
In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by targeting Ukrainian government entities with phishing and malware designed to gather sensitive political and strategic intelligence. The campaign, observed by the Proofpoint Threat Research Team in February 2025, coincides with North Korea’s growing military support for Russia amid the ongoing war in Ukraine.
“The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion,” Proofpoint analysts noted.
TA406, which overlaps with threat actor labels such as Opal Sleet and Konni, has historically focused on intelligence gathering. Its interest in Ukraine mirrors past campaigns targeting Russian government agencies, likely aiming to understand geopolitical developments and inform North Korean leadership.
“Unlike Russian groups who have likely been tasked with gathering tactical battlefield information… TA406 has typically focused on more strategic, political intelligence collection efforts,” the report explains.
TA406’s February 2025 campaign relied heavily on social engineering via freemail accounts, impersonating members of fictitious think tanks such as the “Royal Institute of Strategic Studies.” Emails were laced with lure content based on current Ukrainian political events, particularly surrounding former military leader Valeriy Zaluzhnyi.
- Primary delivery method: Password-protected RAR files hosted on MEGA, which contain .CHM files with embedded PowerShell scripts.
- Initial infection vector: HTML files or LNK shortcuts like “Why Zelenskyy fired Zaluzhnyi.lnk”, often bundled with benign PDFs to increase legitimacy.
- Execution: PowerShell scripts gather host details using commands like ipconfig /all, systeminfo, and WMI queries. Collected data is Base64-encoded and sent to pokijhgcfsdfghnj.mywebcommunity[.]org.
“The batch file is then installed as an autorun file for persistence and runs upon machine start up,” Proofpoint revealed.
A notable technique involves dropping a JSE (JavaScript Encoded) file via VBScript, which is then executed through a scheduled task named “Windows Themes Update”, further demonstrating the group’s layered obfuscation and persistence strategies.
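The following detection logic is an added example, not code from the Proofpoint report or this article. It runs a handful of rules over constructed Sysmon-style log lines to flag the chain described above; the C2 host and the scheduled-task name come from the article, while the field names, the Startup-folder path and the assumption that CHM content launches PowerShell via hh.exe are defender-side assumptions.

```python
import re
from collections import namedtuple

# Indicators quoted in the article: the C2 host and the scheduled-task name.
# Process, path and log-field patterns are assumptions about how the reported
# chain (CHM -> PowerShell recon -> autorun / task -> C2) shows up in telemetry.
C2_HOST = "pokijhgcfsdfghnj.mywebcommunity.org"
TASK_NAME = "windows themes update"
RECON = ("ipconfig /all", "systeminfo", "get-wmiobject", "win32_")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

Finding = namedtuple("Finding", "rule evidence")

def parse_event(line):
    """Parse a constructed key="value" event line into a lower-cased dict."""
    return {k.lower(): v.lower() for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def check_event(ev):
    """Return every rule a single event trips (empty list if nothing matches)."""
    image, parent = ev.get("image", ""), ev.get("parentimage", "")
    cmd, target = ev.get("commandline", ""), ev.get("targetfilename", "")
    hits = []
    if parent.endswith("hh.exe") and image.endswith("powershell.exe"):
        hits.append(Finding("chm_spawns_powershell", cmd))   # hh.exe is the CHM viewer
    if image.endswith("powershell.exe") and any(r in cmd for r in RECON):
        hits.append(Finding("powershell_host_recon", cmd))
    if image.endswith("schtasks.exe") and "/create" in cmd and TASK_NAME in cmd:
        hits.append(Finding("task_windows_themes_update", cmd))
    if STARTUP_DIR in target:
        hits.append(Finding("startup_folder_autorun", target))
    if C2_HOST in (ev.get("queryname"), ev.get("destinationhostname")):
        hits.append(Finding("c2_domain_contact", C2_HOST))
    return hits

def scan(lines):
    """Run the rules over a whole log; return (line_no, rule, evidence) triples."""
    return [(n, f.rule, f.evidence)
            for n, line in enumerate(lines, 1) for f in check_event(parse_event(line))]

# Constructed sample telemetry mirroring the reported chain; not real log data.
SAMPLE_LOG = [
    'EventID="1" Image="C:\\Windows\\hh.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="hh.exe lure.chm"',
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Windows\\hh.exe" CommandLine="powershell -w hidden -c ipconfig /all; systeminfo"',
    'EventID="11" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" TargetFilename="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"',
    'EventID="1" Image="C:\\Windows\\System32\\schtasks.exe" ParentImage="C:\\Windows\\System32\\wscript.exe" CommandLine="schtasks /create /tn Windows Themes Update /tr wscript.exe t.jse /sc onlogon"',
    'EventID="22" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" QueryName="pokijhgcfsdfghnj.mywebcommunity.org"',
    'EventID="1" Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe notes.txt"',
]
```

Calling `scan(SAMPLE_LOG)` yields one finding per stage of the chain (the PowerShell line trips both the CHM-parent and the recon rule) and nothing for the benign notepad event.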
Before deploying malware, TA406 reportedly engaged in credential harvesting operations. These attacks involved fake Microsoft security alerts sent from ProtonMail accounts, urging targets to verify suspicious login attempts.

“The messages claim the target’s account had unusual sign-in activity… and request the target verify the login attempt via a link to the compromised domain jetmf[.]com,” the report details.
Although the credential harvesting page was unavailable at the time of analysis, the reuse of known TA406-linked infrastructure suggests a coordinated campaign.
This campaign is seen as a clear indication of North Korea’s growing operational interest in Ukraine—not just through battlefield deployments, but also through cyber intelligence collection. Proofpoint assesses that TA406 is focused on:
- Assessing Ukrainian resolve and military posture
- Evaluating risks to North Korean troops deployed in support of Russia
- Determining the likelihood of additional aid requests from Moscow
“TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre,” according to the report.