As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Ahmed Moaz
  - ADS Forensics
- Akash Patel
  - Streamlining BEC case and Cloud Log Analysis with Free Tools: Microsoft-Extractor-Suite and…
- Belkasoft
  - RAM Forensics: Tools, Techniques, and Best Practices
- Forensafe
  - Android Application Operations
- Nicholas Dubois at Hexordia
  - Behind the Bubbles: The Privacy and Security of Apple’s iMessage Lookup
- Invictus Incident Response
  - The story of how we almost got hacked
- Magnet Forensics
  - When Windows takes a nap and leaves you evidence: Inside hiberfil.sys
- Matthew Plascencia
  - Data Over the Air
- ThinkDFIR
  - A question about arbitrary values in USB registry keys
- Mark R at you sneakymonkey!
  - Cloud Metadata – AWS IAM Credential Abuse
THREAT INTELLIGENCE/HUNTING
- Shai-Hulud 2.0
  - Shai Hulud strikes again, hitting Zapier, Ensdomains
  - Shai-Hulud 2.0: Inside The Second Coming, the Most Aggressive NPM Supply Chain Attack of 2025
  - The Shai-Hulud 2.0 npm worm: analysis, and what you need to know
  - Shai-Hulud 2.0: over 14,000 secrets exposed
  - 332. That’s How Shai-Hulud 2.0 Escalate Privileges
  - Return of Shai-Hulud: The “Second Coming” of the NPM Supply Chain Compromise
  - Defending Against Sha1-Hulud: The Second Coming
  - SHA1-Hulud, npm supply chain incident
  - Shai Hulud Strikes Again (v2)
  - Return of the Shai-Hulud worm affects over 25,000 GitHub repositories
  - Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems
  - Shai-Hulud: When a Supply-Chain Incident Turns Into a Worm by Lucie Cardiet
  - Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets
- Hitesh Duseja at Altered Security
  - Long Live Pass-The-Cert: Reviving the Classical Rendition of Lateral Movement across Entra ID joined Devices
- Arctic Wolf
  - Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine
- Andrea Chiarelli at Auth0
  - Demystifying OAuth Security: State vs. Nonce vs. PKCE
- Bitdefender
- Blu Raven Academy
  - Detecting Cobalt Strike HTTP(S) Beacons with a Simple Method
- Brian Krebs at ‘Krebs on Security’
- CERT-AGID
- Check Point
- Roshan at Confiant
  - Phantom Stores: Retail Impersonation Spreads Ahead of Black Friday Powered by Video Ads and Modular…
- Cybersec Sentinel
- Cyfirma
  - Weekly Intelligence Report – 28 November 2025
- Andrea Draghetti at D3Lab
  - First phishing campaign targeting Klarna detected in Italy
- Daniel Koifman
  - Introducing LUMEN: Your EVTX Companion
- Dark Atlas
  - Smishing Triad Targets Egypt’s Financial Sector and Postal Services
- Darktrace
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 47)
- Malcolm Heath at F5 Labs
  - Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
- FalconFeeds
  - Threat Intelligence Briefing: Scattered LAPSUS$ Hunters (SLSH)
- g0njxa
  - Approaching stealers devs: a brief interview with XFILES (DeerStealer)
- Amirbek Kurbanov and Volen Kayo at Group-IB
  - Bloody Wolf: A Blunt Crowbar Threat To Justice
- Intrinsec
- Isaac Dunham
  - Risk-Based Alerting in Microsoft Sentinel
- Itsec
  - Tracking UNC5337: An investigative study of a persistent cyber threat actor
- Kroll
  - Paying the Price: Enhancing the Retail Sector’s Resilience to Scattered Spider and Cl0p
- Micah Babinski
  - Detecting Malicious ArcGIS Server Object Extensions
- Idan Cohen at Mitiga
  - Scattered Lapsus$ Shiny Hunters Strikes Salesforce Again
- Nariman Gharib
  - Department 40 Exposed: Inside the IRGC Unit Connecting Cyber Ops to Assassinations
- Nextron Systems
- Kristof Baute at NVISO Labs
  - Detection Engineering: Practicing Detection-as-Code – Tuning – Part 8
- Oleg Skulkin at ‘Know Your Adversary’
  - 327. Adversaries Use Shell Icon Overlay Handlers for Persistence
  - 328. Adversaries Use PowerCat for Reverse Shells
  - 329. Adversaries Use Blender 3D Files to Deliver Stealers
  - 330. Adversaries Use Windows Event Logs for Discovery
  - 331. Adversaries Keep Abusing Microsoft Management Console
  - 333. Adversaries Use Multiple LOLBINs for Ingress Tool Transfer
- Picus Security
- Recorded Future
  - The Salesforce-Gainsight Security Incident: What You Need to Know
- Red Canary
  - Here’s what you missed on Office Hours: November 2025
- SANS Internet Storm Center
- Thomas Roccia at SecurityBreak
  - GenAI x Sec Advent (2025 edition)
- sentinel.blog
- Simone Kraus
  - Ivanti Post-Exploitation Lateral Movement — Analysis and Detection
- Snyk
  - Snyk Log Sniffer: AI-Powered Audit Log Insights for Security Leaders
- SOCRadar
- System Weakness
  - Digital Forensics and Incident Response - Velociraptor [MCP Compromise & Abuse Case]
- Sydney Marrone at THOR Collective Dispatch
  - Dispatch Debrief: November 2025
- Jacob Baines at VulnCheck
  - The Mystery OAST Host Behind a Regionally Focused Exploit Operation
- Sapir Federovsky at Wiz
  - 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs
- Palo Alto Networks
UPCOMING EVENTS
