A Democratic People’s Republic of Korea (DPRK)-linked threat actor tracked as TA406 has intensified cyber espionage efforts against Ukrainian government entities since February 2025, deploying sophisticated phishing campaigns aimed at stealing login credentials and deploying reconnaissance malware. The group, which overlaps with activity publicly attributed to Opal Sleet and Konni, has shifted focus to gather strategic intelligence on Ukraine’s political and military trajectory amid the ongoing Russian invasion. Proofpoint researchers identified TA406’s use of spoofed think tank personas and compromised email services to deliver malicious links and attachments, aligning with historical DPRK strategies to exploit geopolitical tensions for intelligence collection.

TA406’s campaigns impersonate fictitious organizations such as the “Royal Institute of Strategic Studies,” with emails purportedly sent by a senior fellow, Dr. A February 2025 campaign used emails titled “Meet Valerii Zaluzhnyi, Ukraine’s former army chief who could challenge Volodymyr Zelenskyy in the presidential election” to lure targets into downloading a RAR archive. Once decrypted, the archive deploys a CHM (Compiled HTML Help) file disguised as a political analysis report. The archive’s CHM file, Analytical Report.chm, contains HTML pages with embedded PowerShell code. Clicking the CHM file triggers embedded PowerShell scripts designed to harvest system data, including network configurations, running processes, and antivirus software details. The PowerShell scripts also generate a state.bat file configured to execute on system startup, ensuring prolonged access to compromised devices. Proofpoint analysts noted that TA406 employs multi-stage PowerShell payloads to exfiltrate this data to actor-controlled domains, which are subsequently used to refine further attacks.

The ZIP contains an LNK file (Why Zelenskyy fired Zaluzhnyi.lnk) that executes Base64-encoded PowerShell (Figure 2), deploying a JavaScript Encoded (JSE) file for persistence. The JSE file establishes a scheduled task (Windows Themes Update) to contact TA406’s C2 server (hxxp://wersdfxcv.mygamesonline[.]org) every minute.

Proofpoint emphasizes that TA406’s campaigns reflect DPRK’s strategic priority to monitor Ukraine’s political stability and military readiness.
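The persistence and execution behaviours described above (a scheduled task named "Windows Themes Update" firing every minute, a state.bat dropped into a Startup folder, Base64-encoded PowerShell launched from a shortcut, and lookups of the published C2 hostname) are all visible in ordinary Windows telemetry. The following triage helper is an added example written for this article; it is not Proofpoint's or the reporting site's code. It runs simple hunting rules over a handful of constructed event records (dicts standing in for Security 4698 scheduled-task, Sysmon file-create, process-create and DNS events); the field names (`kind`, `task_name`, `repeat_interval`, `path`, `image`, `parent_image`, `cmdline`, `query`) are assumptions, not a real log schema, and the sample records are constructed for the demonstration. The task name and defanged hostname are the indicators quoted in the article.

```python
"""Triage helper for the TA406 persistence indicators described in the article.

Added example (not Proofpoint's or the article's code). Field names are an
assumed, simplified schema; the SAMPLE_EVENTS below are constructed.
"""
import base64
import re

# Indicators taken from the article. The hostname is stored defanged as
# published and refanged only for matching against DNS telemetry.
C2_DOMAIN_DEFANGED = "wersdfxcv.mygamesonline[.]org"
C2_DOMAIN = C2_DOMAIN_DEFANGED.replace("[.]", ".")
TASK_NAME = "Windows Themes Update"

# Per-user or all-users Startup folder, where state.bat would run at logon.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# PowerShell accepts -e / -enc / -EncodedCommand followed by Base64 of UTF-16LE text.
ENCODED_FLAG_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (rule_name, event_id) findings for the behaviours the article describes."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "task_created":
            # Known task name, or any task repeating every minute (ISO 8601 PT1M).
            if ev.get("task_name", "").lower() == TASK_NAME.lower() or ev.get("repeat_interval") == "PT1M":
                findings.append(("suspicious_scheduled_task", ev["id"]))
        elif kind == "file_created":
            path = ev.get("path", "")
            if STARTUP_DIR_RE.search(path) and path.lower().endswith(".bat"):
                findings.append(("startup_bat_dropped", ev["id"]))
        elif kind == "process_created":
            if "powershell" not in ev.get("image", "").lower():
                continue
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is None:
                continue
            # A shortcut double-clicked in Explorer yields explorer.exe as the parent.
            if ev.get("parent_image", "").lower().endswith("explorer.exe"):
                findings.append(("lnk_encoded_powershell", ev["id"]))
            if C2_DOMAIN in decoded.lower():
                findings.append(("known_c2_in_command", ev["id"]))
        elif kind == "dns_query":
            if ev.get("query", "").lower() == C2_DOMAIN:
                findings.append(("known_c2_dns", ev["id"]))
    return findings


# Constructed sample telemetry. The encoded command is a harmless Write-Output
# that merely mentions the C2 hostname, so the decoder path can be exercised.
SAMPLE_ENCODED = base64.b64encode(
    'Write-Output "constructed sample: wersdfxcv.mygamesonline.org"'.encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "kind": "task_created", "task_name": "Windows Themes Update", "repeat_interval": "PT1M"},
    {"id": 2, "kind": "task_created", "task_name": "OneDrive Reporting Task", "repeat_interval": "P1D"},
    {"id": 3, "kind": "file_created",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\state.bat"},
    {"id": 4, "kind": "process_created",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -EncodedCommand {SAMPLE_ENCODED}"},
    {"id": 5, "kind": "dns_query", "query": "wersdfxcv.mygamesonline.org"},
    {"id": 6, "kind": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for rule, event_id in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The one-minute trigger rule is deliberately broader than the single task name, since a renamed task with the same beaconing cadence is the more likely variant to meet in practice; tune the `PT1M` check to whatever interval your environment considers normal for legitimate tasks.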
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 11:15:04 +0000