Hackers from the TA406 group, linked to the North Korean government, have launched a series of phishing attacks on Ukrainian government institutions in an attempt to gain strategic intelligence on Ukraine’s readiness to resist and determine Russia’s needs for further military support.

The attacks began in February 2025, when the attackers, posing as employees of fictional think tanks, sent phishing emails with HTML and CHM files attached. These files contained malicious PowerShell scripts that collected system information, file listings and antivirus status, and installed backdoors for persistent access. The emails were themed around political events, in particular the dismissal of General Zaluzhny.
TA406 also used fake Microsoft emails and fake ZIP archives to steal credentials, indicating a multi-layered campaign. The collected information was transmitted to servers owned by TA406 via encrypted communication channels.
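The CHM-attachment chain described above (a help file opened by the Windows viewer hh.exe, which then spawns a PowerShell script host) leaves a distinctive parent/child process trail. The following is an added detection example, not code from the original report: it assumes process-creation events in a constructed, simplified key=value line format carrying the same fields as Sysmon Event ID 1 or Windows 4688, and the sample lines are constructed, not real telemetry.

```python
import ntpath

# Constructed process-creation events (assumed format for this example, not real logs).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\hh.exe | CommandLine=hh.exe C:\\Users\\u\\Downloads\\briefing.chm | User=CORP\\analyst",
    "ParentImage=C:\\Windows\\hh.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\inst.ps1 | User=CORP\\analyst",
    "ParentImage=C:\\Windows\\hh.exe | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe /c echo test | User=CORP\\analyst",
    "ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell.exe -File C:\\scripts\\backup.ps1 | User=CORP\\admin",
]

CHM_VIEWER = "hh.exe"
# Script/LOLBin hosts that a help file has no legitimate reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Command-line fragments that raise confidence when seen on the spawned child.
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden", "bypass", "-nop")
# User-writable locations from which a freshly delivered CHM is typically opened.
DELIVERY_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\outlook\\")

def parse_event(line):
    """Split 'Key=Value | Key=Value' into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def flag_chm_spawned_scripts(lines):
    """Return one alert per event matching the CHM delivery or CHM-to-script-host chain."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        cmd = ev.get("CommandLine", "").lower()
        if child == CHM_VIEWER and ".chm" in cmd and any(d in cmd for d in DELIVERY_DIRS):
            # Low severity: a CHM opened from a download/attachment folder is worth correlating.
            alerts.append({"user": ev.get("User"), "child": child, "severity": "low", "indicators": []})
        elif parent == CHM_VIEWER and child in SCRIPT_HOSTS:
            hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
            # The parent/child pair alone is anomalous; hidden/bypass flags make it high.
            alerts.append({"user": ev.get("User"), "child": child,
                           "severity": "high" if hits else "medium", "indicators": hits})
    return alerts

if __name__ == "__main__":
    for alert in flag_chm_spawned_scripts(SAMPLE_EVENTS):
        print(alert)
```

The benign explorer.exe-to-powershell.exe event in the sample produces no alert, which is the point of keying on the hh.exe parent rather than on PowerShell alone.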
In 2024, North Korea sent troops to assist Russia in its war against Ukraine. Since then, TA406 (also known as Konni and Opal Sleet) has shifted its focus from Russia to intensive intelligence gathering in Ukraine. This marks a shift from tactical to strategic intelligence, focused on the political will to resist, military resources, and the potential for escalation.
TA406’s attacks are not just a cyber threat, but part of a larger geopolitical game. They demonstrate that North Korea is no longer just an observer, but an active participant, using Ukraine as a platform to analyze the risks of its actions on the side of Russia. Ukraine’s cyber defense must take into account a new type of adversary – a strategically motivated ally of the enemy.