Strengthen Your Identity Posture Before Attackers Find the Gaps In this cheat sheet, you’ll discover: • The four highest-risk identity categories to remediate today. • A step-by-step ISPM maturity model and 90-day implementation plan. • How to eliminate toxic permissions, enforce MFA, and remove dormant identities at scale. Download the ISPM Cheat Sheet

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Kahng An at Cofense
  Windows Persistence Explained: Techniques, Risks, and What Defenders Should Know
  
  
• Emanuele De Lucia
  Safetensors Forensics: It’s “Safe”… Right?
  
  
• Forensafe
  Apple Data Usage
  
  
• InfoSec Write-ups
  Digital Forensics-[Ali Hadi — Mystery Hacked System Case]
  
  
• Julien Houry
  How are Prefetch created?
  
  
• Husam Shbib
  The Problem with Parsing Linux-Based Memory Dumps
  
  
• System Weakness
  • [CyberDefenders Write-up] Malicious PyPi (From pip to Sliver and Aurora stealer)
  • [CyberDefenders Write-up] Midnight RDP (Rouge RDP to Cobalt Strike beacon and Domain Compromise)
  • Design your first Windows Forensics Lab, as a defensive content engineer
    

THREAT INTELLIGENCE/HUNTING

• ASEC
  • Threats Behind the Mask of Gentlemen Ransomware
  • November 2025 APT Attack Trends Report (South Korea)
  • November 2025 Infostealer Trend Report
  • November 2025 Security Issues in Korean and Global Financial Sector
  • November 2025 APT Group Trends
  • November 2025 Trends Report on Phishing Emails
  • November 2025 Threat Trend Report on Ransomware
  • Distribution of EtherRAT Malware Exploiting React2Shell Vulnerability (CVE-2025-55182)
    
    
• Francis Guibernau at AttackIQ
  Ransom Tales: Volume VI — Throwback Edition! Emulating Ryuk, Conti, and BlackCat Ransomware
  
  
• AWS Security
  • Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure
  • What AWS Security learned from responding to recent npm supply chain threat campaigns
  • GuardDuty Extended Threat Detection uncovers cryptomining campaign on Amazon EC2 and Amazon ECS
    
    
• Black Hills Information Security, Inc.
  The Curious Case of the Comburglar
  
  
• Brian Krebs at ‘Krebs on Security’
  Most Parked Domains Now Serving Malicious Content
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 13 – 19 dicembre
  
  
• Check Point
  • 15th December – Threat Intelligence Report
  • Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
  • GachiLoader: Defeating Node.js Malware with API Tracing
    
    
• Cisco’s Talos
  UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
  
  
• David Burkett at Corelight
  Detecting CVE-2025-20393 on Cisco Email Gateways | Corelight
  
  
• Cyb3rhawk
  From Abstract to Acumen — Anatomy of a Modern BEC Attack
  
  
• Cyfirma
  Weekly Intelligence Report – 19 December 2025
  
  
• Datadog Security Labs
  Introducing Pathfinding.cloud
  
  
• Detect FYI
  In-the-Wild Threat Hunting Using Composite Scoring and VirusTotal Telemetry
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week50)
  
  
• DomainTools Investigations
  The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation
  
  
• Dzianis Skliar
  Beyond Credentials: The Hidden Ecosystem of InfoStealers and the Log Economy
  
  
• Flare
  • Phishing Kits: An Interactive Deepdive
  • Hunting for Live Phishing Infrastructure Based on Cybercrime Intelligence
    
    
• Gen
  • GhostPairing Attacks: from phone number to full access in WhatsApp
  • Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers
    
    
• GreyNoise
  • Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways
  • There’s Payloads, And Then There’s pAIloads: A Look At Selected Opportunistic (And Possibly AI-“Enhanced”) React2Shell Probes and Attacks
    
    
• Group-IB
  Choose Your Fighter: A New Stage in the Evolution of Android SMS Stealers in Uzbekistan
  
  
• HackTheBox
  Eek, a GodRAT: A step-by-step breakdown of a financial sector attack
  
