TA406 Pivots to the Front

May 21, 2025, 7:38 p.m.

Description

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting attempts and malware. Their tactics included using HTML and CHM files with embedded PowerShell for malware deployment, as well as fake Microsoft security alerts for credential theft. The malware conducted extensive reconnaissance on target hosts, gathering system information and checking for anti-virus tools. TA406's focus appears to be on collecting strategic, political intelligence to assess the ongoing conflict and potential risks to North Korean forces in the region.

Date

  • Created: May 13, 2025, 9:01 p.m.
  • Published: May 13, 2025, 9:01 p.m.
  • Modified: May 21, 2025, 7:38 p.m.

Indicators

  • 58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917
  • 2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5
  • 28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537
  • https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI
  • https://lorica.com.ua/MFA/вкладення.zip
  • http://qweasdzxc.mygamesonline.org/dn.php
  • http://wersdfxcv.mygamesonline.org/view.php
  • http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt
  • http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php
  • john.dargavel.smith46@gmail.com
  • john.smith.19880@outlook.com

Attack Patterns

Additional Information

  • Government
  • Ukraine
  • Russian Federation