Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security In this session, Permiso’s CTO will cover: – How attackers moved from GitHub → AWS → Salesforce using stolen OAuth tokens. – Why this “all-machine” attack is a wake-up call for SaaS supply chains and NHIs. – Practical steps to detect and contain similar threats in your environment. Watch the Video Podcast

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting
  
  
• Massimo Iuliani at Amped
  Deepfake Detection Quiz Results – Can You Spot Deepfakes with Your Eyes?
  
  
• Brian Maloney
  Let’s Talk About Consent
  
  
• Christopher Eng at Ogmini
  Examining Mobile Hotspots – Orbic Speed RC400L – Part 4
  
  
• Elcomsoft
  • Breaking Barriers: First Full File System Extraction from Apple TV 4K Running tvOS 26
  • Password Managers: Security, Risks, and Forensic Implications
    
    
• Forensafe
  iOS User Notification Events
  
  
• The DFIR Report
  Cat’s Got Your Files: Lynx Ransomware
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Some unusual run-time rundll32.exe artifacts
  
  
• Shaunak Khosla at Altered Security
  BetterSuccessor: Still abusing dMSA for Privilege Escalation (BadSuccessor after patch)
  
  
• Any.Run
  LOLBin Attacks Explained with Examples: Everything SOC Teams Need to Know 
  
  
• ASEC
  • October 2025 Infostealer Trend Report
  • October 2025 Trends Report on Phishing Emails
  • October 2025 APT Group Trends
  • NKNShell Malware Distributed via VPN Website
  • Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
  • Phishing Emails Impersonating a Popular OTT Service
  • October 2025 Threat Trend Report on Ransomware
  • Analysis Report on AI-Based Obfuscated Malicious Apps Using Compromised Legitimate Websites as C2 Servers
  • October 2025 APT Attack Trends Report (South Korea)
  • Analysis Report on Malicious Apps Using Advanced Detection and Evasion Techniques
    
    
• AttackIQ
  • Emulating the Destructive Sandworm Adversary
  • Updated Response to CISA Advisory (AA24-109A): Akira Ransomware
    
    
• AWS Security
  • Analyze AWS Network Firewall logs using Amazon OpenSearch dashboard
  • New Amazon Threat Intelligence findings: Nation-state actors bridging cyber and kinetic warfare
  • Accelerate investigations with AWS Security Incident Response AI-powered capabilities
    
    
• Christine Barry at Barracuda
  Sinobi: The bougie-exclusive ransomware group that wants to be a ninja
  
  
• Nguyen Nguyen and Bart Blaze at CyberArmor
  Autumn Dragon: China-nexus APT Group Targets South East Asia
  
  
• Mehmet Ergene at Blu Raven Academy
  Time Traveling in KQL
  
  
• Brian Krebs at ‘Krebs on Security’
  • Microsoft Patch Tuesday, November 2025 Edition
  • The Cloudflare Outage May Be a Security Roadmap
  • Mozilla Says It’s Finally Done With Two-Faced Onerep
    
    
• CERT Ukraine
  Кібератака у відношенні навчального закладу на сході України з використанням програмного засобу GAMYBEAR (CERT-UA#18329)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 15 – 21 novembre
  
  
• Chainalysis
  U.S., U.K., and Australia Target Russian Cybercrime Infrastructure Supporting Global Ransomware Operations; U.S. Targets Crypto Laundering of Global Drug Trafficking Network
  
  
• Check Point
  • 17th November – Threat Intelligence Report
  • The Black Friday Cyber Crime Economy: Surge in Fraudulent Domains and eCommerce Scams
    
    
• Cofense
  The 6 URL Shorteners You Didn’t Know Were Helping Hackers
  
  
• Coveware
  Obscura Ransomware: A Case Study in Ransomware Data Loss 
  
  
• Chris Prall at CrowdStrike
  Defeating BLOCKADE SPIDER: How CrowdStrike Stops Cross-Domain Attacks
  
  
• Matthew Dobbs at Cyberbit
  Your 101 guide to MITRE ATT&CK Enterprise Matrix 
  
  
• Cybersec Sentinel
  GootLoader New Evasion Methods Target Search Driven Workflows
  
  
• Cyfirma
  Weekly Intelligence Report – 21 November 2025
  
  
• Andrea Draghetti at D3Lab
  • Nuova frode ai danni di Poste Italiane: email senza link, solo un numero da contattare!
  • La campagna di vishing continua: dal clone Poste alla finta email Google
    
    
• DCSO CyTec
  Cyber Conflict Briefing Q3 2025
  
  
• Detect FYI
  • Introducing the DRAPE Index: How to measure (in)success in a Threat Detection practice?
  • Beyond Detections : Scaling Analysis & Response to keep MDR relevant
  • From Ransomware to Nation-State -How MITRE ATT&CK v18 & Detection Strategies turn Active Directory…
  • Threat Hunting based on Tor Exit Nodes (+ KQLs queries)
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week46)
  
