North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress

Summary:
In February 2025, the North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni, launched phishing campaigns targeting Ukrainian government entities with the objective of harvesting credentials and delivering malware. These operations are likely intended to collect intelligence related to the trajectory of the Russian invasion of Ukraine. TA406 has a history of targeting government entities in Russia and continues to rely on social engineering tactics, using freemail accounts to impersonate members of fictitious think tanks. The phishing lures are crafted around recent developments in Ukrainian domestic politics to increase credibility.

TA406’s malware campaigns, consistent with activity observed since 2019, frequently use HTML and CHM files to execute embedded PowerShell commands. In one campaign, a lure email impersonated a fictitious senior fellow from a fabricated organization and included a link to a MEGA file hosting service. This link led to a password-protected RAR archive. Once decrypted, the archive dropped a CHM file containing HTML pages themed around former Ukrainian military leader Valeriy Zaluzhnyi. If the victim clicked within the page, PowerShell scripts were triggered to gather host reconnaissance data such as network configuration, system information, recent file names, disk information, and installed antivirus tools. The data was Base64-encoded and exfiltrated to attacker-controlled infrastructure. TA406 used a batch file named state.bat, placed in the APPDATA folder, to ensure persistence through autorun on startup.


Security Officer Comments:
In another delivery method, TA406 embedded an HTML attachment within a phishing email. If opened, the file redirected the user to download a ZIP file from a Ukrainian site. The ZIP contained a benign PDF and a malicious LNK file titled “Why Zelenskyy fired Zaluzhnyi.” When executed, the LNK file launched Base64-encoded PowerShell that created a scheduled task named Windows Themes Update. This task used VBScript to drop and execute a JavaScript Encoded file named Themes.jse, which then checked into TA406-controlled infrastructure for further commands. Analysts were unable to retrieve the next-stage payload during the investigation.
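
As an added defender-side example (not code from the Proofpoint or Hacker News write-ups), the Python triage routine below runs the behaviours described above over a handful of constructed, normalized endpoint events: the CHM handler spawning PowerShell, state.bat written under AppData, a scheduled task named Windows Themes Update with a .jse action, and Base64-encoded PowerShell. The event shapes, field names and the hh.exe parent check are assumptions about the telemetry, not details taken from the report.

```python
import re

# Constructed, normalized endpoint events (not real telemetry). "process" events
# mimic process-creation records, "file_write" a file-create record, and
# "task_create" a scheduled-task registration record.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\hh.exe", "cmdline": r"hh.exe C:\Users\u\Downloads\lure.chm"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\hh.exe",   # CHM -> PowerShell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c ipconfig /all; systeminfo"},
    {"id": 3, "type": "file_write",                                  # persistence script
     "path": r"C:\Users\u\AppData\Roaming\state.bat"},
    {"id": 4, "type": "task_create", "task_name": r"\Windows Themes Update",
     "action": r"wscript.exe C:\Users\u\AppData\Roaming\Themes.jse"},
    {"id": 5, "type": "process", "parent": r"C:\Windows\explorer.exe",  # LNK stage
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"id": 6, "type": "process", "parent": r"C:\Windows\explorer.exe",  # benign noise
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Each rule is (name, predicate). Predicates check the event type first so that
# missing fields on other record kinds never raise.
RULES = [
    # hh.exe is the Windows CHM viewer; it has no business launching PowerShell.
    ("chm_spawns_powershell", lambda e: e["type"] == "process"
        and e.get("parent", "").lower().endswith("\\hh.exe")
        and "powershell" in e.get("image", "").lower()),
    # -e / -ec / -en... / -EncodedCommand, but not -ExecutionPolicy.
    ("encoded_powershell", lambda e: e["type"] == "process"
        and "powershell" in e.get("image", "").lower()
        and re.search(r"(?i)\s-e(c|n[a-z]*)?\s", e.get("cmdline", "")) is not None),
    ("appdata_state_bat", lambda e: e["type"] == "file_write"
        and re.search(r"(?i)\\appdata\\.*\\state\.bat$", e.get("path", "")) is not None),
    ("windows_themes_update_task", lambda e: e["type"] == "task_create"
        and e.get("task_name", "").strip("\\").lower() == "windows themes update"),
    ("jse_scheduled_action", lambda e: e["type"] == "task_create"
        and e.get("action", "").lower().endswith(".jse")),
]


def triage_events(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule."""
    return [(name, e["id"]) for e in events for name, pred in RULES if pred(e)]


if __name__ == "__main__":
    for rule, event_id in triage_events(SAMPLE_EVENTS):
        print(f"{rule:28s} event {event_id}")
```

In production the same predicates would sit over a SIEM query; the rule list is deliberately narrow to the tradecraft in this report, so it flags the chain rather than generic PowerShell use.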

Before initiating malware delivery campaigns, TA406 attempted credential harvesting by sending fake Microsoft security alerts to Ukrainian government entities from Proton Mail accounts. These emails claimed the target's account had experienced suspicious login activity and urged them to verify the incident by clicking a link directing them to a compromised domain. Although the credential harvesting page was not recoverable during analysis, the same domain had been previously used in TA406-attributed phishing activity against other services, suggesting continuity in tactics and targeting.

Following North Korea’s deployment of troops in support of Russia in late 2024, TA406 is likely collecting information to evaluate the risks to its deployed forces and to assess the probability of further military or logistical commitments. Unlike Russian actors who focus on battlefield intelligence and targeting, TA406 specializes in broader political and strategic intelligence collection.

Suggested Corrections:

IOCs:
https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front


Link(s):
https://thehackernews.com/2025/05/north-korean-konni-apt-targets-ukraine.html