TA406 Pivots to the Front
Essential information
- Published: 13/05/2025 21:01
- Modified: 21/05/2025 19:38
- Tags: 2025-05-13, chm files, credential harvesting, government targeting, north korea, phishing, powershell, reconnaissance, ukraine
- Related entities: 11 observables, 1 intrusion set (APT), 10 techniques (MITRE), 3 others
Description
In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting attempts and malware. Their tactics included using HTML and CHM files with embedded PowerShell for malware deployment, as well as fake Microsoft security alerts for credential theft. The malware conducted extensive reconnaissance on target hosts, gathering system information and checking for anti-virus tools. TA406's focus appears to be on collecting strategic, political intelligence to assess the ongoing conflict and potential risks to North Korean forces in the region.