
A North Korean threat actor known as Konni has been observed targeting developers and engineering teams in the blockchain space using PowerShell malware that shows signs of having been written with the help of artificial intelligence (AI) tools.
Check Point Research said in a technical report released last week that the phishing campaign targeted Japan, Australia and India, highlighting the expansion of adversaries’ targeting beyond South Korea, Russia, Ukraine and European countries.
Konni has been active since at least 2014 and primarily targets organizations and individuals in South Korea. The group is also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.
In November 2025, the Genians Security Center (GSC) revealed that the hacking group had escalated to abusing Google's Find Hub device-locating service to target Android devices, remotely resetting victims' phones and erasing the personal data on them.
As recently as this month, Konni was observed distributing spear-phishing emails containing malicious links disguised as benign ad URLs related to Google and Naver advertising platforms, bypassing security filters and delivering a remote access Trojan codenamed EndRAT.
The attack, which impersonated a North Korean human rights organization and a South Korean financial institution, was codenamed “Operation Poseidon” by the GSC. This attack also features the use of improperly secured WordPress websites for malware distribution and command-and-control (C2) infrastructure.

The email message was found to be disguised as a financial notification, such as a transaction confirmation or wire transfer request, to trick the recipient into downloading a ZIP archive hosted on a WordPress site. The ZIP file comes with a Windows shortcut (LNK) designed to run an AutoIt script disguised as a PDF document. The AutoIt script is a known Konni malware called EndRAT (also known as EndClient RAT).
“This attack has been analyzed as an incident that effectively bypassed email security filtering and user vigilance through a spear-phishing attack vector that exploited the ad click redirection mechanism used within Google’s advertising ecosystem,” the South Korean security group said.
“We observed that the attacker leveraged the redirect URL structure of a domain used for legitimate ad click tracking (ad.doubleclick[.]net) to gradually lure the user to the external infrastructure where the actual malicious file is hosted.”
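The observation above (a trusted ad-click domain whose redirect chain ends on attacker-controlled hosting) is the kind of link a mail filter should score by its embedded destination rather than by the visible hostname. The following is an added example, not code from Genians, Check Point or the actor's tooling; the two tracker URL layouts it handles (a destination in an adurl= query parameter, or the destination placed after ;? as the whole query string) and the sample links are constructed assumptions about what such tracking URLs look like.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Click-tracking hosts whose embedded destination should be scored instead of the
# visible hostname (assumed list for the example).
TRACKING_HOSTS = {"ad.doubleclick.net", "adclick.g.doubleclick.net"}
# An ad click that lands directly on one of these is not a landing page (constructed rule).
PAYLOAD_SUFFIXES = (".zip", ".lnk", ".iso", ".exe", ".msi", ".js", ".jse", ".hta")

# Constructed sample links, not URLs from the campaign.
SAMPLE_LINKS = [
    "https://ad.doubleclick.net/ddm/trackclk/N123.456/B789;dc_trk_aid=1"
    "?adurl=https%3A%2F%2Fdownloads.example-wp-site.test%2Fwp-content%2Fuploads%2Finvoice.zip",
    "https://ad.doubleclick.net/ddm/clk/123456;789012?https://www.example.com/landing",
    "https://mail.example.com/inbox",
]


def embedded_destination(url):
    """Return the landing URL carried inside a click-tracking URL, or None when the
    link is not a known tracker. Two layouts are handled, both assumptions about
    common tracker URL shapes rather than something the reports spell out:
      1. '...?adurl=<percent-encoded destination>'  (destination in a query parameter)
      2. '.../clk/123;456?https://destination'       (destination is the whole query)"""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in TRACKING_HOSTS:
        return None
    if parts.query.lower().startswith(("http://", "https://")):
        return unquote(parts.query)
    for key in ("adurl", "url"):                      # parse_qs already percent-decodes
        values = parse_qs(parts.query).get(key)
        if values and values[0]:
            return values[0]
    return None


def triage(url):
    """Score a link by where it really ends up, not by the host the user sees."""
    dest = embedded_destination(url)
    target = dest if dest is not None else url
    t = urlsplit(target)
    if t.path.lower().endswith(PAYLOAD_SUFFIXES):
        verdict = "block"    # tracker redirecting straight to an archive or executable
    elif dest is not None:
        verdict = "review"   # a real tracker, but reputation-check the destination host
    else:
        verdict = "allow"
    return {"kind": "tracker" if dest is not None else "direct",
            "target": target, "host": (t.hostname or "").lower(), "verdict": verdict}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage(link))
```

The point of the split between "block" and "review" is that the tracker domain itself is legitimate and cannot be blocked outright; what can be enforced is that the place it redirects to is a page, not a file, and that the destination host is the one that gets reputation-scored.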

The latest campaign documented by Check Point uses a lure themed around project requirements and a ZIP file hosted on Discord's Content Delivery Network (CDN) to kick off a multi-stage attack chain. The exact initial access vector used to deliver the archive is unknown. The chain performs the following series of actions:
- The ZIP archive contains a PDF decoy and an LNK file.
- The shortcut file launches an embedded PowerShell loader that extracts two additional files, a Microsoft Word lure document and a CAB archive, and opens the Word document as a distraction.
- The loader extracts the contents of the CAB archive, which holds a PowerShell backdoor, two batch scripts, and an executable used for User Account Control (UAC) bypass.
- The first batch script prepares the environment, establishes persistence through a scheduled task, stages the backdoor for execution, and then deletes itself from disk to reduce forensic visibility.
- The PowerShell backdoor runs a series of anti-analysis and sandbox evasion checks, profiles the system, and attempts to escalate privileges using the FodHelper UAC bypass technique.
- The backdoor then removes the UAC bypass executable it dropped earlier, adds a Microsoft Defender exclusion for 'C:\ProgramData', and runs the second batch script.
- The backdoor drops SimpleHelp, a legitimate remote monitoring and management (RMM) tool, for persistent remote access, communicates with a C2 server fronted by a cryptographic gate intended to block non-browser traffic, periodically sends host metadata, and executes PowerShell code returned by the server.
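The chain above leaves several host-level artifacts that are cheap to hunt for: a write to the ms-settings handler key under the user's HKCU hive that the FodHelper technique relies on, a high-integrity child process of fodhelper.exe, a Defender path exclusion covering C:\ProgramData, and a scheduled task that runs hidden PowerShell. The detection logic below, run over constructed Sysmon-, Defender- and Security-log-style records, is an added example and not Check Point's detection content or the actor's code; the event field names, the benign control records and the sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed records in a Sysmon / Defender / Security-log-like shape.
# Field names are an assumption for this example; map your own schema onto them.
EVENTS = [
    {"host": "dev-ws-01", "source": "Sysmon", "id": 13,   # RegistryEvent (SetValue)
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"cmd.exe /c powershell.exe -w hidden -ep bypass -f C:\ProgramData\upd.ps1"},
    {"host": "dev-ws-01", "source": "Sysmon", "id": 1,    # ProcessCreate
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\upd.ps1"},
    {"host": "dev-ws-01", "source": "Defender", "id": 5007,  # configuration changed
     "Message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData = 0x0"},
    {"host": "dev-ws-01", "source": "Security", "id": 4698,  # scheduled task created
     "TaskName": r"\SystemUpdateCheck",
     "TaskContent": r"<Exec><Command>powershell.exe</Command>"
                    r"<Arguments>-w hidden -ep bypass -f C:\ProgramData\upd.ps1</Arguments></Exec>"},
    # Benign activity on another host, to show the rules stay quiet on it.
    {"host": "dev-ws-02", "source": "Sysmon", "id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe"},
    {"host": "dev-ws-02", "source": "Sysmon", "id": 13,
     "Image": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Handler key hijacked by the FodHelper auto-elevation bypass (HKCU shows up as HKU\<SID> in Sysmon).
FODHELPER_KEY = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)
AUTO_ELEVATING = {"fodhelper.exe", "computerdefaults.exe", "sdclt.exe"}
EXCLUSION_PATH = re.compile(r"\\Exclusions\\Paths\\(?P<path>[^=]+?)\s*=", re.I)
# Exclusions this broad disable scanning for anything dropped there by any user or service.
BROAD_EXCLUSIONS = {r"c:\programdata", r"c:\users", r"c:\windows\temp", "c:"}
HIDDEN_POWERSHELL = re.compile(
    r"powershell(\.exe)?.*(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass)", re.I)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def fodhelper_command_hijack(e):
    return e["source"] == "Sysmon" and e["id"] == 13 and bool(FODHELPER_KEY.search(e.get("TargetObject", "")))


def elevated_child_of_auto_elevator(e):
    return (e["source"] == "Sysmon" and e["id"] == 1
            and basename(e.get("ParentImage", "")) in AUTO_ELEVATING
            and e.get("IntegrityLevel") == "High")


def broad_defender_exclusion(e):
    if e["source"] != "Defender" or e["id"] != 5007:
        return False
    m = EXCLUSION_PATH.search(e.get("Message", ""))
    return bool(m) and m.group("path").strip().lower().rstrip("\\") in BROAD_EXCLUSIONS


def hidden_powershell_scheduled_task(e):
    return e["source"] == "Security" and e["id"] == 4698 and bool(HIDDEN_POWERSHELL.search(e.get("TaskContent", "")))


RULES = [fodhelper_command_hijack, elevated_child_of_auto_elevator,
         broad_defender_exclusion, hidden_powershell_scheduled_task]


def detect(events):
    """Return (host, rule_name, event_index) for every rule that fires."""
    return [(e["host"], rule.__name__, i) for i, e in enumerate(events) for rule in RULES if rule(e)]


def chains_by_host(findings, min_stages=2):
    """Hosts on which at least min_stages distinct stages fired. One hit alone can be
    an admin or a false positive; several on the same host is the chain described above."""
    stages = defaultdict(set)
    for host, rule_name, _ in findings:
        stages[host].add(rule_name)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for host, rule_name, idx in hits:
        print(f"{host}: {rule_name} (event {idx})")
    print("chains:", chains_by_host(hits))
```

Each rule on its own is noisy in a large fleet (administrators do add exclusions and create PowerShell tasks), which is why the example correlates by host: the combination of a handler-key write, an elevated child of an auto-elevating binary and a fresh broad exclusion within a short window is what distinguishes this chain from routine administration.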
The cybersecurity firm said there are indications that the PowerShell backdoor was created with the help of AI tools, citing its modular structure, human-readable documentation, and the presence of source code comments like “# <– Persistent Project UUID”.
“Rather than focusing on individual end users, the goal of the campaign was to establish a foothold in the development environment, with the compromise providing broader downstream access across multiple projects and services,” Check Point said. “The introduction of AI-assisted tools signals an effort to accelerate development and standardize code while continuing to rely on proven delivery methods and social engineering.”

The findings coincide with the disclosure of several other North Korea-linked campaigns aimed at remote control and data theft, including:
- A spear-phishing campaign that uses a JavaScript Encoded (JSE) script mimicking a Hangul Word Processor (HWPX) document, together with a government-themed decoy file, to deploy a Visual Studio Code (VS Code) tunnel for remote access.
- A phishing campaign that distributes LNK files disguised as PDF documents, which check for virtual machines and malware analysis environments before launching a PowerShell script that delivers a remote access Trojan called MoonPeak.
- A campaign attributed to Andariel in 2025 that targeted an unnamed European entity in the legal sector to deliver TigerRAT, and that compromised the update mechanism of a South Korean enterprise resource planning (ERP) software vendor to distribute three new Trojans, StarshellRAT, JelusRAT, and GopherRAT, to downstream victims.
According to Finnish cybersecurity company WithSecure, the ERP vendor’s software has been targeted in similar supply chain breaches twice in the past (in 2017 and again in 2024) to deploy malware families such as HotCroissant and Xctdoor.
JelusRAT is written in C++ and supports the ability to retrieve plugins from a C2 server, while StarshellRAT is developed in C# and supports running commands, uploading/downloading files, and capturing screenshots. GopherRAT, on the other hand, is based on Golang and has the ability to run commands or binaries, extract files, and enumerate file systems.
“Their targets and objectives have changed over time, with some campaigns pursuing financial gain, while others focused on stealing information in line with the regime’s priority intelligence needs,” said Mohammad Kazem Hassan Nejad, a researcher at WithSecure. “This volatility highlights the group’s flexibility and ability to support broader strategic objectives as priorities change over time.”
