The North Korean hacker group Konni (Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector.
Believed to be associated with APT37 and Kimsuky activity clusters, Konni has been active since at least 2014 and has been seen targeting organizations in South Korea, Russia, Ukraine, and various countries in Europe.
Based on samples analyzed by Check Point researchers, the threat actor’s latest campaign focuses on targets in the Asia-Pacific region, as the malware was submitted from Japan, Australia, and India.
The attack begins with the victim receiving a Discord-hosted link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file.
The LNK runs an embedded PowerShell loader that extracts a DOCX document and a CAB archive containing a PowerShell backdoor, two batch files, and a UAC bypass executable.
Launching the shortcut file causes the DOCX to open and to execute one batch file included in the cabinet file.
The lure used in the phishing attack
Source: Check Point
The lure DOCX document suggests that the hackers want to compromise development environments, which could provide them “access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings.”
The first batch file creates a staging directory for the backdoor and the second batch file, and creates an hourly scheduled task masquerading as a OneDrive startup task.
This task reads an XOR-encrypted PowerShell script from disk and decrypts it for in-memory execution. Finally, it deletes itself to wipe the signs of infection.
Latest infection chain
Source: Check Point
AI-generated backdoor
The PowerShell backdoor itself is heavily obfuscated using arithmetic-based string encoding, runtime string reconstruction, and execution of the final logic via ‘Invoke-Expression.’
The researchers say that the PowerShell malware “strongly indicates AI-assisted development rather than traditional operator-authored malware.”
The evidence leading to this conclusion includes the clear, structured documentation at the top of the script, which is unusual for malware development; its modular, clean layout; and the presence of a “#