  
• Hunt IO
  Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns
  
  
• Huntress
  • The OID Problem: Writing LDAP Detections That Actually Work
  • A Series of Unfortunate (RMM) Events
    
    
• Infoblox
  Parked Domains Become Weapons with Direct Search Advertising
  
  
• Jonathan Johnson
  RAG, ICL, and Windows Events: Building a Human-Guided Security Analyst
  
  
• Adam Goss at Kraven Security
  FlowViz: Turn 40-Page Threat Reports into Visual Attack Flows in Under a Minute
  
  
• Microsoft Security
  Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components
  
  
• Austin Bollinger at Mitiga
  Now You See Me: GitHub Logs
  
  
• Natto Thoughts
  The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations
  
  
• Nebulock
  • CVE-2025-55182: Finding Behaviors That Give Away React Server Components RCE
  • The Agentic Threat Hunting Framework
    
    
• Nextron Systems
  Say hello to Nextron’s RuneAI
  
  
• NVISO Labs
  • The Detection & Response Chronicles: Exploring Telegram Abuse
  • Integrating Abuse Case Scenarios to Improve Authorization Testing
    
    
• Oleg Skulkin at ‘Know Your Adversary’
  • 348. Adversaries Hide Malicious Scripts Inside Subtitle Files
  • 349. Adversaries Masquerade Legitimate Executables as Documents to Enable DLL Side-Loading
  • 350. Threat Actors Leveraged the Discord API as Their C2 Channel
  • 351. Adversaries Abuse Telegram for Payload Execution Notification
  • 352. That’s How Ink Dragon Downgrades Security Controls
  • 353. Adversaries Abuse Fastly for C2 Infrastructure
  • 354. Adversaries Modify Registry to Make the Console Window Appear Off-Screen
    
    
• Rizqi Setyo Kusprihantanto at OSINT Team
  Digging Into LockBit 5.0: A Casual Review Insight
  
  
• Picus Security
  • How NoName057(16) Uses DDoSia to Attack NATO Targets
  • FunkSec RaaS Operations: Hacktivism Meets Cybercrime
  • HardBit 4.0 Ransomware Analysis
    
    
• Seojun Kim at Plainbit
  Remote Collection Using CrowdStrike RTR(Real-Time Response)
  
  
• Proofpoint
  Access granted: phishing with device code authorization for account takeover
  
  
• Grace Chi at Pulsedive
  2025 In Review
  
  
• Qi’anxin X Lab
  Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices
  
  
• Recorded Future
  • BlueDelta’s Persistent Campaign Against UKR.NET
  • The $0 Transaction That Signaled a Nation-State Cyberattack
    
    
• Red Canary
  • KPop Malware Hunters: 2025’s takedowns
  • Intelligence Insights: December 2025
    
    
• Ryan Hausknecht
  Azure Storage Account Attacks and Detections
  
  
• S-RM
  React2Shell used as initial access vector for Weaxor ransomware deployment
  
  
• SANS Internet Storm Center
  • More React2Shell Exploits CVE-2025-55182, (Mon, Dec 15th)
  • Positive trends related to public IP ranges from the year 2025, (Thu, Dec 18th)
  • Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)
  • DLLs & TLS Callbacks, (Fri, Dec 19th)
    
    
• Sansec
  Critical backdoor found in MGT Varnish extension
  
  
• Securelist
  • Frogblight threatens you with a court case: a new Android banker targets Turkish users
  • Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports
  • Yet another DCOM object for lateral movement
  • Cloud Atlas activity in the first half of 2025: what changed
    
    
• Nitish Singh, Nikhil Kumar Chadha, and Tanmay Kumar at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – November 2025
  
  
• Gabriel Bernadett-Shapiro, Jim Walter & Alex Delamotte at SentinelOne
  LLMs & Ransomware | An Operational Accelerator, Not a Revolution
  
  
• Siddhant Mishra
  The $200K Missile Problem: Using Radar’s Micro-Doppler Effect for Sub-Second C2 Precision
  
  
• Silent Push
  Shining a Light on the Global Bulletproof Hosting Ecosystem
  
  
• Lauren Stemler and Ryan Fetterman at Splunk
  Predicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends
  
