Hacktivist Hoaxes, DPRK Zoom Exploits, and Defending with AI
Show Notes
This week on Dragon News Bytes, Eli Woodward and Ben Archie cut through the noise of inflated hacktivist claims and break down the relentless evolution of state-sponsored operations. From a critical look at the Wall Street panic over Anthropic's new AI model to the latest social engineering playbooks used by North Korean threat actors, the team explores how adversaries are adapting and how defenders can use data to keep the high ground.
Topics & References
Part 1: The Data Advantage & The Mythos Panic
- The Data Ocean Problem: Finding the insights that matter inside massive datasets is an old problem, noted even in CIA memos from the 1980s. Today practitioners use Python and API enrichment to prioritize threats and reduce large volumes of raw data to usable pieces of information.
- The Mythos Model Panic: Anthropic recently released a new model called Mythos, causing misplaced panic on Wall Street over the future of cybersecurity.
- Project Glasswing: The primary concern is that such a model could enable the rapid identification and exploitation of unknown vulnerabilities en masse. Project Glasswing aims to give selected vendors and researchers a head start on defending against this before the model becomes publicly and commercially available.
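The "data ocean" point above is easier to see in code. The following is an added example for these show notes, not code from the podcast or from Team Cymru: it takes a constructed flood of raw alerts, collapses them to unique indicators, enriches each one exactly once through a stand-in for an enrichment API (an in-memory dictionary labelled as such; a real integration would be an HTTP call with a key), combines the external verdict with local asset criticality, and returns a ranked shortlist. The alert lines, reputation data, asset criticality values and scoring weights are all constructed for illustration.

```python
"""Collapse a flood of raw alerts into a ranked shortlist by enriching unique indicators.

Added example for these show notes, not code from the podcast or Team Cymru.
The "API" here is a constructed in-memory lookup standing in for a real
enrichment service; the alert lines, asset criticality and weights are constructed too.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed raw alerts (think firewall/IDS export): src_ip,dst_host,event
RAW_ALERTS = [
    "203.0.113.7,finance-db01,failed_login",
    "203.0.113.7,finance-db01,failed_login",
    "203.0.113.7,finance-db01,failed_login",
    "198.51.100.23,web-public01,scan",
    "192.0.2.10,hr-share01,smb_auth",
    "198.51.100.23,web-public01,scan",
    "203.0.113.7,finance-db01,failed_login",
    "192.0.2.200,dev-laptop17,dns_txt_query",
    "198.51.100.23,finance-db01,scan",
]

# Constructed stand-in for an enrichment API (reputation/ASN lookup).
# Only the shape of the answer matters for the exercise.
FAKE_ENRICHMENT_API: Dict[str, dict] = {
    "203.0.113.7":   {"malicious": True,  "asn": "AS64500", "tags": ["bruteforce"]},
    "198.51.100.23": {"malicious": False, "asn": "AS64501", "tags": ["scanner"]},
    "192.0.2.10":    {"malicious": False, "asn": "AS64502", "tags": []},
    # 192.0.2.200 deliberately absent: the service has no verdict for it
}

# Constructed local context that no external API can supply: how much a host matters
ASSET_CRITICALITY = {"finance-db01": 3, "hr-share01": 2, "web-public01": 1, "dev-laptop17": 1}


@dataclass
class Enriched:
    ip: str
    hits: int                 # how many raw alerts named this indicator
    hosts: List[str]          # internal hosts it touched
    verdict: Optional[dict]   # API answer, or None when the API had nothing
    score: int = 0


def lookup(ip: str) -> Optional[dict]:
    """Simulated API call. Returns None when the service has no verdict."""
    return FAKE_ENRICHMENT_API.get(ip)


def score(e: Enriched) -> int:
    """Combine the external verdict with local context (constructed weights).

    malicious verdict +50; known scanner noise -10; unknown to the API +5;
    +5 per repeat hit (capped at 10 hits); +10 per criticality level of the
    most critical host touched.
    """
    s = 0
    if e.verdict is None:
        s += 5                      # unknown to the API: worth a look, not a page-out
    else:
        if e.verdict["malicious"]:
            s += 50
        if "scanner" in e.verdict["tags"]:
            s -= 10
    s += min(e.hits, 10) * 5
    s += 10 * max(ASSET_CRITICALITY.get(h, 0) for h in e.hosts)
    return s


def prioritize(alerts: List[str],
               api: Callable[[str], Optional[dict]] = lookup) -> List[Enriched]:
    """Reduce raw alert lines to one scored row per unique indicator, highest first."""
    hits: Counter = Counter()
    hosts = defaultdict(set)
    for line in alerts:
        ip, host, _event = line.split(",")
        hits[ip] += 1
        hosts[ip].add(host)

    cache: Dict[str, Optional[dict]] = {}   # one API call per unique indicator
    results = []
    for ip, n in hits.items():
        if ip not in cache:
            cache[ip] = api(ip)
        e = Enriched(ip=ip, hits=n, hosts=sorted(hosts[ip]), verdict=cache[ip])
        e.score = score(e)
        results.append(e)
    return sorted(results, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for row in prioritize(RAW_ALERTS):
        print(f"{row.score:4d}  {row.ip:15s}  hits={row.hits}  hosts={','.join(row.hosts)}")
```

Nine raw lines become four ranked rows and four API calls, with the brute-forcer against the finance database on top and the indicator the API has never seen kept visible rather than silently dropped. The cache is the part to keep when swapping in a real service: enrichment APIs are rate-limited and billed per query, so enriching per unique indicator rather than per alert is what makes the approach survive a large dataset.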
Part 2: Geopolitics & Exaggerated Claims
- Iranian Hacktivist Bounties: The Department of State's Rewards for Justice program placed a five million dollar bounty on information leading to the identification or arrest of individuals associated with Iranian groups Handala and Parjyan Afsar Reha Borna.
- Exaggerated UAE Breaches: Handala claimed to have breached three major UAE organizations: the Dubai Courts, the Dubai Land Department, and the Dubai Roads and Transport Authority. In reality, such claims are often highly exaggerated, typically stemming from the compromise of a shared file server rather than the core infrastructure of the targeted organizations.
- Zion Siphon on VirusTotal: Darktrace reported a new malware dubbed "Zion Siphon" targeting Israeli water treatment and desalination plants. In a massive operational security failure, the actors uploaded the highly targeted script directly to VirusTotal.
Part 3: DPRK IT Workers & Fake Recruiters
- Stolen Identities & Evolving OPSEC: U.S. nationals were recently sentenced for helping North Korean IT workers use stolen identities to pose as U.S.-based employees and secure jobs at over a hundred American companies. These actors are also pivoting to South American platforms like Workana, masquerading as Colombian contractors with Spanish language skills.
- Sapphire Sleet Targeting Crypto: Microsoft reported on a North Korean cluster dubbed Sapphire Sleet (overlapping with APT38) targeting crypto and finance workers on macOS devices via LinkedIn.
- The Fake Zoom SDK: During the fake interview process, the DPRK recruiters send a bogus "Zoom SDK update" on the day of the call to gain access to the victim's system. A real Zoom meeting never requires the candidate to install a separately delivered SDK, so an out-of-band update or "fix" sent just before the call is the tell.
Events & Community
- RISEx Sydney: May 6 in Sydney, Australia
- 🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026
- RISEx Frankfurt: May 28th in Frankfurt, Germany
- 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026
- RISEx Chicago: June 3rd in Chicago, IL
- 🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026
- RISEx New York: June 16 in New York City, US
- 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026
- RISEx DC: June 11 in Washington DC, US
- Underground Economy: September 7th -9th in Strasbourg, France
- 🔗 to register: https://www.team-cymru.com/events/underground-economy-2026
Connect with Us:
Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.