2025年第44周数字取证与事件响应前沿技术动态汇总

Sponsored by Permiso Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security 在此次研讨会中，Permiso的首席技术官将涵盖： – 攻击者如何利用被盗的OAuth令牌，从GitHub转移到AWS，再进入Salesforce。 – 为何这种“全机器”攻击为SaaS供应链和非人类身份（NHI）敲响了警钟。 – 在您的环境中检测和遏制类似威胁的实用步骤。观看视频播客

一如既往，感谢所有给予支持的朋友们！

FORENSIC ANALYSIS

Erik Pistelli at Cerbero Memory Challenge 5: DumpMe Memory Challenge 6: Injector
Christopher Eng at Ogmini BelkaCTF 7 – AAR Metamorphosis BelkaCTF 7 – AAR Radars Homelab – Windows Answer files (unattend.xml/autounattend.xml) Windows Notepad – Windows 25H2 – Version 11.2507.26.0 Zeltser Challenge – Tenth Month Accomplishments
Forensafe Android Calendar
Adam Hachem at Hexordia Using Open Source Forensic Tools: Compiling from Code and Python Scripts
Justin De Luna at ‘The DFIR Spot’ Utilizing QELP for Rapid ESXi Analysis

THREAT INTELLIGENCE/HUNTING

0xMatheuZ Evading Elastic Security: Linux Rootkit Detection Bypass
360 Threat Intelligence Centre Recent Activity Analysis and Technological Evolution of APT-C-60 (False Hunter)
Faan Rossouw at Active Countermeasures Malware of the Day – Command and Control via Google Workspace APIs
Akash Patel Tracking Lateral Movement — Named Pipes, Scheduler, Services, Registry, and DCOM (Event IDs) Tracking Lateral Movement: PowerShell Remoting, WMIC, Explicit Credentials, NTLM Relay Attacks… Sublime Just Got Even Smarter: Automatic Calendar Event Deletion Is Here
Any.Run Major Cyber Attacks in October 2025: Phishing via Google Careers & ClickUp, Figma Abuse, LockBit 5.0, and TyKit
ASEC Analysis of Trigona Threat Actor’s Latest Attack Cases The Beast Ransomware Hidden in the GUI Analysis of Gunra Ransomware Using Vulnerable Random Number Generation Function (Distributed for Linux Environments in ELF Format) September 2025 APT Group Trends Distribution of Rhadamanthys Malware Disguised as a Game Developed with Ren’Py Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)
Australian Cyber Security Centre Don’t take BADCANDY from strangers – How your devices could be implanted and what to do about it
Maria Vasilevskaya at Auth0 8 Log Detections for Credential Stuffing and MFA Exploit Prevention
Bart Blaze Earth Estries alive and kicking
Brian Krebs at ‘Krebs on Security’ Aisuru Botnet Shifts from DDoS to Residential Proxies
CERT-AGID In corso uno smishing ai danni di Autostrade per l’Italia Sintesi riepilogativa delle campagne malevole nella settimana del 25 – 31 ottobre
Chainalysis Five Key Takeaways from MSMT’s Report on North Korean Cyber Operations
Check Point 27th October – Threat Intelligence Report Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites
Takahiro Takeda, Jordyn Dunk, James Nutland, and Michael Szeliga at Cisco’s Talos Uncovering Qilin attack methods exposed through multiple cases
Corelight No PoCs? No Problem: Hunting F5 Exploits When Details Are Sparse | Corelight Announcing Corelight Threat Intelligence with CrowdStrike | Corelight
CTF导航 APT追踪第一集：“神秘大象”APT组织攻击战术分析
Cybereason From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations
Cyble APT-C-60 Escalates SpyGlace Campaigns Targeting Japan with Evolved Malware, Advanced Evasion TTPs Hacktivist Attacks on Critical Infrastructure Surge: Cyble Report Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector
Cyfirma Weekly Intelligence Report – 31 October 2025
Darktrace Darktrace’s Analysis of Post-Exploitation Activities on CVE-2025-59287
Kennedy Toomey at Datadog Security Labs Learnings from recent npm supply chain compromises
DebugPrivilege Machines Gone Rogue
Sergio Albea at Detect FYI Threat Hunting over internal Devices via KQL Queries
Disconinja Weekly Threat Infrastructure Investigation(Week43)
DomainTools Investigations Inside the Great Firewall Part 1: The Dump
Elastic Elevating public sector cyber defense with AI-powered threat hunting | Elastic Blog
Elastic Security Labs TOR Exit Node Monitoring Overview
Aaron Walton at Expel Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
Eye Research Battling Shadow AI: Prompt Injection for the Good WSUS Deserialization Exploit in the Wild (CVE‑2025‑59287)
Flashpoint The Evolution of Data Extortion TTPs: From Exploiting Code to Exploiting People
Fortinet Stolen Credentials and Valid Account Abuse Remain Integral to Financially Motivated Intrusions Cloud Abuse at Scale
Gen Decrypted: Midnight Ransomware VibeScams: How AI website builders are shaping the internet Gen Q3/2025 Threat Report DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant
Genians Qilin Ransomware 분석
Bhavesh Dhake, Will Silverstone, Matthew Hitchcock, and Aaron Fletcher at Google Cloud Threat Intelligence Keys to the Kingdom: A Defender’s Guide to Privileged Account Monitoring
Group-IB The Illusion of Wealth: Inside the Engineered Reality of Investment Scam Platforms Detecting the NPM Supply Chain Compromise Before It Spread
Paolo Coba and Lee Kirkpatrick at GuidePoint Security Finding the Master Keys: How to Hunt Malicious Client Secrets in M365
Hudson Rock Logins.zip Leverages Chromium Zero-Day: Stealthy Infostealer Builder Promises 99% Credential Theft in Under 12 Seconds Russian Authorities Bust Meduza Infostealer Developers: Young Hackers Detained in Major Cybercrime Crackdown
Hunt IO Multilingual ZIP Phishing Campaigns Targeting Financial and Government Organizations Across Asia
Intrinsec Global Group: ransomware rebranding stories
Keisuke Shikano at JPCERT/CC TSUBAME Report Overflow (Apr-Jun 2025)
David at ØSecurity A bit about timestomping
Amy L. Robertson at MITRE ATT&CK ATT&CK v18: Detection Strategies, More Adversary Insights,
Oleg Skulkin at ‘Know Your Adversary’

