A state-sponsored North Korean threat actor tracked as TA406 was recently observed deploying custom info-stealing malware in espionage campaigns.
The actor is considered one of several groups tracked collectively as Kimsuky (aka Thallium). TA406 has left traces of low-volume activity since 2018, primarily focusing on espionage, money-grabbing scams, and extortion.
However, in March and June 2021, TA406 launched two distinct malware distribution campaigns that targeted foreign policy experts, journalists, and members of NGOs (non-governmental organizations).
In a new report, researchers at Proofpoint tracked TA406, sampled their tools, and discovered the services they abuse and the phishing lures they employ.