A state-sponsored hacking group linked to North Korea, known as TA406, has launched a targeted cyber campaign against Ukrainian government entities, according to new findings by cybersecurity firm Proofpoint. The campaign, which began in February 2025, aims to collect sensitive political and military intelligence, potentially to inform North Korean decision-making around its support for Russia in the ongoing invasion of Ukraine.

TA406, also tracked by researchers under aliases such as “Opal Sleet” and “Konni,” has a history of cyber-espionage operations focused on intelligence collection. The group is believed to be acting on behalf of the Democratic People’s Republic of Korea (DPRK). This latest campaign appears to align with North Korea’s strategic interest in gauging Ukraine’s resilience and political trajectory amid the conflict with Russia.

Phishing Lures Tied to Ukrainian Politics

The group’s recent phishing emails impersonate a fictitious senior fellow from a fabricated think tank called the Royal Institute of Strategic Studies. These emails are crafted to look like legitimate correspondence from geopolitical experts and are sent using freemail services to increase credibility. The messages contain lures related to current Ukrainian political events, including developments involving former military leader Valeriy Zaluzhnyi.

Victims who follow the phishing links are directed to download a password-protected archive from the file-sharing platform MEGA. Once extracted with the supplied password, the archive yields a CHM (Compiled HTML Help) file that, when opened, runs PowerShell scripts to perform detailed reconnaissance on the infected machine. These scripts collect system information, a listing of recently opened files, the status of installed antivirus software, and more, then exfiltrate the results to attacker-controlled infrastructure.

Persistent and Multi-Stage Infection Tactics

When targets did not act on the initial email, TA406 followed up with additional messages over consecutive days, asking them to confirm receipt and urging them to download the files. This persistence shows the group's determination to compromise specific high-value targets.

PDF Lure

Another variant of the attack delivered an HTML attachment directly in the phishing email. If opened, it triggered the download of a ZIP archive containing a PDF and a malicious shortcut file titled Why Zelenskyy fired Zaluzhnyi.lnk. Executing the shortcut launched a chain of PowerShell commands designed to establish persistence through scheduled tasks and encoded scripts. These scripts eventually dropped a JScript Encoded (.jse) file that checked in with TA406's command-and-control server for further instructions. Proofpoint analysts were unable to retrieve the subsequent payloads during their investigation.
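The CHM-to-PowerShell chain and the LNK-launched scheduled-task persistence described in the two sections above both leave a characteristic process trail. The following Python script is an added example, not Proofpoint's analysis code or anything recovered from TA406, that hunts over constructed process-creation events for those traits: hh.exe spawning a script interpreter, PowerShell started with a hidden window or an -EncodedCommand argument (which it decodes, since that argument is base64 over UTF-16LE), and schtasks creating a task that runs a .js/.jse file through the Windows Script Host. The event format, file paths, task name and command lines are invented for illustration; only the detection logic is meant to carry over to real Sysmon or EDR telemetry.

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events modelled on the CHM and LNK chains described in the
# article. Format is a simplified "parent -> child : command line". These are
# not real captures; paths, task name and commands are invented.
SAMPLE_EVENTS = [
    "hh.exe -> powershell.exe : powershell.exe -nop -w hidden -f C:\\Users\\Public\\s.ps1",
    "explorer.exe -> powershell.exe : powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_ps("schtasks /create /sc minute /mo 10 /tn Updater /tr 'wscript.exe C:\\Users\\Public\\u.jse' /f"),
    "powershell.exe -> schtasks.exe : schtasks /create /sc minute /mo 10 /tn Updater /tr \"wscript.exe C:\\Users\\Public\\u.jse\" /f",
    "explorer.exe -> WINWORD.EXE : \"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\a\\report.docx\"",
]

# -e, -ec, -en, -enc, -EncodedCommand ... followed by a base64 blob. The prefix
# deliberately does not match -ExecutionPolicy (next char after -e is 'x').
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
SCHTASK_RE = re.compile(r"(?i)schtasks(?:\.exe)?\s+/create.*?/tr\s+[\"']?([^\"']+)")
SCRIPT_HOST_RE = re.compile(r"(?i)\b[wc]script(?:\.exe)?\b.*\.jse?\b")
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_event(line: str) -> dict:
    """Split a constructed 'parent -> child : cmdline' record into its fields."""
    parent, rest = line.split(" -> ", 1)
    child, cmdline = rest.split(" : ", 1)
    return {"parent": parent.strip().lower(), "child": child.strip().lower(), "cmdline": cmdline.strip()}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev: dict) -> list:
    """Apply the CHM / hidden PowerShell / encoded command / JSE task checks."""
    findings = []
    parent, child, cmd = ev["parent"], ev["child"], ev["cmdline"]
    if parent == "hh.exe" and child in INTERPRETERS:
        findings.append("CHM viewer (hh.exe) spawned a script interpreter")
    if child == "powershell.exe":
        if HIDDEN_RE.search(cmd):
            findings.append("PowerShell run with a hidden window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("PowerShell -EncodedCommand decodes to: " + decoded)
            cmd = cmd + " " + decoded  # let the task check see the inner command too
    m = SCHTASK_RE.search(cmd)
    if m and SCRIPT_HOST_RE.search(m.group(1)):
        findings.append("scheduled task created that runs a .js/.jse file via the Windows Script Host")
    return findings


def hunt(lines) -> dict:
    """Map the index of each suspicious event to its list of findings."""
    report = {}
    for i, line in enumerate(lines):
        findings = analyse_event(parse_event(line))
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for f in findings:
            print("   ", f)
```

The -EncodedCommand decode matters in practice because the schtasks command that sets up persistence is often only visible inside the encoded blob, not on the outer PowerShell command line; the script therefore re-runs the scheduled-task check over the decoded text.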

Credential harvesting email

Before launching its malware-laden campaigns, TA406 also attempted to collect credentials from Ukrainian government officials. These phishing attempts impersonated Microsoft security alerts warning recipients of suspicious sign-in activity. Recipients were prompted to verify their accounts via links to a compromised domain previously used for credential theft. Although the phishing pages were no longer active at the time of analysis, the tactics and infrastructure closely matched known TA406 operations.

Proofpoint analysts believe TA406’s primary objective is to gather strategic intelligence about Ukraine’s political stance and willingness to continue resisting Russian aggression. With North Korean troops deployed to support Russia since late 2024, the DPRK is likely using TA406 to assess both the risks to its forces and the possibility of future military commitments.

Unlike Russian cyber units that focus on tactical battlefield support, TA406’s activities are aimed at collecting higher-level political and strategic insights—information that could be instrumental for Pyongyang’s foreign policy and military planning.

Conclusion

This campaign highlights the widening scope of the cyber front in the Russia-Ukraine conflict, drawing in actors like North Korea who have vested interests in the outcome. TA406’s targeted, persistent, and technically sophisticated efforts underscore the importance of vigilance and resilience among Ukraine’s government institutions, as cyber threats evolve in lockstep with the geopolitical crisis.

Follow Cybersecurity88 on X and LinkedIn for the latest cybersecurity news