Same Name, Wrong Path
Qilin Abuses Cyberduck for Exfiltration
Hunting for CVE-2025-59287 Exploitation
Hunting for Replication Through Removable Media
Adversaries Abuse Microsoft Windows Resource Leak Diagnostic Tool for Dumping Memory
BRONZE BUTLER Abuses Cloud Storage Services for Exfiltration

OSINT Team How Threat Hunters Think: The Mindset, Tools, and Methodology Fileless Loaders Explained : How Attackers Run Code in Memory MonsterV2 Malware-as-a-Service (MaaS) and the TA585 Threat Group’s Advanced ClickFix Campaigns…
Dan Green at Push Security New LinkedIn phishing campaign identified by Push Security
Qi’anxin X Lab Smoking Gun Uncovered: RPX Relay at PolarEdge’s Core Exposed
SANS Internet Storm Center Kaitai Struct WebIDE, (Sun, Oct 26th) Bytes over DNS, (Mon, Oct 27th) A phishing with invisible characters in the subject line, (Tue, Oct 28th) How to collect memory-only filesystems on Linux systems, (Wed, Oct 29th) X-Request-Purpose: Identifying “research” and bug bounty related scans?, (Thu, Oct 30th)
Sojun Ryu and Omar Amin at Securelist Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs
Sathwik Ram Prakki at Seqrite Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus
Silent Push Silent Push Unearths AdaptixC2’s Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads
Socket 10 npm Typosquatted Packages Deploy Multi-Stage Credential Harvester Security Community Slams MIT-linked Report Claiming AI Powers 80% of Ransomware
Sophos Phake phishing: Phundamental or pholly? BRONZE BUTLER exploits Japanese asset management software vulnerability
Stephan Berger Today I learned: binfmt_misc
Symantec Enterprise Ukrainian organizations still heavily targeted by Russian attacks
System Weakness CSI: Linux — Hunting for Persistence in the Ironshade Room ️‍ Detection Engineering Training: Detecting Browser Credential Theft Attacks Anatomy of a Phish: How We Got from the “Nigerian Prince” to Modern Scams
Sydney Marrone at THOR Collective Dispatch Dispatch Debrief: October 2025
Trend Micro Ransomware Spotlight: DragonForce
Oddvar Moe at TrustedSec Hack-cessibility: When DLL Hijacks Meet Windows Helpers
Varonis Meet Atroposia: The Stealthy Feature-Packed RAT The Silent Attackers: Exploiting VPC Endpoints to Expose AWS Accounts of S3 Buckets Without a Trace
Vasilis Orlof at Cyber Intelligence Insights Intel Drops #4
Vxdb Infostealers Disguised as Free Video Game Cheats
Iván Cabrera at White Knight Labs Methodology of Reversing Vulnerable Killer Drivers
Ben Powell (Sr. Web Content Writer) at ZScaler Understanding the Threat Hunting Lifecycle
Palo Alto Networks Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28) Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems

