{
  "name": "TA406 Pivots to the Front",
  "slug": "ta406-pivots-to-the-front",
  "description": "In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group used freemail sender addresses impersonating think-tank members to deliver both credential-harvesting lures and malware. Malware delivery relied on HTML and CHM attachments carrying embedded PowerShell, while credential theft used fake Microsoft security alerts. The malware performed extensive reconnaissance on target hosts, collecting system information and checking for installed antivirus tools. TA406's focus appears to be on collecting strategic, political intelligence to assess the ongoing conflict and potential risks to North Korean forces in the region. Beyond the execution and discovery techniques summarized above, the ATT&CK techniques mapped to this report also cover persistence via Registry Run keys or the Startup folder (T1547.001) and scheduled tasks (T1053), as well as obfuscated and later decoded payloads (T1027, T1140). The attached observables are the indicators published in the referenced sources: two freemail addresses, a .zip download URL, a mega.nz file link, several PHP and text endpoints on subdomains of what appear to be shared free-hosting domains (mygamesonline.org, mywebcommunity.org), and three SHA-256 file hashes. Because the mega.nz and free-hosting apex domains are shared infrastructure, detections should match on the full URL or path rather than the parent domain, and none of the URLs should be opened outside an isolated analysis environment."
  "published": "2025-05-13T19:01:35+00:00",
  "created_at": "2025-05-13T19:01:35+00:00",
  "modified_at": "2025-05-21T17:38:25+00:00",
  "created_at_opencti": "2025-05-13T19:01:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-13",
    "chm files",
    "credential harvesting",
    "government targeting",
    "north korea",
    "phishing",
    "powershell",
    "reconnaissance",
    "ukraine"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI"
      },
      {
        "id": "",
        "name": "https://lorica.com.ua/MFA/\u0432\u043a\u043b\u0430\u0434\u0435\u043d\u043d\u044f.zip"
      },
      {
        "id": "",
        "name": "http://qweasdzxc.mygamesonline.org/dn.php"
      },
      {
        "id": "",
        "name": "http://wersdfxcv.mygamesonline.org/view.php"
      },
      {
        "id": "",
        "name": "http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt"
      },
      {
        "id": "",
        "name": "http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php"
      },
      {
        "id": "",
        "name": "john.dargavel.smith46@gmail.com"
      },
      {
        "id": "",
        "name": "john.smith.19880@outlook.com"
      },
      {
        "id": "",
        "name": "58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917"
      },
      {
        "id": "",
        "name": "2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5"
      },
      {
        "id": "",
        "name": "28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537"
      }
    ],
    "intrusion_sets": [
      {
        "id": "45b9c904-3fe0-46ac-88dc-bbeb2071ec76",
        "name": "TA406",
        "slug": "ta406"
      }
    ],
    "attack_patterns": [
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front",
    "https://otx.alienvault.com/pulse/6823b32f1fad0a568539c4c1"
  ]
}