KONNI Adopts AI to Generate PowerShell Backdoors

Check Point Research identified a KONNI-linked phishing campaign targeting blockchain developers across the APAC region that uses Discord-hosted lures and weaponized LNK shortcuts to deploy a multi-stage infection chain. The operation deploys an AI-generated, obfuscated PowerShell backdoor, leverages UAC bypass and scheduled-task persistence, and communicates with a PHP-based C2 protected by a JavaScript/AES challenge. #KONNI #SimpleHelp

Keypoints

  • Check Point Research attributes an ongoing phishing campaign to the North Korea–aligned KONNI group, noting overlaps with historical KONNI artifacts and tradecraft.
  • The campaign targets software developers and engineering teams involved with blockchain and crypto projects using lure documents presented as legitimate project materials.
  • Initial delivery begins with a Discord-hosted link that downloads a ZIP containing a PDF lure and a weaponized LNK shortcut that launches an embedded PowerShell loader.
  • The attackers deploy an AI-assisted, heavily obfuscated PowerShell backdoor that performs anti-analysis checks, single-instance enforcement, system fingerprinting, and remote tasking via a PHP-based C2.
  • Persistence and privilege escalation are achieved via scheduled tasks disguised as OneDrive startup tasks and a fodhelper UAC bypass combined with a small registry-modifying executable (rKXujm.exe).
  • Infrastructure and artifacts include multiple file hashes (ZIP/LNK/CAB/scripts/executables), hosting domains and IPs used for downloads and C2, and earlier variants that used OneDriveUpdater.exe and SimpleHelp for interactive access.

MITRE Techniques

  • [T1566] Phishing – Initial access via phishing lures and hosted links. (‘CPR is tracking a phishing campaign linked to a North Korea–aligned threat actor known as KONNI.’)
  • [T1105] Ingress Tool Transfer – Downloading secondary components and payloads from attacker-controlled servers. (‘The infection chain starts with a Discord-hosted link that downloads a ZIP archive via an unknown vector.’)
  • [T1204] User Execution – Use of weaponized LNK shortcuts to execute embedded loaders. (‘The LNK launches an embedded PowerShell loader which extracts two additional files…’)
  • [T1059.001] PowerShell – Execution and in-memory interpretation of a malicious PowerShell backdoor using IEX. (‘…iex $c’ and ‘Invoke-Expression cmdlet’)
  • [T1027] Obfuscated Files or Information – Heavy obfuscation via arithmetic-based character encoding to hide strings and logic. (‘The PowerShell backdoor is heavily obfuscated using arithmetic-based character encoding.’)
  • [T1548.003] Bypass User Account Control – Abusing fodhelper to elevate privileges by modifying registry handlers. (‘The backdoor uses fodhelper UAC bypass to elevate privileges… creates a custom handler in HKCU\Software\Classes…’)
  • [T1053.005] Scheduled Task/Job – Creating and modifying scheduled tasks for persistence disguised as legitimate OneDrive tasks. (‘schtasks /create /sc hourly … /tn “OneDrive Startup Task-…”’)
  • [T1082] System Information Discovery – Fingerprinting systems via WMI queries for motherboard serial and system UUID to build host identifiers. (‘It fingerprints the system by querying WMI for the motherboard serial number and the system UUID.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications using HTTP GET/POST to a PHP-based endpoint and handling server-provided tokens. (‘This script … sends system info via HTTP GET every 13 minutes.’ / ‘PHP-based C2 endpoint.’)
  • [T1112] Modify Registry – Changing registry keys to redirect protocol handlers and disable UAC prompts and adding Windows Defender exclusions. (‘…modifying registry keys under HKCU\Software\Classes …’ / ‘adds a Windows Defender exclusion for C:\ProgramData’)
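A host-telemetry hunt for the persistence, UAC-bypass and Defender-exclusion artifacts listed above, as an added example that is not Check Point's code: the records are a constructed, simplified Sysmon-like shape, and the ms-settings handler subkey is assumed from the publicly documented fodhelper technique (the page names only HKCU\Software\Classes).

```python
import re

# Patterns for the artifacts described in the techniques above. The ms-settings
# subkey is assumed from the public fodhelper technique (page names only HKCU\Software\Classes).
SCHTASK_RE = re.compile(r'schtasks(\.exe)?\s+/create\b.*/tn\s+"?OneDrive Startup Task-', re.I)
POWERSHELL_RE = re.compile(r'\b(powershell|pwsh)(\.exe)?\b', re.I)
MS_SETTINGS_SUBKEY = r"\software\classes\ms-settings\shell\open\command"      # assumed
DEFENDER_EXCL_SUBKEY = r"\software\microsoft\windows defender\exclusions\paths"
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")

def check_event(ev):
    """Return a list of finding strings for one normalised telemetry record."""
    findings = []
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if SCHTASK_RE.search(cmd) and POWERSHELL_RE.search(cmd):
            findings.append("OneDrive-named scheduled task runs PowerShell")
        if parent.endswith("\\fodhelper.exe") and image.endswith(SCRIPT_HOSTS):
            findings.append("fodhelper.exe spawned a script host (UAC bypass)")
    elif ev.get("type") == "registry":
        key = ev.get("key", "").lower()
        value = ev.get("value_name", "").lower().rstrip("\\")
        if key.startswith(("hkcu\\", "hkey_current_user\\")) and MS_SETTINGS_SUBKEY in key:
            findings.append("ms-settings handler registered under HKCU (fodhelper bypass)")
        if DEFENDER_EXCL_SUBKEY in key and value == r"c:\programdata":
            findings.append("Defender exclusion added for C:\\ProgramData")
    return findings

def hunt(events):
    """Run every record through check_event; return (record index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample telemetry (not captured data): four suspicious records, one benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /sc hourly /tn "OneDrive Startup Task-7F3A" '
                r'/tr "powershell -w hidden -f C:\ProgramData\upd.ps1" /f'},
    {"type": "registry", "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "value_name": "DelegateExecute"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "cmd.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value_name": r"C:\ProgramData"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first four records and leaves the ordinary backup task untouched.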

Indicators of Compromise

  • [File Hash – ZIP] ZIP archives observed as initial payload containers – c79ef37866b2dff0afb9ca07b4a7c381ba0b201341f969269971398b69ade5d5, c040756802a217abf077b2f14effb1ed68e36165fde660fef8ff0cfa2856f25d, and 3 more hashes
  • [File Hash – LNK] Weaponized shortcut artifacts used for execution – 39fdff2ea1a5e2b6151eccc89ca6d2df33b64e09145768442cec93a578f1760c, 26356e12aae0a2ab1fd0ec15d49208603d3dd1041d50a0b153ab577319797715, and 5 more hashes
  • [File Hash – CAB] CAB archives extracted from LNK containing payloads – de75afa15029283154cf379bc9bb7459cbcd548ff9d11efe24eb2fde7552af07, 8647209127d998774179aa889d2fcc664153d73557e2cca5f29c261c48dd8772
  • [File Hash – Scripts] Malicious scripts used for staging and execution – b958d4d6ce65d1c081800fc14e558c34daff3b28cdd45323d05b8d40c4146c3c, b15f95d0f269bc1edce0e07635681d7dd478c0daa82c6bfd50c551435eba10ff, and other script hashes
  • [File Hash – Executable] Dropped executables (UAC bypass/utilities) – f8e86693916be2178b948418228d116a8f73c7856e11c1f4470b8c413268c6c8, 64e6a852fc2e4d3e357222692eefbf445c2bd9ba654b83e64fe9913f2bb115cc, and 1 more
  • [File Names] Notable filenames observed in the chain – OneDriveUpdater.exe, rKXujm.exe, uc.exe (used for UAC bypass or to deploy SimpleHelp/remote access)
  • [Domains] Hosting and infrastructure domains used for file hosting/C2 – filetrasfer.wuaze[.]com, goldenftp.rf[.]gd, and 4 other domains
  • [IP Addresses] Infrastructure IPs observed in samples and C2 listings – 46.4.112[.]56, 34.203.111[.]164, and 3 more IPs


Read more: https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/