Strengthen Your Identity Posture Before Attackers Find the Gaps In this cheat sheet, you’ll discover: • The four highest-risk identity categories to remediate today. • A step-by-step ISPM maturity model and 90-day implementation plan. • How to eliminate toxic permissions, enforce MFA, and remove dormant identities at scale. Download the ISPM Cheat Sheet

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Akash Patel
  Memory Forensic vs EDR — Talk
  
  
• Forensafe
  Android Application Roles
  
  
• Fortinet
  Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl
  
  
• Alex Bilz
  Bundespolizei CTF 2025 Walkthrough: Cracking the Code of Germany’s Federal Police 🚔
  
  
• Marco Neumann at ‘Be-binary 4n6’
  Samsung Core Services – Module “ai search” and its value for digital forensics analysis
  

THREAT INTELLIGENCE/HUNTING

• React2Shell
  • React2Shell exploited to deploy EtherRAT across cloud servers
  • React2Shell: How Attackers Exploited CVE-2025-55182 Within Hours
  • Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
  • React2Shell Side Quest: Tracking Down Malicious MeshCentral Nodes
  • React2Shell (CVE-2025-55182): Dissecting a Node.js RCE Against a Production Next.js App
  • PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
  • React2Shell: Decoding CVE-2025-55182 – The Silent Threat in React Server Components
  • Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors
  • It didn’t take long: CVE-2025-55182 is now under active exploitation
  • React2Shell flaw (CVE-2025-55182) exploited for remote code execution
  • EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks
  • The Anatomy of a React2Shell Compromise
  • React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182
  • React2Shell: Remote Code Execution Vulnerability (CVE-2025-55182)
    
    
• Faan Rossouw at Active Countermeasures
  Malware of the Day – TXT Record Abuse in DNS C2 (Joker Screenmate)
  
  
• AttackIQ
  • Revisiting the Versatile Qilin Ransomware
  • Response to CISA Advisory (AA25-343A): Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
    
    
• Australian Cyber Security Centre
  Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
  
  
• Tony Burgess at Barracuda
  Malware Brief: Android in the crosshairs — FvncBot, SeedSnatcher, ClayRat
  
  
• BI.Zone
  • Mapping and leveraging cyber threat landscape to predict attacks
  • Leveraging darknet to predict attacks
    
    
• Bitdefender
  • ClickFix: A KISS from Cybercriminals
  • Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain
  • Bitdefender Threat Debrief | December 2025
    
    
• Brian Krebs at ‘Krebs on Security’
  Microsoft Patch Tuesday, December 2025 Edition
  
  
• CERT-AGID
  • Campagna malevola in atto abusa di utenze PA tramite allegati PDF e accesso a Figma
  • Sintesi riepilogativa delle campagne malevole nella settimana del 6 – 12 dicembre
    
    
• Check Point
  • 8th December – Threat Intelligence Report
  • Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
  • Global Cyber Attacks Increase in November 2025 Driven by Ransomware Surge and GenAI Risks
    
    
• Hendrix Garcia at Cofense
  Phishers Get Creative: The NoteGPT Twist You Didn’t See Coming
  
  
• Cyfirma
  Weekly Intelligence Report – 12 December 2025
  
  
• Martin McCloskey, Christophe Tafani-Dereeper, and Julie Agnes Sparks at Datadog Security Labs
  Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users
  
  
• DebugPrivilege
  How Citrix Fixed an ESC1 Risk in Their Documentation
  
  
• Detect FYI
  • KQL Techniques for Email URL Redirect Hunting
  • Measuring Malice: When Being ‘Almost Right’ Is Exactly Wrong
  • Rethinking Benign Alerts: A New Perspective for Detection Engineering
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week49)
  
  
• DomainTools Investigations
  Chinese Malware Delivery Domains Part IV
  
  
• Erik Hjelmvik at Erik Hjelmvik at Netresec
  Latrodectus BackConnect
  
  
• Esentire
  Hackers are Celebrating the Holidays Big this Year Selling ChatGPT, Perplexity and Gemini Subscriptions for 40% to 75% Off!
  