  
• DomainTools Investigations
  Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets
  
  
• Elliptic
  US cracks down on Russian bulletproof hosting services enabling cybercrime
  
  
• Olaf Hartong at Falcon Force
  Microsoft Defender for Endpoint Internal 0x06 — Custom Collection
  
  
• FalconFeeds
  Kittenbusters: The Mystery Whistle-blower
  
  
• Gen
  Alliances of convenience: How APTs are beginning to work together
  
  
• Google Cloud Threat Intelligence
  • Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem
  • Beyond the Watering Hole: APT24’s Pivot to Multi-Vector Attacks
    
    
• GreyNoise
  • When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game
  • FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wild
  • Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High
  • Introducing Query-Based Blocklists: Fully Configurable, Real-Time Threat Blocking in the GreyNoise Platform
    
    
• Hunt IO
  The Complete Guide to Hunting Cobalt Strike – Part 2: 10+ HuntSQL Recipes to Find Cobalt Strike
  
  
• Lindsey O’Donnell-Welch and Harlan Carvey at Huntress
  Velociraptor WSUS Exploitation, Pt. I: WSUS-Up?
  
  
• Jeffrey Bellny at CatchingPhish
  Endgame for Rhadamanthys (temporarily)
  
  
• Shusei Tomonaga at JPCERT/CC
  YAMAGoya: A Real-time Client Monitoring Tool Using Sigma and YARA Rules
  
  
• Kostas
  DetectionStream Just Got a Major Upgrade: Suricata Integration is Here!
  
  
• Mat Fuchs
  GHOST Framework: Zero Footprint EDR Testing That Trains Your Analysts for Real Threats
  
  
• Shmuel Uzan at Morphisec
  Morphisec Thwarts Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm
  
  
• Natto Thoughts
  China’s Cybersecurity Companies Advancing Offensive Cyber Capabilities Through Attack-Defense Labs
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 321. Adversaries Use Outlook LoadMacroProviderOnBoot for Persistence
  • 322. Is It Easy to Detect a PowerShell Abuse?
  • 323. Adversaries Keep Using NetExec: Forensic Perspective
  • 324. Adversaries Use HideMouse to Hide Evidence of Remote Access
  • 325. Can We Use Discovery Techniques for Hunting?
  • 326. Adversaries Abuse XstExport to Exract Emails Before Exfiltration
    
    
• Marine Pichon and Alexis Bonnefoi at Orange Cyberdefense
  A Pain in the Mist: Navigating Operation DreamJob’s arsenal
  
  
• Ian Ahl at Permiso
  Gainsight Breach Investigation: Another SalesLoft-Style Attack Unfolds
  
  
• Sıla Özeren Hacıoğlu at Picus Security
  Inside Sandworm: Decade of Cyber Sabotage and Espionage Activity
  
  
• Dan Green at Push Security
  Analyzing the latest Sneaky2FA BITB phishing page
  
  
• Recorded Future
  Operational Cyber Threat Intelligence
  
  
• Red Canary
  Intelligence Insights: November 2025
  
  
• SANS Internet Storm Center
  • Decoding Binary Numeric Expressions, (Mon, Nov 17th)
  • KongTuke activity, (Tue, Nov 18th)
  • Unicode: It is more than funny domain names., (Wed, Nov 12th)
  • Use of CSS stuffing as an obfuscation technique?, (Fri, Nov 21st)
  • Oracle Identity Manager Exploit Observation from September (CVE-2025-61757), (Thu, Nov 20th)
  • Wireshark 4.4.1 Released, (Sun, Nov 23rd)
    
    
• Securelist
  • IT threat evolution in Q3 2025. Mobile statistics
  • IT threat evolution in Q3 2025. Non-mobile statistics
  • Blockchain and Node.js abused by Tsundere: an emerging botnet
  • Inside the dark web job market
  • ToddyCat: your hidden email assistant. Part 1
    
    
• Gilad Friedenreich Maizles and Marty Kareem at Security Scorecard
  Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router
  
  
• Dheeraj Kumar and Tanmay Kumar at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – October 2025
  
  
• Tomas Gatial at SentinelOne
  Threat Hunting Power Up | Enhance Campaign Discovery With Validin and Synapse
  
  
• Olivia Brown at Socket
  npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects
  
  
• SOCRadar
  • Dark Web Profile: Sarcoma Ransomware
  • Dark Web Market: FreshTools
    
    
• Colin Cowie at Sophos
  WhatsApp compromise leads to Astaroth deployment
  
  
• Stephan Berger
  Dissection of a PHP Backdoor leveraging php-win.exe
  
  
• Symantec Enterprise
  • Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites
  • Arms Race: AI’s Impact on Cybersecurity
    
