Threat Report

Triple Threat: North Korea Aligned TA406 Scams, Spies, and Steals

In this report, we describe in detail many of the campaigns and behaviors associated with an actor operating on behalf of the North Korean government: TA406. We begin by explaining how TA406 is associated with the actor name Kimsuky, which is broadly tracked by the threat intelligence community. We then elaborate on how Proofpoint instead tracks this activity as three separate threat actors, TA406, TA408, and TA427, and detail the differences between those actors according to Proofpoint’s visibility.