Eighteen Newsletters and a Dozen Roses

Published on: 
July 9, 2026

June was unusually warm here in Seattle, which for a region that claims “June-uary” as a Season, is noteworthy. We made the best of it by watching Team USA defeat the Socceroos in a 2-0 victory at our beloved “Seattle Stadium” - Did you hear we have been ranked the #1 World Cup stadium this time around?. Of course it all came to an end yesterday, when the Belgian “Red Devils” (who have claimed that name for longer than Manchester United) gave the Team USA a soccer lesson they won’t soon forget. That 4-1 defeat stung, especially since it was the last game Seattle hosted this time around. Well, there are always the Mariners.

Despite heat and soccer, we still spent the month investigating emerging threats, talking about our already emerged research, and preparing for Hacker Summer Camp. We started with an investigation into an attacker-in-the-middle credential-harvesting kit targeting Microsoft365 and EntraID identities. Next our team analyzed Russian-linked cyber operations targeting SOHO routers for DNS-hijacking and adversary-in-the-middle intelligence collection, as well as communications-layer collection from messaging platforms like Signal and WhatsApp. 

The team and I also attended SLEUTHCON in Arlington, VA; if you didn’t get a chance to say hi and grab a T-shirt, we will be in Las Vegas for Hacker Summer Camp next month with lots of swag. Ending the month, we published research on the targeting of water systems by Russian, Iranian, and PRC-aligned threat actors. As an added bonus, our friends at Dark Reading picked up the story and published their own article based on our research - I highly recommend giving it a read. I also had the pleasure of joining CyberWire’s Dave Bittner for an episode of his Research Saturday podcast talking about last month’s related research on the ZionSiphon OT malware sample. Now, let’s dive in and get you up to speed.  

Hot Off the Presses 

SecuritySnack - Hijacking Corporate Sessions

DTI researchers kicked off June with an investigation into a fully operational Adversary-in-the-Middle (AiTM) credential-harvesting kit targeting Microsoft 365 and Entra ID identities. The kit runs through a three-to-five stage funnel starting from financial, recruiting, and document related domain name themes. The funnels typically begin with an anti-analysis CAPTCHA gate to filter sandboxes, followed by a corporate email harvest stage that builds trust by dynamically rendering the victim's employer logo and filtering out personal email addresses. The final stage is a pixel-perfect, AiTM reverse proxy of the Microsoft sign-in page, which brokers the live authentication flow and successfully intercepts every credential, Multi-Factor Authentication (MFA) code (including Push, TOTP, and SMS), and post-authentication session cookie.

Read the snack here

Threat Intelligence Report: Russia, Router, DNS, and Messaging-Layer Collection Operations

The DTI team pivoted to an analysis of Russian-linked cyber operations targeting SOHO routers for DNS-hijacking and adversary-in-the-middle intelligence collection, as well as communications-layer collection from messaging platforms like Signal and WhatsApp. By targeting routers and bending DNS, Russian operators are able to watch traffic, steer chosen victims, and steal credentials without putting malware on the machine. Meanwhile, their work against Signal, WhatsApp, Telegram, and Microsoft 365 gives them access to messages, contacts, trusted names, and private conversations. 

Russia is increasingly treating edge infrastructure and messaging platforms as persistent intelligence-collection terrain. Router compromise provides GRU-linked operators with a passive upstream vantage point over victim traffic, while messaging-account compromise provides visibility into human networks, operational discussions, authentication workflows, and trusted social relationships. Together, these operations support long-duration intelligence collection, access persistence, credential interception, social-graph mapping, and pre-positioning for future contingency operations.

Read our full analysis here

Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026

To wrap up the month, our researchers took a deep dive into the targeting of water systems by Russian, Iranian, and PRC-aligned threat actors. Recent activity targeting water systems includes Iranian IRGC-linked targeting of exposed programmable logic controllers (PLCs), Russian and pro-Russian access to municipal water-control environments, and PRC-linked pre-positioning in U.S. critical infrastructure, including water and wastewater systems. U.S. federal agencies, including CISA, FBI, NSA, and EPA, have warned that many utilities remain exposed through internet-facing human-machine interfaces (HMIs) and PLCs, weak credentials, shared accounts, legacy devices, limited monitoring, and poor IT/OT segmentation. 

