North Korea-Linked Konni Group Uses AI-Generated PowerShell Malware Against Blockchain Sector

Cybersecurity researchers have observed the North Korea-linked threat actor known as Konni deploying PowerShell-based malware that appears to have been generated with the assistance of artificial intelligence tools, marking a notable shift in its operational techniques. According to findings published by Check Point Research, the campaign has targeted developers and engineering teams working in the blockchain sector across Japan, Australia, and India, reflecting an expansion beyond the group’s traditional focus on South Korea, Russia, Ukraine, and several European countries. Konni has been active since at least 2014 and is tracked under multiple aliases including Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia. The group is historically associated with long-running intelligence collection operations aligned with North Korean strategic interests.

Recent activity indicates a steady escalation in both scope and sophistication. In November 2025, Genians Security Center reported that Konni had begun targeting Android devices by abusing Google’s asset-tracking service Find Hub to remotely reset compromised devices and wipe personal data, signaling an aggressive evolution in tradecraft. More recently, the group has been distributing spear-phishing emails containing malicious links disguised as legitimate advertising URLs linked to Google and Naver advertising platforms. This technique was used to evade security controls and deliver a remote access trojan known as EndRAT. Genians Security Center codenamed this campaign Operation Poseidon, noting that the attackers impersonated North Korean human rights organizations and South Korean financial institutions. Improperly secured WordPress websites were used both to host malicious payloads and to serve as command-and-control infrastructure, blending malicious traffic with routine web activity.

Analysis of the phishing messages shows that recipients were lured with emails crafted as financial notifications such as transaction confirmations or wire transfer requests. These messages directed victims to download ZIP archives hosted on WordPress sites. Each archive contained a Windows shortcut file designed to execute an AutoIt script disguised as a PDF document. This script deployed EndRAT, also known as EndClient RAT, a malware family long associated with Konni operations. Researchers concluded that the campaign successfully bypassed email filtering and user awareness by exploiting the redirection structure of legitimate advertising tracking domains such as ad.doubleclick.net, which incrementally routed users to attacker-controlled infrastructure hosting the malicious files.
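The redirection trick described above works because a mail filter that only scores the visible domain (here, a well-known ad-tracking host) never sees the final destination. The following Python snippet is an added example written for this article, not code from Check Point, Genians, or the campaign itself: it unwraps URLs nested inside a link's query string, walks the chain to the final hop, and flags the cases a defender cares about (a final hop outside the tracking domain, an archive download, a WordPress upload path). The query-parameter name, the `.test` hostnames, and the sample link are constructed for illustration; real ad platforms use their own parameter names, so in production you would feed in the ones your mail gateway actually observes.

```python
from urllib.parse import parse_qsl, unquote, urlparse

# Tracking domains whose redirects are expected (ad.doubleclick.net is named in the
# article; the others are illustrative placeholders, not confirmed infrastructure).
KNOWN_TRACKERS = ("ad.doubleclick.net",)


def _embedded_urls(url):
    """Yield absolute URLs carried as query-string values of `url` (one level deep)."""
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = unquote(value)  # tolerate double-encoded destinations
        if candidate.lower().startswith(("http://", "https://")):
            yield candidate


def unwrap_redirect_chain(url, max_depth=5):
    """Return the list of hops from the visible link to the last embedded URL."""
    chain, current = [url], url
    for _ in range(max_depth):
        nested = next(_embedded_urls(current), None)
        if nested is None:
            break
        chain.append(nested)
        current = nested
    return chain


def chain_hosts(url):
    """Hostnames along the unwrapped chain, in order, for logging and triage."""
    return [(urlparse(hop).hostname or "").lower() for hop in unwrap_redirect_chain(url)]


def assess_link(url, known_trackers=KNOWN_TRACKERS,
                archive_suffixes=(".zip", ".rar", ".7z", ".iso", ".lnk")):
    """Return (chain, reasons). An empty reasons list means nothing stood out."""
    chain = unwrap_redirect_chain(url)
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    path = final.path.lower()
    reasons = []
    if len(chain) > 1 and not any(host == t or host.endswith("." + t) for t in known_trackers):
        reasons.append(f"redirects off the tracking domain to {host}")
    if path.endswith(archive_suffixes):
        reasons.append(f"final hop fetches an archive: {final.path}")
    if "/wp-content/" in path:
        reasons.append("final hop is a WordPress upload path")
    return chain, reasons


# Constructed sample links (not real campaign indicators).
LURE = ("https://ad.doubleclick.net/ddm/clk/example?x=1"
        "&url=https%3A%2F%2Fcompromised-blog.test%2Fwp-content%2Fuploads%2Ftransfer-confirmation.zip")
PLAIN_AD = "https://ad.doubleclick.net/ddm/clk/example?x=1"

if __name__ == "__main__":
    for link in (LURE, PLAIN_AD):
        chain, reasons = assess_link(link)
        print(" -> ".join(chain_hosts(link)), "|", reasons or "clean")
```

Leaving a known tracking domain is normal for advertising links, so that first reason is only a weak signal on its own; it becomes actionable when combined with an archive suffix or an upload directory on the final hop, which is exactly the pattern the article describes.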

Check Point Research documented a parallel campaign that leverages ZIP files masquerading as project requirement documents and hosted on Discord’s content delivery network. These archives contain a decoy PDF and a malicious shortcut file that launches an embedded PowerShell loader. The loader extracts additional components including a Word lure document and a cabinet archive, displaying the document as a distraction. The extracted payloads include a PowerShell backdoor, batch scripts, and an executable used for User Account Control (UAC) bypass. The malware establishes persistence via scheduled tasks, performs extensive anti-analysis and sandbox evasion checks, profiles infected systems, and attempts privilege escalation using the FodHelper technique. It then modifies Microsoft Defender exclusions, replaces scheduled tasks to run with elevated privileges, and deploys SimpleHelp, a legitimate remote monitoring and management tool, to maintain persistent access. Communication with the command-and-control server is protected by an encryption gate designed to block non-browser traffic while allowing the exfiltration of host metadata and execution of remote PowerShell commands.
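Each stage in the chain just described leaves a distinct endpoint artifact, and the value for a detection team is in correlating several of them on one host rather than alerting on any single one. The following Python snippet is an added example for this article, not code from Check Point or the malware: it runs a small set of stage rules (hidden or encoded PowerShell spawned from the shell, an elevated scheduled task, a Defender exclusion change, FodHelper abuse, an RMM install) over constructed Sysmon-style process and registry events and raises an alert when a host trips a threshold of distinct stages. The event schema, host names, file paths, and the SimpleHelp binary location are assumptions made for the example; the `ms-settings` registry path is the well-known location FodHelper detections key on and is not taken from the article.

```python
import re


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _rule_hidden_powershell(e):
    # Shortcut-launched loaders typically show as explorer.exe -> powershell.exe
    # with a hidden window or an encoded command.
    return (e["type"] == "process"
            and _base(e.get("parent", "")) == "explorer.exe"
            and _base(e["image"]) == "powershell.exe"
            and re.search(r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s",
                          e.get("cmdline", ""), re.I) is not None)


def _rule_elevated_task(e):
    # schtasks /create with highest run level or a SYSTEM run-as account.
    cmd = e.get("cmdline", "")
    return (e["type"] == "process" and _base(e["image"]) == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I) is not None
            and re.search(r"/rl\s+highest|/ru\s+\"?(?:nt authority\\)?system", cmd, re.I) is not None)


def _rule_defender_exclusion(e):
    return (e["type"] == "process"
            and re.search(r"(?:add|set)-mppreference.*-exclusion(?:path|process|extension)",
                          e.get("cmdline", ""), re.I) is not None)


def _rule_fodhelper(e):
    # Either the hijacked protocol-handler key is written, or fodhelper.exe
    # (which normally spawns nothing) gets a child process.
    if e["type"] == "registry":
        return r"\software\classes\ms-settings\shell\open\command" in e.get("target", "").lower()
    return e["type"] == "process" and _base(e.get("parent", "")) == "fodhelper.exe"


def _rule_rmm_install(e):
    # Assumption: match on the product name in the image path. A production rule
    # would use the vendor's signed binary names instead.
    return e["type"] == "process" and "simplehelp" in e["image"].lower()


STAGE_RULES = {
    "hidden_powershell_from_shell": _rule_hidden_powershell,
    "elevated_scheduled_task": _rule_elevated_task,
    "defender_exclusion_added": _rule_defender_exclusion,
    "fodhelper_uac_bypass": _rule_fodhelper,
    "rmm_tool_installed": _rule_rmm_install,
}


def stage_hits(events):
    """Map host -> set of stage names observed for that host."""
    hits = {}
    for e in events:
        for stage, rule in STAGE_RULES.items():
            if rule(e):
                hits.setdefault(e["host"], set()).add(stage)
    return hits


def alert_hosts(events, min_stages=3):
    """Hosts that tripped at least `min_stages` distinct stages, sorted."""
    return sorted(h for h, s in stage_hits(events).items() if len(s) >= min_stages)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events (not taken from the report): DEV-WS01 shows the chain,
# DEV-WS02 shows ordinary developer activity that must not alert.
SAMPLE_EVENTS = [
    {"host": "DEV-WS01", "type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"host": "DEV-WS01", "type": "process", "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SystemUpdate" /tr "powershell.exe -w hidden -File C:\Users\Public\u.ps1" /sc minute /mo 5 /rl highest /f'},
    {"host": "DEV-WS01", "type": "process", "parent": PS, "image": PS,
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"host": "DEV-WS01", "type": "registry", "image": PS,
     "target": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"host": "DEV-WS01", "type": "process", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\elevate.bat"},
    {"host": "DEV-WS01", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe", "cmdline": "Remote Access.exe"},
    {"host": "DEV-WS02", "type": "process", "parent": r"C:\Program Files\Code\Code.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File .\build.ps1"},
    {"host": "DEV-WS02", "type": "process", "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "NightlyBuild" /tr "C:\dev\build.cmd" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    for host, stages in stage_hits(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

The threshold is the important design choice: a developer workstation will legitimately run PowerShell from an editor or register a build task, so each rule alone is noisy, but three or more of these stages on one host within a short window is a strong match for the loader-to-RMM progression the article describes.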

Researchers noted indicators that the PowerShell backdoor was created with the assistance of AI tools, citing its modular design, structured documentation, and human-readable source code comments. Check Point assessed that the campaign’s objective was not limited to individual users but focused on gaining footholds in development environments, where access could enable broader downstream compromise across multiple projects and services. These findings align with the discovery of several other North Korea-linked campaigns involving remote access tools, supply chain compromises, and diverse malware families. According to WithSecure, Konni-aligned activity has demonstrated shifting objectives over time, ranging from financial operations to intelligence gathering tied to changing strategic priorities, underscoring the group’s adaptability and sustained threat to global organizations.
