网络安全与数字取证周报：40期威胁态势与技术洞见

Sponsored Content Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security 在本次会议中，Permiso公司的CTO将探讨：

攻击者如何利用窃取的OAuth令牌从GitHub移动到AWS再到Salesforce。
为何这次“全机器”攻击为SaaS供应链和NHI敲响了警钟。
在您所在环境中检测和遏制类似威胁的实用步骤。观看视频播客由Permiso赞助

一如既往，感谢那些给予支持的朋友们！

FORENSIC ANALYSIS

Brian Maloney OneDrive. Let’s take this offline
Chainalysis DPRK IT Workers: Inside North Korea’s Crypto Laundering Network
Christopher Eng at Ogmini Lifecycle of a Digital Photo on a Android Pixel 7 – Part 2 Android Forensics – Filesystem Timestamps ADB Script
Elcomsoft iPhone 17: the End of PWM Flickering? Breaking into Password Managers: from Bitwarden to Zoho Vault AI in Digital Forensics: a Tool, not an Oracle
Forensafe iOS AllTrails
Iram Jack Memory Analysis Introduction Memory Acquisition
Magnet Forensics Making media authentication easier to understand with automated analysis Magnet Forensics support for iOS 26 That One Artifact: The search history that spoke volumes
Maltego Exposing Pig Butchering Operations with Maltego
Matthew Plascencia iOS 26 is On Location With More AI Goodness iOS 26 New Artifacts II
Mattia Epifani at Zena Forensics Exploring Data Extraction from iOS Devices: What Data You Can Access and How
OSINT Team Volatility3: Navigating the SAM registry hive from memory image
The DFIR Report From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

