LmCast :: Stay tuned in

Konni hackers target blockchain engineers with AI-built malware

Recorded: Jan. 24, 2026, 7 p.m.


Konni hackers target blockchain engineers with AI-built malware

By Bill Toulas
January 24, 2026, 10:23 AM

The North Korean hacker group Konni (Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector.
Believed to be associated with APT37 and Kimsuky activity clusters, Konni has been active since at least 2014 and has been seen targeting organizations in South Korea, Russia, Ukraine, and various countries in Europe.
Based on samples analyzed by Check Point researchers, the threat actor's latest campaign focuses on targets in the Asia-Pacific region: the malware samples were submitted from Japan, Australia, and India.

The attack begins with the victim receiving a Discord-hosted link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file.
The LNK runs an embedded PowerShell loader that extracts a DOCX document and a CAB archive containing a PowerShell backdoor, two batch files, and a UAC bypass executable.
Launching the shortcut opens the DOCX as a decoy and executes one of the batch files from the cabinet archive.

Figure: The lure used in the phishing attack (Source: Check Point)
The lure DOCX document suggests that the hackers want to compromise development environments, which could provide them "access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings."
The first batch file creates a staging directory for the backdoor and the second batch file, then registers an hourly scheduled task that masquerades as a OneDrive startup task.
This task reads an XOR-encrypted PowerShell script from disk and decrypts it for in-memory execution. Finally, it deletes itself to wipe the signs of infection.

Figure: Latest infection chain (Source: Check Point)
AI-generated backdoor
The PowerShell backdoor itself is heavily obfuscated using arithmetic-based string encoding, runtime string reconstruction, and execution of the final logic via ‘Invoke-Expression.’
The researchers say that the PowerShell malware "strongly indicates AI-assisted development rather than traditional operator-authored malware."
The evidence leading to this conclusion includes the clear, structured documentation at the top of the script, which is unusual for malware development; its modular, clean layout; and the presence of a “# <– your permanent project UUID” comment.

Figure: The exposing string (Source: Check Point)
"This phrasing is highly characteristic of LLM-generated code, where the model explicitly instructs a human user on how to customize a placeholder value," explains Check Point.
"Such comments are commonly observed in AI-produced scripts and tutorials."
Before execution, the malware performs hardware, software, and user activity checks to ensure it is not running in analysis environments, and then generates a unique host ID.
Next, depending on what execution privileges it has on the compromised host, it follows a separate path of action as shown in the following diagram.

Figure: Privilege-based action diagram (Source: Check Point)
Once the backdoor is fully running on the infected device, it periodically contacts the command-and-control (C2) server to send basic host metadata and polls the server at randomized intervals.
If the C2 response contains PowerShell code, the backdoor turns it into a script block and executes it asynchronously via background jobs.
Check Point attributes these attacks to the Konni threat actor based on earlier launcher formats, lure filename and script name overlaps, and commonalities in the execution chain structure with earlier attacks.
The researchers have published indicators of compromise (IoCs) associated with this recent campaign to help defenders protect their assets.
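As an added defender-side example (not code from the article or from Check Point), the following Python scans constructed Sysmon-style process-creation records for the three stages described above: the LNK-launched hidden PowerShell loader, the hourly OneDrive-lookalike scheduled task, and the XOR-decrypt-then-Invoke-Expression step. The task name, file paths and command lines are assumptions built for the sample and are not indicators from the campaign.

```python
import re

# Constructed Sysmon-style process-creation records mirroring the stages in the article;
# task name, paths and command lines are placeholders, not campaign IoCs.
SAMPLE_EVENTS = [
    # Stage 1: LNK opened from the ZIP; Explorer spawns a hidden, encoded PowerShell loader.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand UwB0AGEAZwBlAC0AMQ=="},
    # Stage 2: batch file registers an hourly task posing as a OneDrive startup task.
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /Create /SC HOURLY /TN "OneDrive Startup Task" '
            '/TR "powershell.exe -w hidden -f C:\\Users\\Public\\stage\\run.ps1" /F'},
    # Stage 3: the task XOR-decrypts the script on disk and hands it to Invoke-Expression.
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c \"$b=[IO.File]::ReadAllBytes('C:\\Users\\Public\\stage\\p.dat');"
            "$s=-join($b|%{[char]($_ -bxor 0x5A)});IEX $s\""},
    # Benign control: the real OneDrive client starting normally must not fire any rule.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "cmd": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'},
]

def _is(path, exe):
    return path.lower().endswith(exe)

# One rule per feature of the chain; all three must be tuned to local baselines.
RULES = [
    # Explorer (an LNK double-click) launching hidden or encoded PowerShell.
    ("lnk_powershell_loader", lambda e: _is(e["parent"], "explorer.exe")
        and _is(e["image"], "powershell.exe")
        and re.search(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)", e["cmd"], re.I)),
    # Hourly task with a OneDrive-like name whose action is PowerShell; Microsoft's genuine
    # OneDrive update task runs an OneDrive binary, so it does not match.
    ("onedrive_lookalike_hourly_task", lambda e: _is(e["image"], "schtasks.exe")
        and re.search(r"/sc\s+hourly", e["cmd"], re.I)
        and re.search(r"onedrive.*powershell", e["cmd"], re.I)),
    # XOR decode feeding IEX/Invoke-Expression: script decrypted and run in memory.
    ("xor_decrypt_in_memory_iex", lambda e: _is(e["image"], "powershell.exe")
        and re.search(r"-bxor", e["cmd"], re.I)
        and re.search(r"\b(iex|invoke-expression)\b", e["cmd"], re.I)),
]

def scan(events):
    """Return (rule_name, command_line) for every rule each event matches."""
    hits = []
    for e in events:
        for name, matches in RULES:
            if matches(e):
                hits.append((name, e["cmd"]))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags exactly the three staged records and leaves the genuine OneDrive launch untouched; in production the rules would be fed from an EDR or Sysmon Event ID 1 export rather than inline dictionaries.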


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Konni, a North Korean hacker group associated with APT37 and Kimsuky, is utilizing AI-generated PowerShell malware in a recent campaign targeting blockchain engineers. The group, also tracked as Opal Sleet and TA406, has been active since at least 2014 and has previously targeted organizations in South Korea, Russia, Ukraine, and across Europe. This latest campaign, with samples submitted from Japan, Australia, and India, demonstrates a significant shift in development tactics, strongly suggesting AI assistance.

The attack begins with a phishing message carrying a Discord-hosted link to a ZIP archive that contains a PDF lure and a malicious LNK shortcut file. Opening the shortcut initiates the malware's sequence: the LNK triggers an embedded PowerShell loader that extracts a DOCX document and a CAB archive. The CAB contains a PowerShell backdoor, two batch files, and a UAC bypass executable, giving the attackers a way to escalate privileges on compromised systems.

Crucially, the malware exhibits characteristics strongly indicative of AI-assisted development. Check Point researchers pinpointed this through several key markers. Firstly, the script’s clear, structured documentation, uncommon in traditional malware development, is a telling sign. Secondly, the script’s modular, clean layout reflects a deliberate design process often associated with AI-generated code. Finally, the presence of a comment – "# <– your permanent project UUID” – is a hallmark of AI-produced scripts and tutorials, where the model explicitly instructs the user to customize a placeholder.

Once launched, the PowerShell backdoor performs hardware, software, and user activity checks to avoid detection in analysis environments before establishing a unique host ID. The malware then dynamically adapts its execution path based on available privileges, communicating periodically with a command-and-control (C2) server. If the C2 responds with PowerShell code, the backdoor executes it asynchronously through background jobs, showcasing a sophisticated level of obfuscation and dynamic behavior.

The backdoor sends basic host metadata to the C2 server and polls it at randomized intervals, adding another layer of complexity to evade detection. This dynamic communication strategy, combined with the AI-influenced design, suggests a concerted effort by Konni to maintain operational security and minimize the risk of attribution.

Check Point has published indicators of compromise (IoCs) associated with this campaign to assist defenders in mitigating the threat. The group's operational approach, leveraging AI-generated code, represents a concerning trend in cybercrime, potentially lowering the barrier to entry for sophisticated attacks and demanding a shift in defense strategies. The evolution of malware development, coupled with the attackers' resourcefulness, necessitates continuous monitoring, proactive threat hunting, and robust security controls for blockchain-related infrastructure.