The state-backed North Korean menace group Konni (Opal Sleet, TA406) was noticed concentrating on Ukrainian authorities entities in intelligence assortment operations.
The attackers use phishing emails that impersonate assume tanks, referencing essential political occasions or navy developments to lure their targets.
Proofpoint researchers who found the exercise in February 2025 counsel that it is doubtless an effort to help the DPRK’s navy involvement alongside Russia in Ukraine and consider the political standing underpinning the battle.
“Proofpoint assesses TA406 is concentrating on Ukrainian authorities entities to raised perceive the urge for food to proceed preventing towards the Russian invasion and assess the medium-term outlook of the battle,” clarify the researchers.
“North Korea dedicated troops to help Russia within the fall of 2024, and TA406 could be very doubtless gathering intelligence to assist North Korean management decide the present threat to its forces already within the theatre, in addition to the probability that Russia will request extra troops or armaments.”
Assault chain
The malicious emails despatched to targets impersonate members of fictitious assume tanks, coping with key points like current dismissals of navy leaders or presidential elections in Ukraine.
The attackers use freemail providers like Gmail, ProtonMail, and Outlook to repeatedly ship messages to their targets, urging them to click on on the hyperlink.
Phishing e mail used within the Konni assaults
Supply: Proofpoint
Doing so takes the victims to a MEGA-hosted obtain that drops a password-protected .RAR archive (Analytical Report.rar) on their methods, containing a .CHM file with the identical identify.
Opening that triggers embedded PowerShell that downloads the next-stage PowerShell, which captures reconnaissance data from the contaminated host, and establishes persistence.
Proofpoint has additionally seen variants that make use of HTML attachments dropping ZIP archives containing benign PDFs and malicious LNK recordsdata, resulting in PowerShell and VBScript execution.
Encoded PowerShell within the LNK file
Supply: Proofpoint
Proofpoint couldn’t retrieve the ultimate payload in these assaults, which is believed to be some kind of malware/backdoor that facilitates espionage operations.
The researchers additionally famous that Konni executed preparational assaults earlier, concentrating on the identical folks and making an attempt to reap account credentials they may use to hijack accounts.
These makes an attempt concerned emails spoofing Microsoft safety alerts, claiming “uncommon sign-in exercise,” and asking the recipient to confirm their login on a phishing web site at “jetmf(.)com.”
Faux Microsoft safety alert
Supply: Proofpoint
North Korea’s concentrating on of Ukrainian authorities entities provides a brand new dimension to the nation’s already complicated cybersecurity battlefield, which has been dominated by relentless Russian state-sponsored assaults for the reason that begin of the invasion.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the right way to defend towards them.
