Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

North Korean Cyberspies Target Govt Officials with Custom Malware

North Korean Cyberspies Target Govt Officials with Custom Malware

A state-sponsored North Korean threat actor tracked as TA406 was recently observed deploying custom info-stealing malware in espionage campaigns.

The particular actor is attributed as one of several groups known as Kimsuky (aka Thallium). TA406has left traces of low-volume activity since 2018, primarily focusing on espionage, money-grabbing scams, and extortion.

However, in March and June 2021, TA406 launched two distinct malware distribution campaigns that targeted foreign policy experts, journalists, and members of NGOs (non-governmental organizations).

In a new report, researchers at Proofpoint tracked TA406, sampled their tools, and discovered the services they abuse and the phishing lures they employ.

Also Read: How To Check Data Breach And How Can We Prevent It

A large but targeted operation

TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.

According to Proofpoint’s report, the actors work roughly from 9 a.m. to 5 p.m. (KST), seven days a week, with hacking their full-time occupation.

The targeting scope is quite broad, including North America, Russia, China, South Korea, Japan, Germany, France, the UK, South Africa, India, and more.

Overview of TA406 operations
Overview of TA406 operations
Source: Proofpoint

The phishing emails sent by TA406 commonly use lures about nuclear safety, politics, and Korean foreign policy, while targeting high-ranking elected officials.

“The recipients of that campaign included some of the highest ranking elected officials of several different governmental institutions, an employee at a consulting firm, government institutions related to defense, law enforcement, and economy and finance, and generic mailboxes for board and customer relations of a large financial institution,” explains Proofpoint’s report.

The mails are sent from compromised websites, and the sender usually impersonates real people instead of creating fake personas.

Examples include an editor at Global Asia, a professor at Yonsei University, and an adviser to President Moon Jae-in.

Real identifies assumed by TA406 for phishing email distribution
Real identifies assumed by TA406 for phishing email distribution
Source: Proofpoint

Of particular interest, when conducting phishing campaigns to harvest credentials, TA406 does not usually create elaborate landing pages to impersonate a well-known server. Instead, they use basic HTTP authentication, which displays a browser dialog requesting the user’s credentials.

Also Read: Top 8 Main PDPA Obligations To Boost And Secure Your Business

Using Basic HTTP authentication to steal credentials
Using Basic HTTP authentication to steal credentials
Source: Proofpoint

The lures are typically PDF files that require the recipient to log in to the hosting platform using their personal or corporate credentials to view them.

Custom information-stealing malware

Starting in January 2021, TA406 began dropping malware payloads via phishing emails leading to 7z archives. These archives contained an EXE file with a double extension to appear as an .HTML file.

If opened, the file would create a scheduled task named “Twitter Alarm,” which enables the actors to drop additional payloads every 15 minutes.

Upon execution, the EXE also opens a web browser to a PDF file of a legitimate NK News article hosted on the actor’s infrastructure, attempting to trick the victim into thinking they’re reading a post on a news site.

In June 2021, TA406 began deploying a custom malware named ‘FatBoy,’ which dropped as an HTML attachment on the victim’s disk.

FatBoy installation process
FatBoy installation process
Source: Proofpoint

Each of these attachments has a unique hash and features an invisible iframe to communicate with the attackers and tell them which recipient (IP address) opened the file.

FatBoy is a small first-stage malware whose purpose is to download a CAB file from the C2 every 20 minutes.

The CAB file contains a batch script (ball.bat), which executes a VBS script designed to perform reconnaissance and exfiltrate information via HTTP POST requests.

A notable TA406 malware fetched by the downloaded malware is ‘YoreKey,’ a custom Windows keylogger masquerading as MetaTrader 4 Manager, a legitimate electronic trading platform.

YoreKey ensures persistence by creating a registry key and storing its logs in plain text on the infected system.

The keylogger allows the threat actors to steal other login credentials entered by the user as they use their device.

Stealing cryptocurrency

Parallel to the above, TA406 is also engaging in crypto-stealing operations, and according to Proofpoint’s findings, has received at least 3.77 Bitcoin, worth approximately $222,000.

This is done through various methods, including posing as NGOs for donations, offering (probably fake) file decoding/deobfuscation services through a website named ‘Deioncube,’ and sextortion scams.

Deobfuscation service offered by TA406
Deobfuscation service offered by TA406
Source: Prooftpoint

It is possible that the amount of stolen cryptocurrency is much larger as the threat actors are likely using additional wallets unknown to the Proofpoint researchers.

Attacks expected to continue

With the wide range of malicious activity conducted by the TA406 and Kimsuky hackers, we should continue to see them conducting further attacks on behalf of the North Korean government.

“Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” says the Proofpoint researchers.

These attacks include further targeting of US defense contractors and nuclear research agencies to steal valuable intelligence that the North Korean government can use.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us