    
• Alberto Pellitteri and Michael Clark at Sysdig
  Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that’s being actively exploited in ransomware campaigns
  
  
• System Weakness
  • Following the Data Trail: A Guide to Detecting Data Exfiltration ️‍♂️
  • CSI: Web Server — A Defender’s Guide to Detecting Web Attacks ️‍♂️
    
    
• Yash Verma at Trend Micro
  Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses
  
  
• Truesec
  Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments
  
  
• Valdin
  Inside DPRK’s Fake Job Platform Targeting U.S. AI Talent
  
  
• Lucie Cardiet at Vectra AI
  How Typhoon APTs Infiltrate Infrastructure Without Leaving a Trace by Lucie Cardiet
  
  
• István Márton at Wordfence
  Attackers Actively Exploiting Critical Vulnerability in Post SMTP Plugin
  
  
• Блог Solar 4RAYS
  • Solar 4RAYS: Хроники расследований инцидентов в 2025 году
  • Ландшафт вредоносных атак: аналитика сенсоров
    
    
• Jeremy Brown at Palo Alto Networks
  Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise
  

UPCOMING EVENTS

• Cellebrite
  DFU Decoded: Unlocking Hidden Truths with Media Intelligence
  
  
• Cyber Social Hub
  Registration Open for CyberSocialCon 2025
  
  
• Magnet Forensics
  Mobile Unpacked S3:E11 // Analyzing an app’s lifecycle
  
  
• SANS
  Stay Ahead of Ransomware – Threat Hunting for Ransomware and Cyber Extortion
  

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data EP18: From Policy to Processor: How Legislation Aids Child Exploitation Investigations
  
  
• Adversary Universe Podcast
  Prompted to Fail: The Security Risks Lurking in DeepSeek-Generated Code
  
  
• Behind the Binary by Google Cloud Security
  EP19 The Art of Deconstructing Problems: Tools, Tactics, and the ScatterBrain Obfuscator with Nino Isakovic
  
  
• Cloud Security Podcast by Google
  EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success
  
  
• HackTheBox
  Brewing chaos: How a ransomware group hit Asahi
  
  
• Huntress
  Community Fireside Chat | Nailing Your Incident Response (IR) Planning
  
  
• InfoSec_Bret
  Challenge – Golden Ticket
  
  
• Magnet Forensics
  • Mobile Minute Ep. 15 // How Magnet Automate turns your lab into a 24-hour justice delivery center
  • Protecting your organization from manipulated media with Magnet Verify
  • How digital forensics and automation are transforming federal investigations
    
    
• Microsoft Threat Intelligence Podcast
  Ahoy! A Tale of Payroll Pirates Who Target Universities
  
  
• Monolith Forensics
  Adding a File to a Case in Monolith
  
  
• MSAB
  #MSABMonday – XRY Specify Process Options
  
  
• MyDFIR
  • Cybersecurity SOC Analyst Lab – Web Investigation (PCAP)
  • From YouTube Tutorials to Real SOC Skills | MYDFIR Member Interview
  • From Truck Driver to Studying for SOC Analyst | Anthony’s Journey
    
    
• Off By One Security
  Burnout: Don’t Get Scorched 🔥
  
  
• Parsing the Truth: One Byte at a Time
  The Mushroom Murders Part 1
  
  
• Permiso Security
  Episode 04 – Gainsight — Salesforce: Another OAuth Supply-Chain Scare?
  
  
• Proofpoint
  From Toasters to Botnets: Securing Everyday IoT
  
  
• Sandfly Security
  Destination Linux Podcast: Tor, VPNs and Anonymity Risks
  
  
• SANS
  Inside Digital Forensics: Hunting for Truth in the Dark with Heather Barnhart
  
  
• The Weekly Purple Team
  🔴🔵 Blinding EDR with Windows Filtering Platform
  
  
• Three Buddy Problem
  Gemini 3 reactions, Fortinet/Chrome zero-days, a Cloudflare monoculture and a billion-dollar crypto twist
  

MALWARE

• Bloo
  Inside the Shellcode: Dissecting North Korean APT43’s Advanced PowerShell Loader
  
  
• Erik Pistelli at Cerbero
  Memory Challenge 8: MemLabs Lab 4 – Obsession
  
  
• Melissa Eckardt at cyber.wtf
  Rhadamanthys Loader Deobfuscation
  
  
• Cybereason
  License to Encrypt: “The Gentlemen” Make Their Move
  
  
• Darktrace
  Xillen Stealer Updates to Version 5 to Evade AI Detection
  
  
• hasherezade’s 1001 nights
  Flare-On 12 – Task 9
  
  
• K7 Labs
  • Masked in Memory: A Hidden .PYC fragment utilises cvtres.exe to communicate with C&C
  • Brazilian Campaign: Spreading the Malware via WhatsApp
    
