Full Report
The North Korean threat actor known as Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations, Check
Analysis Summary
# Threat Actor: Konni
## Attribution & Identity
**Attribution:** North Korean threat actor.
**Aliases:** Earth Imp, Opal Sleet, Osmium, TA406, Vedalia.
**Known Associations:** Tracked by Genians Security Center (GSC) and Check Point Research.
## Activity Summary
Konni has been active since at least 2014, primarily targeting South Korea. Recent activity shows an expansion in targeting scope and novel use of technology. A recent spear-phishing campaign targeted developers and engineering teams in the **blockchain sector** across **Japan, Australia, and India**. This expansion is noted beyond their historical focus on South Korea, Russia, Ukraine, and European nations.
Previous notable activities include:
* Abusing Google's Find Hub device-tracking service to remotely reset targeted Android devices (November 2025).
* Delivering the EndRAT (EndClient RAT) remote access trojan through spear-phishing emails whose links were disguised as legitimate Google and Naver advertising URLs (Operation Poseidon, in which the actor impersonated North Korean human rights organizations and financial institutions).
* Abusing improperly secured WordPress sites for malware distribution and C2, often delivering LNK files inside ZIP archives posing as financial notices.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing utilizing novel delivery mechanisms like links disguised as legitimate advertising URLs (Google/Naver ecosystem) and hosting payloads on Discord's CDN within ZIP archives.
- **Delivery:** Payload delivery via multi-stage chain involving ZIP files containing a PDF decoy and an LNK file.
- **Execution:** LNK file executes an embedded PowerShell loader.
- **Obfuscation/Evasion:** Use of AI-generated PowerShell code; in earlier campaigns the LNK launched an AutoIt script instead of a PowerShell loader.
- **Payload Delivery:** The loader drops a Word document as a decoy and expands a CAB archive containing the PowerShell backdoor, batch scripts, and a UAC bypass executable.
- **Persistence:** One of the batch scripts registers a scheduled task for persistence.
- **Defense Evasion:** The PowerShell backdoor runs anti-analysis and sandbox checks, deletes the batch script that launched it, and adds a Microsoft Defender exclusion for `"C:\ProgramData"`, which removes AV scanning from the directory the chain stages its components in. Because `Add-MpPreference` requires administrative rights, this step depends on the UAC bypass listed below.
- **Privilege Escalation:** Utilizes an executable for User Account Control (UAC) bypass.
- **C2/Malware:** Deployment of a PowerShell Backdoor; historical use of EndRAT (EndClient RAT).
## Targeting
- **Sectors:** Blockchain sector (developers and engineering teams).
- **Geography:** Recently observed active in **Japan, Australia, and India**. Historically targeted South Korea, Russia, Ukraine, and European nations.
- **Victims:** Developers and engineering teams within the blockchain industry.
## Tools & Infrastructure
- **Malware families used:** AI-generated PowerShell Backdoor, EndRAT (EndClient RAT), AutoIt script, PowerShell loader, UAC bypass executable.
- **Infrastructure (C2, domains, IPs):**
- Discord's Content Delivery Network (CDN) for hosting initial ZIP payloads.
- Previously used improperly secured WordPress websites for malware distribution and C2.
- Utilized redirection URL structures mimicking legitimate ad tracking domains (e.g., ad[.]doubleclick[.]net) to stage final payloads.
## Implications
Konni demonstrates rapid adaptation and technological adoption by leveraging Artificial Intelligence (AI) to generate malware components, specifically PowerShell backdoors. Their expansion into the high-value blockchain sector outside of their traditional geographic focus indicates a strategic broadening of objectives, potentially seeking greater financial gain or intellectual property related to cryptocurrency technology. The sophisticated multi-stage delivery chain and focus on defense evasion suggest a mature and persistent adversary.
## Mitigations
- Implement behavioral monitoring for PowerShell execution chains initiated from LNK files within unexpected archives.
- Scrutinize file execution originating from archived contents (ZIP/CAB) that contain LNK and scripts, especially those masquerading as documents.
- Treat links in unsolicited mail that pass through ad-tracking redirectors (Google/Naver ad URL structures) as untrusted: the actor uses such redirect chains to disguise the landing page, so resolve the final destination in a sandbox rather than trusting the domain shown in the visible link.
- Audit Microsoft Defender exclusions (`Get-MpPreference` exposes `ExclusionPath`) and alert on any addition of a broad path such as `"C:\ProgramData"`; a fresh exclusion on that directory should be treated as an indicator on its own, since the actor stages and persists there. Where the management platform supports it, enable tamper protection so exclusions cannot be changed by scripts running on the endpoint.
- Focus security training on identifying social engineering lures related to financial notices or project requirements, especially when payloads involve document lures alongside executable components.
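The following is an added example, not code from the report or from Check Point or Genians. It shows the behavioral monitoring the TTP section and the first mitigation above call for: process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) is matched against the four observable stages of the chain (LNK-spawned PowerShell, CAB expansion into ProgramData, scheduled task registered from a batch script, Defender exclusion on ProgramData) and correlated per host inside a time window. The field names, the 15-minute window, the task name and paths in the sample events are all constructed assumptions for this example.

```python
"""Correlate Windows process-creation events into the LNK -> PowerShell -> CAB -> backdoor chain.
Added example; sample telemetry below is constructed, not real incident data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumption: stages of one intrusion land within 15 minutes

# Explorer runs an LNK target with the LNK's folder as working directory; when the LNK is
# opened straight from a ZIP in Explorer that folder is %TEMP%\Temp1_<archive>.zip\
ARCHIVE_CWD = re.compile(r"\\Temp\\Temp1_[^\\]+\.zip(?:\\|$)", re.I)
HIDDEN_PS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:nc|ncodedcommand)?\s|ep\s+bypass)", re.I)
PROGRAMDATA = re.compile(r"\\ProgramData\b", re.I)
MP_EXCLUSION = re.compile(r"\b(?:Add|Set)-MpPreference\b.*-ExclusionPath\b", re.I | re.S)

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

def stage_lnk_powershell(e):
    """LNK opened from Explorer spawns a hidden/non-interactive PowerShell loader."""
    return (_base(e["parent_image"]) == "explorer.exe"
            and _base(e["image"]) in ("powershell.exe", "pwsh.exe")
            and bool(HIDDEN_PS.search(e["command_line"]) or ARCHIVE_CWD.search(e.get("cwd", ""))))

def stage_cab_extract(e):
    """CAB archive expanded into ProgramData with expand.exe / extrac32.exe."""
    cl = e["command_line"]
    return _base(e["image"]) in ("expand.exe", "extrac32.exe") and ".cab" in cl.lower() and bool(PROGRAMDATA.search(cl))

def stage_schtask_from_batch(e):
    """A batch script (cmd.exe parent) registers a scheduled task pointing into ProgramData."""
    cl = e["command_line"]
    return (_base(e["image"]) == "schtasks.exe" and "/create" in cl.lower()
            and _base(e["parent_image"]) == "cmd.exe" and bool(PROGRAMDATA.search(cl)))

def stage_defender_exclusion(e):
    """Defender path exclusion that covers ProgramData."""
    cl = e["command_line"]
    return bool(MP_EXCLUSION.search(cl)) and bool(PROGRAMDATA.search(cl))

STAGES = [("lnk_powershell", stage_lnk_powershell), ("cab_extract", stage_cab_extract),
          ("schtask_from_batch", stage_schtask_from_batch), ("defender_exclusion", stage_defender_exclusion)]
ORDER = {name: i for i, (name, _) in enumerate(STAGES)}

def match_stages(e):
    return [name for name, fn in STAGES if fn(e)]

def correlate(events, window=WINDOW):
    """Per host, the largest set of distinct stages seen inside one window; hosts with <2 stages are dropped."""
    hits = defaultdict(list)                      # host -> [(ts, stage)] in time order
    for e in sorted(events, key=lambda e: e["ts"]):
        for s in match_stages(e):
            hits[e["host"]].append((e["ts"], s))
    alerts = {}
    for host, hs in hits.items():
        for i, (t0, _) in enumerate(hs):
            in_win = [(t, s) for t, s in hs[i:] if t - t0 <= window]
            stages = sorted({s for _, s in in_win}, key=ORDER.get)
            if len(stages) >= 2 and len(stages) > len(alerts.get(host, {}).get("stages", ())):
                alerts[host] = {"stages": stages, "first": t0, "last": in_win[-1][0]}
    return alerts

def exclusion_hits(events):
    """Standalone list of ProgramData exclusions: worth review even without the rest of the chain."""
    return [(e["host"], e["ts"]) for e in events if stage_defender_exclusion(e)]

def parse_ts(s):
    return datetime.fromisoformat(s)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample telemetry; loader body elided, only the launch pattern matters
    {"ts": parse_ts("2025-12-01T09:14:02"), "host": "WS-DEV-01", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cwd": r"C:\Users\dev1\AppData\Local\Temp\Temp1_Project_Proposal.zip",
     "command_line": 'powershell.exe -nop -w hidden -ep bypass -c "<loader elided>"'},
    {"ts": parse_ts("2025-12-01T09:14:20"), "host": "WS-DEV-01", "parent_image": PS, "image": r"C:\Windows\System32\expand.exe",
     "command_line": r"expand.exe -F:* C:\ProgramData\pkg.cab C:\ProgramData\svc"},
    {"ts": parse_ts("2025-12-01T09:14:35"), "host": "WS-DEV-01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "SystemUpdate" /tr "C:\ProgramData\svc\run.bat" /sc minute /mo 5 /f'},
    {"ts": parse_ts("2025-12-01T09:15:10"), "host": "WS-DEV-01", "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": "powershell -c \"Add-MpPreference -ExclusionPath 'C:\\ProgramData'\""},
    # WS-DEV-02: interactive console plus an admin backup task, no stage should match
    {"ts": parse_ts("2025-12-01T09:20:00"), "host": "WS-DEV-02", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cwd": r"C:\Users\dev2", "command_line": f'"{PS}"'},
    {"ts": parse_ts("2025-12-01T09:21:00"), "host": "WS-DEV-02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /tn Backup /tr C:\Scripts\backup.cmd /sc daily /st 02:00"},
    # WS-ADM-01: exclusion alone, so it appears in exclusion_hits() but not as a chain
    {"ts": parse_ts("2025-12-01T10:00:00"), "host": "WS-ADM-01", "parent_image": PS, "image": PS,
     "command_line": "powershell -c \"Add-MpPreference -ExclusionPath 'C:\\ProgramData'\""},
]

if __name__ == "__main__":
    for host, a in correlate(EVENTS).items():
        print(f"{host}: {' -> '.join(a['stages'])} ({a['first']:%H:%M:%S} .. {a['last']:%H:%M:%S})")
    for host, t in exclusion_hits(EVENTS):
        print(f"review exclusion: {host} at {t:%H:%M:%S}")
```

The per-stage predicates are deliberately generic (parent/child image pairs, command-line switches, the ProgramData path) rather than hashes or filenames, so they survive the payload being regenerated; requiring at least two stages on one host keeps a lone interactive PowerShell launch or an admin-created scheduled task from firing, while the ProgramData exclusion is reported on its own because it is rare enough to review every time.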