The North Korean-linked hacking group known as Konni (also tracked as Opal Sleet and TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector, according to new Check Point research.
Active since at least 2014, Konni is believed to be associated with the APT37 and Kimsuky clusters. The group has previously targeted organizations across South Korea, Russia, Ukraine, and multiple European countries.
Check Point researchers say the group’s latest campaign is focused on the Asia-Pacific region, with malware samples submitted from Japan, Australia, and India. The attack chain begins with a Discord-hosted link that delivers a ZIP archive containing a PDF lure and a malicious Windows shortcut (LNK). When opened, the shortcut launches an embedded PowerShell loader that drops a DOCX lure and a CAB file containing a PowerShell backdoor, batch scripts, and a UAC bypass tool.
The malware establishes persistence via a scheduled task disguised as a OneDrive startup process, decrypts and executes its payload entirely in memory, and then removes traces of the initial infection. Researchers noted that the PowerShell backdoor is heavily obfuscated and appears to have been developed using AI tools, as evidenced by its structured documentation, modular design, and unusual developer comments. Once active, the backdoor profiles the host, communicates with command-and-control (C&C) servers at randomized intervals, and executes received PowerShell code asynchronously.
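Two of the behaviours described above are easy to hunt for in endpoint telemetry: a PowerShell loader spawned directly by explorer.exe when a shortcut is double-clicked, and a scheduled task that borrows the OneDrive name but runs something other than the OneDrive binary. The following is an added illustration and not code from Check Point or from the report; it runs both heuristics over a handful of constructed records shaped loosely like Sysmon process-creation and scheduled-task registration events. The field names, the sample paths, and the list of "known good" OneDrive directories are assumptions for illustration, not indicators from the campaign.

```python
"""Hunting heuristics for a Konni-style LNK -> PowerShell -> scheduled-task chain.

Added example (not the vendor's code). Record layouts and sample values below are
constructed for illustration; the directory allow-list is an assumption.
"""
from dataclasses import dataclass

# Flags commonly seen on loaders launched from a shortcut (assumed heuristic list).
SUSPICIOUS_PS_FLAGS = (
    "-encodedcommand", "-enc ", "-windowstyle hidden",
    "-executionpolicy bypass", "-noprofile", "-nop ",
)

# Where the genuine OneDrive client lives on a typical install (assumption).
LEGIT_ONEDRIVE_DIRS = (
    "\\microsoft\\onedrive\\",
    "\\program files\\microsoft onedrive\\",
    "\\program files (x86)\\microsoft onedrive\\",
)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class TaskEvent:
    task_name: str
    action: str  # the command the task executes


def lnk_launched_powershell(ev: ProcessEvent) -> bool:
    """True when powershell/pwsh is spawned straight from explorer.exe with
    hidden/encoded flags, the shape a double-clicked LNK loader usually has."""
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    if not parent.endswith("\\explorer.exe"):
        return False
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    return any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS)


def onedrive_impostor_task(ev: TaskEvent) -> bool:
    """True when a task calls itself OneDrive but its action is not a OneDrive
    executable located inside one of the allow-listed directories."""
    name = ev.task_name.lower()
    action = ev.action.lower()
    if "onedrive" not in name:
        return False
    for d in LEGIT_ONEDRIVE_DIRS:
        idx = action.find(d)
        if idx >= 0 and action[idx + len(d):].startswith("onedrive"):
            return False  # genuine client binary in a genuine location
    return True


def hunt(proc_events, task_events) -> dict:
    """Run both heuristics and return the matching records."""
    return {
        "lnk_loaders": [e for e in proc_events if lnk_launched_powershell(e)],
        "impostor_tasks": [e for e in task_events if onedrive_impostor_task(e)],
    }


# Constructed sample telemetry (not real indicators).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROC_EVENTS = [
    # shortcut-launched loader: explorer -> hidden, policy-bypassing PowerShell
    ProcessEvent(r"C:\Windows\explorer.exe", PS_PATH,
                 r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\dev\AppData\Local\Temp\stage.ps1"),
    # an analyst opening an interactive console from the Start menu
    ProcessEvent(r"C:\Windows\explorer.exe", PS_PATH, "powershell.exe"),
    # an editor's integrated terminal: same flags, but not an explorer child
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\Code.exe", PS_PATH,
                 "powershell.exe -NoProfile -ExecutionPolicy Bypass"),
]
TASK_EVENTS = [
    # the real updater task registered by the OneDrive client
    TaskEvent(r"\OneDrive Standalone Update Task",
              r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    # a look-alike name whose action is a script host under a user-writable path
    TaskEvent(r"\OneDrive Startup",
              r"powershell.exe -WindowStyle Hidden -File C:\Users\dev\AppData\Roaming\updater\run.ps1"),
]

if __name__ == "__main__":
    for kind, hits in hunt(PROC_EVENTS, TASK_EVENTS).items():
        print(kind, len(hits))
```

Both rules are deliberately narrow so they stay quiet on ordinary developer activity: the process rule only fires on an explorer.exe parent plus a stealth flag, and the task rule lets the genuine OneDrive updater through while still catching a task that merely reuses the name. In practice the allow-list and flag set would be tuned to the fleet's own baseline.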
Check Point attributes the campaign to Konni based on overlaps in launcher formats, lure filenames, script naming, and execution chains seen in earlier operations.
Earlier this month, cybersecurity firm Genians reported that Konni has been abusing online advertising infrastructure operated by Google and South Korea’s Naver to distribute malware.