{
	"id": "33b97fd9-7ea5-49e1-8041-ab3c1db245bd",
	"created_at": "2026-04-06T01:29:41.920639Z",
	"updated_at": "2026-04-10T13:12:07.376864Z",
	"deleted_at": null,
	"sha1_hash": "4dd90fca7f1d5b27f6de05ad0686e1180fa7aab3",
	"title": "North Korean hackers target Russian diplomats using New Year greetings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203729,
	"plain_text": "North Korean hackers target Russian diplomats using New Year\r\ngreetings\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-09 · Archived: 2026-04-06 00:59:39 UTC\r\nA North Korean cyber-espionage group has targeted Russian embassy diplomats over the winter holidays with\r\nemails carrying New Year greetings in the hopes of infecting them with malware.\r\nThe attacks have been linked to a threat actor known as Konni, and have been taking place since at least\r\nDecember 20, cybersecurity firm Cluster25 said in a report published on Monday.\r\n\"[T]hese emails used the New Year Eve 2022 festivity as decoy theme,\" Cluster25 researchers said.\r\n\"Contrary to its past actions, the North Korean APT group this time did not use malicious documents as\r\nattachments; instead, they attached a .zip file type named 'поздравление.zip', which means 'congratulation' in\r\nRussian, containing an embedded executable representing the first stage of the infection.\"\r\nAccording to Cluster25, the ZIP files contained a Windows screensaver (.scr) file that, when executed, installed a\r\nscreensaver with Russian holiday greetings, but also the Konni remote access trojan (RAT), the malware after\r\nwhich the group was named, and which granted the attacker full control over the infected systems.\r\nCluster25 said it only detected emails sent to the Russian Embassy in Indonesia but the attack most likely targeted\r\nother embassies as well.\r\nTo look as authentic as possible, Cluster25 said the emails were also spoofed using a @mid.ru account as the\r\nsender to pretend that the email came from the Russian Embassy in Serbia.\r\nThe security firm said they've been tracking recent Konni attacks targeting Russian diplomats since at least August\r\n2021, as part of a series of attacks first detected and detailed by Malwarebytes last year.\r\nAll in all, Windows screensaver files were heavily abused by malware operations in the early\r\n2000s and might look too simplistic to work, but the reality is that non-technical users still fall for this technique,\r\nas was the case last year with NFT creators.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/north-korean-hackers-attack-russian-diplomats-using-new-year-greetings/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/north-korean-hackers-attack-russian-diplomats-using-new-year-greetings/"
	],
	"report_names": [
		"north-korean-hackers-attack-russian-diplomats-using-new-year-greetings"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438981,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dd90fca7f1d5b27f6de05ad0686e1180fa7aab3.pdf",
		"text": "https://archive.orkl.eu/4dd90fca7f1d5b27f6de05ad0686e1180fa7aab3.txt",
		"img": "https://archive.orkl.eu/4dd90fca7f1d5b27f6de05ad0686e1180fa7aab3.jpg"
	}
}