    
• Jan Michael Alcantara at Netskope
  The Future of Malware is LLM-powered
  
  
• PetiKVX
  Analysis of Virus.Win32.Aidlot (MS-DOS, ASM)
  
  
• RexorVc0
  Snake Evolution
  
  
• Shubho57
  Analysis of a malicious VS code executable
  
  
• Siddhant Mishra
  Inside the Shellcode: Dissecting North Korean APT43’s Advanced PowerShell Loader
  
  
• ThreatFabric
  Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption
  
  
• Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi at Trustwave SpiderLabs
  SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp
  
  
• Facundo Muñoz and Dávid Gábriš at WeLiveSecurity
  PlushDaemon compromises network devices for adversary-in-the-middle attacks
  

MISCELLANEOUS

• Cellebrite
  • Drowning in Data? The EDRM Model Is Your Lifeline
  • Building Safer Communities Through Smarter Digital Investigations 
    
    
• CISA
  CISA Releases Guide to Mitigate Risks from Bulletproof Hosting Providers
  
  
• Mike Wilkinson at Cyber Triage
  Remote Forensic Collection Tools 2025
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 11/17/25
  
  
• Djnn
  anthropic’s paper smells like bullshit
  
  
• Forensic Focus
  • Solving High-Profile Homicides With SS8 Discovery – Download The Case Study
  • Rethinking Internal Investigations: A New Era Of Digital Forensics Collaboration
  • GMDSOFT Tech Letter Vol. 16: Analysis Of AI Editing Traces On Galaxy And iPhone
  • Digital Forensics Round-Up, November 19 2025
  • Introducing Oxygen Remote Explorer 2.0
  • Amped Authenticate Makes Deepfake Detection Easier With Smart Report And Batch Processing
  • Announcing The Magnet User Summit 2026 Presentation Catalog
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: Data and metadata
  
  
• Jeffrey Appel
  Troubleshoot configured Defender AV settings with effective settings in Defender
  
  
• Kevin Beaumont at DoublePulsar
  What organisations can learn from the record breaking fine over Capita’s ransomware incident
  
  
• Magnet Forensics
  • Introducing Magnet One Mobile Case Stream: Early access now available!
  • Same app, different data: Explaining to the court why device and cloud data don’t match
  • Leveraging digital forensics to advance employee misconduct investigations
  • Magnet User Summit 2026: Here’s your presentation catalog!
    
    
• Mark Russinovich at Microsoft
  Native Sysmon functionality coming to Windows
  
  
• Osama Elnaggar
  Lightning Fast Log Enrichment Using Logstash
  
  
• Raymond Roethof
  • Microsoft Defender for Identity Recommended Actions: Built-in Active Directory Guest account is enabled
  • Microsoft Defender for Identity Recommended Actions: Change password for KRBTGT account
  • Microsoft Defender for Identity Recommended Actions: Ensure that all privileged accounts have the configuration flag
  • Microsoft Defender for Identity Recommended Actions: Change password of built-in domain Administrator account
    
    
• Salvation DATA
  Bitcoin Forensics and Cryptocurrency Forensics: A Beginner’s Guide to Blockchain Investigations
  
  
• Sandfly Security
  Deploy and Configure Sandfly Agentless Security on DigitalOcean
  
  
• Ryan McGeehan at Starting Up Security
  Malicious Insider Scenarios
  
  
• THOR Collective Dispatch
  • Purple Teaming in the Real World: When Everything Goes Off the Rails (and That’s Normal)
  • Aligning Risk Management and Threat-Informed Defense Practices (Part 2)
    
    
• Alan Sguigna at White Knight Labs
  Using MCP for Debugging, Reversing, and Threat Analysis: Part 2
  
  
• Victor M. Alvarez at YARA-X
  Look ma, no warnings
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.4.26
  
  
• Digital Sleuth
  winfor-salt v2025.14.5
  
  
• Lethal-Forensics
  MacOS-Analyzer-Suite v1.1.0
  
  
• Mandiant
  Capa v9.3.1
  
  
• MISP
  • MISP v2.5.25 – Performance Update
  • MISP v2.5.26 – released with performance improvements and interoperability fixes
    
    
• MSAB
  XRY 11.2.1: Strengthens Support for Modern Devices and OS Versions
  
  
• OpenCTI
  6.8.13
  
  
• Passmark Software
  OSForensics V11.1 build 1012 18th November 2025
  
  
• Phil Harvey
  ExifTool 13.42
  
  
• Xways
  • X-Ways Forensics 21.7 Preview 3
  • Miscellaneous
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!