Strengthen Your Identity Posture Before Attackers Find the Gaps In this cheat sheet, you’ll discover: • The four highest-risk identity categories to remediate today. • A step-by-step ISPM maturity model and 90-day implementation plan. • How to eliminate toxic permissions, enforce MFA, and remove dormant identities at scale. Download the ISPM Cheat Sheet

Sponsored by Permiso

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Damien Attoe
  The Realm Files – Vol 3 – The Realm Header
  
  
• Ross Donnelly at DFIR Review
  Word Documents – What Changed?
  
  
• Forensafe
  iOS Sharing Information
  
  
• Patrick Siewert at ‘The Philosophy of DFIR’
  It’s (Not) Just A Text Message!”
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Beyond good ol’ Run key, Part 149 – update
  • Beyond good ol’ Run key, Part 152
  • Beyond good ol’ Run key, Part 154
  • Beyond good ol’ Run key, Part 156
  • Beyond good ol’ Run key, Part 155
    
    
• Axelarator
  Cobalt Strike Beacon Analysis
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2025-12-28: Ten days of scans and probes and web traffic hitting my web server
  • 2025-12-07: Seven days of scans and probes and web traffic hitting my web server
  • 2025-12-29: ClickFix activity leads to NetSupport RAT
  • 2025-12-30: Lumma Stealer infection with follow-up malware
  • 2026-01-01: Lumma Stealer infection with follow-up malware
    
    
• Brian Krebs at ‘Krebs on Security’
  The Kimwolf Botnet is Stalking Your Local Network
  
  
• Check Point
  29th December – Threat Intelligence Report
  
  
• CloudSEK
  RondoDoX Botnet Weaponizes React2Shell
  
  
• Deceptiq
  Registry Writes Without Registry Callbacks
  
  
• Disconinja
  Weekly Threat Infrastructure Investigation(Week52)
  
  
• Erez
  More than 50% of Qilin’s “Victims” Never Get Leaked, and I Think That’s an Affiliate Verification Problem
  
  
• Exaforce
  • Detecting and interrupting a sophisticated Google Workspace intrusion with agentic AI security
  • When trusted third parties behave like threat actors
    
    
• Hudson Rock
  • The Industrialization of “ClickFix”: Inside ErrTraffic
  • From Victim to Vector: How Infostealers Turn Legitimate Businesses into Malware Hosts
    
    
• Huntress
  • The LDAP Whitespace Problem: Making Sigma Rules Work in Production
  • Rogue ScreenConnect: Common Social Engineering Tactics We Saw in 2025
    
    
• Oleg Skulkin at ‘Know Your Adversary’
  • 363. That’s How Arcane Werewolf Abuses Conhost
  • 364. Another RMM in a Ransomware Affiliate’s Toolkit
  • 365. The Zeltser Challenge Completed
  • 366. Adversaries Started to Abuse Controlio
    
    
• Deborah Donoghue at Salesforce Engineering
  How Agentforce Enabled Incident Response Automation to Cut Common Resolution Time by 70 – 80%
  
  
• SANS Internet Storm Center
  • Debugging DNS response times with tshark, (Fri, Jan 2nd)
  • Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th)
    
    
• Ayush Anand at Securityinbits
  wbadmin NTDS.dit dump detection for Domain Controllers
  
  
• Brian Baskin at Sublime Security
  5 email security trends from 2025 · Blog · Sublime Security
  
  
• Surya Teja
  • Continuing the Hunt: What PUT, DELETE, and PATCH Reveal in WAF Logs
  • From WAF Logs to Cloud Metadata: Reconstructing a Real Spring Boot Actuator Breach
    
    
• System Weakness
  YARA Rules — YARA mean one! — Writeup(DAY 13— Advent of Cyber TryHackMe 2025)
  
  
• THOR Collective Dispatch
  • Ask-a-Thrunt3r: December 2025 – DEcember 🐏
  • 80 Posts Later
    