THREAT INTELLIGENCE/HUNTING

Faan Rossouw at Active Countermeasures Malware of the Day – Agent-to-Agent Communication via SMB (AdaptixC2)
Adam at Hexacorn Using .LNK files as lolbins
ASEC XiebroC2 Identified in MS-SQL Server Attack Cases
Ayelen Torello at AttackIQ Ransom Tales: Volume IV – Emulating Rhysida, Charon and Dire Wolf Ransomware
Chi Tran, Charlie Bacon, and Nirali Desai at AWS Security Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm
BI.Zone Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks
c-APT-ure Using NetBIOS names for pivoting and threat clustering
CERT Ukraine Бекдор CABINETRAT використовується UAC-0245 для цільових кібератак у відношенні СОУ (CERT-UA#17479)
CERT-AGID Sintesi riepilogativa delle campagne malevole nella settimana del 27 settembre – 3 ottobre
Check Point 29th September – Threat Intelligence Report
Joey Chen at Cisco’s Talos UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
codetodeploy Inside the VMware CVE Cluster: Enumeration, Escalation, and Exposure
Ben Reardon at Corelight Hunting GTPDOOR at Black Hat USA 2025 | Corelight
CyberBoo Microsoft Defender for Identity Deep Dive: Part 1
Cyberdom Unlocking Microsoft Sentinel MCP
Cyfirma Weekly Intelligence Report – 3 October 2025
Dark Atlas Threat Profile: Conti Ransomware Group
Darktrace Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace
Detect FYI The missing link in MDR. Spoiler, it starts with a Detection Engineering framework. Threat Hunting sessions via AuthenticationProcessingDetails on AADSignInEventsBeta Use KQL to Surface Non-Recommended TLS Parameters (IANA-based)
Disconinja Weekly Threat Infrastructure Investigation(Week39)
DomainTools Investigations SecuritySnack: 18+E-Crime
Paul Asadoorian at Eclypsium The Hunt for RedNovember: A Depth Charge Against Network Edge Devices
Elastic Security Labs FlipSwitch: a Novel Syscall Hooking Technique WARMCOOKIE One Year Later: New Features and Fresh Insights
FalconFeeds Digital Fault Lines: The Weaponization of Ethnic and Religious Tensions in Regional Cyber Conflicts Proxy Wars in Cyberspace: Tracking Nation-State Influence Through Threat Actor Alliances
Guillaume Valadon and Carole Winqwist at GitGuardian Red Hat GitLab Breach: The Crimson Collective’s Attack
Omar ElAhdan, Matthew McWhirt, Michael Rudden, Aswad Robinson, Bhavesh Dhake, and Laith Al at Google Cloud Threat Intelligence Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations
GreyNoise Coordinated Grafana Exploitation Attempts on 28 September Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
HackTheBox Sandworm unleashed: Inside APT44’s Dune-inspired cyber destruction
Hunt IO Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia
Huntress Don’t Sweat the ClickFix Techniques: Variants & Detection Evolution Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
Infoblox Detour Dog: DNS Malware Powers Strela Stealer Campaigns
Kijo Ninja at Kijo Ninja Rclone C2 data exfiltration technique
Adam Goss at Kraven Security Stop Drowning in Data: Build Your Own CTI Aggregator for Free
Doug Olenick at LevelBlue SpiderLabs Ransomware Tracker Update September 2025: Qilin, Akira Top Ransomware Attackers
Idan Cohen at Mitiga ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches
Netscout Keymous+ Threat Actor Profile
NVISO Labs You name it, VMware elevates it (CVE-2025-41244) Lunar Spider Expands their Web via FakeCaptcha What Did the Attacker Read? MailItemAccessed Tells You
Oleg Skulkin at ‘Know Your Adversary’ 271. Does an Adversary Need to Install an RMM? 272. Here’s Another Interesting Staging Folder You Can Use for Hunting 273. That’s How PDB Paths Help to Uncover Malicious Files 274. That’s How Phantom Taurus Abuses Exchange Management Shell 275. Hunting for Suspicious URLs 276. Hunting for Suspicious IIS Modules 277. Adversaries Abuse a Free Request Logging Service as C2 278. Hunting for Suspicious XLL Files
Palo Alto Networks Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite The Case for Multidomain Visibility
Art Ukshini at Permiso P0LR Espresso – Pulling Shots of Cloud Live Response & Advanced Analysis
Picus Security Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact Blue Report 2025: How to Act on 16M Attack Simulation Findings RomCom Threat Actor Evolution (2023–2025)
Resecurity ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
Ashlee Benge at ReversingLabs Hunting SharpHounds with Spectra Analyze
Sandfly Security Sandfly 5.5.4 – Chinese Rootkit Decloaking
SANS Hunting SaaS Threats: Insights from the FOR589 Course on Cybercriminal Campaigns Log for Normal to Find Evil: Lessons from Real Crimes and Cyberattacks
SANS Internet Storm Center Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400), (Mon, Sep 29th) [Guest Diary] Comparing Honeypot Passwords with HIBP, (Wed, Oct 1st) “user=admin”. Sometimes you don’t even need to log in., (Tue, Sep 30th) More .well-known Scans, (Thu, Oct 2nd)
Cristian Souza at Securelist Forensic journey: hunting evil within AmCache
Ayush Anand at Securityinbits Discovery using nltest, net and whoami
Jeremy Scion and Marc N. at Sekoia Silent Smishing : The Hidden Abuse of Cellular Router APIs
Seqrite Exploiting Legitimate Remote Access Tools in Ransomware Campaigns
Shantaciak Investigating Email Threats: Why the Inbox Is Still the Front Door
Siddhant Mishra Kimsuky/APT43 Phishing Infrastructure: A Technical Evolution
SOCRadar Dark Web Profile: Scattered Lapsus$ Hunters
Claudia Preciado at Stairwell Building on CISA’s Salt Typhoon YARA Rules: Stairwell finds 637 New Variants
Brandon Webster and Bryan Campbell at Sublime Security Impersonated Evite and Punchbowl invitations used for credential phishing and malware distribution
Kyle Knight at Sucuri Enhancing File Transfer Security with SSH Key Authentication
System Weakness Windows Credential Theft Detection Logs Fundamentals | TryHackMe Write-Up Introduction to SIEM | TryHackMe Write-Up Reverse Engineering Session 2 by KK TAN ~ Real-world study CVE-2025–8088 [Experience Sharing] HTB Holmes CTF Writeup: The Card SOC127 — SQL Injection Detected — LetsDefend — Solution
THOR Collective Dispatch Ask-a-Thrunt3r: September 2025 Recap Agentic Threat Hunting, Part 2: Starting a Hunt Repo
Niranjan Hegde and Sijo Jacob at Trellix XWorm V6: Exploring Pivotal Plugins
Richard Grainger at Triskele Labs Qilin on the rise: what Australian organisations need to know
Jean-Francois Gobin at Truesec She Sells Web Shells by the Seashore (Part I)
Elliot Roe at Valdin Introducing YARA Rules: Search and Monitor the Internet’s Infrastructure with YARA
Joseliyo Sánchez at VirusTotal Advanced Threat Hunting: Automating Large-Scale Operations with LLMs
Vishal Thakur Introducing TLP:Black — A New Layer of Confidentiality

UPCOMING EVENTS

Cellebrite Exploited Online, Trapped Offline: Scam Compounds and Human Trafficking in APAC
Cyber Social Hub What is Changing at Cyber Social Hub
Magnet Forensics Learn tips and best practices for reviewing and analyzing media evidence from leading media forensics experts Cyber Unpacked S2:E4 // Voices from the field: Trends, challenges, and what’s next in DFIR
Simply Defensive Hands-On Defense: Markus Schober on DFIR, Labs, and Building Better Blue Teamers | S5 E1

