The North Korean hacker group Konni (Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector. Believed to be associated with APT37 and Kimsuky activity clusters, Konni has been active since at least 2014 and has been seen targeting organizations in South Korea, Russia, Ukraine, and various countries in Europe. Based on samples analyzed by Check Point researchers, the threat actor’s latest campaign focuses on targets in the Asia-Pacific region, as the malware was submitted from Japan, Australia, and India.
The attack begins with the victim receiving a Discord-hosted link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file. The LNK runs an embedded PowerShell loader that extracts a DOCX document and a CAB archive containing a PowerShell backdoor, two batch files, and a UAC bypass executable. Launching the shortcut file causes the DOCX to open and to execute one batch file included in the cabinet file.
The lure used in the phishing attack is a DOCX document that suggests that the hackers want to compromise development environments, which could provide them access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings. The first batch file creates a staging directory for the backdoor and the second batch file, and creates an hourly scheduled task masquerading as a OneDrive startup task. This task reads an XOR-encrypted PowerShell script from disk and decrypts it for in-memory execution. Finally, it deletes itself to wipe the signs of infection.
The PowerShell backdoor itself is heavily obfuscated using arithmetic-based string encoding, runtime string reconstruction, and execution of the final logic via Invoke-Expression. The researchers say that the PowerShell malware strongly indicates AI-assisted development rather than traditional operator-authored malware. The evidence leading to this conclusion includes the clear, structured documentation at the top of the script, which is unusual for malware development; its modular, clean layout; and the presence of a “# <– your permanent project UUID” comment. This phrasing is highly characteristic of LLM-generated code, where the model explicitly instructs a human user on how to customize a placeholder value, explains Check Point. Such comments are commonly observed in AI-produced scripts and tutorials. Before execution, the malware performs hardware, software, and user activity checks to ensure it is not running in analysis environments, and then generates a unique host ID. Next, depending on what execution privileges it has on the compromised host, it follows a separate path of action as shown in the following diagram. If the C2 response contains PowerShell code, it turns it into a script block and executes it asynchronously via background jobs. Check Point attributes the campaign to Konni based on launcher formats, lure filename and script name overlaps, and commonalities in the execution chain structure with earlier attacks. The researchers have published indicators of compromise (IoCs) associated with this recent campaign to help defenders protect their assets.
Leave a Reply