The North Korean state-linked hacking group Konni is conducting a campaign targeting blockchain engineers with PowerShell malware believed to be crafted with AI assistance. The attack chain begins with a Discord message containing a link to a malicious ZIP archive, which holds a PDF lure and a Windows shortcut (LNK) file. Executing the shortcut triggers a PowerShell loader that unpacks a decoy document and a CAB archive containing the core backdoor.
The malware establishes persistence by creating a scheduled task disguised as a OneDrive process and executes an obfuscated PowerShell script directly in memory. Researchers note the code’s unusually clean structure, modular design, and instructional comments—such as a note about a "permanent project UUID"—which are hallmarks of large language model-generated scripts. Before activating, the backdoor performs environment checks to evade analysis and then communicates with a command-and-control server, executing any received PowerShell commands.
Check Point attributes this activity to the Konni group based on tactical overlaps with previous operations and has published associated indicators of compromise. The campaign underscores North Korea's continued focus on cryptocurrency-related targets and its adoption of AI tools to enhance malware sophistication.
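A defender-side hunt for the persistence step described above, added here as an example and not code from Check Point or the report: it scans constructed Windows Security event 4698 (scheduled task created) records for OneDrive-named tasks whose action launches PowerShell with hidden, encoded or in-memory execution flags. Task names, paths and the encoded argument are made-up sample data.

```python
# Hunt for scheduled tasks posing as OneDrive that launch PowerShell. Input modelled on
# Windows event 4698 (TaskName + task XML); all names, paths and args are constructed samples.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOOKALIKE = re.compile(r"onedrive", re.IGNORECASE)
PS_EXE = re.compile(r"^(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
SUSPICIOUS_ARGS = re.compile(  # flags typical of hidden, encoded, in-memory execution
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|-noni\b"
    r"|\biex\b|downloadstring|frombase64string", re.IGNORECASE)

def task_xml(command, arguments=""):
    """Minimal task definition in the real Task Scheduler XML schema."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}'
            f"</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed 4698 records: (TaskName, TaskContent)
SAMPLE_EVENTS = [
    ("\\OneDrive Standalone Update Task-S-1-5-21-1111",   # genuine updater
     task_xml("%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe")),
    ("\\OneDriveSync",                                    # lookalike, runs PowerShell
     task_xml("powershell.exe", "-nop -w hidden -enc CONSTRUCTED_BASE64_BLOB")),
    ("\\Maintenance\\DiskCleanup",                        # legitimate admin script
     task_xml("powershell.exe", "-ExecutionPolicy Bypass -File C:\\Scripts\\cleanup.ps1")),
]

def parse_exec(xml_body):
    """Return (command, arguments) of the first Exec action, or (None, None)."""
    node = ET.fromstring(xml_body).find(".//t:Actions/t:Exec", NS)
    if node is None:
        return None, None
    return (node.findtext("t:Command", default="", namespaces=NS).strip(),
            node.findtext("t:Arguments", default="", namespaces=NS).strip())

def score_task(task_name, xml_body):
    """Reasons a task matches the disguised-OneDrive PowerShell pattern; [] = no match."""
    cmd, args = parse_exec(xml_body)
    if cmd is None:
        return []
    exe = cmd.strip('"').replace("/", "\\").split("\\")[-1]   # basename only
    reasons = []
    if LOOKALIKE.search(task_name) and PS_EXE.match(exe):
        reasons.append("OneDrive-named task launches PowerShell, not a OneDrive binary")
    if PS_EXE.match(exe) and SUSPICIOUS_ARGS.search(args):
        reasons.append("PowerShell action uses hidden/encoded/in-memory flags")
    return reasons

def hunt(events):
    """Map task name -> reasons for every event that scores."""
    return {name: reasons for name, body in events
            if (reasons := score_task(name, body))}
```

On a live host the same records can be pulled from the Security log (event 4698) or from an export of the current task definitions and fed to `hunt` unchanged.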
