Categories: Cyber Security News

North Korean APT Hackers Attack Ukrainian Government Agencies to Steal Login Credentials

A North Korean advanced persistent threat (APT) group, Konni, has been observed launching a focused phishing campaign against Ukrainian government agencies in early 2025.

Researchers note that North Korean APT groups have typically aimed their efforts at regional and US-based organizations, so this targeting of Ukraine signals a possible strategic shift, potentially an alignment with Russia amid the ongoing conflict in the region.

Konni Group Shifts Focus to Ukraine

According to detailed threat intelligence reports, the Konni group’s February 2025 attack relied on a classic social engineering approach: phishing emails cleverly disguised as Microsoft security alerts and sent from a Proton Mail account.


These emails urged recipients within Ukrainian government agencies to click on embedded links, which redirected them to credential harvesting sites.

In addition, malware was delivered through HTML attachments, further increasing the campaign’s effectiveness.

Once a user interacted with the malicious content, the attackers initiated Command and Control (C2) operations by leveraging PowerShell scripts, allowing them to maintain unauthorized access and potentially exfiltrate sensitive information.
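The lure described above combines three signals a mail gateway or SOC triage script can check mechanically: a Microsoft-branded display name and subject, a sender domain that belongs to a free webmail provider rather than Microsoft, and links or HTML attachments that point away from Microsoft infrastructure. The following is an added example written for this article, not code from the researchers or from any vendor product; the sample message is constructed to resemble the described lure, and the Microsoft and Proton Mail domain lists are assumptions for the check, not values taken from the report.

```python
"""Triage a suspicious message for the brand-spoofing pattern described above."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the page's description: Microsoft-styled alert,
# Proton Mail sender, link to a non-Microsoft host, HTML attachment. Not a real capture.
SAMPLE_EML = """From: "Microsoft Account Team" <account-security@proton.me>
To: analyst@example.gov.ua
Subject: Unusual sign-in activity on your Microsoft account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected a new sign-in. If this wasn't you,
<a href="https://login-verify.example.net/ms/reset">review your activity</a>.</p></body></html>
--BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Security_Alert.html"

<html><body><p>placeholder attachment body</p></body></html>
--BOUNDARY--
"""

# Assumed allowlist of domains Microsoft account notices come from (not from the page).
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com")
# Assumed Proton Mail sender domains; the page names the service, not the domains.
FREEMAIL_DOMAINS = ("proton.me", "protonmail.com")
BRAND_WORDS = re.compile(r"\bmicrosoft\b", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href targets from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def domain_matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_message(raw):
    """Return a list of (finding, detail) tuples for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    sender_domain = sender.addr_spec.rpartition("@")[2]
    claims_brand = BRAND_WORDS.search(sender.display_name or "") or BRAND_WORDS.search(msg["Subject"] or "")

    # Brand named in the display name or subject, but sent from elsewhere.
    if claims_brand and not domain_matches(sender_domain, MICROSOFT_DOMAINS):
        findings.append(("brand_spoof", sender_domain))
    # Security alerts from a free webmail account are themselves a signal.
    if domain_matches(sender_domain, FREEMAIL_DOMAINS):
        findings.append(("freemail_sender", sender_domain))

    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() == "attachment":
            # HTML attachments are a common carrier for the initial stage.
            findings.append(("html_attachment", part.get_filename()))
        extractor = LinkExtractor()
        extractor.feed(part.get_content())
        for link in extractor.links:
            host = urlparse(link).hostname
            if not domain_matches(host, MICROSOFT_DOMAINS):
                findings.append(("offbrand_link", host))
    return findings


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_EML):
        print(finding)
```

Each finding is weak on its own (plenty of legitimate mail mentions Microsoft), so a gateway rule would normally require the brand mismatch plus at least one of the other two before quarantining; the function returns all of them so that scoring can be tuned separately.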

While the full extent of the compromise is not yet confirmed, the timing of the operation is noteworthy.

Analysts speculate this activity is likely tied to North Korea’s support for Russian operations after reports surfaced of North Korean troop deployments to assist Russia in late 2024.

According to the ASEC report, this alignment may have prompted North Korean threat actors to evaluate vulnerabilities within Ukrainian agencies, either as a prelude to deeper cyber-espionage or as a means to offer actionable intelligence to their Russian partners.

TA-RedAnt Continues Aggressive Spear-Phishing Tactics

Meanwhile, another North Korean APT group, TA-RedAnt (also tracked as APT37), has been active in targeting South Korean national security think tanks and organizations involved in North Korea-related activities.

In March 2025, this group leveraged spear-phishing emails constructed to appear as invitations to security-related academic events.

The emails contained ZIP files with embedded Dropbox links that, when accessed, delivered a malicious LNK shortcut file.


Upon execution, the LNK file would drop and run the RoKRAT backdoor, exploiting the CVE-2022-41128 Internet Explorer vulnerability.

The group is notable for employing the “Living off Trusted Sites” (LoTS) technique, utilizing legitimate cloud services like Dropbox as part of its Command and Control (C2) infrastructure.

This not only complicates detection efforts but also demonstrates a continual evolution in attack sophistication.
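Two defensive checks follow directly from the chain described in the last few paragraphs: inspecting ZIP attachments for shortcut files (including ones hiding behind a document-looking name), and watching for connections to trusted cloud services from processes that have no business talking to them, which is what makes LoTS detectable despite the legitimate destination. This is an added example written for this article, not code from the researchers or from any product. The archive and proxy log lines are constructed; the shortcut member holds only the 4-byte Shell Link header size marker, not a working shortcut; the Dropbox domain list and the set of processes expected to reach it are assumptions for the example.

```python
"""Attachment and proxy-log checks for the ZIP -> LNK -> cloud C2 chain described above."""
import io
import zipfile

# A Windows Shell Link file begins with HeaderSize = 0x4C as a little-endian DWORD.
LNK_MAGIC = b"L\x00\x00\x00"
# Extensions that execute on double-click; used for the double-extension check.
EXEC_EXTS = (".lnk", ".exe", ".scr", ".js", ".vbs", ".hta")


def build_sample_zip():
    """Constructed archive standing in for the lure attachment (inert placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation_Security_Forum_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 16)
        zf.writestr("Agenda.pdf", LNK_MAGIC + b"\x00" * 16)  # shortcut with a document name
        zf.writestr("README.txt", b"See attached invitation.")
    return buf.getvalue()


def inspect_archive(data):
    """Return (finding, member_name) tuples for shortcut-like members of a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            with zf.open(info) as fh:
                head = fh.read(4)
            if base.endswith(".lnk"):
                findings.append(("shortcut_member", name))
            elif head == LNK_MAGIC:
                # Content is a shortcut even though the name says otherwise.
                findings.append(("shortcut_magic_disguised", name))
            if base.count(".") >= 2 and base.endswith(EXEC_EXTS):
                findings.append(("double_extension", name))
    return findings


# Constructed proxy log: timestamp, workstation, originating process, destination host.
PROXY_LOG = """2025-03-12T09:14:02Z ws-17 outlook.exe login.microsoftonline.com
2025-03-12T09:14:41Z ws-17 powershell.exe content.dropboxapi.com
2025-03-12T09:15:03Z ws-17 chrome.exe api.dropboxapi.com
2025-03-12T09:16:10Z ws-17 rundll32.exe dl.dropboxusercontent.com
"""

# Assumed Dropbox service domains and the processes expected to reach them.
TRUSTED_CLOUD = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}


def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def lots_alerts(log_text):
    """Flag trusted-cloud destinations reached by processes outside the expected set."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, station, proc, dest = line.split()
        if host_matches(dest, TRUSTED_CLOUD) and proc.lower() not in EXPECTED_CLOUD_CLIENTS:
            alerts.append((ts, station, proc, dest))
    return alerts


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_zip()):
        print("archive:", finding)
    for alert in lots_alerts(PROXY_LOG):
        print("proxy:", alert)
```

The process-based rule is what gives the second check its value: blocking Dropbox outright is rarely an option, but a script host or rundll32 fetching from a file-sharing service is unusual enough on most fleets to be worth an alert, and the allowlist can be widened per environment.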

Additionally, TA-RedAnt extends its reach beyond Windows systems, targeting Android and macOS platforms with tailored malware to ensure persistent access across the diverse devices used by its victims.

Equally concerning is the trend of North Korean threat actors attempting to infiltrate international organizations through unconventional means.

Recent intelligence highlights attempts to secure employment within cybersecurity and other sensitive industries by manipulating resumes with AI tools and even adopting deceptive online personas, including disguising themselves as women.

These efforts underscore a broader North Korean strategy to gain insider access and expand its global espionage footprint.

The recent activity of North Korean APT groups reflects a broadening of their operational targets and an intensification of their technical and social engineering capabilities.

Security experts insist that ongoing monitoring and dynamic defense strategies are crucial to mitigating the evolving risks posed by these increasingly versatile and determined adversaries.


The post North Korean APT Hackers Attack Ukrainian Government Agencies to Steal Login Credentials appeared first on Cyber Security News.

rssfeeds-admin