While each nation uses a slightly different model for these operations, they all are used as shaping tools rather than destructive actions. Russia tends to pair infrastructure access with pressure and destabilization. Iran often blends symbolic retaliation, psychological signaling, and opportunistic disruption. In contrast, China places more emphasis on long-term pre-positioning and strategic persistence.

Read the breakdown here 

Where We’ll Be

  • ‍Hacker Summer Camp, Las Vegas, NV, 01-09 August

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/

https://infosec.exchange/@danonsecurity

Related Content

Newsletters
Eighteen Newsletters and a Dozen Roses

June’s roundup of research - from cyberattacks on water infrastructure OT and ICS to DNS hijacking and an AiTM campaign targeting Microsoft365 users. 

June was unusually warm here in Seattle, which for a region that claims “June-uary” as a Season, is noteworthy. We made the best of it by watching Team USA defeat the Socceroos in a 2-0 victory at our beloved “Seattle Stadium” - Did you hear we have been ranked the #1 World Cup stadium this time around?. Of course it all came to an end yesterday, when the Belgian “Red Devils” (who have claimed that name for longer than Manchester United) gave the Team USA a soccer lesson they won’t soon forget. That 4-1 defeat stung, especially since it was the last game Seattle hosted this time around. Well, there are always the Mariners.

Despite heat and soccer, we still spent the month investigating emerging threats, talking about our already emerged research, and preparing for Hacker Summer Camp. We started with an investigation into an attacker-in-the-middle credential-harvesting kit targeting Microsoft365 and EntraID identities. Next our team analyzed Russian-linked cyber operations targeting SOHO routers for DNS-hijacking and adversary-in-the-middle intelligence collection, as well as communications-layer collection from messaging platforms like Signal and WhatsApp. 

The team and I also attended SLEUTHCON in Arlington, VA; if you didn’t get a chance to say hi and grab a T-shirt, we will be in Las Vegas for Hacker Summer Camp next month with lots of swag. Ending the month, we published research on the targeting of water systems by Russian, Iranian, and PRC-aligned threat actors. As an added bonus, our friends at Dark Reading picked up the story and published their own article based on our research - I highly recommend giving it a read. I also had the pleasure of joining CyberWire’s Dave Bittner for an episode of his Research Saturday podcast talking about last month’s related research on the ZionSiphon OT malware sample. Now, let’s dive in and get you up to speed.  

Hot Off the Presses 

SecuritySnack - Hijacking Corporate Sessions

DTI researchers kicked off June with an investigation into a fully operational Adversary-in-the-Middle (AiTM) credential-harvesting kit targeting Microsoft 365 and Entra ID identities. The kit runs through a three-to-five stage funnel starting from financial, recruiting, and document related domain name themes. The funnels typically begin with an anti-analysis CAPTCHA gate to filter sandboxes, followed by a corporate email harvest stage that builds trust by dynamically rendering the victim's employer logo and filtering out personal email addresses. The final stage is a pixel-perfect, AiTM reverse proxy of the Microsoft sign-in page, which brokers the live authentication flow and successfully intercepts every credential, Multi-Factor Authentication (MFA) code (including Push, TOTP, and SMS), and post-authentication session cookie.

Read the snack here

Threat Intelligence Report: Russia, Router, DNS, and Messaging-Layer Collection Operations

The DTI team pivoted to an analysis of Russian-linked cyber operations targeting SOHO routers for DNS-hijacking and adversary-in-the-middle intelligence collection, as well as communications-layer collection from messaging platforms like Signal and WhatsApp. By targeting routers and bending DNS, Russian operators are able to watch traffic, steer chosen victims, and steal credentials without putting malware on the machine. Meanwhile, their work against Signal, WhatsApp, Telegram, and Microsoft 365 gives them access to messages, contacts, trusted names, and private conversations. 