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Black Hills Information Security
  - Talkin’ Bout [infosec] News 2025-11-24 #infosec #news
- Hunter Wade at Black Hills Information Security
  - Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation
- Cellebrite
  - Tip Tuesday: Single Applications
- Erik Pistelli at Cerbero
  - Memory Challenge 9: BankingTroubles
- Gerald Auger at Simply Cyber
  - How I Got SOC Analyst Experience Without a Job (Actual Resume Bullets Inside)
- InfoSec_Bret
  - IR – SOC344 – EDR Tampering Attempt via EDR-Freeze
- John Hammond
- Magnet Forensics
- Monolith Forensics
  - Case File System Overview
- MSAB
  - #MSABMonday – XAMN Pro Deep Dive
- MyDFIR
- Off By One Security
  - Emulating APTs: Building and Deploying Bootkits & Rootkits
- Parsing the Truth: One Byte at a Time
  - Mushroom Murders Part 2
- Sandfly Security
- SANS Cloud Security
  - Beyond the Basics: What Cloud Defenders Need to Know
- SentinelOne
  - LABScon25 Replay | Simulation Meets Reality: How China’s Cyber Ranges Fuel Cyber Operations
- THE Security Insights Show
  - THE Security Insights Show Episode 280: Turkey-Day Trojans
- Three Buddy Problem
  - Shai-Hulud 2.0, Russia GRU Intrusions, and Microsoft’s Regulatory Capture
MALWARE
- 0day in {REA_TEAM}
  - [Quick analysis] Phishing campaign impersonating the Tax Authority to distribute malware
- Adam at Hexacorn
  - Enter Sandbox 31: Web Shells
- Any.Run
  - Major Cyber Attacks in November 2025: XWorm, JSGuLdr Loader, Phoenix Backdoor, Mobile Threats, and More
- Cyble
  - RelayNFC: The New NFC Relay Malware Targeting Brazil
- Dexpose
  - Inside Valkyrie Stealer: Capabilities, Evasion Techniques, and Operator Profile
- Fortinet
  - ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab
- hasherezade’s 1001 nights
  - Flare-On 12 – Task 8
- Ben Folland and Anna Pham at Huntress
  - ClickFix Gets Creative: Malware Buried in Images
- Jamf
  - FlexibleFerret malware continues to strike
- Shmuel Uzan at Morphisec
  - Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files
- Patrick Wardle at Objective-See
  - Restoring Reflective Code Loading on macOS (Part II)
- Securelist
- Ayush Anand at Securityinbits
  - How to set up Sigma rules for Elasticsearch SIEM
- Shubho57
  - Analysis of APT28 Variant (Muddywater)
- Socket
- Jason Reaves at Walmart
  - Utilizing ChatGPT for Decoding Astaroth Strings
- Suraj Mundalik at ZScaler
  - Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack
- Padvish Malware Threat Database (بانک اطلاعات تهدیدات بدافزاری پادویش)
  - Hacktool.Win32.Nimplant
MISCELLANEOUS
- Adam at Hexacorn
- Belkasoft
  - Belkasoft Customer Survey 2025
- Steven Alexander at Cybersecurity Oversight
  - Adversaries keep getting faster
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 11/24/25
- Elan at DFIR Diva
- Oleg Afonin at Elcomsoft
- Michael Karsyan at Event Log Explorer blog
  - Improving Event Log Filtering in PowerShell
- Forensic Focus
  - Inside FTK Imager Pro: Vendor-Neutral Forensics, Smarter AI, And Exterro’s Forensic Vision
  - Digital Forensics Jobs Round-Up, November 24 2025
  - Detego Global Launches Purpose-Built Case Management Platform For Digital Forensics And Incident Response Teams
  - UPCOMING WEBINAR – S21 VisionX Launch
  - Techno Security & Digital Forensics Conference West Wrap-Up
  - Oxygen Review Center: A Faster, Smarter Way To Review Digital Evidence
  - Digital Forensics Round-Up, November 26 2025
  - The Journey Of Brute Forcing: From GPU Dominance To CPU Workhorses And Back
  - What’s Cool In Oxygen Forensic KeyScout?
  - Full Access, Free Training, Big Savings: Semantics 21 Reveals Black Friday Package
  - Forensic Focus Digest, November 28 2025
  - Atola Introduces ZFS And LDAP Support In TaskForce 2025.11
- GreyNoise
  - Your IP Address Might Be Someone Else’s Problem (And Here’s How to Find Out)
- Howard Oakley at ‘The Eclectic Light Company’
  - Inside the Unified Log 8: Find the error
- Doug Metz at Magnet Forensics
  - Bridging cybersecurity & forensics: Why DFIR belongs inside the modern SOC
- Siddhant Mishra
  - Get Your SOC Out of the CHAOS ZONE
- Studio d’Informatica Forense
SOFTWARE UPDATES
- Sergiy Pasyuta at Atola
  - TaskForce 2025.11 update: ZFS support + LDAP authentication
- Ahmed K. Ali
  - Seshat EVTX Analyzer
- Amped
  - Amped Replay Update 39248: Enter the Realm of Assisted Video Redaction!
- Cwrw
  - CommandHunter
- Digital Sleuth
  - winfor-salt v2025.14.7
- hasherezade
  - tiny_tracer 3.2
- IsoBuster
  - IsoBuster 5.7 released
- MISP
  - MISP v2.5.27 – released with new features and various fixes
- OpenCTI
  - 6.8.14
- Passmark Software
  - OSForensics V11.1 build 1013 25th November 2025
- radare2
  - 6.0.7
- Sigma
  - r2025-12-01
- SigmaHQ
  - pySigma v1.0.1
- Tsurugi Linux
  - 24 November 2025 (release 25.11)
- XingTuLab
  - Recopilot 0.2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!