TA406 Pivots to the Front
2025-05-13 • Proofpoint
https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. These credential harvesting campaigns took place prior to the attempted malware deployments and targeted some of the same users later targeted with the HTML delivery campaign mentioned above. The actor sent multiple phishing emails on consecutive days when the target did not click the link, asking the target if they had received the prior emails and if they would download the files. TA406 relies on freemail senders spoofing members of think tanks to convince the target to engage with the phishing email.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | outlook.com | 2018-09-06 | 2026-04-17 |
| HASH | 28116e434e35f76400dc473ada97aea… | 2025-05-13 | 2025-05-13 |
| HASH | 58adb6b87a3873f20d56a10ccde4574… | 2025-05-13 | 2025-05-13 |
| HASH | 2a13f273d85dc2322e05e2edfaec7d3… | 2025-05-13 | 2025-05-13 |
| EMAIL | [email protected] | 2025-05-13 | 2025-05-13 |
| EMAIL | [email protected] | 2025-05-13 | 2025-05-13 |
| EMAIL | [email protected] | 2025-05-13 | 2025-05-13 |
| EMAIL | [email protected] | 2025-05-13 | 2025-05-13 |
| URL | http://pokijhgcfsdfghnj.mywebco… | 2025-05-13 | 2025-05-13 |
| URL | http://pokijhgcfsdfghnj.mywebco… | 2025-05-13 | 2025-05-13 |
| URL | https://lorica.com.ua/MFA/ | 2025-05-13 | 2025-05-13 |
| URL | http://qweasdzxc.mygamesonline.… | 2025-05-13 | 2025-05-13 |
| URL | https://mega.nz/file/SmxUiA4K#Q… | 2025-05-13 | 2025-05-13 |
| URL | http://wersdfxcv.mygamesonline.… | 2025-05-13 | 2025-05-13 |
| DOMAIN | qweasdzxc.mygamesonline.org | 2025-05-13 | 2025-05-13 |
| DOMAIN | pokijhgcfsdfghnj.mywebcommunity… | 2025-05-13 | 2025-05-13 |
| DOMAIN | lorica.com.ua | 2025-05-13 | 2025-05-13 |
| DOMAIN | wersdfxcv.mygamesonline.org | 2025-05-13 | 2025-05-13 |
| DOMAIN | jetmf.com | 2025-05-13 | 2025-05-13 |
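The following triage script is an added example (not Proofpoint's code) that turns the campaign description above and the IoC table into two defender-side checks: it flags messages whose sender is a freemail address carrying the display name of a known contact, or whose body links to one of the untruncated IoC domains listed in the table, and it surfaces sender/recipient pairs that mailed on consecutive days with a "did you receive my email?" nudge. The IoC domains and `outlook.com` come from this page; `gmail.com`, the contact directory (`KNOWN_CONTACTS`), the nudge phrases, and the sample mailbox are constructed for illustration.

```python
"""Triage heuristics for the TA406 phishing pattern described above.

Added example, not Proofpoint's code. Domain IoCs come from the table on
this page; the freemail list beyond outlook.com, the contact directory,
and the sample messages are constructed for illustration.
"""
import re
from datetime import date, timedelta
from email.utils import parseaddr
from urllib.parse import urlparse

# Untruncated domain indicators from the IoC table on this page.
IOC_DOMAINS = {
    "qweasdzxc.mygamesonline.org",
    "lorica.com.ua",
    "wersdfxcv.mygamesonline.org",
    "jetmf.com",
}

# outlook.com is listed on the page; gmail.com is an assumed addition.
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com"}

# Constructed directory: display names of real think-tank contacts and the
# domain their legitimate mail should come from.
KNOWN_CONTACTS = {"dr. jane example": "thinktank.example"}

# Constructed phrases typical of the follow-up nudges described above.
NUDGE_RE = re.compile(
    r"(did you (get|receive)|previous (e-?mail|message)|download the file)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def sender_parts(from_header):
    """Return (normalised display name, sender domain) from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def url_hosts(body):
    """Extract the lower-cased hostnames of every URL in the body text."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def matches_ioc(host):
    """True if host is an IoC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage(msg):
    """Return the list of reasons a single message resembles this campaign."""
    reasons = []
    name, domain = sender_parts(msg["from"])
    if domain in FREEMAIL_DOMAINS and name in KNOWN_CONTACTS:
        # A known contact's name on a freemail address they do not use.
        reasons.append("freemail-spoof")
    if any(matches_ioc(h) for h in url_hosts(msg["body"])):
        reasons.append("ioc-url")
    if NUDGE_RE.search(msg["body"]):
        reasons.append("nudge-phrase")
    return reasons


def followup_pairs(messages):
    """Find sender/recipient pairs that mailed on consecutive days with a nudge.

    Mirrors the behaviour described above: when the first lure is ignored,
    the same sender writes again the next day asking about it.
    """
    by_pair = {}
    for m in messages:
        _, addr = parseaddr(m["from"])
        by_pair.setdefault((addr.lower(), m["to"].lower()), []).append(m)
    flagged = []
    for pair, msgs in by_pair.items():
        msgs.sort(key=lambda m: m["date"])
        for prev, cur in zip(msgs, msgs[1:]):
            if cur["date"] - prev["date"] == timedelta(days=1) and NUDGE_RE.search(cur["body"]):
                flagged.append(pair)
                break
    return flagged


# Constructed sample mailbox; the lorica.com.ua URL is from the IoC table.
SAMPLE = [
    {"date": date(2025, 2, 10), "from": "Dr. Jane Example <jane.example@outlook.com>",
     "to": "analyst@ministry.example", "body": "Please review: https://lorica.com.ua/MFA/"},
    {"date": date(2025, 2, 11), "from": "Dr. Jane Example <jane.example@outlook.com>",
     "to": "analyst@ministry.example",
     "body": "Did you receive my previous email? Could you download the file?"},
    {"date": date(2025, 2, 12), "from": "Bob Partner <bob@partner.example>",
     "to": "analyst@ministry.example", "body": "Report is at https://partner.example/report.pdf"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["date"], m["from"], triage(m))
    print("follow-up pairs:", followup_pairs(SAMPLE))
```

The display-name check is deliberately narrow: it only fires when a freemail sender reuses the name of someone in the contact directory, which is the lure pattern described above, so routine freemail correspondence is not flagged. The consecutive-day follow-up check is meant to be run over a mailbox or gateway log, not a single message, since the signal is the repeated nudging rather than any one email.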