As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Brian Maloney
  - OneDrive Updates
- Christopher Eng at Ogmini
  - Trying out ALEX 2.0 – Rooted Device Support Leads to Pull Request
- Forensafe
  - iOS Device Settings
- Forensic Science International: Digital Investigation
  - Volume 55
- Kenneth G Hartman at Lucid Truth Technologies
  - Carpenter Decision and IP-based Investigations in Digital Forensic Practice
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Aikido
- Amnesty International Security Lab
  - To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware
- Andrew Skatoff at ‘DFIR TNT’
  - React2Shell Exploits: High-Value Detection and Threat Hunting Strategies
- ASEC
- CJ Moses at AWS Security
  - China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
- Brad Duncan at Malware Traffic Analysis
- Brian Krebs at ‘Krebs on Security’
- Censys
  - Using Cobalt Strike to Find (More) Cobalt Strike
- CERT-AGID
- Check Point
  - 1st December – Threat Intelligence Report
- CISA
  - PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems
- Fabian Bador at Cloudbrothers
  - Conditional Access bypasses
- Omer Yoachimik and Jorge Pacheco at Cloudflare
  - Cloudflare’s 2025 Q3 DDoS threat report — including Aisuru, the apex of botnets
- David Burkett at Corelight
  - How to React(.js) to React2Shell & Catch the Next(.js) Big RCE | Corelight
- CrowdStrike
  - Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
- Cybersec Sentinel
  - Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 05 December 2025
- Darktrace
- Disconinja
  - Weekly Threat Infrastructure Investigation (Week 48)
- Dodge This Security
  - Sysmon Config Creation for The LOLRMM Framework
- Daniel Schwalbe at DomainTools Investigations
  - Newsletter 11 Could Take Forever
- Mandy Andress at Elastic
  - Navigating the Shai-Hulud Worm 2.0: Elastic’s updated response to npm supply chain compromise
- Elastic Security Labs
  - Automating detection tuning requests with Kibana cases
- Brian Sayer at F5 Labs
  - HashJack Attack Targets AI Browsers and Agentic AI Systems
- FalconFeeds
  - Digital Safe Havens: A Geopolitical Analysis of Jurisdictional Impunity and the Global Cybercrime Ecosystem
  - The CTI Playbook for Election Seasons: Proactive Defense Against Hacktivism, Disinformation, and Critical Infrastructure Threats
  - Cyber Spillover: When Targeted Regional Attacks Disrupt Global Digital Infrastructure
- g0njxa
  - Approaching stealers devs: a brief interview with Phexia
- Google Cloud Threat Intelligence
  - Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
- Noah Stone at GreyNoise
  - A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
- Group-IB
  - Hook for Gold: Inside GoldFactory’s Campaign That Turns Apps Into Goldmines
- HackTheBox
  - Detecting USB-based cyber attacks: A guide
- Hudson Rock
- Huntress
- Infoblox
  - DNS Uncovers Infrastructure Used in SSO Attacks
- Matthew Green at InfoGuard Labs
  - CLRaptor: Hunting reflected assemblies with Velociraptor
- Calvin So at Kandji
  - Investigating Shai-Hulud: Inside the NPM Supply Chain Worm
- Kevin Beaumont at DoublePulsar
- Adam Goss at Kraven Security
  - Unified Kill Chain: The 18-Phase Framework That Actually Models Modern Attacks
- Idan Cohen at Mitiga
  - Scattered Lapsus$ Shiny Hunters Strikes Salesforce Again
- Moonlock
  - Moonlock’s 2025 macOS threat report
- Natto Thoughts
  - Knownsec: The King of Vulnerability Missed Three Vulnerabilities of Its Own
- Jos Clephas at Nerium
  - Detecting RCE Exploits in React Applications using Host-Based Telemetry
- Oleg Skulkin at ‘Know Your Adversary’
  - 334. Adversaries Use Device Credential Deployment for Hiding Artifacts
  - 335. Adversaries Abuse Netlify for Malware Delivery
  - 336. Adversaries Keep Using Phishing to Compromise Linux Systems
  - 337. Adversaries Disable Plug and Play Devices
  - 338. Adversaries Change Windows Startup Folder Settings for Persistence
  - 339. Hunting for MuddyWater’s UDPGangster
  - 340. Adversaries Modify the Registry to Disable Two Core Windows Security Mechanisms
  - 341. Adversaries Abuse NSSM for Service Execution
- Aenosh Rajora at OSINT Team
  - Living Off the Land (LOTL): Turning Trusted Tools into Silent Weapons | Cyber Codex
- Picus Security
  - EDR-Freeze: The User-Mode Attack That Puts Security into a Coma
  - NotDoor Backdoor Analysis Uncovering APT28 Data Theft
  - Riddle Spider Avaddon Ransomware Analysis and Technical Overview
  - EtherHiding: How Web3 Infrastructure Enables Stealthy Malware Distribution
  - React Flight Protocol RCE Vulnerability: CVE-2025-55182 and CVE-2025-66478 Explained
  - The LockBit Comeback: How the Group Evolved After a Global Takedown
- Push Security
- Recorded Future
- SANS Internet Storm Center
- John Tuckner at Secure Annex
  - Glassworm stays prevalent
- Securelist
  - Shai Hulud 2.0, now with a wiper flavor
- Security Alliance
  - PSA: Fake Telegram Support Channels (Drainers)
- Sekoia
  - French NGO Reporters Without Borders targeted by Calisto in recent campaign
- Seqrite
  - Operation DupeHike: UNG0902 targets Russian employees with DUPERUNNER and AdaptixC2
- SOCRadar
  - Dark Web Market: B1ack’s Stash
- Rajan Sanhotra at Sophos
  - The State of Ransomware in Manufacturing and Production 2025
- Ethan Smith at Spur
  - What Is a Residential Proxy?
