The North Korea-linked threat actor known as Konni has used artificial intelligence (AI) generated PowerShell malware to attack engineering and development teams and developers working in the blockchain industry. The phishing campaign, identified by Check Point Research, has targeted individuals in Japan, Australia, and India, a larger geographic footprint than the group's previously established focus on South Korea, Ukraine, Russia, and Europe. Check Point Research indicated that the group has been active since at least 2014 and is also referred to as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.

The phishing campaign uses ZIP files that contain either PDF decoys or malicious LNK shortcuts. When the LNK shortcut is executed, the PowerShell loader starts a multi-stage infection process that includes scheduled tasks for persistence, a UAC bypass, disabling Microsoft Defender to suppress detection, system profiling, and finally deployment of the legitimate Remote Monitoring and Management (RMM) tool SimpleHelp for long-term remote access to the environment.
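As an added example (not code from the article or from Check Point Research), the following Python script correlates the stages of the chain described above across constructed process-creation log lines, so that a host showing several stages together is flagged rather than each event alone. The log format, the stage heuristics, and the sample entries are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed process-creation log format (an assumption, not a real product schema):
#   <timestamp> host=<name> parent=<image> image=<image> cmd=<command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) "
    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# Stages of the described chain as illustrative heuristics over "parent|image|cmd".
# These are assumptions for this example, not indicators published by the researchers.
# LNK shortcuts are opened by explorer.exe, so the loader appears as a hidden PowerShell child of it.
STAGES = [
    ("lnk_launch", re.compile(r"^explorer\.exe\|powershell\.exe\|.*(-enc|-w(indowstyle)? hidden)", re.I)),
    ("persistence", re.compile(r"\|schtasks\.exe\|.*/create", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\s.*-Disable", re.I)),
    ("rmm_deploy", re.compile(r"simplehelp", re.I)),
]
MIN_STAGES = 3  # alert when at least three of the four stages appear on one host

def parse(line):
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def correlate(lines):
    """Map each host to the ordered, de-duplicated list of chain stages observed."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        key = f"{rec['parent']}|{rec['image']}|{rec['cmd']}"
        for name, pat in STAGES:
            if pat.search(key) and name not in seen[rec["host"]]:
                seen[rec["host"]].append(name)
    return dict(seen)

def alerts(lines, min_stages=MIN_STAGES):
    """Hosts on which at least min_stages stages of the chain were observed."""
    return sorted(h for h, s in correlate(lines).items() if len(s) >= min_stages)

# Constructed sample: WS01 shows the full chain, WS02 only a benign scheduled task.
SAMPLE_LOG = r"""
2025-01-01T09:00:01Z host=WS01 parent=explorer.exe image=powershell.exe cmd=powershell.exe -w hidden -File C:\Users\Public\loader.ps1
2025-01-01T09:00:05Z host=WS01 parent=powershell.exe image=schtasks.exe cmd=schtasks.exe /create /sc minute /tn Updater /tr C:\Users\Public\u.ps1
2025-01-01T09:00:09Z host=WS01 parent=powershell.exe image=powershell.exe cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2025-01-01T09:01:30Z host=WS01 parent=powershell.exe image=SimpleHelp-installer.exe cmd=SimpleHelp-installer.exe /S
2025-01-01T10:12:00Z host=WS02 parent=cmd.exe image=schtasks.exe cmd=schtasks.exe /create /sc daily /tn Backup /tr backup.bat
""".strip().splitlines()

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
    print(alerts(SAMPLE_LOG))  # ['WS01']
```

In production the heuristics would be tuned per environment; the point is that a single host exhibiting several of these stages together is far more telling than any one event in isolation.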
According to the security researchers who analyzed the PowerShell backdoor, it shows clear signs of AI-assisted development: a modular design, human-readable documentation, and structured source code comments, none of which are common in traditional Advanced Persistent Threat (APT) tooling.

The group has previously been tied to a number of Android-targeted phishing campaigns, as well as the abuse of both Google's and Naver's advertising platforms for phishing. It has also been tied to phishing operations impersonating human rights and financial organizations. Other North Korea-based threat actors have been observed using AI-generated lures, LNK file delivery, and supply chain compromise to deliver Remote Access Trojans (RATs) and backdoors.
The Konni campaign illustrates how AI is speeding up malware development and giving attackers operational consistency when targeting development environments. A compromised development environment offers the opportunity to reach multiple projects through downstream compromise, increasing the potential impact of a single intrusion.