Konni uses AI-generated PowerShell malware to target blockchain developers

North Korean threat actor Konni used PowerShell malware generated with artificial intelligence to target developers and engineering teams in the blockchain sector in Japan, Australia and India, a technical report by Check Point Research said. The campaign relied on spear-phishing that delivered ZIP archives containing a Windows shortcut, which launched a multi-stage loader and a persistent remote access tool.

KEY FACTS

  • Threat actor: Konni
  • Targets: Blockchain developers and engineering teams in Japan, Australia and India
  • Malware: PowerShell backdoor and EndRAT delivered via LNK in ZIP archives
  • Delivery: Spear-phishing using ad-click redirection and ZIP files hosted on WordPress or a CDN

The emails masqueraded as financial notices and contained links that used ad-click redirection to reach external infrastructure. ZIP files hosted on WordPress sites and on a CDN held a PDF decoy and a shortcut that began the attack chain.

The shortcut executed a PowerShell loader that extracted a Word lure and a CAB archive. The CAB unpacked a PowerShell backdoor, two batch scripts and an executable used for a User Account Control bypass. The loader established persistence with a scheduled task and staged a legitimate remote access tool for ongoing access.

The PowerShell backdoor performs anti-analysis and sandbox-evasion checks, profiles the host, attempts privilege elevation using the FodHelper bypass, and configures Microsoft Defender exclusions. The backdoor communicates with a command-and-control server that returns PowerShell code to execute.
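The two paragraphs above describe a chain of host behaviours that endpoint telemetry can catch independently of any hash: a hidden PowerShell loader, CAB extraction from a user-writable path, a scheduled-task persistence entry, the ms-settings handler hijack that FodHelper relies on, and a Defender exclusion change. The following detection sketch is an added example written for this article, not code from Check Point Research or from the malware. The events it runs over are constructed (the field names follow the Sysmon ProcessCreate and RegistryEvent shape, the SID is a placeholder, and the paths are invented), and the rule thresholds are assumptions a team would tune against its own baseline.

```python
"""Triage constructed endpoint telemetry for the behaviours described in the
Konni write-up. Event dicts mimic Sysmon ProcessCreate (id 1) and
RegistryEvent value-set (id 13) records; none of this is the report's data."""
import re
from typing import Callable

Event = dict
Rule = tuple[str, Callable[[Event], bool]]


def _img_is(event: Event, *names: str) -> bool:
    """True if the event's image file name (case-insensitive) is one of names."""
    return event.get("image", "").lower().rsplit("\\", 1)[-1] in names


def _cmd(event: Event) -> str:
    return event.get("command_line", "")


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# Each rule maps one stage of the described chain to a telemetry pattern.
RULES: list[Rule] = [
    # LNK-launched loader: PowerShell with a hidden window and policy bypass.
    ("hidden_powershell_loader", lambda e: e["id"] == 1
        and _img_is(e, "powershell.exe", "pwsh.exe")
        and _has(r"-w(?:in(?:dow(?:style)?)?)?\s+hidden", _cmd(e))
        and _has(r"-(?:ep|exec|executionpolicy)\s+bypass", _cmd(e))),
    # CAB archive being unpacked from somewhere under C:\Users.
    ("cab_extract_from_user_path", lambda e: e["id"] == 1
        and _img_is(e, "expand.exe", "extrac32.exe")
        and _has(r"\\users\\.*\.cab\b", _cmd(e))),
    # Scheduled-task persistence via schtasks or the PowerShell cmdlet.
    ("scheduled_task_persistence", lambda e: e["id"] == 1 and (
        (_img_is(e, "schtasks.exe") and _has(r"/create\b", _cmd(e)))
        or _has(r"\bRegister-ScheduledTask\b", _cmd(e)))),
    # FodHelper-style elevation writes the per-user ms-settings handler key.
    ("fodhelper_handler_hijack", lambda e: e["id"] == 13
        and _has(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
                 e.get("target_object", ""))),
    # Defender exclusion being added from a command line.
    ("defender_exclusion_added", lambda e: e["id"] == 1
        and _has(r"\bAdd-MpPreference\b", _cmd(e))
        and _has(r"-Exclusion(?:Path|Process|Extension)\b", _cmd(e))),
]


def detect(events: list[Event]) -> list[dict]:
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for idx, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                findings.append({"index": idx, "rule": name,
                                 "image": event.get("image", "")})
    return findings


def chain_score(findings: list[dict]) -> int:
    """Count distinct stages seen; several stages on one host is far stronger
    evidence than any single rule firing (each can have benign causes)."""
    return len({f["rule"] for f in findings})


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\dev\AppData\Local\Temp"

# Constructed sample telemetry: two benign events wrapped around the chain.
SAMPLE_EVENTS: list[Event] = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "command_line": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": PS,
     "command_line": rf"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File {TMP}\notice.ps1"},
    {"id": 1, "image": r"C:\Windows\System32\expand.exe",
     "command_line": rf"expand.exe {TMP}\pkg.cab -F:* {TMP}\out"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": rf"schtasks.exe /Create /SC MINUTE /MO 30 /TN UpdateCheck /TR {TMP}\out\run.bat"},
    {"id": 13, "image": PS,  # SID below is a placeholder, not a real account
     "target_object": r"HKU\S-1-5-21-PLACEHOLDER\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"id": 1, "image": PS, "command_line": rf"powershell.exe Add-MpPreference -ExclusionPath {TMP}"},
    {"id": 1, "image": PS, "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"event {hit['index']}: {hit['rule']} ({hit['image']})")
    print("distinct stages observed:", chain_score(hits))
```

Run against the constructed sample, the five chain events each trip one rule and the two benign events trip none; the practical value is in `chain_score`, since a single scheduled task or a lone Defender exclusion is routine on a developer workstation, while four or five of these stages within minutes on one host is what should page an analyst.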

Evidence in the backdoor, such as its modular structure, human-readable documentation and source code comments, indicates the code may have been generated with assistance from an AI tool. The attackers appear to focus on development environments to enable broader downstream access. The initial access vector remains unknown.

WHY IT MATTERS

Compromise of developer systems can expose multiple projects and produce supply chain risk. Use of AI-assisted code may accelerate malware development and increase reuse of malicious components.