Konni (Vedalia / TA406 / Opal Sleet): North Korea’s Steady Hand in Espionage Operations
ID: b742df3a-43c1-53e8-a6e6-7c122ba2aecb
STIX ID: report--b742df3a-43c1-53e8-a6e6-7c122ba2aecb
Feed Name: Brandefense Blog
Konni (Vedalia/TA406/Opal Sleet) is a North Korean state-aligned APT conducting persistent, intelligence-driven cyber-espionage against government, defense, and diplomatic targets; the report details spearphishing initial access (weaponized Office/RTF/LNK), PowerShell/VBScript/JS loaders, a small malware ecosystem (KONNI RAT, CARROTBAT, BabyShark), C2 using legitimate hosting/compromised servers, campaign history from 2017–2025, and recommended mitigations such as advanced email filtering, IOC monitoring, behavioral detection, and MFA.