  
• F5 Labs
  ShellShock Makes a Comeback and RondoDox Changes Tactics
  
  
• Agapios Tsolakis at Falcon Force
  How data science can boost your detection engineering maintenance and keep you from herding sheep
  
  
• FalconFeeds
  • Threat Actor Roleplay: When Gangs Pose as Hacktivists to Obscure True Intent
  • Threat Intel in the Age of Browser-Based Attacks: Why CTI Must Shift to the Client-Side Frontier
  • Cybercrime Localization: How Threat Actors Tailor Campaigns to Regional Cultures
    
    
• Flashpoint
  Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor
  
  
• Group-IB
  • Stranger Threats Are Coming: Group-IB Cyber Predictions for 2026 and Beyond
  • Fighting Credit Fraud in Uzbekistan: An Uphill Battle Against Social Engineering
    
    
• HP Wolf Security
  • HP Wolf Security Threat Insights Report: December 2025
  • Attackers Love Cookies: Tracing the Rise of Breaches Involving Session Cookie Theft
    
    
• Hudson Rock
  The Infostealer to APT Pipeline: How Lazarus Group Hijacked a Yemen Disinformation Network
  
  
• Huntress
  • Hardening the Hypervisor: Practical Defenses Against Ransomware Targeting ESXi
  • AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat
  • Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
    
    
• Infoblox
  The DNS Threat Landscape December 2025: A Three-month Lookback
  
  
• Pieter Arntz at Malwarebytes
  GhostFrame phishing kit fuels widespread attacks against millions
  
  
• Microsoft Security
  Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 342. Mshta – A Great Target for Hunting
  • 343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses
  • 344. Adversaries Added Another Forensic Tool to Their Arsenal
  • 345. That’s How Adversaries Remove Indicators from Compromised Systems
  • 346. Hunting for Suspicious User Accounts
  • 347. Adversaries Modify Registry to Inhibit System Recovery and Analysis
    
    
• Pepe Berba
  Decompiling run-only AppleScripts
  
  
• Picus Security
  • APT28 Cyber Threat Profile and Detailed TTPs
  • APT15 Cyber Espionage: Campaigns and TTPs Analysis
    
    
• Push Security
  • Analysing a sophisticated Google malvertising attack
  • ConsentFix: Browser-native ClickFix hijacking OAuth grants
    
    
• Recorded Future
  • GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
  • Implications of Russia-India-China Trilateral Cooperation
  • Palestine Action: Operations and Global Network
    
    
• Red Canary
  • Beyond the bomb: When adversaries bring their own virtual machine for persistence
  • Bun and done: The second coming of the Shai-Hulud worm
    
    
• Salvation DATA
  CDN Forensics: How to Reveal the Real IP Address Behind Modern Content Delivery Networks
  
  
• SANS Internet Storm Center
  • Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection), (Wed, Dec 10th)
  • Using AI Gemma 3 Locally with a Single CPU , (Wed, Dec 10th)
  • Abusing DLLs EntryPoint for the Fun, (Fri, Dec 12th)
    
    
• Valery Akulenko and Dmitry Sabadash at Securelist
  Hunting for Mythic in network traffic
  
  
• Dakota Cary at SentinelOne
  Malicious Apprentice | How Two Hackers Went From Cisco Academy to Cisco CVEs
  
  
• Mike Watson at Sysdig
  How to detect multi-stage attacks with runtime behavioral analytics
  
  
• System Weakness
  [CyberDefenders Write-up] BumbleSting (Bumblebee leads to domain compromised and Conti ransomware)
  
  
• The Raven File
  REACT2SHELL: EXPLOITATION IN THE WILD
  
  
• Maulik Maheta and Chao Sun at Trellix
  Silent Domain Hijack: Detecting DCSync with Trellix NDR
  
  
• Trend Micro
  • AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows
  • The Next Phase of Cybercrime: Agentic AI and the Shift to Autonomous Criminal Operations
  • SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics
  • PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
    
