🛡️ InfoSec Blue Team Briefing

Monday, October 13, 2025


Good morning. This is your security briefing for Sunday, October 12, 2025, covering 9 articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.

Researchers Andrew Gan and Zahra Ghodsi present Sentry on arxiv.org, a GPU-based framework that authenticates machine learning artifacts to prevent supply chain attacks. The system uses cryptographic signing and GPU-accelerated Merkle trees to detect poisoned datasets and models during artifact loading, before deployment.
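The load-time check described above, as an added illustration rather than Sentry's own code: the producer publishes a manifest carrying per-chunk digests, a Merkle root and a tag over the root; the consumer recomputes the root before using the artifact and, on a mismatch, localises which chunks differ. Assumptions: an HMAC stands in for the paper's signature scheme, 4-byte chunks keep the constructed sample small, and the chunk/manifest layout is invented here.

```python
import hashlib
import hmac

CHUNK = 4                        # bytes per leaf; a real loader would use large blocks
LEAF, NODE = b"\x00", b"\x01"    # domain separation between leaf and inner hashes

def chunks(data: bytes, size: int = CHUNK) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]

def leaf_hash(chunk: bytes) -> bytes:
    return hashlib.sha256(LEAF + chunk).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE + left + right).digest()

def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:       # odd count: duplicate the last node
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def publish(data: bytes, key: bytes) -> dict:
    """Producer side: manifest with leaf digests, root and a tag over the root.
    Only the root is covered by the tag; the leaf list exists to localise damage."""
    leaves = [leaf_hash(c) for c in chunks(data)]
    root = merkle_root(leaves)
    return {"leaves": leaves, "root": root,
            "tag": hmac.new(key, root, hashlib.sha256).digest()}

def verify_at_load(data: bytes, manifest: dict, key: bytes) -> tuple:
    """Consumer side, run before the artifact is used.
    Returns (ok, tampered_chunk_indices)."""
    expected = hmac.new(key, manifest["root"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, []         # manifest itself is not trusted: stop here
    leaves = [leaf_hash(c) for c in chunks(data)]
    if merkle_root(leaves) == manifest["root"]:
        return True, []
    # Root mismatch: report chunks that differ from the signed manifest
    n, m = len(leaves), len(manifest["leaves"])
    bad = [i for i in range(min(n, m)) if leaves[i] != manifest["leaves"][i]]
    bad += list(range(min(n, m), max(n, m)))  # chunks added or removed
    return False, bad

if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed; not a real secret
    data = b"layer0:0123layer1:4567"          # constructed stand-in for a weights file
    manifest = publish(data, key)
    print(verify_at_load(data, manifest, key))
    print(verify_at_load(data[:9] + b"X" + data[10:], manifest, key))
```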

SJDC published a technical guide on collecting iPhone Unified Logs through macOS for digital forensics investigations. The article details methods to preserve up to 30 days of volatile iOS logging data and references the open-source UFADE tool, noting that some major mobile extraction tools delete these logs during acquisition.

Microsoft published security configuration guidance for Intune focused on implementing Windows LAPS to protect against credential theft and lateral movement. The guidance addresses scenarios where attackers exploit static local administrator passwords, ensuring unique and regularly rotated passwords on corporate Windows devices.

Google researchers demonstrate adversarial attacks against Gmail's Magika ML-based file-type identification system, achieving 90% evasion by modifying just 13 bytes of malware samples. The research also presents defensive mitigations that reduce attack success to 20% even when adversaries can modify 50 bytes.

Security researcher Zero Salarium at Two Seven One Three demonstrates a code injection technique targeting antivirus software processes to evade detection. The technique exploits the fact that antivirus processes are self-protected and exempted from their own monitoring, allowing injected code to perform normally blocked actions such as writing backdoors to antivirus folders.

Researcher Md. Abdullah Al Mamun reports that a Russian threat actor dubbed UNC-RUS-ZIC has been conducting attacks since September 2025, primarily targeting APAC countries including Indonesia, Japan, Thailand, Bangladesh, and India. The group operates in three teams exploiting SQL injection and multiple CVEs, coordinating through Telegram channels and dark web forums with evidence of automated AI tools.

IrpiMedia reports that Paragon spyware has been used to target high-profile individuals including the CEO of UniCredit bank. This represents a continued campaign using commercial surveillance technology against prominent business and political figures in sophisticated cyber-espionage operations.

Digital forensics researcher Andy Maloney documents how OneDrive's Quick Access feature stores user activity data locally in the Microsoft.FileUsageSync.db database. The research shows investigators can reconstruct recently accessed files, pinned items, and site metadata when offline mode is enabled, providing valuable forensic artifacts.

The Spanish Civil Guard dismantled a banking phishing network and arrested the main developer of credential-stealing kits operating in Spain. This operation targeted cybercriminals creating and distributing phishing tools designed to steal banking credentials, representing significant law enforcement action against phishing infrastructure developers.

📰 Articles Covered