Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
2021-11-19 • Proofpoint
Proofpoint profiles TA406, a North Korea-aligned actor associated with the broader Kimsuky, Thallium, and Konni activity sets, as running persistent credential-theft and espionage campaigns through 2021. From January to June, Proofpoint observed almost weekly low-volume phishing against foreign policy experts, journalists, NGOs, research, education, government, media, and other organizations. TA406 usually relies on credential harvesting rather than malware, but the report highlights two 2021 campaigns that attempted to deploy information-gathering implants. Proofpoint also attributes financially motivated activity to the actor, including cryptocurrency targeting and sextortion, making the report relevant for tracking DPRK espionage and revenue-generation overlap.