North Korea's Konni APT Deploys AI-Built Malware Against Devs
Check Point uncovers Konni campaign using AI-generated PowerShell backdoors to target blockchain developers across Asia-Pacific. Marks shift from diplomatic espionage.
North Korean threat group Konni is deploying AI-generated PowerShell malware in an active campaign targeting blockchain developers across the Asia-Pacific region. Check Point Research published findings this week documenting the operation, which marks a significant departure from the group's historical focus on South Korean diplomatic and government targets.
The campaign reflects broader shifts in North Korean cyber operations—cryptocurrency theft now rivals traditional espionage as a priority, and threat actors are adopting AI tools to accelerate malware development.
A New Target Set
Konni, also tracked as Opal Sleet and TA406, has operated since at least 2014. The group historically targeted South Korean academics, government officials, and diplomatic personnel using geopolitically themed phishing lures.
This campaign breaks that pattern. Check Point observed Konni targeting software developers and engineering teams, particularly those working on blockchain and cryptocurrency projects. The geographic scope has expanded beyond the Korean peninsula to include Japan, Australia, and India.
The shift makes strategic sense. Compromising a developer's machine can yield access to code repositories, cloud infrastructure credentials, API keys, and cryptocurrency wallet files. A single compromised developer provides a foothold that traditional diplomatic targets rarely offer.
The Attack Chain
Konni delivers initial payloads through Discord—specifically, ZIP archives containing a PDF lure document and a Windows shortcut file (.LNK).
When the victim opens the LNK file, it executes an embedded PowerShell loader that:
- Extracts XOR-encoded DOCX and CAB files using a single-byte key
- Opens the DOCX lure to distract the victim
- Unpacks the CAB archive containing the backdoor, batch files, and a UAC bypass executable
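Recovering the two payloads from a captured LNK follows directly from those steps. The Python below is an added example written for this article, not Check Point's tooling or code from the loader itself; it assumes only what the text states: the embedded blobs are XOR-encoded with one repeated byte and decode to a DOCX (an OOXML ZIP container, which begins with PK\x03\x04) and a CAB (which begins with MSCF). Because the key is a single byte and both formats have fixed leading bytes, the key falls out of the first byte of either blob and the other blob cross-checks it. The sample blobs are constructed, not from the campaign.

```python
"""Recover a single-byte XOR key from LNK-embedded DOCX/CAB blobs and decode them.

Added example for this article (not Check Point's or the loader's code). It
assumes, as the article states, one repeated XOR byte over each blob, and
relies on the fixed leading bytes of the two container formats.
"""
from __future__ import annotations

import hashlib

# Known leading bytes of the container formats the loader drops.
MAGIC = {
    "docx": b"PK\x03\x04",   # DOCX is a ZIP container
    "cab": b"MSCF",          # Microsoft Cabinet archive
}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, kind: str) -> int | None:
    """Return the key that maps the blob's leading bytes onto the expected magic.

    The candidate key is read off the first byte, then verified against the
    whole magic so a blob of another format, or one encoded with a multi-byte
    key, is rejected (None) instead of producing garbage.
    """
    magic = MAGIC[kind]
    if len(blob) < len(magic):
        return None
    key = blob[0] ^ magic[0]
    return key if xor_single_byte(blob[: len(magic)], key) == magic else None


def decode_payloads(docx_blob: bytes, cab_blob: bytes) -> dict:
    """Recover the key from both blobs, require agreement, decode and hash them.

    SHA-256 of the decoded files is what you would compare against published
    IOCs or submit for sharing.
    """
    k_docx = recover_key(docx_blob, "docx")
    k_cab = recover_key(cab_blob, "cab")
    if k_docx is None or k_cab is None:
        raise ValueError("no single-byte key yields the expected magic bytes")
    if k_docx != k_cab:
        raise ValueError(f"key mismatch: docx={k_docx:#04x} cab={k_cab:#04x}")
    docx = xor_single_byte(docx_blob, k_docx)
    cab = xor_single_byte(cab_blob, k_cab)
    return {
        "key": k_docx,
        "docx": docx,
        "cab": cab,
        "docx_sha256": hashlib.sha256(docx).hexdigest(),
        "cab_sha256": hashlib.sha256(cab).hexdigest(),
    }


# Constructed sample blobs (not campaign samples): a DOCX-like and a CAB-like
# header plus filler, encoded with the hypothetical key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_DOCX = xor_single_byte(b"PK\x03\x04\x14\x00\x06\x00" + b"word/document.xml", SAMPLE_KEY)
SAMPLE_CAB = xor_single_byte(b"MSCF" + b"\x00" * 4 + b"\x00\x01\x00\x00", SAMPLE_KEY)


if __name__ == "__main__":
    result = decode_payloads(SAMPLE_DOCX, SAMPLE_CAB)
    print(f"key=0x{result['key']:02x}")
    print("docx:", result["docx"][:4], result["docx_sha256"])
    print("cab: ", result["cab"][:4], result["cab_sha256"])
```

On a real sample the two blobs come from the LNK's appended data at the offsets the loader's PowerShell references; the same two checks (key agreement, magic verification) tell you quickly whether the loader variant still uses a single-byte key or has moved to something longer.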
The lure documents are crafted to appeal to developers—structured project proposals, technical architecture specifications, development milestones. These aren't hastily constructed phishing attempts. They mirror legitimate software collaboration documents.
Persistence comes through a scheduled task disguised as "OneDrive Startup Task" that executes the main backdoor hourly.
AI Fingerprints in the Code
The PowerShell backdoor shows clear signs of AI-assisted development. Check Point identified several tells:
The script opens with a comment block explaining its purpose: "This script ensures that only one instance of this UUID-based project runs at a time. It sends system info via HTTP GET every 13 minutes." Real malware authors rarely document their work.
Instructional comments appear throughout, including the phrase "# <-- your permanent project UUID", which is characteristic of LLM-generated code meant to guide a user through customization.
The code structure itself is unusually polished, with well-defined logical sections and consistent formatting that reflects modern software engineering conventions rather than typical ad-hoc malware development.
None of this makes the malware less dangerous. AI-generated code functions identically to hand-crafted code once deployed.
Backdoor Capabilities
The backdoor implements comprehensive anti-analysis measures:
- Hardware threshold checks that treat under-resourced hosts as sandboxes and stop execution
- Scans for analysis tools including IDA, Wireshark, and Procmon
- Monitors mouse activity, terminating if minimum interaction thresholds aren't met
For system identification, the backdoor fingerprints machines using WMI to extract motherboard serial numbers and UUIDs, then creates unique identifiers via SHA-256 hashing.
Privilege escalation follows two paths. At user level, the malware uses the fodhelper UAC bypass technique. With admin access, it modifies registry keys to disable User Account Control entirely.
The C2 hosts sit behind an anti-bot gate. Rather than being blocked by it, the backdoor solves the gate's JavaScript challenge programmatically to obtain a session cookie, then transmits host metadata and executes the PowerShell commands the server returns.
Indicators of Compromise
Check Point published SHA-256 hashes for the ZIP and LNK samples:
ZIP archives:
- c79ef37866b2dff0afb9ca07b4a7c381ba0b201341f969269971398b69ade5d5
- c040756802a217abf077b2f14effb1ed68e36165fde660fef8ff0cfa2856f25d
- f619d63aa8d09bafb13c812bf60f2b9189a8dc696c7cef2f246c6b223222e94c
Command and control domains:
- filetrasfer.wuaze[.]com
- goldenftp.rf[.]gd
- plaza.xo[.]je
- gabber.42web[.]io
- humimianserver.kesug[.]com
- drone.ct[.]ws
The campaign overlaps with infrastructure observed in October 2025, suggesting sustained operational tempo.
Why This Matters
This campaign adds to evidence that North Korean cyber operations increasingly prioritize financial targets over traditional intelligence collection. The Lazarus group's ClickFix campaign used similar developer-targeted tactics with fake job interview lures.
AI-generated malware represents an emerging trend worth monitoring. While the technique doesn't fundamentally change what malware can do, it accelerates development cycles and potentially lowers the skill barrier for threat actors.
Organizations with blockchain or cryptocurrency development teams should review these IOCs and consider enhanced monitoring for PowerShell execution, especially scheduled tasks with unusual names. Developer endpoints warrant additional scrutiny given their access to sensitive credentials and infrastructure.
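The host-side traces described in the attack chain, a scheduled task named after OneDrive that runs the backdoor hourly and the two UAC paths (fodhelper at user level, registry changes that switch UAC off with admin rights), are the kind of thing that monitoring should surface. The Python below is an added example for this article, not Check Point's detection content or anything quoted from the report. It assumes task creation is logged as Windows Security event 4698 (whose TaskContent field carries the task XML) and registry writes as Sysmon event 13, and it uses the standard registry indicators for the techniques named: the ms-settings\Shell\Open\command key that fodhelper.exe consults, and the EnableLUA policy value that disables UAC. All events are constructed.

```python
"""Triage constructed Windows events for the campaign's host-side traces.

Added example for this article, not Check Point's detection logic. Assumed
telemetry shapes: Security 4698 (task created, XML in TaskContent) and Sysmon
13 (registry value set). The fodhelper key path and EnableLUA are the standard
indicators for the techniques the article names, not values from the report.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Product names borrowed for disguise, and the binaries a genuine task with
# that name would run. A name/binary mismatch is the signal, not the name.
MASQUERADE_NAMES = {"onedrive": ("onedrive.exe", "onedrivestandaloneupdater.exe")}
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")

# fodhelper.exe (auto-elevated) reads this per-user key; writing it is the bypass.
FODHELPER_RE = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command\\", re.I)
# EnableLUA = 0 turns UAC off machine-wide (takes effect at next logon/reboot).
ENABLELUA_RE = re.compile(r"\\policies\\system\\enablelua$", re.I)


def check_task(event: dict) -> list[str]:
    """4698: product-named task running the wrong binary, or a repeating script host."""
    findings = []
    root = ET.fromstring(event["TaskContent"])
    cmd_el = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    command = (cmd_el.text or "").strip().lower() if cmd_el is not None else ""
    exe = command.replace('"', "").split("\\")[-1]
    name = event["TaskName"].lower()
    for token, legit in MASQUERADE_NAMES.items():
        if token in name and exe not in legit:
            findings.append(f"task '{event['TaskName']}' masquerades as {token} but runs {exe}")
    if exe in SCRIPT_HOSTS:
        interval_el = root.find(".//t:Triggers//t:Repetition/t:Interval", TASK_NS)
        if interval_el is not None:
            findings.append(f"script host {exe} scheduled to repeat every {interval_el.text}")
    return findings


def check_registry(event: dict) -> list[str]:
    """Sysmon 13: fodhelper hijack key written, or EnableLUA set to zero."""
    target, details = event["TargetObject"], event.get("Details", "")
    findings = []
    if FODHELPER_RE.search(target):
        findings.append(f"fodhelper UAC bypass: write to {target}")
    if ENABLELUA_RE.search(target) and re.fullmatch(r"DWORD \(0x0+\)", details):
        findings.append("UAC disabled: EnableLUA set to 0")
    return findings


def triage(events: list[dict]) -> list[str]:
    """Route each event to the matching check and collect all findings."""
    out: list[str] = []
    for ev in events:
        if ev["EventID"] == 4698:
            out.extend(check_task(ev))
        elif ev["EventID"] == 13:
            out.extend(check_registry(ev))
    return out


# Constructed task XML (hypothetical paths), shaped like a 4698 TaskContent field.
MALICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2026-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\run.ps1</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe</Command>
    <Arguments>/background</Arguments></Exec></Actions>
</Task>"""

# Constructed events, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\OneDrive Startup Task", "TaskContent": MALICIOUS_TASK_XML},
    {"EventID": 4698, "TaskName": "\\OneDrive Standalone Update Task", "TaskContent": BENIGN_TASK_XML},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute", "Details": ""},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The task check deliberately keys on the mismatch between a trusted product name and the binary actually launched, rather than on the literal string "OneDrive Startup Task", so a renamed variant still triggers; the genuine OneDrive task in the sample produces no finding. Auditing of task creation (4698) is off by default on most Windows builds and has to be enabled through the Object Access / Other Object Access Events audit policy for this to have anything to read.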
For background on North Korean cyber operations structure and history, our guide to Lazarus and DPRK threat groups provides additional context on how these campaigns fit into broader state objectives.
Related Articles
FBI Warns Kimsuky Using QR Codes to Steal Credentials
North Korean APT embeds malicious QR codes in spear-phishing emails to bypass corporate email security and compromise mobile devices.
Jan 12, 2026

Lazarus Weaponizes Fake Job Interviews With ClickFix Malware
North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.
Jan 7, 2026

RedKitten Malware Targets Iranian Protest Documenters
French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.
Jan 31, 2026

Google Dismantles IPIDEA Proxy Network Used by 550+ APTs
Google Threat Intelligence Group disrupts one of the world's largest residential proxy networks, cutting off infrastructure used by nation-state actors from China, Russia, Iran, and North Korea.
Jan 31, 2026