- Sysdig
  - Detecting React2Shell: The maximum-severity RCE Vulnerability affecting React Server Components and Next.js
- System Weakness
  - PowerShell Keylogger Malware Analysis LetsDefend CTF
  - Behind the scripts: chasing a clever ninja infostealer
  - [Blue Team Labs Online Write-up] Zeta End (Filefix, rclone, sliver and github attachment fille…
  - [Blue Team Labs Online Write-up] Rotten Cloud (Investigate hybrid cloud infra with Splunk)
  - [Blue Team Labs Online Write-up] The Walking Packets (Using Arkime to investigate web intrusion)
- Terryn at chocolatecoat4n6
  - Learning to ADAPT | Framework for analyzing any evidence in IR
- Nicholas Koken at Todyl
  - BECs In the Wild: When Millions of People Are Expecting the Same Email
- Karl Sigler at Trustwave SpiderLabs
  - Sha1-Hulud: The Second Coming of The New npm GitHub Worm
- Ugur Koc and Bert-Jan Pals at Kusto Insights
  - Kusto Insights – November Update
- Matthew Meltzer, Steven Adair, and Tom Lancaster at Volexity
  - Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks
- Shay Berkovich and Rami McCarthy at Wiz
  - Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact
- ZephrSec
UPCOMING EVENTS
- Black Hills Information Security
  - Talkin’ Bout [infosec] News 2025-12-08 #infosec #news
- Magnet Forensics
- Silent Push
  - Workshop: Unwrapping Festive Fraud — Hunting and Investigating Scam Sites
PRESENTATIONS/PODCASTS
- Hexordia
  - Truth in Data EP19: Closing the Gap: Recruiting and Retaining the Next DFIR Talent
- Adversary Universe Podcast
  - Defrosting Cybersecurity’s Cold Cases with CrowdStrike’s Tillmann Werner
- Black Hills Information Security
  - Talkin’ Bout [infosec] News 2025-12-01 #infosec #news
- Cellebrite
  - Cellebrite + Corellium: A Sit Down with CEO Tom Hogan and CTO Chris Wade
- Erik Pistelli at Cerbero
  - Memory Challenge 10: Mellitus
- Cyberwox
  - Cybersecurity SOC Analyst Investigation of BlackSun Ransomware with Splunk (TryHackMe Eclipse)
- InfoSec_Bret
  - IR – SOC300 – Right-to-Left Override Detected
- John Hammond
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Defeating ConfuserEx Anti-Analysis with Hooking
- LASCON
  - LASCON 2025
- Magnet Forensics
- Microsoft Threat Intelligence Podcast
  - The Grid, a Digital Frontier: E-ISAC on Securing the Power Grid
- Monolith Forensics
  - Creating a Task in Monolith
- MSAB
  - #MSABMonday – XAMN Pro Case Tags
- MyDFIR
- Off By One Security
  - Can’t Stop the ROP: Weaponizing ROP on Windows to Bypass System DLLs
- Parsing the Truth: One Byte at a Time
  - The Mushroom Murders Part 3
- Richard Davis at 13Cubed
  - 13Cubed AMA – Answering Your Questions!
- The Cyber Mentor
  - Why Baselining Helps Incident Response
- THE Security Insights Show
  - THE Security Insights Show Episode 281: Jingle Hack ’25: Elves on the Shelf (Watching Your Wi-Fi)
- The Weekly Purple Team
  - Can you get Cobalt Strike past EDR/XDR in 2025?