Russia is increasingly treating edge infrastructure and messaging platforms as persistent intelligence-collection terrain. Router compromise provides GRU-linked operators with a passive upstream vantage point over victim traffic, while messaging-account compromise provides visibility into human networks, operational discussions, authentication workflows, and trusted social relationships. Together, these operations support long-duration intelligence collection, access persistence, credential interception, social-graph mapping, and pre-positioning for future contingency operations.

Read our full analysis here

Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026

To wrap up the month, our researchers took a deep dive into the targeting of water systems by Russian, Iranian, and PRC-aligned threat actors. Recent activity targeting water systems includes Iranian IRGC-linked targeting of exposed programmable logic controllers (PLCs), Russian and pro-Russian access to municipal water-control environments, and PRC-linked pre-positioning in U.S. critical infrastructure, including water and wastewater systems. U.S. federal agencies, including CISA, FBI, NSA, and EPA, have warned that many utilities remain exposed through internet-facing human-machine interfaces (HMIs) and PLCs, weak credentials, shared accounts, legacy devices, limited monitoring, and poor IT/OT segmentation. 

While each nation uses a slightly different model for these operations, they all are used as shaping tools rather than destructive actions. Russia tends to pair infrastructure access with pressure and destabilization. Iran often blends symbolic retaliation, psychological signaling, and opportunistic disruption. In contrast, China places more emphasis on long-term pre-positioning and strategic persistence.

Read the breakdown here 

Where We’ll Be

  • ‍Hacker Summer Camp, Las Vegas, NV, 01-09 August

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/

https://infosec.exchange/@danonsecurity

Learn More
Newsletters
Edge of Seventeen (Newsletters)

We haven’t talked about the weather in Seattle for a bit. Just kidding, I ALWAYS talk about the weather here! Did you know that the Seattle Weather is officially one of the most difficult to accurately forecast? This is due (in part) to the so-called “Puget Sound Convergence Zone.” But also the fact that the area goes from sea level to 14,000 feet (4300m) within a 60 mile (97km) radius. And that we’re sandwiched between two mountain ranges and have a large patch of ocean that isn’t really the ocean because it’s a sound 🤷

In any case, today we reached 72 degrees Fahrenheit (22C), tomorrow will be 83 degrees (28C). June-uary better get here fast, I need three more weeks of gray and rain to adequately hydrate before summer starts on July 5th! But maybe the weather decided to “play along” and show the visitors that are coming to town for the FIFA World Cup a good time. Seattle is hosting four matches, including the US National Team 🇺🇸against the Socceroos 🇦🇺! And just like Matt Turner will keep close tabs on Jordan Bos and Nestory Irankunda, the DTI team has been busy keeping track of the latest threats. 

We started May (or technically ended April if we’re being specific) with a look at the DPRK’s “Contagious Interview” campaign that weaponizes legitimate hiring workflows to compromise developer environments. The rest of May was spent taking a deeper dive into the Doppelganger campaigns we covered in March and looking at their operational pipeline and strategic significance. We rounded out the month with a look at the ZionSiphon malware sample, the OT malware designed to target Israeli water facilities with some critical flaws in its programming. 

Let’s dive in and get you up to speed!  

Hot Off the Presses 

Threat Intelligence Report: ZionSiphon OT Malware First Attempts? Psyops? Both?

DTI researchers analyzed the ZionSiphon malware sample (“SCADA_SecurityPatch_v8.4.exe”) that has been circulating in public sandboxes since 2025. The malware is designed to target and sabotage water treatment and desalination facilities in Israel only. In our analysis, our team identified a critical bug in the malware’s geographic validation logic that prevents the malware’s payload from activating in its intended environment. Beyond the flaw in its geographic validation logic, the malware also lacks any external communication stack or command-and-control (C2) channel. 

Based on our analysis, our team determined ZionSiphon operates entirely at the Windows host layer, using registry persistence, PowerShell-based execution, and USB-oriented propagation logic. It is a real, functioning implant in terms of execution mechanics, but the XOR bug prevents it from transitioning into an active sabotage phase, rendering it effectively non-operational as an ICS attack tool. 