    
• Wiz
  • MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know
  • Snipping the Long Tail of Shai-Hulud 2.0
    

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  2025 Wrapped: Updates on This Year’s Hottest Topics
  
  
• Archan Choudhury at BlackPerl
  Alert Triaging for SOC Analysts | Vulnerability Detected- Suplunk & Tenable
  
  
• Cellebrite
  Tip Tuesday: Decoding Engine Release
  
  
• DEFCON
  DEF CON 33 Recon Village
  
  
• InfoSec_Bret
  Challenge – WordPress Web Forensics
  
  
• Monolith Forensics
  Adding an E-signature to Your User Profile in Monolith
  
  
• MyDFIR
  Try Working On This For Your Next CTF
  
  
• Parsing The Truth: One Byte at a Time Podcast
  • S1 E32: Will Emojis Keep You Safe?
  • S1 E33: Digital Crumbs: Finding the final crumb to find Ricky Saxton’s Murderer
    
    
• Proofpoint
  Operation EndOfYear: New Malware, Popular Tactics, and Where AI Is Taking Us
  
  
• Sandfly Security
  • Sandfly Operation – Scheduling Agentless Linux Threat Detection
  • Sandfly Operation – Viewing and Understanding Linux Threat Alerts
  • Sandfly Operation – Scanning Linux Hosts for Threats with Sandfly
    
    
• The DFIR Journal
  How Attackers Steal an Entire Mailbox in Minutes
  
  
• THE Security Insights Show
  Cert till it Hurts!
  
  
• Threat Forest
  Uuden vuoden antispesiaali
  
  
• Three Buddy Problem
  A special mailbag episode with book recommendations
  

MALWARE

• Any.Run
  Malware Trends Q4 2025: Inside ANY.RUN’s Latest Threat Landscape Report 
  
  
• Chamindu Pushpika at ChamX
  Complete PAM Backdoor Malware Analysis – A Detailed Walkthrough
  
  
• Cyfirma
  APT36 : Multi-Stage LNK Malware Campaign Targeting Indian Government Entities
  
  
• Gal Hachamov at Koi Security
  GlassWorm Goes Mac: Fresh Infrastructure, New Tricks
  
  
• Pranay Kumar Chhaparwal and Lee Wei Yeong at Palo Alto Networks
  VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion
  
  
• John Tuckner at Secure Annex
  Prompt poaching runs rampant in extensions
  
  
• Noushin Shabab at Securelist
  The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor
  
  
• Shubho57
  Analysis of Makop Ransomware Variant
  

MISCELLANEOUS

• Derek Eiri
  Reflecting on 2025
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 12/29/25
  
  
• Josh Brunty
  Merry Christmas: A Gift of Code 🎁
  
  
• LockBoxx
  Course Review: Certified CyberDefender (CCD)
  
  
• Mat Fuchs
  When the Pager Goes Off at 3 AM: What Incident Response Can Learn from the Back of an Ambulance and…
  
  
• MISP
  • Empowering the Ecosystem: MISP’s 2025 Progress and the Open Source Future
  • NGSOTI: Building an Integrated Threat-Intelligence and Information Sharing Ecosystem for the Next Generation of SOC Analysts
    
    
• Oxygen Forensics
  Oxygen Forensics TechHub Mobile App: Your Central Connection to Oxygen Forensics
  
  
• Simone Kraus
  Resilience Without Illusions
  

SOFTWARE UPDATES

• Crowdstrike
  Falconpy Version 1.6.0
  
  
• Digital Sleuth
  winfor-salt v2026.0.0
  
  
• Elcomsoft
  Introducing Elcomsoft Quick Triage
  
  
• IntelOwl
  v6.5.0
  
  
• Martin Korman
  Regipy 6.2.0: New Plugins
  
  
• PuffyCid
  Artemis v0.17.0 – Released!
  
  
• radare2
  6.0.8
  
  
• Rapid7
  Velociraptor v0.75.6
  
  
• Serviço de Perícias em Informática
  IPED Major Release
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!