UPCOMING EVENTS

Black Hills Information Security Talkin’ Bout [infosec] News 2025-11-03 #infosec #news
Brett Shavers Fighting City Hall: DF/IR Lessons from a Pro Se Plaintiff. One judgment, two years saved, half a million reasons it was worth it.
Cellebrite Cellebrite + Corellium: Where Digital Forensics Meets Mobile Security
Cybersecurity mentors podcast Lessons Learned From the Australian National University Breach w/Suthagar Seevaratnam P2 | CMP S5 E4
Simply Defensive Balancing Education and Real-World Cybersecurity with a SOC Analyst Student | Simply Defensive S5 E4
Magnet Forensics Legal Unpacked E2: Beyond the app icon: Drafting mobile device warrants that reflect how data is really stored Smarter mobile investigations: Tools for today’s forensic service providers
SANS SANS Difference Makers Awards 2025
Silent Push Workshop – Detection Strengthening Integrations for Preemptive Cyber Defense: SIEM Edition Webinar – Unlocking the Power of Domain Search & PADNS-based Preemptive Detection – Silent Push
Sygnia Surviving the Breach: Lessons Learned From Past Breaches

PRESENTATIONS/PODCASTS

AhmedS Kasmani Cobalt Strike Loader Internals: From Loader to Shellcode Execution
Alexis Brignoni Digital Forensics Now Podcast S3 – 1
Cloud Security Podcast by Google EP249 Data First: What Really Makes Your SOC ‘AI Ready’?
Cyber Social Hub A.I. vs. Human Intuition
InfoSec_Bret Challenge – Hidden Backdoor
John Dwyer Malware analysis walkthrough – JavaScript Infostealer
Kevin Pagano at Stark 4N6 Truth in Data Podcast Feature – CTFs
Magnet Forensics Mobile Unpacked S3:E10 // Picking apart the passcodes: Determining the method of unlock on devices
Monolith Forensics Adding a Contact to a Case in Monolith
MSAB #MSABMonday – XAMN Pro Context
MyDFIR SOC Alert Triage Explained: What Most Beginners Get Wrong
Off By One Security ReVault! Compromised by your Secure SoC with Philippe Laulheret Scaling LLM-Based Vulnerability Research via Static Analysis and Document Ranking
Parsing the Truth: One Byte at a Time More with Larry on the Thing About Pam
Permiso Security Permiso Demo Webinar | October 30th, 2025
Richard Davis at 13Cubed The Easy Way to Analyze Linux Memory
SANS Cloud Security 2025 SANS CloudSecNext Summit
Security BSides Dublin Security BSides Dublin 2025
The Cyber Mentor LIVE: HTB Sherlocks! | Cybersecurity | Blue Team Intro to PowerShell: Hunting Network Activity.
Three Buddy Problem OpenAI’s Dave Aitel talks Aardvark, economics of bug-hunting with LLMs

