DTI’s latest edition breaks down how state-backed actors are shifting from one-off attacks to parallel pipelines of espionage and disruption. It details the DPRK’s modular malware portfolio and a burn-and-replace approach that enables simultaneous espionage, revenue generation, and disruptive operations without cross-contamination.
It highlights distinct DPRK threat tracks for espionage (Kimsuky), financial operations (Lazarus Group), and disruptions (Andariel), showing a highly institutionalised, mission‑coupled ecosystem compared with peers in Russia, Iran, and the PRC. The MOIS-linked threat ecosystem is examined through Homeland Justice, Karma/KarmaBelow80, and Handala, described as interchangeable veneers that preserve underlying capabilities and enable targeting, attribution, and infrastructure reuse across phases.
A separate security feature covers the AI Frame Campaign, including a Chrome extension impersonating Google’s Authenticator, alleged to have compromised over 260,000 users from 2025 to the present and to have been deployed via a shared developer front with several related extensions. The newsletter also notes forthcoming events in Edinburgh, UK (DNS OARC, 16–17 May) and closes with a reminder to readers to stay informed about these evolving threat‑actor tradecraft patterns.