Full Report
Trends of major APT groups by country 1) North Korea The North Korean APT group has been targeting Ukrainian government agencies. This is different from the group’s typical attack targets, so further observation is required to determine whether this is a one-time attack or a strategic alliance with Russia. North Korea is […]
Analysis Summary
# Threat Actor: Konni (Associated with North Korea)
## Attribution & Identity
Attributed to North Korea. Associated with the threat actor TA406 according to the cited source.
## Activity Summary
In February 2025, Konni launched a phishing campaign targeting Ukrainian government agencies to steal credentials and distribute malware. This operation is viewed as part of the North Korean regime's strategic information-gathering efforts. The actor also disguises its personnel (e.g., AI-manipulated resumes, posing as women) to obtain employment in cybersecurity and other industries as a means of infiltration.
## Tactics, Techniques & Procedures
- Initial access via spear phishing.
- Credential phishing via emails disguised as Microsoft security alerts.
- Malware distribution using an HTML attachment.
- Command and control (C2) communication using PowerShell.
## Targeting
- Sectors: Government agencies.
- Geography: Ukraine.
- Victims: Ukrainian government agencies.
## Tools & Infrastructure
- Malware Families: Konni (implied malware/payload).
- Infrastructure (C2, domains, IPs): Uses Proton Mail accounts for sending phishing emails.
## Implications
The targeting of Ukrainian government agencies suggests alignment with geopolitical objectives, possibly related to Russia’s presence in Ukraine. The actor's focus on infiltration via employment indicates a long-term strategy for intelligence gathering within key sectors.
## Mitigations
- Enhance email filtering for suspicious attachments and links, especially those disguised as security alerts.
- Implement robust credential protection mechanisms.
- Scrutinize recruitment processes for indicators of compromised or deceptive employment attempts (e.g., AI-manipulated resumes).
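As an added illustration of the email-filtering mitigation (this code is not from the report), the following Python check parses a constructed message modelled on the lure described above and returns the reasons it matches: a display name that claims Microsoft from a non-Microsoft domain, a Proton Mail sender, and an HTML attachment. The Proton Mail domain list and the Microsoft allow-list are assumptions.

```python
"""Flag mail that poses as a Microsoft security alert while coming from a free
webmail account and carrying an HTML attachment (constructed example)."""
from email import message_from_string, policy
from email.utils import parseaddr

PROTON_DOMAINS = {"proton.me", "protonmail.com", "pm.me"}   # assumption: Proton Mail sender domains
MICROSOFT_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com"}  # illustrative allow-list

# Constructed sample message modelled on the campaign described above.
SAMPLE_EML = """\
From: "Microsoft Account Team" <account-team@proton.me>
To: staff@example.gov.ua
Subject: Microsoft security alert: unusual sign-in activity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached notice.
--b1
Content-Type: text/html; name="notice.html"
Content-Disposition: attachment; filename="notice.html"

<html><body><a href="https://example.invalid/login">Verify your account</a></body></html>
--b1--
"""

def assess_message(raw: str) -> list[str]:
    """Return the reasons a message matches the Konni lure pattern (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Brand impersonation: display name claims Microsoft, sending domain does not.
    if "microsoft" in display.lower() and domain not in MICROSOFT_DOMAINS:
        reasons.append(f"display name {display!r} impersonates Microsoft from {domain}")
    # The report notes the phishing mails are sent from Proton Mail accounts.
    if domain in PROTON_DOMAINS:
        reasons.append(f"sender uses Proton Mail domain {domain}")
    # HTML attachments are the malware delivery vehicle in this campaign.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            reasons.append(f"HTML attachment {name!r}")
    # Only count the security-alert subject when paired with another indicator.
    if "security alert" in msg.get("Subject", "").lower() and reasons:
        reasons.append("subject mimics a security alert")
    return reasons
```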
***
# Threat Actor: TA-RedAnt (Associated with North Korea)
## Attribution & Identity
Threat actor associated with North Korean activity. Discussed in analysis concerning APT37, although the source does not explicitly name it as APT37.
## Activity Summary
In March 2025, TA-RedAnt distributed RoKRAT malware via spear-phishing attacks disguised as invitations to an academic event hosted by a South Korean security think tank. The actor utilizes Living off Trusted Sites (LoTS) techniques.
## Tactics, Techniques & Procedures
- Spear phishing.
- Execution of a malicious LNK file delivered via a ZIP archive containing a Dropbox link.
- Exploitation of CVE-2022-41128 (Internet Explorer vulnerability).
- Utilized Living off Trusted Sites (LoTS) by employing legitimate cloud services (Dropbox) as C2 channels.
- Targets Windows, Android (APKs), and macOS users.
## Targeting
- Sectors: National security, think tanks related to North Korea.
- Geography: South Korea.
- Victims: Organizations involved in South Korean national security strategy.
## Tools & Infrastructure
- Malware Families: RoKRAT.
- Infrastructure (C2, domains, IPs): Dropbox (used for hosting malicious files/C2 communication).
## Implications
TA-RedAnt exhibits multi-platform targeting maturity (Windows, Android, macOS) and leverages LoTS to evade detection by blending malicious activity within trusted cloud services.
## Mitigations
- Patch vulnerabilities, especially those affecting older software like Internet Explorer (CVE-2022-41128).
- Restrict the execution of files from temporary or downloaded archives, particularly LNK files.
- Implement network monitoring to detect unusual outbound traffic to legitimate cloud storage services used for C2.
***
# Threat Actor: APT41 (Associated with China)
## Attribution & Identity
Chinese Advanced Persistent Threat (APT) group, also tracked as BRONZE OVERLORD.
## Activity Summary
APT41 was active in October 2024, targeting organizations across multiple critical industries. They used spear-phishing to distribute malicious ZIP files and leveraged Google Calendar as a novel C2 mechanism, potentially exploiting zero-day vulnerabilities in SaaS platforms.
## Tactics, Techniques & Procedures
- Spear phishing via emails delivering malicious ZIP files.
- Using Google Calendar as a C2 channel.
- Executing payloads in memory.
- Encryption and compression of data and payloads.
- Process hollowing.
- Control-flow obfuscation.
## Targeting
- Sectors: Government agencies, global maritime, logistics, media, entertainment, technology, and automotive industry organizations.
- Geography: Global (implied by the breadth of industries targeted).
- Victims: Various organizations across the mentioned sectors.
## Tools & Infrastructure
- Malware Families: TOUGHPROGRESS, PLUSDROP.
- Infrastructure (C2, domains, IPs): Google Calendar.
## Implications
APT41 demonstrates advanced, innovative techniques, specifically abusing legitimate SaaS platforms (Google Calendar) for C2 communication, making detection based on traditional C2 indicators extremely difficult. Their broad industry targeting suggests expansive economic and geopolitical objectives.
## Mitigations
- Deploy application controls to restrict process hollowing and memory execution techniques.
- Increase scrutiny of communication channels, including legitimate services like Google Calendar, for potential C2 signaling or data exfiltration.
- Implement defense-in-depth for email gateways to block spear-phishing attempts carrying archives.
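The network-monitoring mitigations for TA-RedAnt (Dropbox) and APT41 (Google Calendar) both come down to noticing that a trusted cloud service is being contacted on a schedule by something that is not a browser. As an added example that is not part of the report, the Python below scans constructed proxy log lines, groups hits by host, process and destination, and flags series whose inter-arrival times are nearly constant, the beacon pattern a C2 channel over a trusted site tends to leave. The watched hostnames, process names and thresholds are assumptions.

```python
"""Detect beacon-like connections to trusted cloud services in proxy logs.
Constructed input; fields: ISO timestamp, host, process, destination."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the report says were abused as C2 channels (hostnames are assumptions).
WATCHED = {"www.dropbox.com", "content.dropboxapi.com", "calendar.google.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # clients expected to talk to them

SAMPLE_LOG = """\
2025-03-10T09:00:00 ws-17 chrome.exe www.dropbox.com
2025-03-10T09:00:05 ws-17 svchost.exe calendar.google.com
2025-03-10T09:10:03 ws-17 svchost.exe calendar.google.com
2025-03-10T09:20:06 ws-17 svchost.exe calendar.google.com
2025-03-10T09:30:02 ws-17 svchost.exe calendar.google.com
2025-03-10T09:40:08 ws-17 svchost.exe calendar.google.com
2025-03-10T09:03:11 ws-22 chrome.exe www.dropbox.com
2025-03-10T09:41:40 ws-22 chrome.exe www.dropbox.com
2025-03-10T10:12:07 ws-22 chrome.exe www.dropbox.com
"""

def parse(log: str):
    """Yield (timestamp, host, process, destination) per non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, host, proc, dest = line.split()
            yield datetime.fromisoformat(ts), host, proc, dest

def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.1) -> list[dict]:
    """Group hits by (host, process, destination) and flag series whose
    inter-arrival gaps are regular: coefficient of variation <= max_jitter."""
    series = defaultdict(list)
    for ts, host, proc, dest in parse(log):
        if dest in WATCHED:
            series[(host, proc, dest)].append(ts)
    findings = []
    for (host, proc, dest), stamps in series.items():
        if len(stamps) < min_hits:      # too few hits to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            findings.append({"host": host, "process": proc, "dest": dest,
                             "period_s": round(avg), "jitter": round(cv, 3),
                             "non_browser": proc not in BROWSERS})
    return findings
```

The browser's irregular, infrequent Dropbox visits drop out on the hit count, while the ten-minute svchost.exe cadence to calendar.google.com is reported with its period and jitter for an analyst to review.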