June was unusually warm here in Seattle, which for a region that claims “June-uary” as a Season, is noteworthy. We made the best of it by watching Team USA defeat the Socceroos in a 2-0 victory at our beloved “Seattle Stadium” - Did you hear we have been ranked the #1 World Cup stadium this time around?. Of course it all came to an end yesterday, when the Belgian “Red Devils” (who have claimed that name for longer than Manchester United) gave the Team USA a soccer lesson they won’t soon forget. That 4-1 defeat stung, especially since it was the last game Seattle hosted this time around. Well, there are always the Mariners.
Despite heat and soccer, we still spent the month investigating emerging threats, talking about our already emerged research, and preparing for Hacker Summer Camp. We started with an investigation into an attacker-in-the-middle credential-harvesting kit targeting Microsoft365 and EntraID identities. Next our team analyzed Russian-linked cyber operations targeting SOHO routers for DNS-hijacking and adversary-in-the-middle intelligence collection, as well as communications-layer collection from messaging platforms like Signal and WhatsApp.
The team and I also attended SLEUTHCON in Arlington, VA; if you didn’t get a chance to say hi and grab a T-shirt, we will be in Las Vegas for Hacker Summer Camp next month with lots of swag. Ending the month, we published research on the targeting of water systems by Russian, Iranian, and PRC-aligned threat actors. As an added bonus, our friends at Dark Reading picked up the story and published their own article based on our research - I highly recommend giving it a read. I also had the pleasure of joining CyberWire’s Dave Bittner for an episode of his Research Saturday podcast talking about last month’s related research on the ZionSiphon OT malware sample. Now, let’s dive in and get you up to speed.
Hot Off the Presses
SecuritySnack - Hijacking Corporate Sessions
DTI researchers kicked off June with an investigation into a fully operational Adversary-in-the-Middle (AiTM) credential-harvesting kit targeting Microsoft 365 and Entra ID identities. The kit runs through a three-to-five stage funnel starting from financial, recruiting, and document related domain name themes. The funnels typically begin with an anti-analysis CAPTCHA gate to filter sandboxes, followed by a corporate email harvest stage that builds trust by dynamically rendering the victim's employer logo and filtering out personal email addresses. The final stage is a pixel-perfect, AiTM reverse proxy of the Microsoft sign-in page, which brokers the live authentication flow and successfully intercepts every credential, Multi-Factor Authentication (MFA) code (including Push, TOTP, and SMS), and post-authentication session cookie.

Threat Intelligence Report: Russia, Router, DNS, and Messaging-Layer Collection Operations
The DTI team pivoted to an analysis of Russian-linked cyber operations targeting SOHO routers for DNS-hijacking and adversary-in-the-middle intelligence collection, as well as communications-layer collection from messaging platforms like Signal and WhatsApp. By targeting routers and bending DNS, Russian operators are able to watch traffic, steer chosen victims, and steal credentials without putting malware on the machine. Meanwhile, their work against Signal, WhatsApp, Telegram, and Microsoft 365 gives them access to messages, contacts, trusted names, and private conversations.
Russia is increasingly treating edge infrastructure and messaging platforms as persistent intelligence-collection terrain. Router compromise provides GRU-linked operators with a passive upstream vantage point over victim traffic, while messaging-account compromise provides visibility into human networks, operational discussions, authentication workflows, and trusted social relationships. Together, these operations support long-duration intelligence collection, access persistence, credential interception, social-graph mapping, and pre-positioning for future contingency operations.

Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026
To wrap up the month, our researchers took a deep dive into the targeting of water systems by Russian, Iranian, and PRC-aligned threat actors. Recent activity targeting water systems includes Iranian IRGC-linked targeting of exposed programmable logic controllers (PLCs), Russian and pro-Russian access to municipal water-control environments, and PRC-linked pre-positioning in U.S. critical infrastructure, including water and wastewater systems. U.S. federal agencies, including CISA, FBI, NSA, and EPA, have warned that many utilities remain exposed through internet-facing human-machine interfaces (HMIs) and PLCs, weak credentials, shared accounts, legacy devices, limited monitoring, and poor IT/OT segmentation.
While each nation uses a slightly different model for these operations, they all are used as shaping tools rather than destructive actions. Russia tends to pair infrastructure access with pressure and destabilization. Iran often blends symbolic retaliation, psychological signaling, and opportunistic disruption. In contrast, China places more emphasis on long-term pre-positioning and strategic persistence.

Where We’ll Be
- Hacker Summer Camp, Las Vegas, NV, 01-09 August
Final Thoughts
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!
We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.
If you missed last month's content, here are some quick links:
- Threat Intelligence Report: ZionSiphon OT Malware First Attempts? Psyops? Both?
- Threat Intelligence Report: The SDA/Structura/Doppelgänger, Influence Operations, Infrastructure, Reach, and Potential
- DPRK Contagious Interview: Developer Workflow Compromise
Thanks for reading & see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe/
https://infosec.exchange/@danonsecurity










