Threat Watch

North Korean Hackers Target Russian Diplomats Using New Year Greetings

A North Korean cyber-espionage group targeted diplomats at Russian embassies over the winter holidays with emails carrying New Year greetings, in the hope of infecting them with malware. The attacks have been attributed to a threat actor tracked as Konni and have been taking place since at least December 20, cybersecurity firm Cluster25 said in a report published on Monday. “These emails used the New Year's Eve 2022 festivity as decoy theme,” Cluster25 researchers said. “Contrary to its past actions, the North Korean APT group this time did not use malicious documents as attachments; instead, they attached a .zip file type named ‘поздравление.zip’, which means ‘congratulation’ in Russian, containing an embedded executable representing the first stage of the infection.” According to Cluster25, the ZIP files contained a Windows screensaver (.scr) file. A .scr file is an ordinary Windows executable under a different extension, so opening it runs arbitrary code: when executed, it installed a screensaver showing Russian holiday greetings as a distraction, but also the Konni remote access trojan (RAT), the malware after which the group is named, which gave the attackers full control over the infected systems.
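
The lure described above relies on an executable hidden inside an archive under a screensaver extension. The following is an added example, not code from Cluster25 or from the original article, of the kind of mail-gateway or triage check that would catch it: it opens a ZIP attachment, flags members whose extension Windows will execute directly (.scr among them) and members whose content starts with the PE "MZ" magic despite a harmless-looking extension, and reports encrypted members it cannot inspect. The sample archive, including the file name `поздравление.scr`, is constructed inline for the demonstration; the real lure's inner file name is not given in the article.

```python
import io
import os
import zipfile

# Extensions Windows executes on double-click; .scr is a normal PE executable
# despite the "screensaver" label.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".cpl", ".dll", ".bat", ".cmd"}
PE_MAGIC = b"MZ"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) pairs for archive entries that look executable.

    Reasons, in order of precedence:
      - "encrypted": the entry is password-protected, so its content cannot be
        inspected; treat as suspicious rather than silently passing it.
      - "executable extension <ext>": extension alone is enough to block.
      - "PE header under <ext>": content starts with MZ but the name pretends
        to be something else (e.g. greeting.jpg).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()

            # Bit 0 of the general-purpose flag marks an encrypted entry.
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted"))
                continue

            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
                continue

            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                findings.append((name, f"PE header under {ext or '(no extension)'}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample attachment (not the real lure): one .scr with a PE
    header, one image-named file that is really a PE, and one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Minimal stand-in for a PE: MZ magic followed by padding.
        fake_pe = PE_MAGIC + b"\x90" * 62
        zf.writestr("поздравление.scr", fake_pe)   # Cyrillic "congratulation"
        zf.writestr("greeting.jpg", fake_pe)        # PE disguised as an image
        zf.writestr("readme.txt", "С Новым годом!\n")  # harmless text member
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"BLOCK {member}: {reason}")
```

The extension check alone would have caught this lure, but the MZ-magic check is what matters in practice: it catches the same executable renamed to `.jpg` or `.pdf`, and the encrypted-member branch makes sure a password-protected archive (a common gateway-evasion step) is surfaced rather than waved through because nothing could be read.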

ANALYST NOTES