Date: 05/14/2025
Severity: High
Summary
In February 2025, TA406 launched phishing campaigns against Ukrainian government entities, delivering both credential-harvesting tools and malware. TA406 is a DPRK state-sponsored threat group, also known as Opal Sleet or Konni, and the campaigns were likely aimed at gathering intelligence related to the ongoing Russian invasion. Previously focused on Russian targets, the group now uses freemail accounts that impersonate think tank members to lend its messages credibility. The phishing lures are crafted around recent developments in Ukrainian domestic politics.
Indicators of Compromise (IOC) List
Domains / URLs:
jetmf.com
https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI
http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt
http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php
https://lorica.com.ua/MFA/вкладення.zip
http://qweasdzxc.mygamesonline.org/dn.php
http://wersdfxcv.mygamesonline.org/view.php
Email:
emln0reply@protonmail.com
eml-n0replypro@proton.me
john.smith.19880@outlook.com
john.dargavel.smith46@gmail.com
Hash (SHA-256):
58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917
28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537
2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs:
domainname like "jetmf.com" or url like "jetmf.com" or siteurl like "jetmf.com"
or domainname like "https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI" or url like "https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI" or siteurl like "https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI"
or domainname like "http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt" or url like "http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt" or siteurl like "http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt"
or domainname like "http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php" or url like "http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php" or siteurl like "http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php"
or domainname like "https://lorica.com.ua/MFA/вкладення.zip" or url like "https://lorica.com.ua/MFA/вкладення.zip" or siteurl like "https://lorica.com.ua/MFA/вкладення.zip"
or domainname like "http://qweasdzxc.mygamesonline.org/dn.php" or url like "http://qweasdzxc.mygamesonline.org/dn.php" or siteurl like "http://qweasdzxc.mygamesonline.org/dn.php"
or domainname like "http://wersdfxcv.mygamesonline.org/view.php" or url like "http://wersdfxcv.mygamesonline.org/view.php" or siteurl like "http://wersdfxcv.mygamesonline.org/view.php"
Email:
sender In ("emln0reply@protonmail.com","eml-n0replypro@proton.me","john.smith.19880@outlook.com","john.dargavel.smith46@gmail.com")
Hash:
sha256hash IN ("58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917","28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537","2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5")
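As an added illustration of the detection logic above (example code, not Gurucul's query engine), the following Python matches this advisory's indicators against constructed log records: it compares URLs by host and path only, because the scheme and the "#fragment" (for the mega.nz link, the file key) never reach a proxy log, and it matches jetmf.com at the domain level while the URLs on shared hosts (mega.nz, lorica.com.ua, free-hosting subdomains) are matched only as exact URLs to avoid false positives. The record layout (src, host, url, sender, sha256) and the sample records are assumptions made for the example.

```python
from urllib.parse import urlsplit
# Indicators copied from the advisory above. jetmf.com is attacker-registered, so any
# host under it matches; the rest sit on shared hosts and match only as exact URLs.
DOMAIN_IOCS = {"jetmf.com"}
URL_IOCS = {
    "https://mega.nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI",
    "http://pokijhgcfsdfghnj.mywebcommunity.org/main/test.txt",
    "http://pokijhgcfsdfghnj.mywebcommunity.org/main/receive.php",
    "https://lorica.com.ua/MFA/вкладення.zip",
    "http://qweasdzxc.mygamesonline.org/dn.php",
    "http://wersdfxcv.mygamesonline.org/view.php",
}
SENDER_IOCS = {"emln0reply@protonmail.com", "eml-n0replypro@proton.me",
               "john.smith.19880@outlook.com", "john.dargavel.smith46@gmail.com"}
HASH_IOCS = {"58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917",
             "28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537",
             "2a13f273d85dc2322e05e2edfaec7d367116366d1a375b8e9863189a05a5cec5"}

def url_key(url):
    """(host, path) of a URL; scheme and '#fragment' (mega.nz's file key) never reach a proxy log."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path

URL_KEYS = {url_key(u) for u in URL_IOCS}

def match_record(rec):
    """Return the IOC types hit by one record; field names host/url/sender/sha256 are assumed."""
    hits = []
    if "url" in rec and url_key(rec["url"]) in URL_KEYS:
        hits.append("url")
    host = rec.get("host", "").lower()
    if host and any(host == d or host.endswith("." + d) for d in DOMAIN_IOCS):
        hits.append("domain")
    if rec.get("sender", "").lower() in SENDER_IOCS:      # case-insensitive sender match
        hits.append("sender")
    if rec.get("sha256", "").lower() in HASH_IOCS:        # EDR may report hashes in upper case
        hits.append("sha256")
    return hits

def scan(records):
    """Return (source, hits) for every record that hits at least one IOC."""
    return [(r["src"], hits) for r in records if (hits := match_record(r))]

SAMPLE_LOGS = [  # constructed sample records, not real telemetry
    {"src": "proxy", "host": "mega.nz", "url": "https://mega.nz/file/SmxUiA4K"},
    {"src": "proxy", "host": "cdn.jetmf.com", "url": "https://cdn.jetmf.com/a"},
    {"src": "proxy", "host": "mega.nz", "url": "https://mega.nz/file/OtherFile"},
    {"src": "mail", "sender": "John.Smith.19880@outlook.com"},
    {"src": "edr", "sha256": "58ADB6B87A3873F20D56A10CCDE457469ADB5203F3108786C3631E0DA555B917"},
]
```

Running scan(SAMPLE_LOGS) flags the first two proxy records, the mail record and the EDR record, and leaves the unrelated mega.nz download alone.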
Reference:
https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front