Strengthen Your Identity Posture Before Attackers Find the Gaps In this cheat sheet, you’ll discover: • The four highest-risk identity categories to remediate today. • A step-by-step ISPM maturity model and 90-day implementation plan. • How to eliminate toxic permissions, enforce MFA, and remove dormant identities at scale. Download the ISPM Cheat Sheet

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Jessica Hyde at Hexordia
  Mobile Device Acquisitions: Why Immediate Action is Critical for Digital Evidence
  
  
• ThinkDFIR
  Examining the IconCache database
  
  
• Christopher Eng at DFIR Review
  Is that Windows Notepad window really empty?
  
  
• Forensafe
  iOS Bumble
  
  
• Kenneth G Hartman at Lucid Truth Technologies
  What Can Law Enforcement Find On Your iPhone
  
  
• Surya Teja
  • Uncovering Threats Through WAF Logs: A Threat Hunter’s Lens
  • Threat Hunting AWS CloudTrail: From Threat Intelligence to Proactive Risk Reduction
  • When MFA Wasn’t Enough: Review of a Real AiTM Incident
  • DFIR Report: TamperedChef Malware via Malvertising and Trojanized Utility
    

THREAT INTELLIGENCE/HUNTING

• ASEC
  GeoServer, Where Various CoinMiner Attacks Occur
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2025-12-11: SmartApeSG ClickFix activity using finger command
  • 2025-12-17: Mirai activity (Linux traffic)
  • 2025-12-22: StealC from files impersonating cracked versions of popular software
  • 2025-12-11: Kongtuke ClickFix activity using finger command
  • 2025-12-23: MacSync Stealer infection
    
    
• CERT-AGID
  Vulnerabilità critica in n8n. Rischio elevato per istanze esposte in rete
  
  
• Check Point
  • 22nd December – Threat Intelligence Report
  • Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection
    
    
• Jhon Astronomo at Cofense
  From Email to Exfiltration: How Threat Actors Steal ADP Login and Personal Data
  
  
• Allen Marin at Corelight
  Detecting Lateral Movement & Evasion Inside Your Network | Corelight
  
  
• CyberBoo
  Microsoft Defender for Endpoint – Part 6: Advanced Threat Hunting & KQL in Action
  
  
• Cyfirma
  Weekly Intelligence Report – 26 December 2025
  
  
• D3Lab
  • Finta promozione Conad: come funziona la nuova campagna di Scam che sfrutta i punti fedeltà
  • Attenzione al nuovo portale fake di Fineco: la trappola scatta dopo il Captcha
    
    
• DebugPrivilege
  Hunting CVE-2025-59287 in Memory Dumps
  
  
• Detect FYI
  • Threat Hunting with Osquery Manager
  • Forensic Insights into an EDR Freeze Attack
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week51)
  
  
• DomainTools Investigations
  B2B2C Supply Chain Attack: Hotel’s Booking Accounts Compromised to Target Customers
  
  
• Eric Capuano
  Hunting MongoBleed (CVE-2025-14847)
  
  
• FalconFeeds
  • Strategic Threat Assessment: The Qilin Ransomware Cartel (2022–2026)
  • The Lazarus Constellation: A Comprehensive Intelligence Dossier on the DPRK’s Cyber Warfare Apparatus (2009–2026)
    
    
• Flare
  • Cryptomining Supply-Chain Abuse on Docker Hub: Hiding Malware in Plain Sight
  • Investigating Cybercrime in the Crypto Underground
    
    
• Flashpoint
  The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion
  
  
• GreyNoise Labs
  ColdFusion++ Christmas Campaign: Catching a Coordinated Callback Calamity
  
  
• Group-IB
  Empty Promises in MENA: How Online Quick Cash Schemes Exploit the Gig Economy
  
  
• Huntress
  • Trial, Error, and Typos: Why Some Malware Attacks Aren’t as ‘Sophisticated’ as You Think
  • Tradecraft Tuesday Recap: React2Shell, ClickFix, and the Rise of AI Scams
    
    
• Ruben Madar at Intrinsec
  Mapping “Fly”, a threat actor with links to Russian Market’s infrastructure
  
  
• Sunny Chau at JUMPSEC Labs
  TokenFlare: Serverless AiTM Phishing in Under 60 Seconds
  
  
• Kevin Beaumont at DoublePulsar
  Merry Christmas Day! Have a MongoDB security incident.
  
