Security researchers have recently provided a detailed report on the malicious activities of an alleged North Korea-based threat group. Named TA406, its espionage, sextortion, and scam campaigns have been active since 2018. However, its attack volume has been rising since the beginning of this year.

Report insights

According to a Proofpoint report, the group has used everything from sextortion to legitimate services for financial gains. 
  • One of the most interesting insights is that this threat actor is targeting same individuals and reusing the same tactics multiple times.
  • It is believed to be among the groups responsible for cybercriminal activity tracked as Thallium, Kimsuky, and Konni Group.
  • The researchers strongly believe that TA406 is working with or on behalf of the North Korean government.

The targets

The group has been carrying out espionage campaigns since at least 2012 and started with financially motivated campaigns in 2018. However, its attack volume remained low till 2021.
  • As the year commenced, its activities were ramped up as journalists, foreign policy experts, and non-governmental organizations were targeted. 
  • Throughout this year, researchers have observed the group stealing credentials from multiple sectors such as research, education, or government.
  • Two of its recent campaigns this year attempted to spread malware—SANNY, KONNI, CARROTBAT, BabyShark, Amadey, and Android Moez—with the goal of gathering information. 

Generally, TA406 targets individuals in North America, Russia, and China, and they masquerade as Russian diplomats/academics, representatives of the Ministry of Foreign Affairs, human rights officials, or as Koreans.


Researchers expect that TA406 will continue its operations to target more entities in future. Moreover, the group is financially motivated and its targets are mostly aligned with North Korean interests. Sharing threat intelligence is one of the best ways to preemptively identify and prevent such attacks.

Cyware Publisher