Read the full technical breakdown here

Threat Intelligence Report: The SDA / Structura / Doppelgänger, Influence Operations, Infrastructure, Reach, and Potential

After our first investigation into Doppelgänger in March, the DTI team took another deep dive into the Doppelgänger campaigns and their operational model. We broke down the narrative distribution model into four stages: content creation, telegram amplification, X/twitter injection, and narrative propagation. Our research determined the Doppelgänger campaign is engineered for visibility, not direct persuasion. Its architecture–feeder websites, Telegram amplification, and coordinated X/Twitter activity–prioritizes rapid distribution and repeated exposure across platforms to maximize encounter frequency. Using this analysis, our team modeled the first 72 hours of a Doppelgänger campaign during a geopolitical crisis. 

We also placed Doppelgänger in the larger doctrinal context of Russia’s “information confrontation” strategy. The operational structure of the Doppelgänger campaign demonstrates clear continuity with Soviet-era Active Measures, a category of covert influence operations. Historically, Active Measures campaigns relied on a combination of forged publications, front organizations, and intermediary actors to introduce narratives into foreign information environments. The Doppelgänger campaign represents the digital transformation of the same strategy. 

Read our full analysis here

DPRK Contagious Interview: Developer Workflow Compromise

Our team kicked off May with an analysis of the DPRK’s “Contagious Interview” campaign that weaponizes legitimate hiring workflows to induce execution of malicious code within trusted developer environments. The campaign targets software developers and technical personnel through fraudulent job interview processes conducted across platforms such as GitHub, LinkedIn, and direct messaging channels.

Read the breakdown here 

What We’re Reading 

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed! 

‍📚See the full reading list here

Where We’ll Be

  • SLEUTHCON, Arlington, VA - 05 June
  • ‍Hacker Summer Camp, Las Vegas, NV, 01-09 August

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/
https://infosec.exchange/@danonsecurity

Learn More
Newsletters
Sixteen going on Seventeen Newsletters

DPRK's modular malware portfolio, Iran's MOIS-linked Handala/Homeland Justice/Karma persona ecosystem, and a fake Authenticator Chrome extension dissected.

Who doesn’t love a good “The Sound of Music” reference! But did you know that there is a completely different movie based on the same subject matter that was filmed in Germany in 1956, a whole nine years before The Sound of Music? It’s called “Die Trapp-Familie” (or “The Trapp Family”). Unlike the American version, where the von Trapps escape to Switzerland at the end (cue Julie Andrews singing “Climb every Mountain”) - in the German version they emigrate to America, which is also what the “real” von Trapps did. And then there is also a movie sequel that captures their time living in the United States. And before you question my Super Fan status, yes I’ve visited most of the sites in and around Salzburg where “The Sound of Music” was filmed. I highly recommend it!

For those of you who came here for the weather report: April in Seattle was cold and wet. May is off to a bang with an 80 degree day already. This is totally fine. 

SPeaking of April, it’s been a high-velocity month for the team. Two weeks ago I was in Munich Germany for the FIRST CTI Conference, while the rest of the team spent most of their  time untangling the increasingly complex webs of state-sponsored modularity, from the DPRK’s institutionalized "burn-and-replace" tactics to the shifting veneers of Iranian influence operations.

In this edition, we’re breaking down how these actors are moving away from one-off attacks toward sustainable, parallel pipelines of espionage and disruption. We also take a look at some "clean" Chrome extensions that aren't nearly as helpful as they claim to be.

Let's dive into the research and get you caught up!

Hot off the Presses

DPRK Malware Modularity: Diversity and Functional Specialization

DTI analysts broke down the modular design of the DPRK’s malware ecosystem. Analysis of multiple vendor, government, academic, and secondary reporting confirmed the DPRK operates a mature portfolio model of parallel malware development and rotation pipelines aligned to discrete strategic objectives. This structure enables the DPRK to conduct simultaneous espionage, revenue generation, and disruptive operations without cross-contaminating tooling, infrastructure, or exposure. 

