
Konni Hackers Target Blockchain Developers with AI-Generated PowerShell Backdoor

  • Jan 26

Key Findings:


  • The North Korean threat actor Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector.

  • The phishing campaign has targeted Japan, Australia, and India, showing that the group's targeting scope has expanded beyond South Korea, Russia, Ukraine, and European nations.

  • Konni, also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has been active since at least 2014 and is primarily known for targeting organizations and individuals in South Korea.

  • In November 2025, the Genians Security Center (GSC) detailed the hacking group's targeting of Android devices by exploiting Google's asset tracking service, Find Hub, to remotely reset victim devices and erase personal data.

  • Konni has been observed distributing spear-phishing emails containing malicious links disguised as harmless advertising URLs associated with Google and Naver's advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT.


Background


Konni, the North Korean threat actor, has been active since at least 2014 and is primarily known for targeting organizations and individuals in South Korea. The group has also been tracked under the names Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.


In November 2025, the Genians Security Center (GSC) detailed the hacking group's targeting of Android devices by exploiting Google's asset tracking service, Find Hub, to remotely reset victim devices and erase personal data from them, signaling a new escalation of their tradecraft.


Phishing Campaign Targets Blockchain Developers


The latest campaign documented by Check Point Research leverages the use of AI-generated PowerShell malware to target developers and engineering teams in the blockchain sector. The phishing campaign has been observed targeting victims in Japan, Australia, and India, indicating an expansion of the group's targeting scope beyond its traditional focus on South Korea, Russia, Ukraine, and European nations.


Delivery Mechanisms and Malware Capabilities


The campaign uses spear-phishing emails containing malicious links disguised as harmless advertising URLs associated with Google and Naver's advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT.


The email messages impersonate financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) that's designed to execute an AutoIt script disguised as a PDF document. The AutoIt script is a known Konni malware called EndRAT (aka EndClient RAT).
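The lure layout described above (a decoy document bundled with a Windows shortcut, or a payload wearing a document extension) is something a mail gateway or an analyst's triage script can check for before anyone opens the archive. The following is an added example written for this summary, not code from the report or from any of the cited sources. It inspects a ZIP in memory, recognises LNK content by its fixed header (HeaderSize 0x4C followed by the Shell Link CLSID) rather than trusting the extension, flags double extensions such as `.pdf.lnk`, and reports when a document decoy sits next to executable content. The extension lists and the two sample archives are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List

# Shell Link (LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions that run code when double-clicked (assumed list for this example).
ACTIVE_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".au3"}
# Extensions attackers borrow to make a payload look like a document.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _parts(name: str) -> List[str]:
    """Lower-case file name of an archive entry, split on dots."""
    return name.rsplit("/", 1)[-1].lower().split(".")


def inspect_archive(data: bytes) -> Dict[str, object]:
    """Return the entries of a ZIP plus findings that indicate a lure-plus-shortcut bundle."""
    findings: List[str] = []
    names: List[str] = []
    has_decoy = False
    has_active = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            names.append(info.filename)
            parts = _parts(info.filename)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            is_lnk = head == LNK_HEADER  # content check, independent of the extension
            if is_lnk or ext == ".lnk":
                has_active = True
                label = "shortcut (LNK)" if ext == ".lnk" else "LNK content hidden behind another extension"
                findings.append(f"{info.filename}: {label}")
            elif ext in ACTIVE_EXTS:
                has_active = True
                findings.append(f"{info.filename}: executable/script entry")
            elif ext in DECOY_EXTS:
                has_decoy = True
            # e.g. 'Invoice.pdf.lnk': a document extension placed right before an active one
            if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS and ext in ACTIVE_EXTS:
                findings.append(f"{info.filename}: double extension masquerading as .{parts[-2]}")
    if has_decoy and has_active:
        findings.append("decoy document bundled with executable content (typical lure layout)")
    return {"files": names, "findings": findings, "suspicious": bool(findings)}


def _build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name->content mapping (used only for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure layout like the one described (decoy PDF + LNK) and a clean archive.
LURE_ZIP = _build_zip({
    "Project_Requirements.pdf": b"%PDF-1.4\n% constructed decoy, not a real document\n",
    "Project_Requirements.pdf.lnk": LNK_HEADER + b"\x00" * 60,
})
CLEAN_ZIP = _build_zip({"README.txt": b"hello\n", "design.pdf": b"%PDF-1.4\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("clean", CLEAN_ZIP)):
        print(label, inspect_archive(blob))
```

The content check matters more than the extension check: a shortcut renamed to `.txt` still carries the LNK header, and Windows still honours it once it is given back its real extension, so the header is what a gateway should key on.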


The latest campaign leverages ZIP files mimicking project-requirements-themed documents, hosted on Discord's content delivery network (CDN), to unleash a multi-stage attack chain that performs the following sequence of actions:


  • The ZIP archive contains a PDF decoy and an LNK file

  • The shortcut file launches an embedded PowerShell loader which extracts two additional files, a Microsoft Word lure document and a CAB archive

  • The shortcut file extracts the contents of the CAB archive, which contains a PowerShell Backdoor, two batch scripts, and an executable used for User Account Control (UAC) bypass

  • The PowerShell backdoor carries out a string of anti-analysis and sandbox-evasion checks, profiles the system, and attempts to elevate privileges using the FodHelper UAC bypass technique

  • The backdoor proceeds to drop SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, for persistent remote access and communicates with a C2 server that's safeguarded by an encryption gate
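Each step of the chain above leaves a distinct process-creation event, and the stages are far more telling in combination than alone. The following detection logic is an added example written for this summary (not the researchers' code and not a published rule): it classifies Sysmon-style process events into the four observable stages (a shortcut launching a hidden PowerShell loader, a script host extracting a CAB, fodhelper.exe spawning a child, and a script host starting the SimpleHelp agent) and raises an alert per host once two or more distinct stages line up. The PowerShell switches used as loader markers, the SimpleHelp file name and every event in the sample are constructed assumptions; the report does not list them.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional


def _base(path: str) -> str:
    """Lower-case file name of a Windows path, whichever separator the log used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# PowerShell switches commonly seen on script loaders started from a shortcut
# (assumed markers for this example; the page does not list the loader's switches).
LOADER_SWITCHES = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b|e(?:p|xecutionpolicy)\s+bypass)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one process-creation event to a stage of the described chain, or None."""
    image = _base(event["image"])
    parent = _base(event["parent_image"])
    cmdline = event.get("cmdline", "")
    # Stage 1: Explorer is the parent when a shortcut runs; a hidden PowerShell child is the loader.
    if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and LOADER_SWITCHES.search(cmdline):
        return "shortcut_launched_hidden_powershell"
    # Stage 2: the loader unpacks the CAB archive with a built-in extractor.
    if image in {"expand.exe", "extrac32.exe"} and parent in SCRIPT_HOSTS:
        return "script_extracted_cab"
    # Stage 3: fodhelper.exe normally spawns nothing; any child process is the UAC-bypass tell.
    if parent == "fodhelper.exe":
        return "fodhelper_spawned_child"
    # Stage 4: a script host starting the SimpleHelp agent (legitimate RMM, attacker-installed here).
    if "simplehelp" in image and parent in SCRIPT_HOSTS:
        return "script_started_simplehelp"
    return None


def correlate(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group stage hits per host and alert when two or more distinct stages line up."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stages = per_host[ev["host"]]  # touching the key registers quiet hosts too
        stage = classify(ev)
        if stage and stage not in stages:
            stages.append(stage)
    return {h: {"stages": s, "alert": len(s) >= 2} for h, s in per_host.items()}


# Constructed Sysmon-style events; hosts, paths and file names are illustrative, not from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2026-01-26T09:00:01", "host": "WS01", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -w hidden -ep bypass -File C:\Users\dev\AppData\Local\Temp\loader.ps1"},
    {"ts": "2026-01-26T09:00:03", "host": "WS01", "parent_image": PS, "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Users\dev\AppData\Local\Temp\pkg.cab -F:* C:\Users\dev\AppData\Local\Temp\out"},
    {"ts": "2026-01-26T09:00:07", "host": "WS01", "parent_image": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\dev\AppData\Local\Temp\out\run.bat"},
    {"ts": "2026-01-26T09:00:20", "host": "WS01", "parent_image": PS,
     "image": r"C:\ProgramData\SimpleHelpAgent\simplehelp-remote-access.exe", "cmdline": "simplehelp-remote-access.exe"},
    # WS02: a user opens PowerShell from the Start menu and Windows launches fodhelper.exe normally.
    {"ts": "2026-01-26T09:05:00", "host": "WS02", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe"},
    {"ts": "2026-01-26T09:06:00", "host": "WS02", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
]

if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Stage 3 is the one worth deploying on its own as well: a child of fodhelper.exe is rare enough on a managed fleet to alert on directly, whereas stage 1 and stage 4 are noisy in isolation and earn their keep through the correlation.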


AI-Assisted Malware Development


Researchers have noted clear signs of AI-assisted code generation in the malware's documentation and structure, suggesting an effort to accelerate development and standardize the code while continuing to rely on proven delivery methods and social engineering tactics.


Sources


  • https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html

  • https://bingx.com/pt-br/news/post/north-korean-konni-hackers-use-ai-generated-powershell-malware-to-target-blockchain-engineers

  • https://www.bleepingcomputer.com/news/security/konni-hackers-target-blockchain-engineers-with-ai-built-malware/

  • https://www.bitget.com/amp/news/detail/12560605167162

© 2025 by Explain IT Again