- Three Buddy Problem
  - APTs pounce on React2Shell; BRICKSTORM backdoors; .gov surveillance
MALWARE
- Any.Run
- Barracuda
  - Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit
- CISA
  - BRICKSTORM Backdoor
- Deep Instinct
  - DIANNA Explains 4: Nimbus Manticore—Monstrous Malware
- Dr Josh Stroschein
  - Buffer Overflow Basics: Using pattern_create and pattern_offset to Find EIP
- Fortinet
- Banu Ramakrishnan at G Data Software
  - Arkanix Stealer: Newly discovered short term profit malware
- Hunt IO
  - Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT
- Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee at Securonix
  - JS#SMUGGLER: Multi-Stage – Hidden iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery
- Shantaciak
  - Ultimate Daily Static Malware Analysis Practice Guide
- Shubho57
  - Analysis of a malicious executable
- Socket
  - Malicious Rust Crate evm-units Serves Cross-Platform Payloads for Silent Execution
  - npm Sees Surge of Auto-Generated “elf-stats” Packages Published Every Two Minutes
  - Malicious Go Packages Impersonate Google’s UUID Library and Exfiltrate Data
  - Malicious Crate Mimicking ‘Finch’ Exfiltrates Credentials via a Hidden Dependency
- Sophos
- Teoderick Contreras at Splunk
  - Behind the Walls: Techniques and Tactics in Castle RAT Client Malware
- Sarah Pearl Camiling, Junestherry Dela Cruz, Jacob Santos, Sophia Nilette Robles, Maristel Policarpio, and Raymart Yambot at Trend Micro
  - ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
- Jason Reaves at Walmart
  - Decoding Brickstorms Garble strings
- WeLiveSecurity
  - MuddyWater: Snakes by the riverbank
- ZScaler
MISCELLANEOUS
- Magnet Forensics
  - Magnet Virtual Summit 2026 Capture the Flag
- Melissa Lauro at Black Hills Information Security
  - Inside the BHIS SOC: A Conversation with Hayden Covington
- Cellebrite
  - Cellebrite Completes Acquisition of Corellium, Unveiling the Industry’s Most Advanced AI-Powered Digital Investigation Portfolio
- Decrypting a Defense
  - Signal Group Infiltration, Surveillance Advent Calendar, NYC FOIL Bill Passes, Facial Recognition When Traveling & More
- Josibel Mendoza at DFIR Dominican
  - DFIR Jobs Update – 12/01/25
- Doug Metz at Baker Street Forensics
  - 2025 Year in Review: Open Source DFIR Tools and Malware Analysis Projects
- Forensic Focus
  - Daren Greener, Managing Director, SYTECH
  - Struggling With CSAM Investigations? There’s A Smarter Way
  - Digital Forensics Round-Up, December 03 2025
  - What’s New In Oxygen Forensic® Detective v18.1
  - Detego Global Smashes Forensic Imaging Speed Records With Ballistic Imager
  - Passware Kit Mobile 2026 v1 Decrypts Samsung S10 And Other Exynos 9820/9825 Devices
  - Registration Is Open For Magnet Virtual Summit 2026!
  - UPCOMING WEBINAR – Spot Deepfakes And Stop Manually Describing CSAM
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (December 2025)
- N00b_H@ck3r
  - INE’s Certified Threat Hunting Professional (eCTHP) Certification Exam Review – Passed (11/2025)
- Patrick Siewert at ‘The Philosophy of DFIR’
  - A Major Flaw In The System
SOFTWARE UPDATES
- Adam at Hexacorn
  - DeXRAY v2.36
- Akhil Dara
  - Google Drive Forensics Suite
- Amped
  - Amped DVRConv and Engine Update 39376
- Arkime
  - v5.8.3
- Binary Ninja
  - 5.2 Release 2
- Erik Pistelli at Cerbero
  - Memory Analysis Package 0.7.6
- Digital Sleuth
- Erik Hjelmvik at Netresec
  - NetworkMiner 3.1 Released
- Joshua Hickman at ‘The Binary Hick’
  - Endtroducing…Lost Apples
- Manabu Niseki
  - Mihari v8.3.0
- OpenCTI
  - 6.8.15
- Passware
  - Passware Kit Mobile 2026 v1 Now Available
- Phil Harvey
  - ExifTool 13.43
- SigmaHQ
  - pySigma v1.0.2
- Xways
  - X-Ways Forensics 21.7 Preview 4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!