What distinguishes the DPRK cyber program is not the existence of malware rotation itself, but how completely burn-and-replace logic is integrated into program design.Across the DPRK’s malware ecosystem, different DPRK threat actors are identified with specific malware tracks: espionage (Kimsuky), financial operations (Lazarus Group), and disruptions and coercion (Andariel). While the burn-and-replace model operated by the DPRK is not unique among nation-state threat actors, the degree of institutionalization and mission coupling seen in DPRK operations is unusually pronounced compared to their counterparts in Russia, Iran, and the PRC. 

🔍Read the full investigation here

Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment 

DTI spent a lot of April analyzing cyber threats resulting from the conflict in Iran. Our researchers took a deep dive into the threat actor personas aligned with Iran’s Ministry of Intelligence and Security (MOIS; وزارت اطلاعات جمهوری اسلامی ایران). Specifically, the activity attributed to Homeland Justice, Karma/KarmaBelow80, and Handala was assessed as a single, coordinated cyber influence ecosystem aligned with the MOIS. These personas function as interchangeable operational veneers applied to a consistent underlying capability. Their purpose is not to reflect organizational separation, but to enable segmentation of messaging, targeting, and attribution while preserving continuity of infrastructure and tradecraft.

Across all observed phases, the actors exhibit clear temporal continuity, shared infrastructure patterns, and a repeatable operational workflow. The persistence of these elements, despite rebranding, indicates centralized direction and capability management. 

🔗Learn more here

MOIS Linked MOIST GRASSHOPPER/ Homeland Justice/ KarmaBelwo80/ Handala Hackers/ Campaigns and Evolution 

As part of our team’s research into the MOIS cyber influence ecosystem, we examined evidence spanning U.S. government reporting, private-sector threat intelligence research, passive DNS and infrastructure enrichment, and longitudinal review of archived web and Telegram content to build a comprehensive analysis of the campaigns and operational evolution of the Handala/Homeland Justice/ Karma personas. Across these personas, the actors consistently employ a repeatable pattern of intrusion, data exfiltration, disruptive or destructive action, and rapid public disclosure through controlled infrastructure. This is reinforced by shared or cross-referenced domains, persistent use of Telegram for amplification and coordination, and common hosting and obfuscation strategies. The personas also exhibit consistent rhetorical framing, target selection logic, and methods of psychological coercion. 

The campaign demonstrates a progression from discrete, high-impact destructive events into a modular and adaptive operational toolkit capable of supporting a wide range of objectives across multiple target sets. Early activity, particularly during the Albania operations, was centered on singular, coordinated events in which long-term access culminated in ransomware-style encryption, wiping, and public attribution. Over time, however, these capabilities were not abandoned; instead, they were retained and integrated into a broader operational framework that supports espionage, surveillance, disruption, influence operations, and destructive capabilities in parallel, culminating in the attack on Stryker in March 2026. 

🔗Read the technical deep dive here

SecuritySnack - The AI Frame Campaign Continues

DTI analysts identified a Chrome extension impersonating Google's Authenticator application as part of an ongoing malicious campaign active since at least early 2026. The extension appears to use Chrome's localization system and skeleton code to bypass security reviews. Despite its functional appearance, it requests broad, unnecessary permissions and contains "dormant infrastructure”. This suggests a staged deployment model using a deploy clean, update dirty strategy, where the extension remains trustworthy on the surface while maintaining the architectural groundwork to deliver a malicious update without requiring further permission approvals from the user or the store.

This extension is linked to at least six others through a shared developer front, two of which already carry fully operational malicious payloads. These extensions utilize hidden iframes to inject attacker-controlled content into every webpage, deploy fraudulent paywalls for free services, and maintain bidirectional communication with C2 servers. The infrastructure maps directly to the AiFrame campaign, which reportedly compromised over 260,000 users from 2025 to present.

🔗Learn more

📚What We’re Reading 

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed! 

📚See the full reading list here

Where We’ll Be 

- DNS OARC, Edinburgh, UK - 16-17 May

- SLEUTHCON, Arlington, VA - 05 June

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/

https://infosec.exchange/@danonsecurity

Learn More