North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress

Posted on May 13, 2025 By CWS

The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating that the threat actor's targeting extends beyond Russia.
Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion."
"The group's interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes," security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly said in a report shared with The Hacker News.
Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyber espionage group with a history of targeting entities in South Korea, the United States, and Russia. It has been operational since at least 2014.
Attack chains mounted by the threat actor typically involve the use of phishing emails to distribute malware called Konni RAT (aka UpDog) and to redirect recipients to credential harvesting pages. Proofpoint, in an analysis of the threat group published in November 2021, assessed TA406 to be one of several actors that make up the activity publicly tracked as Kimsuky, Thallium, and Konni Group.
The latest set of attacks documented by the cybersecurity company involves phishing emails that impersonate a fictitious senior fellow at a think tank called the Royal Institute of Strategic Studies, which is also a non-existent organization.
The email messages contain a link to a password-protected RAR archive hosted on the MEGA cloud service. Opening the RAR archive using a password mentioned in the message body launches an infection sequence engineered to conduct extensive reconnaissance of the compromised machines.

Specifically, present within the RAR archive is a CHM file that displays decoy content related to former Ukrainian military chief Valeriy Zaluzhnyi. Should the victim click anywhere on the page, a PowerShell command embedded within the HTML is executed to reach out to an external server and download a next-stage PowerShell payload.
The newly launched PowerShell script is capable of executing various commands to gather information about the system, encode it using Base64, and send it to the same server.

"The actor sent multiple phishing emails on consecutive days when the target did not click the link, asking the target if they had received the prior emails and if they would download the files," the researchers said.
Proofpoint said it also observed an HTML file being directly distributed as an attachment to the phishing messages. In this variation of the attack, the victim is instructed to click on an embedded link in the HTML file, resulting in the download of a ZIP archive that includes a benign PDF and a Windows shortcut (LNK) file.
When the LNK is run, it executes Base64-encoded PowerShell to drop a JavaScript Encoded file called "Themes.jse" using a Visual Basic Script. The JSE malware, in turn, contacts an attacker-controlled URL and runs the response from the server via PowerShell. The exact nature of the payload is currently not known.
Furthermore, TA406 has been observed attempting to harvest credentials by sending fake Microsoft security alert messages to Ukrainian government entities from ProtonMail accounts, warning them of suspicious sign-in activity from IP addresses located in the United States and urging them to verify the login by visiting a link.
While the credential harvesting page has not been recovered, the same compromised domain is said to have been used in the past to collect Naver login information.
"These credential harvesting campaigns took place prior to the attempted malware deployments and targeted some of the same users later targeted with the HTML delivery campaign," Proofpoint said. "TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments."
"Unlike Russian groups who have likely been tasked with collecting tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts."
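Added here as an illustration (not code from Proofpoint or from the article): a small Python detection check over constructed process-creation records that flags the two chains described above, PowerShell spawned by the Windows CHM viewer (hh.exe, an assumed parent process for the CHM variant) and Base64-encoded PowerShell whose decoded script hands a .jse file to wscript or cscript. The event fields, file paths and command lines are constructed samples, not telemetry from the campaign.

```python
import base64
import re

# Constructed process-creation events (not real telemetry), shaped like the fields a
# Sysmon Event ID 1 or EDR record carries: parent image, image, command line.
def encoded_cmd(script: str) -> str:
    """UTF-16LE + Base64, the form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # CHM chain: hh.exe (Windows CHM viewer, assumed parent) spawns hidden PowerShell
    {"parent": r"C:\Windows\hh.exe", "image": PS,
     "cmdline": 'powershell.exe -w hidden -c "<constructed next-stage fetch>"'},
    # LNK chain: explorer spawns encoded PowerShell that writes and runs Themes.jse
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -NoP -enc "
                + encoded_cmd(r"Set-Content $env:TEMP\Themes.jse $b; wscript $env:TEMP\Themes.jse")},
    # Benign admin script: baseline that must not alert
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)
def decode_encoded_command(cmdline: str):
    """Decoded script behind -EncodedCommand, or None if absent or not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event: dict) -> list:
    """Tag one event; an empty list means nothing matched the described tradecraft."""
    tags = []
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if event["image"].lower().rsplit("\\", 1)[-1] != "powershell.exe":
        return tags
    if parent == "hh.exe":  # CHM page content launching PowerShell
        tags.append("powershell_from_chm_viewer")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        tags.append("encoded_powershell")
        if re.search(r"\.jse\b|\b[wc]script(?:\.exe)?\b", decoded, re.I):
            tags.append("encoded_script_drops_jse")  # .jse handed to wscript/cscript
    return tags
```

Running `classify` over each entry of `SAMPLE_EVENTS` tags the first two records and leaves the benign baseline untagged; in production the same logic would be applied to the parent/image/command-line fields of real process-creation telemetry.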

The disclosure comes as the Konni group has been linked to a sophisticated multi-stage malware campaign targeting entities in South Korea with ZIP archives containing LNK files, which run PowerShell scripts to extract a CAB archive and ultimately deliver batch script malware capable of collecting sensitive data and exfiltrating it to a remote server.
The findings also dovetail with spear-phishing campaigns orchestrated by Kimsuky to target government agencies in South Korea by delivering a stealer malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, web browser data, and cryptocurrency wallet information.

According to South Korean cybersecurity company AhnLab, Kimsuky has also been observed propagating PEBBLEDASH as part of a multi-stage infection sequence initiated via spear-phishing. The trojan was attributed by the U.S. government to the Lazarus Group in May 2020.
"While the Kimsuky group uses various types of malware, in the case of PEBBLEDASH, they execute malware based on an LNK file via spear-phishing in the initial access stage to launch their attacks," it said.

"They then utilize a PowerShell script to create a task scheduler and register it for automatic execution. Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PEBBLEDASH."
Konni and Kimsuky are far from the only North Korean threat actors to focus on Seoul. As recently as March 2025, South Korean entities were found to be on the receiving end of another campaign carried out by APT37, which is also called ScarCruft.
Dubbed Operation ToyBox Story, the spear-phishing attacks singled out several activists focused on North Korea, per the Genians Security Center (GSC). The first observed spear-phishing attack occurred on March 8, 2025.
"The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file," the South Korean company said. "When extracted and executed, the LNK file activated additional malware containing the keyword 'toy.'"

The LNK files are configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named toy03.bat, toy02.bat, and toy01.bat (in that order), the last of which contains shellcode to launch RoKRAT, a staple malware associated with APT37.
RokRAT is equipped to collect system information, capture screenshots, and use three different cloud services, namely pCloud, Yandex, and Dropbox, for C2.
"The threat actors exploited legitimate cloud services as C2 infrastructure and continued to modify shortcut (LNK) files while focusing on fileless attack techniques to evade detection by antivirus software installed on target endpoints," Genians said.
