Sunday, January 25, 2026

North Korean Konni Hackers Target Blockchain Engineers with AI-Generated Malware

The North Korean hacking group Konni has shifted its targeting toward blockchain engineers, and recent reports show the group delivering PowerShell malware whose structure points to AI-assisted development. Because a blockchain developer's workstation typically holds keys, credentials, and deployment access, a single compromise can reach well beyond one machine, which is why the campaign matters for digital asset security.

Konni has been active since at least 2014 and overlaps with other North Korean advanced persistent threat (APT) activity, specifically the APT37 and Kimsuky clusters. The group has a documented history of intrusions in South Korea, Ukraine, Russia, and several European countries. Check Point researchers report that its latest campaign concentrates on the Asia Pacific region.

North Korean Konni Group Deploys AI-Generated Malware

According to the research, the malware reaches its targets through a simple but effective chain. Victims receive a Discord link that leads to a ZIP archive. The archive contains a PDF lure meant to make the download look legitimate and a malicious LNK shortcut file. When the LNK runs, it launches an embedded PowerShell loader that drops further components: a DOCX decoy document and a CAB archive holding the actual PowerShell backdoor and its accompanying batch files.

Once the shortcut is launched, the loader opens the DOCX document and triggers one of the batch files from the CAB archive. The decoy exists only to sustain the illusion of legitimacy while the real goal proceeds: compromising the target's development environment. Success can give the attackers unauthorized access to infrastructure configurations, API credentials, wallet access, and potentially large digital asset holdings.

One batch file sets up a staging directory for the backdoor; the other creates an hourly scheduled task that masquerades as a OneDrive startup task. Each time it fires, the task reads an XOR-encrypted PowerShell script from disk, decrypts it, and executes the result in memory, so the decrypted backdoor never lands on the filesystem. The malware self-deletes after it has completed its work, leaving fewer traces for forensic analysis.
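
The persistence step described above has a defender-friendly shape: a task named after OneDrive that does not run a OneDrive binary, fires hourly, and launches PowerShell with arguments that read and decode a file. The following hunt script is an added example written for this article, not Check Point's code and not the Konni sample; the event records it scores are constructed to resemble the key fields of Windows Security event 4698 (scheduled task created) after parsing, and the field names and the loader command line are assumptions.

```python
"""Hunt for scheduled tasks that pose as OneDrive but launch PowerShell.

Added example, not Check Point's code. The records below are constructed to
resemble the key fields of Windows Security event 4698 (scheduled task
created) after parsing; the field names and the loader command line are
assumptions, not the Konni sample.
"""
import re

ONEDRIVE_NAME = re.compile(r"onedrive", re.I)
# The genuine OneDrive client and its updater live under this path.
ONEDRIVE_PATH = re.compile(r"\\microsoft\\onedrive\\", re.I)
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
# Traits of an in-memory loader: read a file, XOR it, hand it to IEX.
LOADER_ARGS = re.compile(
    r"-bxor|readallbytes|get-content|\biex\b|invoke-expression"
    r"|frombase64string|-e(?:nc|ncodedcommand)?\b", re.I)
EVASION_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass", re.I)

# Constructed sample events (not real telemetry): a genuine OneDrive updater
# task, a look-alike that decrypts and runs a script hourly, and an unrelated
# hourly Windows Update task that must not be flagged.
SAMPLE_EVENTS = [
    {"task": r"\OneDrive Standalone Update Task-S-1-5-21-1", "repeat": "P1D",
     "exec": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "args": ""},
    {"task": r"\Microsoft\OneDrive\OneDriveStartup", "repeat": "PT1H",
     "exec": "powershell.exe",
     "args": ('-w hidden -ep bypass -c "$k=0x5A;'
              '$b=[IO.File]::ReadAllBytes(\'$env:APPDATA\\ods.dat\');'
              '$s=-join($b|%{[char]($_ -bxor $k)});IEX $s"')},
    {"task": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan", "repeat": "PT1H",
     "exec": r"%SystemRoot%\system32\usoclient.exe", "args": "StartScan"},
]


def score_task(ev: dict) -> tuple[int, list[str]]:
    """Return a suspicion score and the reasons behind it for one task event."""
    score, why = 0, []
    if ONEDRIVE_NAME.search(ev["task"]) and not ONEDRIVE_PATH.search(ev["exec"]):
        score += 3
        why.append("OneDrive-named task runs a binary outside the OneDrive folder")
    if POWERSHELL.search(ev["exec"]):
        score += 2
        why.append("action is PowerShell rather than an application binary")
    if ev["repeat"] == "PT1H":
        score += 1
        why.append("hourly repetition trigger")
    if LOADER_ARGS.search(ev["args"]):
        score += 2
        why.append("arguments decode or execute a script fetched from disk")
    if EVASION_ARGS.search(ev["args"]):
        score += 1
        why.append("hidden window or execution-policy bypass")
    return score, why


def hunt(events: list[dict], threshold: int = 5) -> list[str]:
    """Return the task names whose score reaches the threshold."""
    return [ev["task"] for ev in events if score_task(ev)[0] >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, why = score_task(ev)
        print(f"{score:>2}  {ev['task']}")
        for reason in why:
            print(f"      - {reason}")
    print("flagged:", hunt(SAMPLE_EVENTS))
```

Only the look-alike task crosses the threshold; the real updater scores zero and the hourly Windows Update scan scores one, which is the point of weighting the name-versus-binary mismatch highest. In a real environment the same fields come from the task XML inside event 4698, or from Sysmon process-creation events whose parent is the svchost.exe instance hosting the Schedule service.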

The PowerShell backdoor stands out for its heavy obfuscation. It encodes strings with per-character arithmetic and reassembles them at runtime, then hands the reconstructed code to Invoke-Expression for execution. Because the strings never appear in plain form in the file, signature-based scanning of the script itself has little to match on. Check Point reads the way the code is organized as a sign that modern, likely AI-assisted, coding practices went into its development.

Check Point Researchers Provide Details on the Malware

Researchers at Check Point point out that the malware shows signs of AI-assisted development rather than conventional hand-written code. Well-structured documentation and a modular layout within the script resemble AI-generated output more than malware authored by hand. Comments such as “# <– your permanent project UUID” indicate a template-driven approach typical of large language model (LLM) output.

The scripts also carry user-facing instructions for customizing placeholder values, another hallmark of AI-generated output. Before running any malicious payload, the malware profiles its environment by checking hardware, installed software, and signs of user activity. Only after concluding that it is not inside a sandbox or analysis system does it generate a unique host ID and continue with its tasks.

Once the backdoor is fully operational on the compromised device, it checks in periodically with a command-and-control (C2) server. Each check-in sends host metadata and polls for further instructions. If the C2 server responds with PowerShell code, the backdoor runs it in the background as script blocks, giving the attacker arbitrary code execution on the host. Check Point researchers attribute the activity to Konni based on prior attack patterns and structural similarities in the execution chain.

Check Point has also published indicators of compromise for the campaign, which defenders can feed into their detection tooling to spot Konni activity. Matching these indicators early lets organizations contain an intrusion before credentials or wallets are exposed.
