#KONNI

Daniel Kuhl ✌🏻☮️☕️ daniel1820815@infosec.exchange
2026-01-28

#CheckPoint Research identified an ongoing #phishing campaign associated with #KONNI, a North Korean–linked threat actor active since at least 2014. The campaign targets software developers and engineering teams across the Asia-Pacific region, including Japan, Australia, and India, using blockchain-themed lures to prompt interaction and deliver malicious content. In observed activity, the threat actor deploys AI-generated #PowerShell #backdoors.

research.checkpoint.com/2026/k

2026-01-25

AI-Generated Malware Targets Blockchain Sector

The threat group Konni is targeting blockchain developers and engineers
using AI generated malware delivered through social engineering.

Pulse ID: 697556980d7cb28d19682fd8
Pulse Link: otx.alienvault.com/pulse/69755
Pulse Author: cryptocti
Created: 2026-01-24 23:32:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #InfoSec #Konni #Malware #OTX #OpenThreatExchange #RAT #SocialEngineering #bot #developers #cryptocti

2026-01-23

KONNI Adopts AI to Generate PowerShell Backdoors

Pulse ID: 6972f6c4cf85ed8ad3923afb
Pulse Link: otx.alienvault.com/pulse/6972f
Pulse Author: Tr1sa111
Created: 2026-01-23 04:19:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Konni #OTX #OpenThreatExchange #PowerShell #RAT #bot #Tr1sa111

2026-01-22

KONNI Adopts AI to Generate PowerShell Backdoors

A North Korea-linked threat actor known as KONNI has been observed conducting a phishing campaign targeting software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of countries in the APAC region. The infection chain begins with a Discord-hosted link downloading a ZIP archive containing a PDF lure and a malicious LNK file. The LNK file deploys additional components, including the AI-generated PowerShell backdoor. The backdoor employs various anti-analysis techniques and establishes persistence through scheduled tasks. This campaign demonstrates KONNI's evolution in tactics and tooling, including the adoption of AI-assisted malware development.

Pulse ID: 69726ae65cfcf0a192c03c35
Pulse Link: otx.alienvault.com/pulse/69726
Pulse Author: AlienVault
Created: 2026-01-22 18:22:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #BackDoor #BlockChain #CyberSecurity #Discord #ICS #InfoSec #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #RAT #ZIP #bot #developers #AlienVault

CyberNetsecIO netsecio
2026-01-20

📰 North Korean 'Konni' APT Weaponizes Google Ads to Deliver EndRAT Malware

North Korean APT 'Konni' is weaponizing Google Ads URLs in 'Operation Poseidon' to bypass security and deliver the EndRAT malware. The attack uses clever evasion techniques to beat AI filters. ⚠️

🔗 cyber.netsecops.io/articles/no

2026-01-19

Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms

Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group. The attackers exploit Google Ads redirection mechanisms to bypass security filters and user awareness. They compromise poorly secured WordPress sites for malware distribution and C2 infrastructure. The campaign uses social engineering tactics, impersonating North Korean human rights organizations and financial institutions. Malware is delivered through LNK files disguised as PDF documents, executing AutoIt scripts that load EndRAT variants. The attackers employ advanced evasion techniques, including email content padding and abuse of legitimate advertising URLs. The campaign demonstrates evolving tactics and infrastructure reuse consistent with previous Konni activities.

Pulse ID: 696d289962926b96a6584416
Pulse Link: otx.alienvault.com/pulse/696d2
Pulse Author: AlienVault
Created: 2026-01-18 18:38:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #CyberSecurity #DRat #Email #Google #GoogleAds #ICS #InfoSec #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #PDF #Phishing #RAT #RDP #SMS #SocialEngineering #SpearPhishing #Word #Wordpress #bot #AlienVault

2025-11-12

North Korea-linked #KONNI hackers used KakaoTalk and Google Find Hub to spy on victims and remotely wipe #Android devices in a targeted phishing campaign.

Read: hackread.com/hackers-kakaotalk

#CyberSecurity #NorthKorea #SouthKorea #Spyware #KakaoTalk

2025-11-11

State-Sponsored Remote Wipe Tactics Targeting Android Devices
#Konni
genians.co.kr/en/blog/threat_i

2025-11-11

North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.

thedefendopsdiaries.com/konni-

#konni
#apt37
#cyberespionage
#androidsecurity
#googlefindhub
#malware
#northkorea
#spearphishing
#infosec

2025-07-21

"Malware created by Konni, a hacking group of the main enemy North Korea: 자금출처명세서.lnk (2025.5.28)" published by Sakai. #Konni, #LNK, #DPRK, #CTI wezard4u.tistory.com/429544

2025-07-07

"Malware presumed to have been created by North Korea's Konni, targeting Woori Bank users: WooriCard_20231108.html.lnk (2025.5.19)" published by Sakai. #Konni, #LNK, #DPRK, #CTI wezard4u.tistory.com/429529

2025-06-17

"May 2025 APT Group Trends" published by Ahnlab. #Konni, #TA-RedAnt, #DPRK, #CTI asec.ahnlab.com/en/88473/

2025-05-30

"Malware made by the North Korean hacking group Konni: 가상자산 관련 외부평가위원 위촉 안내.hwp (2025.5.2)" published by Sakai. #Konni, #LNK, #DPRK, #CTI wezard4u.tistory.com/429498

2025-05-26

"Malware from North Korea's Konni disguised as a KB Kookmin Bank foreign exchange transaction explanatory materials submission form: 소명자료 제출 안내서 (2025.5.13)" published by Sakai. #Konni, #LNK, #DPRK, #CTI wezard4u.tistory.com/429495

2025-05-20

"April 2025 APT Group Trends Report" published by Ahnlab. #Konni, #Lazarus, #SyncHole, #Trend, #DPRK, #CTI asec.ahnlab.com/ko/87992/
