
A new cyber espionage campaign targeting Ukrainian government entities has been uncovered by cybersecurity researchers.

According to Proofpoint, the campaign, attributed to North Korean state-aligned threat actor TA406, includes phishing emails designed to harvest credentials and deliver sophisticated malware aimed at long-term intelligence collection.

Strategic Focus and Delivery Methods

TA406, also tracked by other security firms as Opal Sleet and Konni, has shifted focus from Russia to Ukraine amid the ongoing war. The group’s operations in February 2025 involved phishing campaigns that impersonated think tank officials to entice recipients into downloading malicious files.

Email lures referenced current Ukrainian political affairs and impersonated a fictitious fellow at the non-existent “Royal Institute of Strategic Studies.” Targets received links to MEGA-hosted password-protected RAR archives. Once decrypted, the files launched malware via embedded PowerShell scripts to conduct in-depth host reconnaissance.

Researchers noted that TA406 typically used:

  • HTML and CHM files to deploy early-stage malware

  • Lure content referencing former military commander Valeriy Zaluzhnyi

  • PowerShell commands to harvest host data, such as system configurations and antivirus tools

  • Autorun batch files for persistent access


Another phishing tactic involved HTML attachments delivering a ZIP file from a Ukrainian-hosted domain. Inside was a benign PDF and a LNK shortcut named “Why Zelenskyy fired Zaluzhnyi.lnk.” If launched, it triggered PowerShell scripts that installed a scheduled task posing as a Windows update and downloaded a JavaScript-encoded file for further actions.

Proofpoint could not confirm the final payload but noted that similar scripting patterns matched previous TA406 activity.
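The delivery chain described above (CHM/HTML droppers, a LNK that launches hidden PowerShell, a scheduled task named like a Windows update, and PowerShell host reconnaissance including antivirus enumeration) maps onto a handful of process-creation detection rules. The following Python is an added illustration for defenders, not code from Proofpoint or from the article; the event records, paths, task names and file names in it are constructed samples, and the keyword lists and the two-marker threshold are assumptions to tune against your own telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 style)."""
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumed recon indicators; two or more in one command line is the trigger
# (a lone "systeminfo" from an administrator is too common to alert on).
RECON_MARKERS = ("systeminfo", "get-computerinfo", "antivirusproduct",
                 "get-mpcomputerstatus", "securitycenter2", "tasklist")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32")


def lnk_to_powershell(ev: ProcEvent) -> bool:
    """Explorer spawning PowerShell with hidden-window or bypass flags: the
    pattern left behind when a user double-clicks a LNK from a ZIP."""
    cl = ev.command_line.lower()
    return (_base(ev.parent_image) == "explorer.exe"
            and _base(ev.image) in ("powershell.exe", "pwsh.exe")
            and (re.search(r"-w(?:indowstyle)?\s+hidden", cl) is not None
                 or re.search(r"-e(?:p|xec|xecutionpolicy)\s+bypass", cl) is not None))


def _schtasks_opt(cl: str, opt: str) -> str:
    """Value of a schtasks /opt argument, quoted or bare, or '' if absent."""
    m = re.search(rf'/{opt}\s+(?:"([^"]*)"|(\S+))', cl, re.I)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def scheduled_task_masquerade(ev: ProcEvent) -> bool:
    """schtasks /create with an update-sounding name whose action runs a
    script host or something from a user-writable directory."""
    cl = ev.command_line
    if _base(ev.image) != "schtasks.exe" or "/create" not in cl.lower():
        return False
    name = _schtasks_opt(cl, "tn").lower()
    action = _schtasks_opt(cl, "tr").lower()
    looks_official = re.search(r"(windows|microsoft|security)\s*update", name) is not None
    return looks_official and (any(p in action for p in USER_WRITABLE)
                               or any(h in action for h in SCRIPT_HOSTS))


def host_recon_powershell(ev: ProcEvent) -> bool:
    """PowerShell gathering system configuration and antivirus details."""
    if _base(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = ev.command_line.lower()
    return sum(1 for marker in RECON_MARKERS if marker in cl) >= 2


def chm_helpfile_spawn(ev: ProcEvent) -> bool:
    """hh.exe (the CHM viewer) spawning a shell or script host."""
    return (_base(ev.parent_image) == "hh.exe"
            and _base(ev.image) in ("cmd.exe", "powershell.exe", "pwsh.exe",
                                    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"))


RULES = {
    "lnk_to_powershell": lnk_to_powershell,
    "scheduled_task_masquerade": scheduled_task_masquerade,
    "host_recon_powershell": host_recon_powershell,
    "chm_helpfile_spawn": chm_helpfile_spawn,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events; none of these are real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r'"%s" -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\analyst\AppData\Local\Temp\stage1.ps1' % PS),
    ProcEvent(PS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Windows Update Check" /tr "wscript.exe C:\Users\analyst\AppData\Roaming\update.js" /sc minute /mo 30 /f'),
    ProcEvent(PS, PS,
              r'powershell.exe -nop -c "systeminfo; Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct; tasklist"'),
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c start /min notepad.exe"),
    # Benign look-alikes: a vendor updater task and an admin running systeminfo alone.
    ProcEvent(PS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Windows Update Check" /tr "C:\Program Files\Vendor\updater.exe" /sc daily'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -c systeminfo"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule keys on the parent/child relationship and command-line shape rather than on file names from one campaign, so the same logic still fires when the lure document is renamed; the two benign events at the end show why the task rule inspects the action, not just the name, and why the reconnaissance rule needs more than one marker.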

Before these malware campaigns, TA406 also targeted Ukrainian government officials with spoofed Microsoft security alerts.

The emails, sent from ProtonMail accounts, claimed suspicious login activity and directed recipients to a compromised site, jetmf[.]com.

Although no phishing page was retrieved, the domain was previously used in related credential harvesting operations, suggesting continuity in TA406’s methods.

Broader Implications

Proofpoint assesses that TA406’s cyber efforts aim to inform North Korean leadership on Ukraine’s political stability and its determination to resist Russia.

This intelligence likely supports Pyongyang’s decision-making as it commits troops and military assistance to Moscow’s efforts.

Unlike Russian actors focused on battlefield intelligence, TA406’s operations remain strategically centered on political insights.

“North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments,” Proofpoint explained.

“Unlike Russian groups who have likely been tasked with gathering tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts.”
