
The North Korean threat actor known as Konni has been observed using PowerShell malware generated with artificial intelligence (AI) tools to target developers and engineering teams in the blockchain industry.
The phishing campaign targeted Japan, Australia and India, highlighting the expansion of the adversary’s targeting reach beyond South Korea, Russia, Ukraine and European countries, Check Point Research said in a technical report released last week.
Active since at least 2014, Konni is primarily known for its targeting of organizations and individuals in South Korea. It is also tracked under the names Earth Imp, Opal Sleet, Osmium, TA406 and Vedalia.
In November 2025, the Genians Security Center (GSC) detailed the hacking group’s targeting of Android devices by leveraging Google’s asset tracking service, Find Hub, to remotely reset victims’ devices and wipe their personal data, signaling a further escalation of their tradecraft.
Just this month, Konni was observed distributing spear phishing emails containing malicious links disguised as innocuous advertising URLs associated with Google and Naver advertising platforms to bypass security filters and deliver a remote access Trojan named EndRAT.
The campaign was dubbed Operation Poseidon by the GSC, with the attacks impersonating North Korean human rights organizations and financial institutions in South Korea. Attacks are also characterized by the use of poorly secured WordPress websites to distribute malware and for command and control (C2) infrastructure.

Email messages were found to be masquerading as financial notices, such as transaction confirmations or bank transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) designed to run an AutoIt script disguised as a PDF document. The AutoIt script is a known Konni malware called EndRAT (aka EndClient RAT).
“This attack is being analyzed as a case that effectively bypassed email security filtering and user vigilance through a spear-phishing attack vector that exploited the click-through redirection mechanism used in Google’s advertising ecosystem,” the South Korean security body said.
“It was confirmed that the attacker used the redirect URL structure of a domain used for legitimate ad click tracking (ad.doubleclick(.)net) to gradually direct users to external infrastructure where real malicious files were hosted.”
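A mail gateway can catch this redirect abuse statically, without following the link: unwrap the click-tracker URL to the destination it embeds and judge that host and file type instead of the trusted ad domain. The following is an added example written for this page, not code from GSC or Check Point; the tracker host list, the destination parameter names other than `adurl`, and all sample URLs are constructed assumptions.

```python
"""Statically unwrap ad click-tracking redirects to expose the real download host.

Added example: tracker hosts, parameter names (other than 'adurl') and the sample
URLs below are constructed for illustration, not taken from the reports above.
"""
from urllib.parse import urlparse, parse_qs, unquote

# Click-tracking hosts a naive filter would treat as trusted (constructed list).
AD_TRACKER_HOSTS = {"ad.doubleclick.net", "googleads.g.doubleclick.net", "adclick.g.doubleclick.net"}
# Query parameters that may carry the click-through destination (assumed set).
DEST_PARAMS = ("adurl", "url", "dest", "redirect", "u")
# Payload types the article describes (ZIP carrying an LNK) plus common siblings.
SUSPICIOUS_SUFFIXES = (".zip", ".lnk", ".exe", ".iso", ".cab")


def unwrap_redirect(url, max_hops=5):
    """Return the redirect chain, outermost URL first, without any network access."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        nxt = None
        qs = parse_qs(parsed.query, keep_blank_values=True)
        for param in DEST_PARAMS:              # keyed form: ...?adurl=https%3A%2F%2F...
            if qs.get(param) and qs[param][0]:
                nxt = unquote(qs[param][0])
                break
        # Bare form: ".../clk/123;456?https://target/..." (destination is the whole query)
        if nxt is None and parsed.query.lower().startswith(("http://", "https://")):
            nxt = unquote(parsed.query)
        if nxt is None or not nxt.lower().startswith(("http://", "https://")) or nxt in chain:
            break
        chain.append(nxt)
    return chain


def classify(url):
    """Flag tracker redirects whose final hop delivers an archive/executable or a WordPress upload."""
    chain = unwrap_redirect(url)
    first, final = urlparse(chain[0]), urlparse(chain[-1])
    off_platform = (
        len(chain) > 1
        and first.hostname in AD_TRACKER_HOSTS
        and final.hostname not in AD_TRACKER_HOSTS
    )
    reasons = []
    if off_platform:
        if final.path.lower().endswith(SUSPICIOUS_SUFFIXES):
            reasons.append("tracker redirect delivers %s" % final.path.rsplit("/", 1)[-1])
        if "/wp-content/" in final.path.lower():
            reasons.append("landing host serves from a WordPress upload directory")
    return {
        "hops": len(chain) - 1,
        "final_host": final.hostname,
        "off_platform": off_platform,
        "flag": bool(reasons),
        "reasons": reasons,
    }


SAMPLES = {  # constructed URLs, shaped like the lures described above
    "lure": "https://ad.doubleclick.net/ddm/clk/1234;5678?https://notice-bank.example/wp-content/uploads/2026/01/transfer_confirmation.zip",
    "encoded": "https://adclick.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Fnotice-bank.example%2Fwp-content%2Fuploads%2Fnotice.zip",
    "benign": "https://ad.doubleclick.net/ddm/clk/1234;5678?https://www.example.com/products/",
    "plain": "https://www.example.com/report.pdf",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, classify(sample))
```

The design point is that an ordinary ad redirect to a product page is left alone (`off_platform` is recorded but not flagged), while the same tracker pointing at a ZIP under `/wp-content/uploads/` is flagged before anyone clicks; the unwrapper also stops on cycles and after a bounded number of hops so a crafted URL cannot loop the filter.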

The latest campaign documented by Check Point leverages ZIP files mimicking project requirements-themed documents and hosted on Discord’s Content Delivery Network (CDN) to trigger a multi-step attack chain that executes the following sequence of actions. The exact initial access vector used in the attacks is unknown.
- The ZIP archive contains a decoy PDF and an LNK file
- The shortcut file launches an embedded PowerShell loader that extracts two additional files, a Microsoft Word decoy document and a CAB archive, and opens the Word document as a distraction.
- The shortcut file then extracts the contents of the CAB archive, which contains a PowerShell backdoor, two batch scripts, and an executable used to bypass User Account Control (UAC).
- The first batch script is used to prepare the environment, establish persistence using a scheduled task, prepare the backdoor and execute it, after which it deletes itself from disk to reduce forensic visibility.
- The PowerShell backdoor performs a series of anti-analysis and sandbox-evasion checks, then profiles the system and attempts privilege escalation using the FodHelper UAC bypass technique.
- The backdoor deletes the previously dropped UAC bypass executable, adds a Microsoft Defender exclusion for “C:\ProgramData”, and runs the second batch script to replace the previously created scheduled task with a new one that runs with elevated privileges.
- The backdoor installs SimpleHelp, a legitimate remote monitoring and management (RMM) tool, for persistent remote access, and communicates with a C2 server protected by an encryption gate intended to block non-browser traffic, periodically sending host metadata to the server and executing any PowerShell code it returns.
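Every stage of that chain leaves a distinct host artifact: a hidden PowerShell child of explorer.exe, a write to the ms-settings shell\open\command key that FodHelper consults, a shell spawned by fodhelper.exe, a Defender exclusion for C:\ProgramData, and an elevated scheduled task whose action lives under ProgramData. Scoring them together per host separates the chain from any one of them occurring on its own. The following is an added example, not Check Point’s code; the events are constructed records in the shape of Sysmon EventID 1 (process create) and 13 (registry value set), the rule weights are this example’s own, and the SimpleHelp binary path is an assumption.

```python
"""Hunt the staged PowerShell chain above in Sysmon-shaped telemetry.

Added example, not code from the Check Point report. EVENTS are constructed
records shaped like Sysmon EventID 1 (process create) and 13 (registry set).
"""
import re
from collections import defaultdict


def f(e, key):
    """Lower-cased field accessor; missing fields read as empty strings."""
    return str(e.get(key, "")).lower()


# (rule name, weight, predicate over one event). Weights are this example's own scoring.
RULES = [
    ("lnk_spawned_hidden_powershell", 2, lambda e:
        e.get("eid") == 1 and f(e, "image").endswith("\\powershell.exe")
        and f(e, "parent_image").endswith("\\explorer.exe")
        and any(t in f(e, "cmdline") for t in ("-w hidden", "-windowstyle hidden", "bypass", "-enc", "-nop"))),
    ("fodhelper_ms_settings_hijack", 4, lambda e:          # key FodHelper reads for its DelegateExecute verb
        e.get("eid") == 13
        and re.search(r"\\software\\classes\\ms-settings\\shell\\open\\command", f(e, "target")) is not None),
    ("fodhelper_spawned_shell", 3, lambda e:
        e.get("eid") == 1 and f(e, "parent_image").endswith("\\fodhelper.exe")
        and f(e, "image").endswith(("\\cmd.exe", "\\powershell.exe"))),
    ("defender_exclusion_programdata", 3, lambda e:
        (e.get("eid") == 13 and "\\windows defender\\exclusions\\paths\\c:\\programdata" in f(e, "target"))
        or (e.get("eid") == 1 and "add-mppreference" in f(e, "cmdline") and "programdata" in f(e, "cmdline"))),
    ("elevated_task_from_programdata", 3, lambda e:
        e.get("eid") == 1 and f(e, "image").endswith("\\schtasks.exe") and "/create" in f(e, "cmdline")
        and ("/rl highest" in f(e, "cmdline") or "/ru system" in f(e, "cmdline"))
        and "programdata" in f(e, "cmdline")),
    ("simplehelp_rmm_dropped", 2, lambda e:                 # binary naming is an assumption
        e.get("eid") == 1 and "simplehelp" in f(e, "image") + " " + f(e, "cmdline")),
]


def evaluate(events):
    """Return {host: {"score": int, "hits": [rule names]}} for every host with at least one hit."""
    result = defaultdict(lambda: {"score": 0, "hits": []})
    for e in events:
        for name, weight, pred in RULES:
            if pred(e) and name not in result[e["host"]]["hits"]:
                result[e["host"]]["hits"].append(name)
                result[e["host"]]["score"] += weight
    return dict(result)


def is_chain(summary, threshold=8):
    """One hidden PowerShell is noise; the chain needs several distinct stages on the same host."""
    return summary["score"] >= threshold and len(summary["hits"]) >= 3


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed telemetry
    {"host": "DEV-01", "eid": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "expand C:\\Users\\dev\\Downloads\\req.cab C:\\ProgramData"'},
    {"host": "DEV-01", "eid": 13, "image": PS,
     "target": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\shell\open\command\DelegateExecute"},
    {"host": "DEV-01", "eid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "cmd.exe /c C:\\ProgramData\\run2.bat"},
    {"host": "DEV-01", "eid": 13, "image": PS,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"},
    {"host": "DEV-01", "eid": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr "powershell -w hidden -f C:\\ProgramData\\svc.ps1" /sc minute /mo 5 /rl highest /f'},
    {"host": "DEV-01", "eid": 1, "image": r"C:\ProgramData\SimpleHelp\Remote Access Service.exe",  # assumed path
     "parent_image": PS, "cmdline": '"C:\\ProgramData\\SimpleHelp\\Remote Access Service.exe" /install'},
    # Benign noise on another host: an administrator running a hidden inventory script.
    {"host": "ADMIN-02", "eid": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for host, summary in evaluate(EVENTS).items():
        print(host, "CHAIN" if is_chain(summary) else "single hit", summary)
```

The registry rule carries the highest weight because a write to that ms-settings key by anything other than Windows itself has almost no legitimate cause, whereas hidden PowerShell and Defender exclusion changes both appear in routine administration; requiring three distinct stages on one host is what keeps ADMIN-02 out of the alert.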
The cybersecurity company said there were indications that the PowerShell backdoor was created with the help of an AI tool, citing its modular structure, human-readable documentation and the presence of source code comments such as “# <– your permanent project UUID."
“Instead of focusing on individual end users, the goal of the campaign appears to be to gain a foothold in development environments, where the compromise can provide broader downstream access to multiple projects and services,” Check Point said. “The introduction of AI-assisted tools suggests an effort to accelerate development and standardize code while continuing to rely on proven delivery methods and social engineering.”

These findings coincide with the disclosure of several other North Korea-linked campaigns that facilitate remote control and data theft.
- A spear phishing campaign that uses JScript Encoded (JSE) scripts imitating Hangul Word Processor (HWPX) documents and government-themed lure files to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.
- A phishing campaign that distributes LNK files masquerading as PDF documents to launch a PowerShell script that detects malware scanning and virtual environments and delivers a remote access Trojan called MoonPeak.
- A set of two cyberattacks, assessed to have been carried out by Andariel in 2025, that targeted an unnamed European entity in the legal industry to deliver TigerRAT, and compromised the update mechanism of a South Korean enterprise resource planning (ERP) software vendor to distribute three new Trojans to downstream victims: StarshellRAT, JelusRAT, and GopherRAT.
According to Finnish cybersecurity firm WithSecure, the ERP vendor’s software has been the target of similar supply chain compromises twice in the past, in 2017 and again in 2024, to deploy malware families like HotCroissant and Xctdoor.
While JelusRAT is written in C++ and supports fetching plugins from a C2 server, StarshellRAT is developed in C# and supports command execution, file upload/download, and screenshot capture. GopherRAT, on the other hand, is written in Go and offers the ability to execute commands or binaries, exfiltrate files and enumerate the file system.
“Their targeting and objectives have varied over time; some campaigns aimed for financial gain, while others focused on stealing information relevant to the regime’s priority intelligence needs,” said Mohammad Kazem Hassan Nejad, researcher at WithSecure. “This variability highlights the group’s flexibility and ability to support broader strategic goals as those priorities evolve over time.”