  
• Joe Metzler at Spur
  How to Address Proxy-Based Attacks and Meet MITRE D3FEND Recommendations Using IP and Session Intelligence
  
  
• Strikeready
  Russian APT actor phishes the Baltics and the Balkans
  
  
• SuspectFile
  Securotrop: from affiliation to independence, the evolution of a young ransomware group
  
  
• Team Cymru
  The Indictment Is the IOC: Using Legal Records to Hunt DPRK Remote Workers
  
  
• Trellix
  • The Fake Domain Controller You Didn’t See Coming: Detecting DCShadow Attacks Using Trellix NDR
  • Amadey Exploiting Self-Hosted GitLab to Distribute StealC
    
    
• WeLiveSecurity
  • ESET Threat Report H2 2025
  • LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan
    
    
• YLabs
  In depth analysis of the alleged Qilin, DragonForce and LockBit alliance
  

UPCOMING EVENTS

• Arctic Wolf
  2026 Threat Report
  
  
• Black Hills Information Security
  • Talkin’ Bout [infosec] News 2026-01-05 #infosec #news
  • Zero to Zeek: Build a Network Sensor Fast and Easy w/ Troy Wojewoda
    
    
• Magnet Forensics
  Leveraging grants to power digital investigations
  
  
• SANS
  • Stay Ahead of Ransomware – The AI Arms Race: When Both Sides Have Copilots
  • AI-Powered Ransomware: How Threat Actors Weaponize AI Across the Attack Lifecycle
    

PRESENTATIONS/PODCASTS

• Hexordia
  Truth in Data EP20: Breaking Down Silos: How to Foster Cooperation
  
  
• Adversary Universe Podcast
  Is This Endgame? How Takedowns Are Reshaping eCrime
  
  
• ArcPoint Forensics
  • 12 Days of DFIRmas – Season 3, Episode 1: Brett Shavers
  • 12 Days of DFIRmas – Season 3, Episode 2: Josh Hickman
  • 12 Days of DFIRmas – Season 3, Episode 2: Manny Kressel
  • 12 Days of DFIRmas – Season 3, Episode 4: Becky Passmore & Stacy Eldridge
  • 12 Days of DFIRmas – Season 3, Episode 5: Jeremy McBroom
    
    
• BSides Cape Town
  From Impersonation to Exploitation: A look at Mobile Malware Campaigns – Brent Shaw & Dr Roboto
  
  
• Erik Pistelli at Cerbero
  • Memory Challenge 13: TeamSpy
  • Memory Challenge 14: RogueOne
    
    
• InfoSec_Bret
  IR – SOC293 – Exfiltration Over Pastebin Detected
  
  
• Magnet Forensics
  S3:E12 // A few of our favorite things: 12 artifacts to bring us investigative joy
  
  
• Marcus Hutchins
  North Korean Spies Hacked Thousands Of Developers
  
  
• Meet and Confer with Kelly Twigger
  From “We Can’t” to “Here’s How” — A Practical Discussion on Hyperlinked Files in Discovery
  
  
• Microsoft Threat Intelligence Podcast
  Whisper Leak: How Threat Actors Can See What You Talk to AI About
  
  
• Monolith Forensics
  Creating a Child Evidence Item in Monolith
  
  
• MSAB
  #MSABMonday – MSAB Digital Summit 2026
  
  
• MyDFIR
  Cybersecurity SOC Analyst Lab – LLMNR Poisoning (Poisoned Credentials)
  
  
• Parsing the Truth: One Byte at a Time
  12 Days of DFIR
  
  
• The Weekly Purple Team
  🚨 Zero-Day NTLMv2 Hash Leak via Microsoft Photos URI Scheme
  
  
• Three Buddy Problem
  What’s behind US gov push to ‘privatize’ cyber operations?
  
