What changed and why it matters

MSAB’s Q3 2025 release introduces BruteStorm Surge, a GPU‑accelerated brute‑force add‑on for XRY Pro that targets long/complex passcodes, alongside major suite updates: XAMN 8.3 adds cross‑app conversation threading and support for Cash App warrant returns; UNIFY 25.9 can ingest Cellebrite UFDR and GrayKey extractions; and XEC 7.15 brings role‑based access control (RBAC). These capabilities are confirmed in MSAB’s official update and the initial news brief. See MSAB’s release post and feature breakdown (MSAB Q3 2025; Forensic Focus news).

What changed on October 23, 2025

Microsoft announced general availability of a unified Microsoft Defender for Identity sensor that correlates identity and endpoint telemetry across on‑premises Active Directory, Microsoft Entra ID, and even third‑party identity providers (e.g., Okta), improving incident correlation and enabling automatic attack disruption with richer identity context. The post also signals migration guidance for existing customers in the coming months. Microsoft Security Blog, 2025‑10‑23.

Why this matters to DFIR: identity evidence that used to be scattered (AD security events, Entra sign‑ins, endpoint logons) is now designed to land in one incident and one hunting surface (Defender XDR), with contain/disable actions tied directly to identity context. That reduces dwell time and speeds attribution and scoping. Microsoft Security Blog.

Why this matters now

Forensic Focus’ Oct 22, 2025 roundup spotlights Microsoft’s new Digital Defense Report (MDDR) and a wave of DFIR-relevant updates. Microsoft reports that more than half of attacks with known motives are driven by extortion or ransomware, with 80% of investigated incidents targeting data theft for financial gain. Microsoft also processes ~100 trillion security signals daily, blocks ~4.5M new malware attempts, and analyzes 38M identity risk detections. Critically, over 97% of identity attacks are password attacks—and phishing‑resistant MFA can block >99% of them. (Forensic Focus roundup; Microsoft On the Issues article; MDDR 2025 overview). (forensicfocus.com)

What’s new

ESET documented a late‑March through mid‑2025 surge of Operation DreamJob activity attributed to North Korea–aligned Lazarus, targeting multiple European defense companies — including firms that build UAV components and UAV software — to steal proprietary designs and manufacturing know‑how. Initial access relied on classic “dream job” lures and trojanized readers/loaders; later stages delivered ScoringMathTea, a Lazarus RAT with ~40 commands. ESET links the focus on UAV know‑how to North Korea’s push to scale its domestic drone program. (ESET WeLiveSecurity). (welivesecurity.com)

Why this week matters

SANS Internet Storm Center’s Oct 24, 2025 Stormcast flags four items that should immediately shape triage and detection content across enterprise environments: an Android infostealer abusing Termux, active exploitation of Adobe Commerce/Magento “SessionReaper,” new cache-poisoning fixes for BIND and Unbound resolvers, and a released exploit for a critical WSUS deserialization RCE. Reference the minimal Stormcast entry and the full podcast summary for context (ISC diary 32418, podcast detail).

What changed this quarter and why DFIR should care

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on‑premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public‑facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post‑exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi‑actor abuse of new SharePoint bugs (CVE‑2025‑53770, CVE‑2025‑53771) related to earlier July CVEs (CVE‑2025‑49704, CVE‑2025‑49706), and stresses that only on‑prem servers are affected—not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE‑2025‑53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

What happened

On October 22, 2025, SentinelLabs documented a one‑day spearphishing operation dubbed “PhantomCaptcha” that targeted Ukraine-linked NGOs and regional government staff. The chain blends a fake Cloudflare CAPTCHA with a ClickFix/Paste‑and‑Run prompt that executes staged PowerShell, culminating in a WebSocket-based RAT using JSON tasking. The campaign’s notable indicators include lure domain zoomconference[.]app, backend C2 bsnowcommunications[.]com, an embedded XOR key, and explicit attempts to suppress PowerShell history. (SentinelLabs report). (sentinelone.com)

What happened and why DFIR teams should care

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public‑facing applications, driven largely by the ToolShell attack chain against on‑premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post‑compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Talos IR Q3 2025.

What happened and why it matters

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in‑process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off‑the‑shelf tools like Godzilla and GotoHTTP. Elastic report. (elastic.co)

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. Microsoft Security Blog. (microsoft.com)

The Golden Scale shift: from smash-and-encrypt to data-theft extortion at scale

Unit 42’s 5‑minute read on October 20, 2025 documents three notable shifts tied to Scattered LAPSUS$ Hunters (SLSH): a formal push toward extortion‑as‑a‑service (EaaS), renewed insider recruitment, and chatter about a new ransomware brand, “SHINYSP1D3R.” Their guidance: build playbooks that handle data‑theft extortion the way many of us handle encryption‑driven ransomware today—verification, negotiation posture, and reputation impact included (Unit 42, Oct 20, 2025). (unit42.paloaltonetworks.com)