
TA406 Pivots to the Front

2025-05-13, Proofpoint
https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
#LNK #TA406

What happened
In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. TA406 is a Democratic People's Republic of Korea (DPRK) state-sponsored actor that overlaps with activity publicly tracked by third parties as Opal Sleet and Konni. The group's interest in Ukraine follows its historical targeting of government entities in Russia for strategic intelligence gathering purposes. TA406 relies on freemail senders spoofing members of think tanks to convince the target to engage with the phishing email. The lure content is based heavily on recent events in Ukrainian domestic politics.
Malware delivery
Since at least 2019, TA406 has shown a preference for HTML and CHM files to run embedded PowerShell in the early stages of malware deployment campaigns. The lure emails observed in a February 2025 TA406 campaign …

IoC
