The KONNI APT group, a threat actor historically aligned with North Korean interests, has launched a sophisticated new phishing campaign that marks a significant shift in both targeting and tradecraft. Security researchers at Check Point Research (CPR) have uncovered an operation aimed squarely at software developers and engineering teams, using an AI-generated PowerShell backdoor to infiltrate high-value networks.
The campaign, which targets the APAC region, including Japan, Australia, and India, represents a departure from KONNI’s traditional focus on South Korean diplomatic and government entities.
The attack vector is precision-engineered for tech professionals. Victims are lured with documents masquerading as legitimate project materials for blockchain and cryptocurrency initiatives. “The attackers use lure content designed to look like legitimate project documentation, often tied to blockchain and crypto initiatives,” the report explains.
These documents, such as Credential_Verification_System.docx, contain detailed technical specs, development roadmaps, and even budget milestones to establish credibility. The goal is clear: to “compromise development environments, thereby obtaining access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings”.
Perhaps the most alarming discovery is the tool used to maintain access. The researchers found a PowerShell backdoor that appears to have been written with the help of a large language model rather than by a human operator.
“The PowerShell backdoor strongly indicates AI-assisted development rather than traditional operator-authored malware,” the report notes.
The script features an “unusually polished structure” and human-readable documentation that is “atypical for commodity or APT-authored PowerShell implants”. But the smoking gun was a comment embedded directly in the code: # <- your permanent project UUID.
“This phrasing is highly characteristic of LLM-generated code, where the model explicitly instructs a human user on how to customize a placeholder value,” CPR researchers observed.
The attack begins with a Discord-hosted link that downloads a malicious ZIP file. This archive contains a weaponized shortcut (LNK) file that triggers a multi-stage infection process:

- Extraction: The LNK extracts a hidden CAB archive containing the payload.
- Staging: A batch script moves the malware to a staging directory in C:\ProgramData.
- Persistence: The malware creates a scheduled task disguised as a “OneDrive Startup Task” to run the backdoor hourly.
- UAC Bypass: If the backdoor finds itself running without elevation, it uses the well-known “fodhelper” UAC bypass to elevate silently, with no consent prompt. One caveat the report’s wording glosses over: fodhelper abuses an auto-elevating Windows binary, so it only yields high integrity when the logged-on account is already a member of the local Administrators group; it cannot turn a genuinely standard user into an administrator.
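The infection chain above leaves three host artifacts a responder can check for directly: the decoy scheduled task, the registry hijack that the fodhelper technique depends on, and scripts staged under C:\ProgramData. The triage script below is an added example written for this article, not code from the CPR report or from the malware. The task name “OneDrive Startup Task” and the ProgramData staging location come from the article; the HKCU ms-settings registry key is the generic fodhelper mechanism, not a value the report quotes; the ProgramData subfolder is not named in the article, so the whole tree is searched, and the seven-day window is an arbitrary choice.

```powershell
# Added host triage for the KONNI-style LNK -> CAB -> scheduled task -> fodhelper chain.
# Run in an elevated PowerShell session on the suspect Windows host.
# Assumptions: task name from the article; fodhelper registry path is the generic
# technique (not quoted by the report); ProgramData subfolder unknown, so the whole
# tree is searched; the 7-day window is an arbitrary choice.

$findings = @()

# 1. Scheduled tasks: the decoy name, plus any task whose action launches
#    PowerShell or a script from ProgramData (where the batch stager drops files).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $cmd  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
    if ($task.TaskName -like '*OneDrive Startup Task*' -or
        $cmd -match '(?i)powershell.*ProgramData|ProgramData\\.*\.(ps1|bat|cmd)') {
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Detail = "$($task.TaskPath)$($task.TaskName) [repeat=$interval] -> $cmd"
        }
    }
}

# 2. fodhelper UAC bypass: fodhelper.exe (auto-elevated) resolves the ms-settings
#    protocol handler through HKCU before HKCR. A clean host never has this key,
#    so its mere presence is a finding; DelegateExecute set to empty is the
#    classic tell.
$fod = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
if (Test-Path $fod) {
    $p = Get-ItemProperty -Path $fod
    $findings += [pscustomobject]@{
        Type   = 'FodhelperHijack'
        Detail = "default='$($p.'(default)')' DelegateExecutePresent=$($null -ne $p.DelegateExecute)"
    }
}

# 3. Staging: script or CAB files written under C:\ProgramData recently.
Get-ChildItem -Path 'C:\ProgramData' -Recurse -Include *.ps1,*.bat,*.cmd,*.cab -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'StagedFile'
            Detail = "$($_.FullName) (written $($_.LastWriteTime))"
        }
    }

if ($findings.Count -eq 0) {
    'No KONNI-style persistence or UAC-bypass artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Treat any hit on the registry key as high confidence: nothing legitimate populates an ms-settings handler under HKCU, and the key is typically deleted by the attacker after elevation, so finding it still present usually means the bypass was interrupted or the tooling was sloppy. Task and file hits need a second look, since ProgramData does host legitimate scripts.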
This campaign signals that KONNI is evolving. By combining their “proven delivery methods and social engineering” with “AI-assisted tooling,” the group is accelerating its development cycle while expanding its target list.
“This operation illustrates how a mature threat actor can maintain stable intrusion workflows while adapting both its targeting and tooling,” the report concludes. Developers working in the blockchain space should be on high alert for unsolicited project proposals, especially those hosted on external file-sharing services.