AhnLab SEcurity Intelligence Center (ASEC) has uncovered a new malware distribution campaign compromising the website of a major South Korean VPN provider—marking the latest incident in an attack series stretching back to 2023. The threat actor, tracked as Larva-24010, has once again weaponized a trojanized VPN installer to deliver multiple backdoors, including the newly identified NKNShell, an advanced Go-based implant using blockchain-style networking and IoT messaging protocols for command-and-control operations.
The attack begins when users download the VPN installer directly from the compromised website. The VPN download page appears normal, but the downloaded ZIP archive secretly contains a malicious installer.
ASEC explains, “When the downloaded archive is extracted and executed, the legitimate VPN installation proceeds while simultaneously using PowerShell to download and execute a PowerShell script.”
This bundled script deploys multiple payloads:
- NKNShell
- MeshAgent (custom builds with attacker PDB paths)
- gs-netcat
- Optionally SQLMap malware, depending on attacker configuration
The trojan installer is written in Go and signed with a fraudulent NVIDIA certificate. It contains virtual machine detection based on code from GoDefender. The installer launches a PowerShell console designed to bypass AMSI—ensuring payloads execute without security inspection.

The first downloader script, sql-auto.ps1, contains unusual comments that ASEC believes were generated by AI: “Evidence suggests the attacker used generative AI to create the malware… including the PowerShell scripts.” It attempts to disable Windows Defender, bypass AMSI using Null-AMSI, and retrieve further payloads.
The second script, install.ps1, disables ETW, registers a malicious WMI filter for persistence, and includes 15 UAC bypass techniques, although none were actually used.
The standout malware in this campaign is NKNShell, a Go-based backdoor with hybrid P2P and MQTT C&C channels.
ASEC describes: “The malware installed and executed under the name PX.exe is a backdoor… named NKNShell… notable for using NKN and MQTT protocols for communication with its C&C server.”
NKN (New Kind of Network) is a decentralized, blockchain-inspired P2P protocol. MQTT is a lightweight IoT messaging protocol typically used by smart devices.
NKNShell:
- Generates a unique NKN ID
- Connects to seed nodes
- Sends host information to attacker-controlled addresses
- Also connects to MQTT brokers such as:
  - broker.emqx.io:1833
  - broker.hivemq.com:1833
  - broker.mqtt.cool:1833
  - broker.mosquitto.org:1833
ASEC notes, “Any attacker subscribed to that topic can later retrieve detailed information about the compromised system.”
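Because the brokers above are public services rather than attacker infrastructure, the practical detection point for defenders is egress: a workstation that has no IoT role should not be opening TCP sessions to them. The script below is an added example written for this article (it is not ASEC's tooling) that triages outbound connection records for exactly that. The log line format is constructed for the demo; the hostnames and port 1833 come from the report, while the standard MQTT ports 1883 and 8883 are added as an assumption so a client using the usual ports is also caught.

```python
"""Triage outbound connection logs for the public MQTT brokers named in the
ASEC report.  Added example, not ASEC's or AhnLab's code.  The log format is
constructed for this demo and must be adapted to a real proxy/firewall export.
"""
import re
from collections import defaultdict

# Broker hostnames exactly as listed in the report.
KNOWN_BROKERS = {
    "broker.emqx.io",
    "broker.hivemq.com",
    "broker.mqtt.cool",
    "broker.mosquitto.org",
}

# 1833 is the port given in the report; 1883 (plain MQTT) and 8883 (MQTT over
# TLS) are the IANA-registered ports and are added here as an assumption.
MQTT_PORTS = {1833, 1883, 8883}

# Constructed key=value log format: timestamp, source host, destination, port,
# protocol and firewall verdict.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["dst"] = rec["dst"].lower().rstrip(".")  # normalise FQDN casing / trailing dot
    return rec


def classify(rec):
    """Return a reason string if the record looks like MQTT C&C traffic, else None.

    A blocked ("deny") connection is still reported: the attempt itself is the
    evidence that an MQTT client is running on the host.
    """
    if rec["proto"] != "tcp":  # MQTT runs over TCP; ignore UDP noise
        return None
    if rec["dst"] in KNOWN_BROKERS:
        return "known public MQTT broker from report"
    if rec["dport"] in MQTT_PORTS:
        # Lower confidence: an internal IoT broker is a legitimate reason for
        # this, so the analyst should check the destination's ownership.
        return "MQTT port to unlisted destination"
    return None


def triage(lines):
    """Group suspicious records by source host.

    Returns {host: [(dst, dport, reason), ...]} for hosts with at least one hit.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits[rec["host"]].append((rec["dst"], rec["dport"], reason))
    return dict(hits)


# Constructed sample export: two workstations reaching public brokers, one
# internal MQTT server, one clean host, and one malformed line.
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z host=WS-042 dst=broker.emqx.io dport=1833 proto=tcp action=allow",
    "2025-01-10T09:12:03Z host=WS-042 dst=broker.hivemq.com dport=1833 proto=tcp action=allow",
    "2025-01-10T09:12:05Z host=WS-042 dst=update.example.com dport=443 proto=tcp action=allow",
    "2025-01-10T09:13:10Z host=WS-107 dst=broker.mosquitto.org dport=1883 proto=tcp action=deny",
    "2025-01-10T09:13:12Z host=WS-107 dst=mqtt.internal.example dport=8883 proto=tcp action=allow",
    "2025-01-10T09:14:00Z host=WS-200 dst=mail.example.com dport=993 proto=tcp action=allow",
    "2025-01-10T09:14:30Z host=WS-200 dst=192.0.2.10 dport=1883 proto=udp action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, records in sorted(triage(SAMPLE_LOG).items()):
        print(host)
        for dst, dport, reason in records:
            print(f"  {dst}:{dport}  <- {reason}")
```

The two-tier classification is deliberate: a hit on one of the report's broker hostnames is high confidence, while a generic MQTT-port match is a lead to be checked against an inventory of sanctioned brokers rather than an alert on its own. Hostname matching assumes the export records the resolved name; if it only carries IP addresses, the same check should be run against DNS query logs instead.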
Massive Backdoor Command Set
NKNShell supports an unusually large toolkit, including:
- File upload/download
- Shellcode execution
- Token theft
- Remote proxy
- DLL sideloading
- DDoS attack commands
- Session cloning
- Full PowerShell and Python execution
- Process injection
- Screenshot capture
The attackers also deploy customized versions of MeshAgent, a remote management tool frequently abused by threat actors. The PDB paths embedded in the binaries expose details of the attackers' development environment and match those seen in older campaigns.
The gs-netcat implant further enables encrypted remote shells across the Global Socket Relay Network. The script sets persistence via a scheduled task named “Windows Linux System.”
Although the SQLMap component is commented out in the script, ASEC confirmed that it was used in real operations. SQLMap is an automated SQL injection scanner, suggesting the threat actor may be exploiting vulnerable servers from compromised user machines.
The attacker has consistently targeted South Korean VPN providers for at least three years: “Since at least 2023, the Larva-24010 threat actor has been targeting Korean VPN users to spread malware.”
ASEC warns that NKNShell and its PowerShell components show increasing sophistication—partly enabled by generative AI usage.