  
• Yaniv Hoffman
  How Malware Really Works (What Most People Miss)
  

MALWARE

• BI.Zone
  Arcane Werewolf revamps its arsenal with Loki 2.1 implant
  
  
• Cyble
  Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns
  
  
• Rahul Ramesh at Howler Cell
  From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader
  
  
• Lalu Raynaldi Pratama Putra at Intellibron
  Lua-JIT SmartLoader: Analyzing the GitHub Campaign Delivering Stealer
  
  
• Nicole Fishbein at Intezer
  Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
  
  
• Debmalya Datta at K7 Labs
  Phantom 3.5: Initial Vector Analysis & Forensics
  
  
• Koi Security
  • 8 Million Users’ AI Conversations Sold for Profit by “Privacy” Extensions
  • Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users
    
    
• Anmol Maurya and Jingwen Shi at Palo Alto Networks
  From Linear to Complex: An Upgrade in RansomHouse Encryption
  
  
• Milan Spinka at Rapid7
  SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums
  
  
• Petar Kirhmajer at ReversingLabs
  NuGet malware targets Nethereum tools
  
  
• Sekoia
  Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader
  
  
• Shubho57
  Analysis of an Autocolor Backdoor variant
  
  
• Kirill Boychenko at Socket
  Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords
  
  
• Sophos
  I am not a robot: ClickFix used to deploy StealC and Qilin
  
  
• Squiblydoo.blog
  SolarMarker: Actions-On-Target
  
  
• Sysdig
  EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2
  
  
• ZScaler
  • BlindEagle Targets Colombian Government Agency with Caminho and DCRAT
  • Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign
    

MISCELLANEOUS

• Atola Technology
  Voices of DFIR: 8 Professionals You Should Follow
  
  
• Manny Kressel at Bitmindz
  The Xeon Fallacy: Your Forensic Workstation Is Slower and More Expensive
  
  
• Brett Shavers
  Your DF/IR Tool Can’t Tell You Who Did It. FACT Tells You When You’re Allowed To.
  
  
• Cellebrite
  • Master Mobile Data for Legal Success
  • Navigate the Data Deluge in Investigations
  • A Powerful Partnership to Transform Mobile Data in eDiscovery
    
    
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 12/15/25
  
  
• Jorn Pieterse at Eye Research
  AitM Block: Preventing Modern M365 Phishing Attacks
  
  
• Forensic Focus
  • Patchy Progress: How UK Police Forces Are Responding To The Oscar Kilo Enhanced Occupational Health Standards
  • Exterro INFORM 2025: A Global Webinar Series For DFIR Practitioners
  • GMDSOFT Tech Letter Vol 17. Detecting Hotspot Connection Evidence On Suspect Devices
  • S21 VisionX Spotlight: Week 3 – Specialist Tools For Real-World Investigations
  • Digital Forensics Round-Up, December 17 2025
  • Passware Kit 2026v1: Decrypt BitLocker On AMD-Based Desktops
  • Oxygen Forensics On Smarter, Faster Remote DFIR Collections
    
    
• Google Workspace
  Google Workspace audit log API enhancements now available
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Which extended attributes does macOS Tahoe preserve?
  
  
• Magnet Forensics
  Magnet Nexus now supports Targeted Locations (and more!)
  
  
• Matthew Plascencia
  Velociraptor 101
  
  
• Pyae Heinn Kyaw
  GX-FA Exam Review
  
  
• Blake Newton at The Metadata Perspective
  My First Certification: A Week Inside the Berla Vehicle Forensics Course
  

SOFTWARE UPDATES

• Berla
  iVe Software v4.14 Release
  
  
• Canadian Centre for Cyber Security
  Assemblyline 4.6.1.1
  
  
• Didier Stevens
  Update: pecheck.py Version 0.7.19
  
  
• Digital Sleuth
  winfor-salt v2025.14.14
  
  
• Google
  Timesketch 20251219
  
  
• Metaspike
  • Forensic Email Collector (FEC) Changelog – 4.3.654.1288
  • Forensic Email Intelligence – 2.2.658
    
    
• OpenCTI
  6.9.3
  
  
• Passmark Software
  OSForensics V11.1 build 1014 17th December 2025
  
  
• Passware
  Passware Kit 2026 v1 Now Available
  
  
• Phil Harvey
  ExifTool 13.44 (production release)
  
  
• Security Onion
  Security Onion 2.4.200 now available with Major Improvements for our Onion AI Assistant!
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!