FlagThis

North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.

The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server.

This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape.

ImgSrc: blogger.googleu

References :

• thehackernews.com: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
• BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
• BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
• securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by The post appeared first on SecurityOnline.
• securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence
• www.bleepingcomputer.com: North Korea ramps up cyberspying in Ukraine to assess war risk
• Proofpoint Threat Insight: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
• Virus Bulletin: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
• cyberriskleaders.com: North Korean Threat Actor TA406 Targets Ukraine for Intelligence Gathering
• iHLS: North Korean Hackers Target Ukraine to Gauge Russian Military Needs
• BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
• bsky.app: North Korea ramps up cyberspying in Ukraine to assess war risk
• www.csoonline.com: After helping Russia on the ground North Korea targets Ukraine with cyberespionage

Classification:

• HashTags: #APT #Ukraine #Espionage
• Company: Microsoft
• Target: Ukrainian Government
• Attacker: Konni
• Type: Espionage
• Severity: Major