In a significant escalation of cybercrime tactics, the North Korea–linked threat actor KONNI has shifted its sights toward software developers and engineering teams, deploying AI-generated malware that blends sophisticated technical obfuscation with proven social engineering lures. This evolution reflects both a broadening of targets beyond geopolitical espionage and an increasingly sophisticated use of automation tools in malware creation.
From Geopolitical Espionage to Technical Targets
Historically, KONNI has been associated with attacks on diplomatic, academic, and government sectors in South Korea. Its typical modus operandi relied on spear-phishing and weaponized documents to lure victims into running malicious macros. But in the campaign documented by Check Point Research in January 2026, the group has broken from that pattern.
Instead, attackers are targeting software engineers, developers, and teams with expertise in blockchain, cryptocurrency, and related technologies. The underlying aim appears to be access-oriented: if a developer’s environment is compromised, attackers can leverage that foothold to gain access to infrastructure, APIs, code repositories, credentials, and potentially high-value assets like cryptographic keys or digital wallets.
Interestingly, samples of the malware were submitted from across the APAC region — including Japan, Australia, and India — suggesting that KONNI’s reach has expanded beyond its traditional focus.

The Infection Chain — Step-by-Step
The campaign uses a multi-stage infection chain that begins innocuously and gradually escalates into a fully weaponized backdoor.
1. Delivery Mechanism
Attackers host a link — often distributed via platforms like Discord — that downloads a ZIP archive. Inside this archive are two key components:
- A PDF lure document designed to look like legitimate project documentation.
- A Windows Shortcut (LNK) file, which acts as the initial launcher for the attack.
2. The Launcher
When the victim opens the LNK file, it launches an embedded PowerShell loader that:
- Extracts two additional files — a DOCX lure document and a CAB archive, both encoded using a simple XOR scheme.
- Writes these files to disk.
- Opens the DOCX to distract the user.
- Extracts and executes the contents of the CAB archive.
The CAB file contains:
- The PowerShell backdoor.
- Two batch scripts.
- An executable used for UAC (User Account Control) bypass.
3. Persistence and Scheduling
The first batch script builds a staging directory under C:\ProgramData and moves the backdoor and one of the batch files there. It then creates a scheduled task, masquerading as a legitimate OneDrive startup task, configured to run hourly under the current user’s privileges.
This scheduled task executes a PowerShell command that:
- Reads an XOR-encrypted backdoor script from disk.
- Decrypts it using a single-byte key (“Q”).
- Executes the decoded script in memory, reducing detection risk.
Afterwards, the initial batch script removes itself to hide traces of execution.
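The persistence stage above leaves three detectable traces: a task named after OneDrive that does not launch from the OneDrive install folder, an hourly action running out of C:\ProgramData, and a PowerShell command that reads a file, XORs it with a single byte and hands the result to IEX. The triage helper below is an added example (not from the Check Point report) that flags those traces in constructed telemetry records; the record layout and file names are assumptions.

```python
"""Triage helper for the staging pattern described above: hourly task posing as
OneDrive, backdoor parked under C:\ProgramData, and a PowerShell one-liner that
XOR-decodes a file with a single-byte key and executes it in memory."""
import re

# Constructed records modelled on task-registration and process-creation telemetry.
SAMPLE_EVENTS = [
    {"type": "task", "name": "OneDrive Standalone Update Task",
     "action": r"C:\ProgramData\SysInfo\run.bat", "interval_minutes": 60},
    {"type": "task", "name": "OneDrive Reporting Task",
     "action": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "interval_minutes": 1440},
    {"type": "process", "cmdline":
     r"powershell -w hidden -c $b=[IO.File]::ReadAllBytes('C:\ProgramData\SysInfo\s.dat');"
     r"$d=$b|%{$_ -bxor 0x51};IEX([Text.Encoding]::UTF8.GetString($d))"},
    {"type": "process", "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
]

LEGIT_ONEDRIVE_DIR = re.compile(r"\\Microsoft\\OneDrive\\", re.I)
PROGRAMDATA = re.compile(r"^[A-Z]:\\ProgramData\\", re.I)
XOR_KEY = re.compile(r"-bxor\s+(0x[0-9a-f]+|\d+)", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)

def task_is_suspicious(ev):
    """OneDrive-named task whose action lives outside the OneDrive install folder,
    or any task launching from ProgramData, when it repeats hourly or faster."""
    name_mismatch = "onedrive" in ev["name"].lower() and not LEGIT_ONEDRIVE_DIR.search(ev["action"])
    staged = bool(PROGRAMDATA.search(ev["action"]))
    return (name_mismatch or staged) and ev["interval_minutes"] <= 60

def single_byte_xor_key(cmdline):
    """Return the one-byte XOR key as a character when the command reads a file,
    XORs it with a literal byte and pipes the result to IEX; otherwise None."""
    m = XOR_KEY.search(cmdline)
    if not m or not IN_MEMORY_EXEC.search(cmdline) or "readallbytes" not in cmdline.lower():
        return None
    return chr(int(m.group(1), 0))  # 0x51 -> 'Q', the key named in the report

def triage(events):
    """Return (kind, detail) tuples for every record matching the pattern."""
    hits = []
    for ev in events:
        if ev["type"] == "task" and task_is_suspicious(ev):
            hits.append(("task", ev["name"]))
        elif ev["type"] == "process":
            key = single_byte_xor_key(ev["cmdline"])
            if key is not None:
                hits.append(("process", f"single-byte XOR key {key!r} then in-memory exec"))
    return hits
```

Feed it real task and process records by mapping your telemetry's fields onto `name`, `action`, `interval_minutes` and `cmdline`.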
IOCs Hashes:
Domains & IPs:
Deep Dive into the PowerShell Backdoor
Once executed, the backdoor carries out several actions designed to evade analysis and establish persistent, stealthy control.
Anti-Analysis and Evasion Checks
Before doing anything substantive, the script performs:
- Hardware checks to ensure it’s not running in a virtualized analysis environment.
- Monitoring for analysis tools such as IDA, Wireshark, and Procmon.
- User interaction requirements, ensuring a minimum amount of mouse activity before progressing.
If these checks fail, the malware terminates, thwarting sandbox and automated analysis tools.
Ensuring Single Execution
The backdoor uses a global mutex (named Global\SysInfoProject_<projectUUID>) to ensure only one instance runs at a time. The UUID is hardcoded (in analyzed samples) as f7d77a6d-36e0-4fcb-bae7-5f4b3b723f61.
Host Fingerprinting
It fingerprints the victim’s machine by querying Windows Management Instrumentation (WMI) for the motherboard serial number and system UUID. These details are hashed with SHA-256, producing a unique host identifier used in communications with the command-and-control (C2) server.
Privilege Escalation and UAC Bypass
The script branches based on privilege level:
- If running with standard user rights, it employs a UAC bypass technique using fodhelper.exe. This abuse of auto-elevated Windows binaries lets the attackers elevate without prompting the victim. Once elevated, a helper executable (rKXujm.exe) disables UAC prompts by modifying registry settings.
- In Admin mode, the backdoor creates a Defender exclusion for C:\ProgramData and runs an elevated batch script to ensure persistence.
- Under SYSTEM-level privileges, the malware deploys SimpleHelp, a legitimate remote management tool, providing interactive remote access beyond the PowerShell implant.
C2 Communication and Execution
To communicate with its C2 endpoint:
- The backdoor first performs a JavaScript challenge emulation to get a session cookie required by the server.
- It then sends periodic HTTP requests with host metadata, including the hashed identifier, privilege level, local IP, and username.
- The server can respond with PowerShell tasks to be executed asynchronously, allowing remote command execution at random intervals.
The C2 infrastructure uses client-side AES protections to block non-browser traffic, requiring the backdoor to reconstruct and emulate browser logic to authenticate — another sign of sophisticated engineering.
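Because the implant checks in periodically but spaces its requests at random intervals, the check-ins show up in proxy logs as a destination whose request gaps cluster around one value without being perfectly regular. The function below is an added example (not from the report) that scores destinations by the spread of their inter-request gaps; the log lines, hostnames and thresholds are constructed for illustration.

```python
"""Jittered-beacon spotting over constructed proxy log lines: flag destinations
with enough requests whose inter-arrival gaps have a low coefficient of variation."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_REQUESTS = 5  # fewer samples than this cannot establish a cadence

# Constructed proxy log: "<ISO timestamp> <src> <dst> <method> <path>".
# The .invalid hostnames are placeholders, not indicators from the report.
LOG = """
2026-01-15T09:00:00 10.0.0.5 cdn.example-news.invalid GET /index.html
2026-01-15T09:00:02 10.0.0.5 cdn.example-news.invalid GET /app.js
2026-01-15T09:00:03 10.0.0.5 cdn.example-news.invalid GET /style.css
2026-01-15T09:00:10 10.0.0.5 staging.example-c2.invalid POST /ping
2026-01-15T09:01:17 10.0.0.5 staging.example-c2.invalid POST /ping
2026-01-15T09:02:05 10.0.0.5 staging.example-c2.invalid POST /ping
2026-01-15T09:03:11 10.0.0.5 staging.example-c2.invalid POST /ping
2026-01-15T09:04:04 10.0.0.5 staging.example-c2.invalid POST /ping
2026-01-15T09:05:16 10.0.0.5 staging.example-c2.invalid POST /ping
2026-01-15T09:25:00 10.0.0.5 cdn.example-news.invalid GET /article/42
"""

def parse_log(text):
    """Group request timestamps by destination host."""
    per_dst = defaultdict(list)
    for line in text.strip().splitlines():
        ts, _src, dst, _method, _path = line.split()
        per_dst[dst].append(datetime.fromisoformat(ts))
    return per_dst

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None if too few samples.
    A CV near 0 is a metronome; a small CV is a jittered beacon; browsing is large."""
    if len(timestamps) < MIN_REQUESTS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_beacons(text, max_cv=0.5):
    """Map each destination that looks like a beacon to its (mean gap, CV)."""
    hits = {}
    for dst, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits[dst] = score
    return hits
```

Tune `MIN_REQUESTS` and `max_cv` to your environment; hourly tasks like the one described earlier need a correspondingly longer log window before they accumulate enough samples.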
Implications and Emerging Trends
This campaign represents a striking evolution in the cybercrime landscape:
- AI-generated malware is no longer hypothetical — it’s operational.
- Threat actors like KONNI are not just improving delivery but automating malware development.
- Targeting developers — particularly those tied to blockchain and cloud — reflects a pivot toward access that can be monetized or leveraged for further compromise.
Defenders must treat development environments with the same vigilance as production infrastructure, implementing layered endpoint protection, rigorous authentication, and behavior-based detection capable of identifying advanced malware patterns.