    
• Daniel Kelley at Varonis
  Spiderman Phishing Kit Mimics Top European Banks With A Few Clicks
  
  
• VirusTotal
  Introducing Saved Searches in Google Threat Intelligence (GTI) and VirusTotal (VT): Enhance Collaboration and Efficiency
  
  
• Hassan Khafaji at White Knight Labs
  From Veeam to Domain Admin: Real-World Red Team Compromise Path
  
  
• Gili Tikochinski and Yaara Shriki at Wiz
  Gogs 0-Day Exploited in the Wild
  

UPCOMING EVENTS

• Black Hills Information Security
  • Inside SOC: Triage Smarter, Not Harder w/ Tom Dejong
  • Talkin’ Bout [infosec] News 2025-12-15 #infosec #news
    
    
• Huntress
  Community Fireside Chat | The Evolution of Cyber Insurance: Rethinking Carrier Vendor Panels
  
  
• Magnet Forensics
  S3:E12 // A few of our favorite things: 12 artifacts to bring us investigative joy
  

PRESENTATIONS/PODCASTS

• Behind the Binary by Google Cloud Security
  EP20 Windows Under the Hood: Kernel Design, EDRs, and the Shift to VBS with Pavel Yosifovich
  
  
• BSides Cape Town
  BSides Cape Town 2025
  
  
• Cellebrite
  Tip Tuesday: 101 Cheat Sheets
  
  
• Cerbero
  • Memory Challenge 11: BOughT
  • Memory Challenge 12: BlackEnergy
    
    
• Cloud Security Podcast by Google
  EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking
  
  
• Huntress
  Tradecraft Tuesday | You’re the Expert: How to Survive Your Family’s Cybersecurity Q&A
  
  
• InfoSec_Bret
  IR – SOC293 – Exfiltration Over Pastebin Detected
  
  
• John Hammond
  • Infostealer Malware Logs Analyzed by… AI !?!
  • Hacking Endpoint to Identity (Microsoft 365): “ConsentFix”
    
    
• Magnet Forensics
  AI Unpacked #7: The human side of Magnet Forensics’ approach to AI
  
  
• Monolith Forensics
  Adding Evidence Photos in Monolith
  
  
• MSAB
  • #MSABMonday – XAMN Pro Deleted Artefacts
  • Forensic Fix Episode 25
    
    
• MyDFIR
  • How the MYDFIR SOC Community Taught Me to Think Like a SOC Analyst
  • SOC Alert Triaging | Day 10 of TryHackMe Advent of Cyber 2025
  • From Retail to Cybersecurity Training | Oscar’s Self-Taught Journey
    
    
• Off By One Security
  • Machine Identity & Attack Path: The Danger of Misconfigurations!
  • Machine Identity & Attack Path: The Danger of Misconfigurations! 📱
    
    
• Parsing the Truth: One Byte at a Time
  Mushroom Murders Part 4
  
  
• Permiso Security
  Non-Human Identities (NHIs) and AI – Securing The Next Era of Identities
  
  
• Proofpoint
  Ho-Ho-Hold Up—Is That Message Real? Bad Santas Are Sending Seasonal Scams
  
  
• SANS
  DFIR Summit Prague 2025
  
  
• The Cyber Mentor
  LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team
  
  
• Three Buddy Problem
  Legal corruption, React2Shell exploitation, dual-use AI risks
  

MALWARE

• Nathan Richards at Bridewell
  Converging Ransomware Tradecraft: Analysis of a Multi-Phase Attack
  
  
• Jordyn Dunk and Chetan Raghuprasad at Cisco’s Talos
  New BYOVD loader behind DeadLock ransomware attack
  
  
• CTF导航
  APT-C-26（Lazarus）组织利用WinRAR漏洞部署Blank Grabber木马的技术分析
  
  
• Andrea Draghetti at D3Lab
  Inside BTMOB: An Analytical Breakdown of a Leaked Android RAT Ecosystem
  
  
• Elastic Security Labs
  NANOREMOTE, cousin of FINALDRAFT
  
  
• G Data Software
  • Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon
  • Browser Hijacking: Three Technique Studies
    
