A North Korean threat actor known as Konni has recently been detected employing PowerShell malware crafted through artificial intelligence (AI) tools to target developers and engineering teams within the blockchain industry.
This phishing campaign has specifically targeted countries such as Japan, Australia, and India, indicating an expanding reach that goes beyond its usual focus on South Korea, Russia, Ukraine, and various European nations. This information was shared by Check Point Research in a technical report released last week.
Active since at least 2014, Konni is mainly recognized for its focus on organizations and individuals within South Korea. Other aliases for this group include Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.
In November 2025, the Genians Security Center (GSC) reported that the hacking group had begun targeting Android devices by exploiting Google’s Find Hub asset tracking service, allowing them to remotely reset devices and erase personal data, marking a significant escalation in their tactics.
This month, Konni has been seen distributing spear-phishing emails containing malicious links designed to look like innocuous advertisements, utilizing platforms like Google and Naver to bypass security measures and deliver a remote access trojan named EndRAT.
Referred to as Operation Poseidon by the GSC, the campaign has involved impersonating North Korean human rights organizations and financial institutions in South Korea. Additionally, the attackers have exploited inadequately secured WordPress websites for both malware distribution and command-and-control (C2) functionality.
The phishing emails disguise themselves as financial notices, such as transaction confirmations or wire transfer requests, tricking recipients into downloading ZIP files hosted on WordPress sites. These zip files contain a Windows shortcut (LNK) designed to execute an AutoIt script masquerading as a PDF document. Known as EndRAT (or EndClient RAT), this script is linked to Konni.
The South Korean security team highlighted that, “This attack represents a successful evasion of email security measures and user awareness, utilizing a spear-phishing attack vector that takes advantage of the ad click redirection mechanism in the Google advertising framework.”
They confirmed that the attacker employed the redirection URL structure of a legitimate ad click tracking domain (ad.doubleclick[.]net) to gradually direct users to external servers where the malicious files were hosted.
Check Point’s recent findings detail how this campaign utilizes ZIP files that mimic project requirement documents, hosted on Discord’s content delivery network (CDN), initiating a complex multi-stage attack sequence. The exact initial access method remains unknown.
- The ZIP file comprises a decoy PDF and an LNK file
- The LNK file activates a PowerShell loader embedded within that extracts two further files—a Microsoft Word lure and a CAB archive, presenting the Word document as a distraction
- The LNK file also extracts contents from the CAB archive, which houses a PowerShell backdoor, two batch scripts, and an executable for User Account Control (UAC) bypass
- Initially, the batch script prepares the environment, establishes persistence through a scheduled task, stages the backdoor, executes it, and subsequently deletes itself to enhance stealth
- The PowerShell backdoor executes various anti-analysis checks, updates the system profile, and attempts to elevate privileges using the FodHelper UAC bypass method
- The backdoor cleans up any UAC bypass executables previously dropped, configures Microsoft Defender exclusions for “C:\ProgramData,” and runs a second batch script to replace the earlier scheduled task with one that has elevated privilege capabilities
- It then installs SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, enabling persistent remote access, while communicating with a C2 server protected by an encryption gate that filters non-browser traffic, allowing host data and PowerShell command execution.
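The chain above leaves several host artifacts a defender can look for (a Defender exclusion on C:\ProgramData, the registry handler the FodHelper bypass hijacks, a privileged scheduled task launching from ProgramData, and an RMM service). The following read-only triage script is an added example, not code from Check Point or the article; the "SimpleHelp" service name pattern is an assumption, and it is meant to be run in an elevated PowerShell session.

```powershell
# Added example: read-only triage of a Windows host for the post-exploitation
# artifacts described in the Konni chain. It only reports; it removes nothing.
$findings = @()

# 1. Microsoft Defender exclusions: the backdoor excludes "C:\ProgramData".
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -and $p -like 'C:\ProgramData*') {
        $findings += "Defender exclusion covers ProgramData: $p"
    }
}

# 2. FodHelper UAC bypass (MITRE T1548.002) works by planting a per-user
#    ms-settings protocol handler. This key is normally absent under HKCU.
$fodKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
if (Test-Path $fodKey) {
    $cmd = (Get-ItemProperty -Path $fodKey -ErrorAction SilentlyContinue).'(default)'
    $findings += "FodHelper hijack key present: $fodKey => $cmd"
}

# 3. Scheduled tasks whose action runs from ProgramData or launches PowerShell
#    with hidden/bypass flags; note the run level, since the chain replaces the
#    first task with an elevated one.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in @($t.Actions)) {
        $line = "$($a.Execute) $($a.Arguments)"
        if ($line -match '(?i)ProgramData' -or
            $line -match '(?i)powershell.*(-enc|-w\s*hidden|bypass)') {
            $findings += "Suspicious task '$($t.TaskName)' (RunLevel=$($t.Principal.RunLevel)): $line"
        }
    }
}

# 4. SimpleHelp RMM presence. Assumption: the service name or display name
#    contains "SimpleHelp"; compare against your approved RMM inventory.
$rmm = Get-Service | Where-Object {
    $_.DisplayName -like '*SimpleHelp*' -or $_.Name -like '*SimpleHelp*'
}
foreach ($s in $rmm) {
    $findings += "RMM service found: $($s.DisplayName) [$($s.Status)]"
}

if ($findings.Count -eq 0) { 'No Konni-style artifacts found.' } else { $findings }
```

A hit on any single check is worth escalating, but the combination of a ProgramData exclusion plus a privileged task launching from that directory matches the chain closely enough to treat the host as compromised until proven otherwise.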
The cybersecurity firm noted that there is evidence the PowerShell backdoor was developed with the help of AI tools, given its modular design, comprehensible documentation, and the presence of source code comments, indicating a structured approach.
Check Point stated, “Rather than focusing on individual users, this campaign seems aimed at compromising development environments, which could lead to broader access to multiple projects and services. The integration of AI-assisted tools implies a need for accelerated development and a push for standardization, while continuing to leverage traditional social engineering techniques.”
These findings correlate with the emergence of various North Korea-led campaigns aimed at facilitating remote control and data theft, including:
- A spear-phishing initiative that utilizes JavaScript Encoded (JSE) scripts that resemble Hangul Word Processor (HWPX) documents and government-themed decoy files to deploy a Visual Studio Code (VS Code) tunnel for remote access
- A phishing campaign disseminating LNK files that masquerade as PDF documents, launching a PowerShell script to identify virtual or malware analysis environments and deploy a remote access trojan known as MoonPeak
- A duo of cyber attacks, attributed to Andariel in 2025, that affected an unnamed European entity within the legal sector to deliver TigerRAT and compromised a South Korean Enterprise Resource Planning (ERP) software vendor’s update mechanism to distribute three new trojans: StarshellRAT, JelusRAT, and GopherRAT
According to Finnish cybersecurity firm WithSecure, this ERP vendor has faced similar supply chain attacks twice before—in 2017 and again in 2024—resulting in the deployment of malware families such as HotCroissant and Xctdoor.
While JelusRAT is developed in C++ and can retrieve plugins from its C2 server, StarshellRAT is built in C# and supports command execution, file uploads/downloads, and screenshot captures. GopherRAT, crafted using Golang, offers functionalities to execute commands or binaries, exfiltrate files, and enumerate the file system.
According to WithSecure researcher Mohammad Kazem Hassan Nejad, “The objectives and targeting of these campaigns have evolved; some aimed for financial gain, while others sought to acquire information aligned with the regime’s priority intelligence needs. This adaptability highlights the group’s flexibility in supporting broader strategic goals as priorities shift over time.”