PRESENTATIONS/PODCASTS

Alexis Brignoni DIgital Forensics Now Podcast S3 – E0
Behind the Binary by Google Cloud Security EP16 The Machine Learning Revolution in Reverse Engineering with Hahna Kane Latonick
Patterson Cake at Black Hills Information Security Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)
Cellebrite Tip Tuesday: Final Call for Papers for the C2C User Summit
Erik Pistelli at Cerbero Memory Challenge 1: Reveal
Cyber Social Hub The FTK Imager Pro Game-Changer
InfoSec_BretSA – SOC211-161 – Utilman.exe Winlogon Exploit Attempt
John Hammond reverse engineering for beginners
Magnet Forensics Legal Unpacked E1: Search warrants for digital evidence: The data-driven approach
Monolith Forensics Sharing Files & Reports with Relay Users Case Details in Monolith
MSAB XAMN Early Access
MyDFIR SOC Automation Project 2.0: How To Use AI in Your SOC Workflow
Parsing the Truth: One Byte at a Time Business Email Compromise
The Cyber Mentor Intro to PowerShell: Investigating Windows Processes
Three Buddy Problem Oracle cl0p ransomware crisis, EU drone sightings, Cisco bootkit fallout

MALWARE

Mauro Eldritch at Any.Run FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware
hasherezade at Check Point Rhadamanthys 0.9.x – walk through the updates
Cleafy Klopatra: exposing a new Android banking trojan operation with roots in Turkey
Dr Josh Stroschein IDA Pro Basics – Collapsing Function Folders, the Easy Way
Dr. Web Doctor Web’s Q3 2025 virus activity review Doctor Web’s Q3 2025 review of virus activity on mobile devices
Cara Lin at Fortinet Confucius Espionage: From Stealer to Backdoor
Nicole Fishbein at Intezer Beginner’s guide to malware analysis and reverse engineering
Uma Madasamy at K7 Labs Breakingdown of Patchwork APT
Marc Messer and Dave Truman at Kroll FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
OSINT Team Opened a Can of XWorms
Shubho57 Analysis of a javascript file leads to Koi Loader Stealer
Puja Srivastava at Sucuri Malvertising Campaign Hides in Plain Sight on WordPress Websites
ThreatFabric Datzbro: RAT Hiding Behind Senior Travel Scams
Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon at Trend Micro Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Daniel Kelley at Varonis MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments
Шифровальщики-вымогатели The Digest “Crypto-Ransomware” Lamia

MISCELLANEOUS

CyberCX A case for expeditious investigations
Belkasoft [ON-DEMAND COURSE] BelkaGPT: Effective Artificial Intelligence in DFIR
Djordje Lukic at Binalyze Why Detecting Browser-Stored Passwords Strengthens Cyber Resilience
Cyber Codex A Deep Dive into the Ransomware Timeline and Its Shadow Empire | Cyber Codex
Dr. Brian Carrier at Cyber Triage AI Principles for Digital Forensics and Investigations (DFIR)
Josibel Mendoza at DFIR Dominican DFIR Jobs Update – 09/29/25
Elan at DFIR Diva Techno Security & Digital Forensics Conference: October 27-29, 2025
Forensic Focus Oxygen Analytic Center v.1.6: Smarter, Faster, More Secure Investigations Digital Forensics Jobs Round-Up, September 29 2025 Inside The Fight Against Child Exploitation – Leadership And Wellness Lessons From Debbie Garner
Howard Oakley at ‘The Eclectic Light Company’ Inside the Unified Log 3: Log storage and attrition Explainer: inodes and inode numbers
Kenneth G. Hartman at Lucid Truth Technologies Defending Criminals: Are Defense Attorneys, Investigators, and Experts Working for the Dark Side?
Magnet Forensics What does the State of Enterprise DFIR look like today? Share your insights in our survey!
Passware All About PDF Decryption
Sandfly Security Sandfly Now Available On Microsoft Azure Marketplace

SOFTWARE UPDATES

Datadog Security Labs GuardDog v2.7.0
Digital Sleuth winfor-salt v2025.11.0
Elcomsoft Elcomsoft Distributed Password Recovery adds support for 8 password management apps
Google Timesketch 20250929
MALCAT 0.9.11 is out: ARM and MachO analysis
Metaspike Forensic Email Collector (FEC) Changelog – 4.2.579.104 Forensic Email Intelligence – 2.2.579
Microsoft msticpy – OAuth v2.0 fix for Defender
MISP MISP 2.5.22 released with improvements and bugs fixes
MSAB Q3 2025 Major Release is now available
OpenCTI 6.8.2
Phil Harvey ExifTool 13.38
radare2 6.0.4
Sigma Release r2025-10-01
WithSecure Labs Chainsaw v2.13.0

以上就是本周的全部内容！如果您认为我遗漏了什么，或者希望我专门报道某些内容，请通过联系页面或社交媒体与我联系！使用代码 PM15 或点击此链接享受您下一节Hexordia课程15%的折扣跟我一起上课吧！使用折扣码 thisweekin4n6 在 Cyber5w 享受任意课程 15% 的折扣。