North Korean Hackers Target Ukraine to Gauge Russian Military Needs

New findings reveal that North Korean state-sponsored hackers are conducting cyber-espionage operations against Ukrainian government institutions and affiliated organizations. But the objective is strategic rather than tactical: collecting intelligence that may influence Pyongyang’s decisions on whether to deepen its military support for Russia in the ongoing conflict.

According to cybersecurity researchers at Proofpoint, the threat group known as TA406—also tracked under aliases like Opal Sleet and Konni—has been actively targeting Ukrainian entities since early 2025. Unlike Russian cyber units, which primarily aim to disrupt operations or gather battlefield intelligence, North Korea’s operations focus on long-term political and military insights.

TA406 is leveraging socially engineered phishing campaigns designed to extract credentials and deploy malware. The attackers disguise themselves as experts from fictitious think tanks, baiting their targets with content tied to real political events. One recent campaign impersonated a “senior fellow” from the fabricated “Royal Institute of Strategic Studies,” referencing former Ukrainian military chief Valeriy Zaluzhnyi to lure recipients.

Once opened, the malicious attachments—typically HTML or CHM files—trigger PowerShell scripts that begin collecting data from the host device. These scripts gather network configuration, system details, and an inventory of installed security software using commands such as ipconfig /all and systeminfo, along with WMI queries.

To evade detection, the malicious files are distributed in password-protected RAR archives. In some cases, the hackers also send fake Microsoft security alert messages from Proton Mail accounts, or deliver ZIP files containing innocuous-looking PDFs alongside malicious shortcut (LNK) files that decode and run PowerShell scripts.
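The two delivery chains described above (a CHM or HTML lure launching PowerShell, and a LNK file launching PowerShell directly) leave a recognisable trail in process-creation telemetry: a PowerShell process whose parent is a help-file or shell handler, an encoded command line, and child processes running the same reconnaissance commands the article names. The following detection script is an added example written for this article, not code from Proofpoint or from the campaign. It scores constructed Sysmon Event ID 1 style records; the process GUIDs, file paths and the base64 blob (which decodes to the word PLACEHOLDER) are made up, and the parent-process weights and threshold are assumptions a defender would tune.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the shape of Sysmon Event ID 1.
# GUIDs, paths and the encoded blob (UTF-16LE "PLACEHOLDER") are invented for
# this example; none of them are indicators from the article.
SAMPLE_EVENTS = [
    {"ProcessGuid": "P0", "ParentProcessGuid": "", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # Chain 1: a CHM lure rendered by hh.exe spawns hidden, encoded PowerShell,
    # which then runs the recon commands named in the article.
    {"ProcessGuid": "P1", "ParentProcessGuid": "P0", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\briefing.chm'},
    {"ProcessGuid": "P2", "ParentProcessGuid": "P1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},
    {"ProcessGuid": "P3", "ParentProcessGuid": "P2", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig.exe /all"},
    {"ProcessGuid": "P4", "ParentProcessGuid": "P2", "Image": r"C:\Windows\System32\systeminfo.exe",
     "CommandLine": "systeminfo.exe"},
    {"ProcessGuid": "P5", "ParentProcessGuid": "P2", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r"wmic.exe /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    # Benign: an administrator opens PowerShell from the desktop and checks the date.
    {"ProcessGuid": "P6", "ParentProcessGuid": "P0",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    # Benign: ipconfig run from cmd.exe, not from PowerShell; no lure parent involved.
    {"ProcessGuid": "P7", "ParentProcessGuid": "P0", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessGuid": "P8", "ParentProcessGuid": "P7", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    # Chain 2: a LNK target launched by explorer.exe, again encoded PowerShell plus recon.
    {"ProcessGuid": "P9", "ParentProcessGuid": "P0",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ec UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},
    {"ProcessGuid": "P10", "ParentProcessGuid": "P9", "Image": r"C:\Windows\System32\systeminfo.exe",
     "CommandLine": "systeminfo"},
    {"ProcessGuid": "P11", "ParentProcessGuid": "P9",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-WmiObject Win32_OperatingSystem"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed weights: hh.exe (CHM viewer) and mshta.exe (HTML applications) are
# strong signals as a PowerShell parent; explorer.exe is weak on its own because
# it launches every user-started program, LNK targets included.
LURE_PARENT_WEIGHT = {"hh.exe": 2, "mshta.exe": 2, "explorer.exe": 1}
# Reconnaissance commands from the article, matched against child command lines.
RECON_PATTERNS = [
    ("ipconfig_all", re.compile(r"\bipconfig(?:\.exe)?\s+/all\b", re.I)),
    ("systeminfo", re.compile(r"\bsysteminfo(?:\.exe)?\b", re.I)),
    ("wmi_query", re.compile(r"\b(?:wmic(?:\.exe)?|Get-WmiObject|Get-CimInstance)\b", re.I)),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, threshold=3):
    """Return one finding per PowerShell process whose parent, command line and
    child processes together score at or above `threshold` (an assumed cut-off)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessGuid"]].append(e)

    findings = []
    for e in events:
        if _basename(e["Image"]) not in POWERSHELL:
            continue
        parent = by_guid.get(e["ParentProcessGuid"])
        parent_name = _basename(parent["Image"]) if parent else "<unknown>"
        # Distinct recon techniques seen among this process's direct children.
        recon = sorted({name for child in children[e["ProcessGuid"]]
                        for name, rx in RECON_PATTERNS if rx.search(child["CommandLine"])})
        encoded = bool(ENCODED_PS.search(e["CommandLine"]))
        score = LURE_PARENT_WEIGHT.get(parent_name, 0) + int(encoded) + len(recon)
        if score >= threshold:
            findings.append({"process": e["ProcessGuid"], "parent": parent_name,
                             "encoded_command": encoded, "recon": recon, "score": score})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script flags the hh.exe chain (P2, score 6) and the explorer-launched encoded chain (P9, score 4) while ignoring the administrator's interactive PowerShell and the ipconfig run from cmd.exe. The point of scoring rather than matching any single attribute is that each element alone (explorer.exe as parent, an encoded command, a lone systeminfo) is common in normal administration; it is the combination within one process tree that corresponds to the lure-to-reconnaissance sequence the article describes.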

Proofpoint believes the campaign is closely tied to North Korea’s ongoing military calculus. After reportedly committing troops to support Russia in late 2024, Pyongyang is likely using these cyber operations to assess the risk to its forces and anticipate whether Moscow will request additional aid.