
  - Talkin’ Bout [infosec] News 2025-11-17 #infosec #news
- Cyber Triage
  - When (and When Not) to Use EDR in Investigations
- DFRWS
  - Call for Papers Is Open for DFRWS-USA 2026!
- Cybersecurity Mentors Podcast
  - Think Like a Spy, Hunt Like a Hacker: Former FBI Agent Eric O’Neill on Outsmarting Cybercriminals
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Black Hills Information Security
  - X-Typhon – Not your Father’s China with John Strand
- Erik Pistelli at Cerbero
  - Memory Challenge 7: DeepDive
- Chainalysis
  - Crypto National Security and Pig Butchering: Podcast Ep. 174
- Cloud Security Podcast by Google
  - EP251 Beyond Fancy Scripts: Can AI Red Teaming Find Truly Novel Attacks?
- InfoSec_Bret
- John Hammond
- Magnet Forensics
- Monolith Forensics
- MSAB
- MyDFIR
- Parsing the Truth: One Byte at a Time
- Sandfly Security
  - Installing Sandfly Security in the DigitalOcean Marketplace 1-Click App
- The Cyber Mentor
  - Live: PSAP Release | TCM Security | Blue Team | AMA
- Three Buddy Problem
MALWARE
- 0xMatheuZ
  - Ioctl Secrets Writeup
- Any.Run
  - ClickFix Explosion: Cross-Platform Social Engineering Turns Users Into Malware Installers
- ASEC
- Ialle Teixeira at Debugactiveprocess
  - The Anatomy of Persistent Android NFC Malware in Brazil: How a malicious services achieve 24/7…
- Tonmoy Jitu at Denwp Research
  - Analyzing What Appears to be GNNCRY’s macOS Test Build
- Dr Josh Stroschein
- Elastic Security Labs
  - RONINGLOADER: DragonBreath’s New Path to PPL Abuse
- errbody
  - Endpoint Ransomware
- Esentire
  - EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT
- Thijs Xhaflaire at Jamf
  - Digit stealer: a JXA-based infostealer that leaves little footprint
- Pieter Arntz at Malwarebytes
  - We opened a fake invoice and fell down a retro XWorm-shaped wormhole
- Shubho57
  - Analysis of a BlankGrabber variant (bat file)
- Siddhant Mishra
  - Tracking the Trackers: Lessons from the APT43/Kimsuky Takedown
- Stephen Thoemmes at Snyk
  - Automated Package-Publication Incident IndonesianFoods in the NPM Ecosystem Linked to Crypto Reward-Farming Scam
- Alberto Pellitteri and Lorenzo Susini at Sysdig
  - Hunting Reverse Shells: How the Sysdig Threat Research Team builds smarter detection rules
- Junestherry Dela Cruz and Sarah Pearl Camiling at Trend Micro
  - Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics
- YUCA
- Zhassulan Zhussupov
  - Linux hacking part 8: Linux password-protected bind shell. Simple NASM example
- Шифровальщики-вымогатели The Digest “Crypto-Ransomware”
  - BlackShrantac
MISCELLANEOUS
- Adam at Hexacorn
  - 1 or more little secrets of disksnapshot.exe
- Brett Shavers
  - Fight City Hall: If You Missed the Webinar, You’re Making Mistakes You Don’t Know About
- Cellebrite
  - Digital Witness is Key to Queensland Mother’s Six-Year Journey to Justice
- CyberBoo
  - Microsoft Defender for Endpoint Part 5: Live Response & Automated Investigation
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 11/10/25
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Airtight SEAL
- Forensic Focus
  - Digital Forensics Jobs Round-Up, November 10 2025
  - How Cellebrite Is Unlocking The Power Of AI For Digital Investigations
  - Picture The Proof: Powering Investigations With Exterro Imager Pro
  - Managing GenAI Risk In Police Investigations
  - Digital Forensics Round-Up, November 12 2025
  - Amped Software Opens Pre-Registration For Amped Connect U.S. 2026: A Free, Full-Day Digital Forensics Event In Myrtle Beach, SC
  - Call For Papers: Open Source (Digital) Forensics Devroom At FOSDEM 2026
  - Semantics 21 Introduces AI Describe – The World’s First Secure And Offline AI Describer For CSAM And Indecent Material
- Don Sears at Forescout
  - Ransomware Trends: To Ban or Not to Ban Ransom Payments?
- Howard Oakley at ‘The Eclectic Light Company’
  - Explainer: .DS_Store files
- Magnet Forensics
  - Why digital forensics became mission-critical for federal agencies
- Matthew Plascencia
  - Don’t Sell the Human Soul of Your Work to the Machine
- Grayson Milbourne at OpenText
  - OpenText Cybersecurity 2025 Global Ransomware Survey: Confidence Up, Recovery Down
- Nazrul Islam Rana at OSINT Team
  - 18 Digital Forensic Tools Every Cybersecurity Professional Should Know (2025 Guide)
- Amber Schroader at Paraben Corporation
  - Preserving the Past through Digital Forensics
- Joseph Williams at Pen Test Partners
  - Finding your path into DFIR
SOFTWARE UPDATES
- Airbus Cybersecurity
  - IRIS-Web v2.4.25
- Amped
  - Authenticate Update 39075: Deepfake Detection has a New Dress and is Now Available in the Smart Report, Improved GUI and Report, and More!
- Berla
  - iVe Software v4.13 Release
- C.Peter
  - UFADE 1.0.2
- Didier Stevens
  - Update: numbers-to-hex.py Version 0.0.4
- Digital Sleuth
  - winfor-salt v2025.14.3
- Elcomsoft
  - Elcomsoft System Recovery 8.36 adds Windows Server 2025 support, BitLocker key exporting, and enhanced SRUM analysis
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.23.0
- Google
  - Timesketch 20251114
- IsoBuster
  - IsoBuster 5.7 beta released
- Lethal-Forensics
  - MacOS-Analyzer-Suite v1.0.0
- Mandiant
  - Capa v9.3.0
- OpenCTI
  - 6.8.11
- Rapid7
  - Velociraptor v0.75.5
- Three Planet Software
  - Apple Cloud Notes Parser v0.23
- Yamato Security
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!