We haven’t talked about the weather in Seattle for a bit. Just kidding, I ALWAYS talk about the weather here! Did you know that Seattle weather is officially one of the most difficult to accurately forecast? This is due (in part) to the so-called “Puget Sound Convergence Zone,” but also to the fact that the area goes from sea level to 14,000 feet (4300m) within a 60 mile (97km) radius, that we’re sandwiched between two mountain ranges, and that we have a large patch of ocean that isn’t really the ocean because it’s a sound 🤷
In any case, today we reached 72 degrees Fahrenheit (22C), tomorrow will be 83 degrees (28C). June-uary better get here fast, I need three more weeks of gray and rain to adequately hydrate before summer starts on July 5th! But maybe the weather decided to “play along” and show the visitors that are coming to town for the FIFA World Cup a good time. Seattle is hosting four matches, including the US National Team 🇺🇸against the Socceroos 🇦🇺! And just like Matt Turner will keep close tabs on Jordan Bos and Nestory Irankunda, the DTI team has been busy keeping track of the latest threats.
We started May (or technically ended April if we’re being specific) with a look at the DPRK’s “Contagious Interview” campaign that weaponizes legitimate hiring workflows to compromise developer environments. The rest of May was spent taking a deeper dive into the Doppelganger campaigns we covered in March and looking at their operational pipeline and strategic significance. We rounded out the month with a look at the ZionSiphon malware sample, the OT malware designed to target Israeli water facilities with some critical flaws in its programming.
Let’s dive in and get you up to speed!
Hot Off the Presses
Threat Intelligence Report: ZionSiphon OT Malware First Attempts? Psyops? Both?
DTI researchers analyzed the ZionSiphon malware sample (“SCADA_SecurityPatch_v8.4.exe”), which has been circulating in public sandboxes since 2025. The malware is designed to target and sabotage water treatment and desalination facilities in Israel only. Our team identified a critical bug in the malware’s geographic validation logic that prevents the payload from activating in its intended environment. Beyond that flaw, the malware also lacks any external communication stack or command-and-control (C2) channel.
Based on our analysis, our team determined that ZionSiphon operates entirely at the Windows host layer, using registry persistence, PowerShell-based execution, and USB-oriented propagation logic. It is a real, functioning implant in terms of execution mechanics, but the XOR bug in its geographic validation logic prevents it from transitioning into an active sabotage phase, rendering it effectively non-operational as an ICS attack tool.

Threat Intelligence Report: The SDA / Structura / Doppelgänger, Influence Operations, Infrastructure, Reach, and Potential
After our first investigation into Doppelgänger in March, the DTI team took another deep dive into the Doppelgänger campaigns and their operational model. We broke down the narrative distribution model into four stages: content creation, Telegram amplification, X/Twitter injection, and narrative propagation. Our research determined that the Doppelgänger campaign is engineered for visibility, not direct persuasion. Its architecture (feeder websites, Telegram amplification, and coordinated X/Twitter activity) prioritizes rapid distribution and repeated exposure across platforms to maximize encounter frequency. Using this analysis, our team modeled the first 72 hours of a Doppelgänger campaign during a geopolitical crisis.
We also placed Doppelgänger in the larger doctrinal context of Russia’s “information confrontation” strategy. The operational structure of the Doppelgänger campaign demonstrates clear continuity with Soviet-era Active Measures, a category of covert influence operations. Historically, Active Measures campaigns relied on a combination of forged publications, front organizations, and intermediary actors to introduce narratives into foreign information environments. The Doppelgänger campaign represents the digital transformation of the same strategy.

DPRK Contagious Interview: Developer Workflow Compromise
Our team kicked off May with an analysis of the DPRK’s “Contagious Interview” campaign that weaponizes legitimate hiring workflows to induce execution of malicious code within trusted developer environments. The campaign targets software developers and technical personnel through fraudulent job interview processes conducted across platforms such as GitHub, LinkedIn, and direct messaging channels.

What We’re Reading
In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!
- The top article for the month: Spycloud - ShinyHunters, Supply CHAINS$ & Sketchy New Criminal Forums
- The top research for the month: Verizon - 2026 Data Breach Investigations Report
📚See the full reading list here
Where We’ll Be
- SLEUTHCON, Arlington, VA - 05 June
- Hacker Summer Camp, Las Vegas, NV - 01-09 August
Final Thoughts
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!
We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.
If you missed last month's content, here are some quick links:
- The AI Frame Campaign Continues
- MOIS Linked MOIST GRASSHOPPER / Homeland Justice / KarmaBelow80 / Handala Hackers / Campaigns and Evolution
- Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment
- DPRK Malware Modularity: Diversity and Functional Specialization
Thanks for reading & see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe/
https://infosec.exchange/@danonsecurity