Ta406

Threat Actor updated a year ago (2024-11-29T14:12:47.582Z)
Download STIX
Preview STIX
TA406, also known as the Konni Group or Kimsuky, is a state-sponsored cybercrime organization based in North Korea. This threat actor has been implicated in numerous cyber espionage activities, targeting entities such as news media organizations, academic institutions, and think tanks. The group gained notoriety for its sophisticated attacks, which often involve integrating malware into software installation processes. One notable instance involved the group obtaining installer packages for Statistika KZU and incorporating the Konni malware into the installation process. In June 2023, U.S. and South Korean intelligence agencies issued warnings about cyberespionage attacks by Kimsuky. These alerts were directed at news media organizations, academic entities, and think tanks, highlighting the group's broad range of targets. Additionally, the group has been observed using commodity Remote Access Trojans (RATs) with custom Gold Dragon backdoors, further demonstrating their technical capabilities and malicious intent. More recently, in February 2024, TA406 was reported to have targeted Russia, compromising an installer for software used by the Russian Ministry of Foreign Affairs. The attack involved deploying the Konni RAT backdoor, also known as UpDog, which triggered an infection sequence upon opening the trojanized installer. This incident underscores the group's ongoing threat and its ability to infiltrate high-level government systems, emphasizing the need for robust cybersecurity measures against such advanced persistent threats.
Description last updated: 2024-05-04T17:24:30.751Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
KONNI is a possible alias for Ta406. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba
4
Kimsuky is a possible alias for Ta406. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which
2
Thallium is a possible alias for Ta406. Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi
2
Konni Group is a possible alias for Ta406. The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Ta406 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more