North Korean hackers target Ukrainian government in new espionage campaign

North Korean state-backed hackers have targeted Ukrainian government entities in a new espionage campaign, likely aimed at gathering intelligence on Russia’s war efforts, researchers have found.

The group, tracked as TA406, is known for using spear-phishing attacks to target governments, research centers, think tanks, academic institutions and media organizations worldwide — particularly in Europe, Japan, Russia, South Korea and the United States.

Previously, the group focused on collecting strategic intelligence in Russia. The latest wave of activity in Ukraine suggests that Pyongyang is seeking to “better understand the appetite to continue fighting against the Russian invasion” and “the medium-term outlook of the conflict,” according to the latest report by cybersecurity firm Proofpoint.

North Korea, which started deploying troops to assist Russian forces in Ukraine in late 2024, is likely using this intelligence to assess risks to its own forces on the ground and to gauge whether Moscow will require further military support, researchers said.

TA406, also tracked under the names Opal Sleet and Konni, has used a variety of techniques in its recent campaigns in Ukraine, including impersonating think tank members to trick victims into opening phishing emails related to recent events in Ukrainian domestic politics.

During one operation in February 2025, the group spoofed a fictitious senior fellow from the Royal Institute of Strategic Studies — another fabricated entity. The phishing emails contained a link to a file hosted on a cloud storage service, which would download a password-protected archive.

If the archive was unpacked with the supplied password and its contents executed, it would initiate a chain of infections using PowerShell, allowing the attackers to collect data on the target computer, including IP configuration, file names, disk information and installed antivirus software.

TA406 had previously attempted to harvest credentials from Ukrainian government employees by sending fake Microsoft security alert messages via Protonmail accounts. These emails warned of unusual sign-in activity and prompted recipients to verify their login attempts. While the credential harvesting page could not be recovered, the tactics align with TA406’s known activity.

Ukrainian researchers rarely speak of North Korean cyberattacks on their systems — most espionage campaigns against the country are attributed to Russian hackers. As of the time of writing, Ukraine’s computer emergency response team (CERT-UA) has not responded to a request for comment from Recorded Future News regarding TA406’s latest campaign.

According to Proofpoint, TA406’s cyber efforts in Ukraine are focused on political intelligence and strategic analysis of the ongoing war. This contrasts with the objectives of Russian hackers, who typically seek tactical intelligence related to battlefield operations.

Earlier in February, the European Union sanctioned the head of North Korea’s Reconnaissance General Bureau (RGB), Lee Chang Ho, who was allegedly involved in deploying North Korean personnel to support Russia’s war against Ukraine. He has also overseen cyber units, including those known in the West as Lazarus and Kimsuky.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.