DPRK-Backed TA406 Conducts Malicious Campaigns Against Ukraine


A new cyber espionage campaign has emerged, targeting Ukrainian government entities, according to recent findings from cybersecurity researchers. This operation has been linked to the North Korean state-aligned threat group TA406, also known as Opal Sleet and Konni. The campaign employs phishing emails designed to extract credentials and distribute advanced malware, representing a strategic shift in focus from Russia to Ukraine amid ongoing conflicts.

In February 2025, the group initiated multiple phishing campaigns impersonating think tank officials. These emails referenced current political issues in Ukraine and masqueraded as correspondence from a fictitious fellow at a non-existent institution called the “Royal Institute of Strategic Studies.” Recipients were lured into downloading malicious files linked through MEGA-hosted, password-protected RAR archives. Once the archives were extracted, the files inside used embedded PowerShell scripts to launch malware that performed extensive reconnaissance on the host system.

The research highlights specific tactics routinely used by TA406, including the deployment of:
– HTML and CHM files to initiate early-stage malware
– Lure content referencing notable military figures, such as former commander Valeriy Zaluzhnyi
– PowerShell commands designed to collect system data, including the host configuration and installed antivirus tools
– Autorun batch files facilitating ongoing access to the compromised systems

In addition to the aforementioned methods, another phishing strategy involved HTML attachments that delivered a ZIP file from a Ukrainian-hosted domain. Inside the ZIP was a seemingly harmless PDF file accompanied by a shortcut labeled “Why Zelenskyy fired Zaluzhnyi.lnk.” Executing this shortcut invoked PowerShell scripts that established a scheduled task under the guise of a Windows update, which then downloaded a JavaScript-encoded file to carry out further actions.
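The execution chain described above (a CHM or LNK lure launching PowerShell, host and antivirus enumeration, and persistence via a scheduled task dressed up as a Windows update) leaves a recognisable trail in process-creation telemetry. The following detection sketch is an added example written for this article, not code from Proofpoint or from the campaign; it runs four rules over constructed Sysmon-style process events and reports each hit with its process ancestry. Field names, the task name, the file paths and every command line are constructed sample data, not indicators from the report.

```python
"""Hunt for a TA406-style lure chain in constructed process-creation events.

Rules (defender's view of the behaviour described in the article):
  1. HTML Help (hh.exe, i.e. a CHM lure) spawns a script interpreter.
  2. Explorer (an opened .lnk) spawns an interpreter with hidden-window or
     execution-policy-bypass flags.
  3. An interpreter enumerates the host and its antivirus products.
  4. schtasks creates a task whose name mimics Windows Update but whose
     action runs a script interpreter.
"""
import re

INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b", re.I)
EVASION_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass")
RECON_RE = re.compile(r"(?i)securitycenter2|antivirusproduct|systeminfo|get-computerinfo")
UPDATE_NAME_RE = re.compile(r"(?i)update|microsoft\\windows")

# Constructed sample events (Sysmon Event ID 1 style); none are real IoCs.
SAMPLE_EVENTS = [
    {"guid": "p1", "parent_guid": "p0", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s UsoSvc"},                      # benign service host
    {"guid": "p2", "parent_guid": "p0", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                                             # user's shell
    {"guid": "p3", "parent_guid": "p2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # .lnk launched PowerShell
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "Get-WmiObject -Namespace root\\SecurityCenter2 '
                '-Class AntiVirusProduct; systeminfo"'},
    {"guid": "p4", "parent_guid": "p3", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 30 /tn "Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" '
                '/tr "wscript.exe //e:jscript C:\\Users\\Public\\PLACEHOLDER.txt" /f'},  # update-lookalike task
    {"guid": "p5", "parent_guid": "p0", "image": r"C:\Windows\hh.exe",
     "cmdline": "hh.exe C:\\Users\\u\\Downloads\\brief.chm"},                # CHM lure opened
    {"guid": "p6", "parent_guid": "p5", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start powershell -w hidden"},                    # CHM spawns interpreter
    {"guid": "p7", "parent_guid": "p0", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc daily /tn "Backup\\Nightly" /tr "C:\\Program Files\\Backup\\backup.exe" /f'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_interpreter(image):
    return INTERPRETER_RE.fullmatch(basename(image)) is not None


def schtasks_arg(cmdline, flag):
    """Value following a schtasks switch such as /tn or /tr (quoted or bare)."""
    m = re.search(r"(?i)" + re.escape(flag) + r'\s+("([^"]*)"|(\S+))', cmdline)
    if not m:
        return ""
    return m.group(2) if m.group(2) is not None else m.group(3)


def rule_chm_launches_interpreter(ev, parent):
    return parent is not None and basename(parent["image"]) == "hh.exe" and is_interpreter(ev["image"])


def rule_interpreter_from_explorer_with_evasion_flags(ev, parent):
    return (parent is not None and basename(parent["image"]) == "explorer.exe"
            and is_interpreter(ev["image"]) and EVASION_RE.search(ev["cmdline"]) is not None)


def rule_host_and_av_enumeration(ev, parent):
    return is_interpreter(ev["image"]) and RECON_RE.search(ev["cmdline"]) is not None


def rule_update_lookalike_task_runs_script(ev, parent):
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return False
    name = schtasks_arg(ev["cmdline"], "/tn")
    action = schtasks_arg(ev["cmdline"], "/tr")
    return UPDATE_NAME_RE.search(name) is not None and INTERPRETER_RE.search(action) is not None


RULES = [
    ("chm_launches_interpreter", rule_chm_launches_interpreter),
    ("interpreter_from_explorer_with_evasion_flags", rule_interpreter_from_explorer_with_evasion_flags),
    ("host_and_av_enumeration", rule_host_and_av_enumeration),
    ("update_lookalike_task_runs_script", rule_update_lookalike_task_runs_script),
]


def ancestry(ev, by_guid):
    """Process chain from the event up to the oldest ancestor we have an event for."""
    chain, seen = [], set()
    while ev is not None and ev["guid"] not in seen:
        seen.add(ev["guid"])
        chain.append(basename(ev["image"]))
        ev = by_guid.get(ev["parent_guid"])
    return chain


def analyze(events):
    """Return one finding per event that trips at least one rule."""
    by_guid = {e["guid"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_guid.get(ev["parent_guid"])
        hits = [name for name, rule in RULES if rule(ev, parent)]
        if hits:
            findings.append({"guid": ev["guid"], "chain": ancestry(ev, by_guid), "rules": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["guid"], " <- ".join(f["chain"]), f["rules"])
```

Rule 4 is the one worth tuning in a real environment: genuine update tasks live under the Microsoft\Windows namespace too, so the signal is not the name alone but a name that looks like Windows Update combined with an action that runs wscript, cscript, mshta, cmd or PowerShell, which the real orchestrator never does. The benign svchost and backup events in the sample are there to show that the rules stay quiet on them.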

While Proofpoint was unable to pinpoint the ultimate payload, it noted that the scripting patterns were reminiscent of previous TA406 endeavors. Before these malware campaigns, TA406 had targeted Ukrainian officials with fake Microsoft security alerts, using emails sent from ProtonMail accounts to warn recipients of alleged suspicious login activity and directing them toward compromised websites, such as jetmf[.]com. Notably, this domain has a history of involvement in credential harvesting activities.

The broader implications of TA406’s operations suggest an intention to gather intelligence on Ukraine’s political stability and its resolve against Russian advances. This intelligence likely informs decisions made by North Korean leadership regarding troop deployments and military support to Russia.

Unlike Russian actors, who are primarily focused on battlefield intelligence, TA406 prioritizes the acquisition of strategic political insights. Researchers assert that North Korea’s commitment to assist Russia, demonstrated through troop deployments in late 2024, reflects a need for reliable information to assess risks to its forces and the possibility of deeper military collaboration with Moscow.

In summary, TA406’s methods highlight a shift in tactical focus that could significantly influence geopolitical dynamics in the region. Such operations pose a continuous threat to Ukrainian entities, emphasizing the need for enhanced cybersecurity measures and awareness in the face of evolving threats.