    
• Idan Dardikman at Koi Security
  The VS Code Malware That Captures Your Screen
  
  
• Hiroaki Hara at Palo Alto Networks
  01flip: Multi-Platform Ransomware Written in Rust
  
  
• Petar Kirhmajer at ReversingLabs
  VS Code extensions use fake image containing a trojan
  
  
• Pierre Le Bourhis and Jeremy Scion at Sekoia
  Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration
  
  
• Jim Walter at SentinelOne
  CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains
  
  
• Seqrite
  • Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia
  • Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware
  • Operation MoneyMount-ISO — Deploying Phantom Stealer via ISO-Mounted Executables
    
    
• Shubho57
  Analysis of an unknown sample which is attributed to Mysterious Elephant
  
  
• Sophos
  GOLD SALEM tradecraft for deploying Warlock ransomware
  
  
• Puja Srivastava at Sucuri
  WordPress Auto-Login Backdoor Disguised as JavaScript Data File
  
  
• Gladis Brinda R and Ashwathi Sasi at ZScaler
  Technical Analysis of the BlackForce Phishing Kit
  

MISCELLANEOUS

• Adam Hachem at Hexordia
  Announcing Evanole Virtual Machine
  
  
• Belkasoft
  Preventing Data Leaks: Offline-First DFIR with Belkasoft X
  
  
• Brett Shavers at DFIR.Training
  A Bootable Forensic OS is not a Virtual Machine
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 12/08/25
  
  
• Forensic Focus
  • Digital Forensics Jobs Round-Up, December 08 2025
  • SYTECH Director Calls For More Funding To Improve Early Intervention In Gateway Crimes
  • Safeguarding Digital Evidence: Best Practices And The Critical Role Of ISO/IEC 17025
  • Picture The Proof: Powering Investigations With Exterro Imager Pro
  • S21 VisionX Spotlight: Week 2 – Automation, Prioritisation And Faster Evidence Discovery
  • Digital Forensics Round-Up, December 10 2025
  • From Extraction To Analysis: MSAB’s Q4 2025 Innovations For Faster & Smarter Investigations
  • The Idaho Murders: From Behavioural Clues To AI’s Role In Digital Forensics
  • Cellebrite Completes Acquisition Of Corellium, Unveiling The Industry’s Most Advanced AI-Powered Digital Investigation Portfolio
  • Oxygen Remote Explorer v.2.0.1 Is Here!
  • Forensic Focus Digest, December 12 2025
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Who decides to quarantine files?
  
  
• LockBoxx
  Course Review: Certified CyberDefender – Incident Response Optional Module
  
  
• Magnet Forensics
  • Preserving evidence in the age of inactivity timers: When time becomes the threat
  • What the work leaves behind — and why I still fight for it
    
    
• Tryfon Skandamis at NVISO Labs
  Managing SIEM Log Collectors at Scale with Ansible and GitHub Actions – Part 1
  
  
• OSINT Team
  The best digital forensics frameworks
  
  
• TobyG at sentinel.blog
  Finding and Writing KQL Queries with the Model Context Protocol
  
  
• VMRay
  Discover the Best Incident Response Tools: A Comprehensive Guide for 2026
  

SOFTWARE UPDATES

• MISP
  MISP v2.5.30 and v2.5.29 released: Beta UI/UX Mode, New Workflow modules and Performance Enhancements
  
  
• MSAB
  Q4 2025 Major Release is now available
  
  
• MuSecTech
  Appending an Embedded Toolkit in AChoirX
  
  
• OpenCTI
  6.9.0
  
  
• Xways
  • X-Ways Forensics 21.3 SR-13
  • X-Ways Forensics 21.4 SR-9
  • X-Ways Forensics 21.5 SR-11
  • X-Ways Forensics 21.6 SR-3
  • Miscellaneous
  • X-Ways Forensics 21.7 Preview 5
    
    
• Yogesh Khatri
  • mac_apt 20251206
  • spotlight_parser v1.0.4
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!