  
• Level Blue
  A 2025 Threat Trends Analysis
  
  
• Magic Sword
  POORTRY Still Active in 2025: The Microsoft Signing Crisis That Won’t Go Away
  
  
• Matthew Plascencia
  Velciraptor 102
  
  
• Oleg Skulkin at ‘Know Your Adversary’
  • 355. Hunting for ESXCLI Abuse
  • 356. Adversaries Abuse Archive.org to Store Maicious PNG Files
  • 357. That’s Why I’m Talking About It That Often!
  • 358. Adversaries Abuse GoToHTTP for Redundant Access
  • 359. Hunting for Suspicious File Deletion Events
  • 360. That’s How Valley RAT Modifies Registry to Store Plugins
  • 361. That’s How Adversaries Manipulate Volume Shadow Copy Service
  • 362. Ransomware Gangs Use This Tool for Discovery
    
    
• Qi’anxin X Lab
  Dataset available for download: Real HTTP traffic with CVE tags
  
  
• Securelist
  • Assessing SIEM effectiveness
  • Evasive Panda APT poisons DNS requests to deliver MgBot
  • Threat landscape for industrial automation systems in Q3 2025
    
    
• Seqrite
  • UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel
  • Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
    
    
• Socket
  • Malicious Chrome Extensions “Phantom Shuttle” Masquerade as a VPN to Intercept Traffic and Exfiltrate Credentials
  • 2025 Report: Destructive Malware in Open Source Packages
  • Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
    
    
• Marco A. De Felice aka amvinfe at SuspectFile
  Anubis Ransomware: Inside the Mindset and Methods of a Modern Ransomware Group
  
  
• The Raven File
  REVISITING MEDUSA LOCKER RANSOMWARE
  
  
• Vasilis Orlof at Cyber Intelligence Insights
  Christmas Tycoon
  
  
• Chris Kelvin at Блог Solar 4RAYS
  Вскрываем Bincrypter
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Big Launch- Study Paths and FREE Labs- Pwndora
  
  
• ArcPoint Forensics
  • 12 Days of DFIRmas – Season 3, Episode 6: Keith Lockhart
  • 12 Days of DFIRmas – Season 3, Episode 7: Jessa Jones
  • 12 Days of DFIRmas – Season 3, Episode 8: Sam Brothers
    
    
• Black Hat
  Keynote: Inside the Ransomware Machine
  
  
• BSidesFrankfurt
  BSidesFrankfurt 2025
  
  
• Cellebrite
  Tip Tuesday: Training Opportunities at the C2C User Summit
  
  
• InfoSec_Bret
  SA – SOC153 EventID: 238 – Suspicious Powershell Script Executed
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – RenPy game, finding malware code in 2956 files, Beginner friendly
  
  
• Marcus Hutchins
  This Job Interview’s “Take-Home Test” Is Malware
  
  
• Monolith Forensics
  Case Stat Widgets in Monolith
  
  
• MSAB
  #MSABMonday – XRY iOS Screen Captures
  
  
• MyDFIR
  He Got Hired as a SOC Analyst – Here’s What Worked
  
  
• Parsing the Truth: One Byte at a Time
  Will Emojis Keep You Safe?
  
  
• Three Buddy Problem
  Quiet Wins, Loud Failures: A Year-End Cybersecurity Reckoning
  

MALWARE

• Charlie Eriksen at Aikido
  First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson
  
  
• CloudSEK
  Silver Fox Targeting India Using Tax Themed Phishing Lures
  
  
• Genians
  Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
  
  
• Jamf
  From ClickFix to code signed: the quiet shift of MacSync Stealer malware
  
  
• Tuval Admoni at Koi Security
  NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
  
  
• John Tuckner at Secure Annex
  Stayfocusd
  
  
• Pierre Le Bourhis and Jeremy Scion at Sekoia
  Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant
  
  
• Shubho57
  Analysis of a malicious Linux Script
  
  
• Zhassulan Zhussupov
  Malware development trick 55: enum process via NtQuerySystemInformation. Simple C example.
  

MISCELLANEOUS

• Yulia Samoteykina at Atola
  2025. Year in Review
  
  
• Brett Shavers
  DFIR (as we use it) started as a hashtag.
  
  
• Cellebrite
  The Corellium Mobile Security Playbook
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 12/22/25
  
  
• Elcomsoft
  Introducing free forensic tools
  
  
• Forensic Focus
  • SS8 Whitepaper Shows How Investigators Uncover Trade-Based Money Laundering
  • Si And Desi’s Holiday Special 2025
  • Forensic Focus and Northumbria University Launch International Well-Being Study for Digital Forensic Investigators
  • S21 VisionX Spotlight: Week 4 – Advanced Insight, Collaboration And Court-Ready Results
    
    
• Josh Brunty
  Bridging Academia and Industry: My Forcepoint Podcast on Cybersecurity Training & Recruitment
  
  
• Salvation DATA
  Factory Reset and Data Security: Is Your Phone Truly Clean?
  

SOFTWARE UPDATES

• Crowdstrike
  Falconpy Version 1.5.5
  
  
• Martin Korman
  Regipy 6.1.0
  
  
• Metaspike
  Forensic Email Intelligence 2.2.658 Release Notes
  
  
• MISP
  MISP v2.5.31 released – Stability, Synchronization Improvements & Year-End Knowledge Base Refresh
  
  
• OpenCTI
  6.9.4
  
  
• Phil Harvey
  ExifTool 13.45
  
  
• Xways
  X-Ways Forensics 21.7 Preview 6
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!