{
	"id": "58cc9478-81d0-4e81-8e30-0006979f3329",
	"created_at": "2026-04-06T00:15:50.257983Z",
	"updated_at": "2026-04-10T03:37:41.211327Z",
	"deleted_at": null,
	"sha1_hash": "6df8cf1bd9dca91d1715ad47a6ffb72df618f336",
	"title": "Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3023080,
	"plain_text": "Triple Threat: North Korea-Aligned TA406 Scams, Spies, and\r\nSteals | Proofpoint US\r\nBy November 18, 2021 Darien Huss and Selena Larson\r\nPublished: 2021-11-15 · Archived: 2026-04-05 17:12:48 UTC\r\n Download full report (PDF)\r\nKey Takeaways\r\nThroughout 2021, the North Korea-aligned threat actor TA406 conducted frequent credential theft\r\ncampaigns targeting research, education, government, media and other organizations.\r\nProofpoint considers TA406 to be one of several actors that make up the activity publicly tracked as\r\nKimsuky, Thallium and Konni Group.\r\nTA406 doesn’t usually employ malware in campaigns. However, two notable 2021 campaigns attributed to\r\nthis group attempted to distribute malware that could be used for information gathering.\r\nTA406 engages in espionage, cyber crime and sextortion.\r\nOverview\r\nThroughout 2021, Proofpoint has tracked ongoing credential theft campaigns from TA406, an actor associated\r\nwith the Democratic People’s Republic of Korea (DPRK). Our analysts have tracked TA406 campaigns targeting\r\ncustomers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January\r\n2021. From January through June 2021, Proofpoint observed almost weekly campaigns targeting foreign policy\r\nexperts, journalists and nongovernmental organizations (NGOs). \r\nIntroduction \r\nIn this report, we describe in detail many of the campaigns and behaviors associated with an actor operating on\r\nbehalf of the North Korean government: TA406. (See Figure 1.) We begin by explaining how TA406 is associated\r\nwith Kimsuky, a threat actor name broadly tracked by the threat intelligence community. We then elaborate on\r\nhow Proofpoint tracks the activity of Kimsuky as three separate threat actors—TA406, TA408 and TA427. Also,\r\nwe detail the differences between these actors, based on Proofpoint’s visibility. 
\r\nThis report also examines campaign timing and targeting by TA406, and it provides a look into how TA406\r\nconducts phishing campaigns, including the tools and services used.\r\nTA406 employs both malware and credential harvesting in espionage and information-gathering campaigns. This\r\nreport details several examples of each, including different types of credential collection and two implants used by\r\nTA406 that haven’t been discussed before in open-source reporting. And finally, like all other North Korean state-sponsored actors that Proofpoint tracks, we provide evidence that TA406 conducts financially motivated\r\ncampaigns, including the targeting of cryptocurrency and sextortion.\r\nFigure 1. TA406 activity diagram.\r\nTo read more, download the full report.\r\nTo download indicators of compromise, head here. \r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals\r\nhttps://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals"
	],
	"report_names": [
		"triple-threat-north-korea-aligned-ta406-scams-spies-and-steals"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3917d167-449d-423a-89db-41f49716a6d7",
			"created_at": "2023-03-04T02:01:54.083975Z",
			"updated_at": "2026-04-10T02:00:03.355386Z",
			"deleted_at": null,
			"main_name": "TA406",
			"aliases": [],
			"source_name": "MISPGALAXY:TA406",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6df8cf1bd9dca91d1715ad47a6ffb72df618f336.pdf",
		"text": "https://archive.orkl.eu/6df8cf1bd9dca91d1715ad47a6ffb72df618f336.txt",
		"img": "https://archive.orkl.eu/6df8cf1bd9dca91d1715ad47a6ffb72df618f336.jpg"
	}
}