MALWARE

Arctic Wolf UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
Bobby Rauch Breaking Down a Google Drive Phishing Scam — Total Security or Total Scam?
Abdallah Elnoty at eln0ty SpyNote C2 Emulator
ReversingLabs Evaluating YARA Rules for macOS Malware Hunting in Spectra Analyze Tracking an evolving Discord-based RAT family
John Tuckner at Secure Annex Who’s that Pokemon? It’s Monero! John Tuckner at Secure Annex SleepyDuck malware invades Cursor through Open VSX
Security Onion Spooky malware analysis!
Shubho57 Analysis of Latrodectus variant(msi installer)
The Reverser’s Draft The PEB Walk Anatomy
ThreatFabric New Android Malware Herodotus Mimics Human Behaviour to Evade Detection
Jeffrey Francis Bonaobra, Joe Soares, and Emmanuel Panopio at Trend Micro Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
Wordfence 100,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Anti-Malware Security and Brute-Force Firewall WordPress Plugin Rogue WordPress Plugin Conceals Multi-Tiered Credit Card Skimmers in Fake PNG Files Attackers Actively Exploiting Critical Vulnerability in WP Freeio Plugin
YUCA Malops Challenge 9:Katz Stealer Write Up

MISCELLANEOUS

Cellebrite Actor, Host, Artist and Anti-Human Trafficking Advocate Terry Crews to Headline Cellebrite C2C User Summit 2026 Find Your Investigative Path Sharing is Caring: Shifting the Paradigm of Digital Investigations Workflows Unlock the Strategic Advantage of AI in Digital Investigations Endpoint Inspector: A Modern, Flexible and User-Friendly Solution for Your Organization
CyberBoo Microsoft Defender for Endpoint Part 3: Alert Management & Investigation Fundamentals Microsoft Defender for Endpoint Part 4: Incident Management & Attack Story Analysis
Josibel Mendoza at DFIR Dominican DFIR Jobs Update – 10/27/25
Forensic Focus Digital Forensics Jobs Round-Up, October 27 2025 Oxygen Tech Bytes In September 2025 Digital Forensics Round-Up, October 29 2025 MSAB Whitepaper – Investigating RAM In A Mobile Device GMDSOFT Tech Letter Vol 15. Analyzing Anti-Forensic Traces Left By Location Spoofing Apps
HackTheBox Scattered Spider: A 90-day recovery plan to build better resilience
Iram Jack Intro to Cold System Forensics
Lykos Defence Whitepaper: From Chaos to Capability
Magnet Forensics Simplified start and export in Magnet Witness 1.10 From seizure to verdict: Strengthening prosecutions with clear, admissible digital evidence When the lab never sleeps Protecting sensitive media evidence with cloud security you can verify New! Magnet Certification Preparation
Patrick Siewert at ‘The Philosophy of DFIR’ Selling the Science: Marketing of DF/IR Services
Raymond Roethof Microsoft Defender for Identity Recommended Actions: GPO can be modified by unprivileged accounts

SOFTWARE UPDATES

Arkime v5.8.2
Arsenal Recon Quick Tour Of New Features In Arsenal Image Mounter v3.12.331
Didier Stevens Update: dnsresolver.py Version 0.0.4
Digital Detective NetAnalysis® v4.1 – Decrypting Firefox v144
Digital Sleuth winfor-salt v2025.12.1
Maxim Suhanov dfir_ntfs file system parser 1.1.20
OpenCTI 6.8.10
Sigmar 2025-11-01
Vound Intella 3.0.1 Release Notes
Xways X-Ways Forensics 21.7 Preview X-Ways Forensics 21.6 SR-1 X-Ways Forensics 21.5 SR-10 Viewer Component
YARA YARA v4.5.5

本周内容到此结束！如果您认为我遗漏了什么，或者希望我专门报道某些内容，请通过联系页面或在社交媒体上与我联系！使用代码 PM15 或点击此链接，在您的下一节Hexordia课程中获得15%的折扣！使用折扣码 thisweekin4n6，在 Cyber5w 的任何课程中获得15%的折扣。