Konni Uses AI-Generated PowerShell Malware to Target Blockchain Devs

Eng. Donya Bino Published  ·  4 min read

The North Korean threat actor known as Konni has been linked to a new phishing campaign that uses AI-generated PowerShell malware to compromise developers and engineering teams working in the blockchain sector.

According to Check Point Research, the campaign targets organizations in Japan, Australia, and India, marking a clear expansion beyond Konni’s traditional focus on South Korea, Russia, Ukraine, and parts of Europe.

Active since at least 2014, Konni, also tracked under names such as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has a long history of intelligence-driven operations. Its earlier espionage campaigns focused primarily on South Korean national interests; recent activity shows a wider variety of espionage targets and a higher degree of technical development.

From Mobile Wiping to AI-Assisted Malware
In late 2025, researchers identified Konni using Google’s Find Hub to perform remote resets and remote wipes of Android devices, a clear step up in the group’s capabilities. More recently, the group ran Operation Poseidon, in which it impersonated North Korean human rights organizations and financial institutions to deliver the EndRAT remote access trojan to targeted victims.

In those campaigns, the phishing emails were designed to look like financial notices; they redirected victims through legitimate advertising tracking domains and then on to malicious ZIP files hosted on unsecured WordPress websites.

Multi-Stage Attack Chain Using Trusted Platforms
The latest activity documented by Check Point introduces a more elaborate infection chain. The attackers deliberately target development environments with malicious ZIP archives hosted on Discord’s content delivery network, disguised as project requirement documents.

When the archive is opened, it presents a Windows shortcut that launches an embedded PowerShell loader with no further user interaction. The loader retrieves additional modules: a PowerShell-based remote access component, extra batch files, and a utility for bypassing User Account Control. These components establish persistence through scheduled tasks and remove evidence of their activity before taking further action, including a full evaluation of the host’s security posture and attempts to evade anti-malware and heuristic detection.

One technique used for this was to run a command through a scheduled task configured with elevated privileges rather than invoking it directly. Another method of maintaining a long-term presence on an infected system was SimpleHelp, a legitimate Remote Monitoring and Management (RMM) utility, which lets the attackers control the system while blending in with routine administrative activity.

Additionally, communication with the command-and-control (C2) servers runs over encrypted tunnels so that it blends in with normal web traffic, helping the malware avoid detection through automated analysis.
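The chain described above leaves a recognisable trail in process-creation telemetry: a shortcut opened from Explorer spawning a hidden PowerShell, PowerShell registering a scheduled task that points at a script in a user-writable folder, and an RMM agent appearing on a developer workstation. The following triage rules are an added example for defenders, not code from the article or from Check Point; the sample events, paths, task names and the SimpleHelp name pattern are constructed assumptions for the illustration.

```python
# Added example (not from the article or Check Point): score constructed process-creation
# events against the Konni infection chain described in the text. Sample telemetry, paths
# and the RMM name heuristic are assumptions made for this illustration.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image (file name only)
    image: str    # process image (file name only)
    cmdline: str  # full command line as recorded by the sensor

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-e(?:p|xecutionpolicy)\s+bypass", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads)\\|\\temp\\|\\programdata\\", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules an event matches (empty list = not flagged by these rules)."""
    hits = []
    img, par, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline
    # 1. A shortcut opened from Explorer (e.g. from an extracted archive) launching a hidden PowerShell.
    if img in ("powershell.exe", "pwsh.exe") and par == "explorer.exe" and HIDDEN.search(cl):
        hits.append("lnk_hidden_powershell")
    # 2. PowerShell registering a scheduled task whose action runs a script from a user-writable path.
    if img == "schtasks.exe" and par in ("powershell.exe", "pwsh.exe") \
            and re.search(r"/create\b", cl, re.I) and USER_WRITABLE.search(cl):
        hits.append("schtask_persistence_from_powershell")
    # 3. An RMM agent on a developer workstation (assumed name heuristic; confirm against the
    #    organisation's approved-tools list before acting on it).
    if "simplehelp" in img or "simplehelp" in cl.lower():
        hits.append("unexpected_rmm_agent")
    return hits

def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each flagged command line to its matched rules; unflagged events are omitted."""
    return {ev.cmdline: h for ev in events if (h := classify(ev))}

# Constructed sample telemetry (process names, paths, task names and flags are invented).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"),
    ProcEvent("powershell.exe", "schtasks.exe",
              r'schtasks /Create /SC MINUTE /MO 10 /TN Sync /TR "powershell -w hidden -f C:\Users\dev\AppData\Roaming\s.ps1"'),
    ProcEvent("services.exe", "SimpleHelpAgent.exe", r"C:\ProgramData\SimpleHelpAgent.exe --service"),
    ProcEvent("explorer.exe", "powershell.exe", r"powershell.exe -NoProfile -File C:\proj\build.ps1"),
]

if __name__ == "__main__":
    for cmd, rules in triage(SAMPLE_EVENTS).items():
        print(", ".join(rules), "<-", cmd)
```

The fourth sample event, a developer running a build script from Explorer, is intentionally left unflagged to show that the rules key on the hidden-window and encoded-command flags rather than on PowerShell use alone.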

Signs of AI-Assisted Development
One indication of possible AI-assisted development is the PowerShell backdoor itself. Researchers point to its modular structure, systematic documentation, and clear code annotations as evidence of an AI-assisted development process.

Rather than reinventing delivery methods, Konni appears to be using AI to speed up malware development and standardize tooling, while continuing to rely on proven phishing techniques and trusted platforms to reach targets.

Why Developers Are the Real Target
Check Point notes that the campaign’s goal is not limited to stealing credentials from individuals. By breaking into developer environments, the attackers can reach source code, cloud access credentials, CI/CD pipelines, and downstream projects.

The campaign matches the North Korean activity trend of the past year, with an increase in phishing campaigns delivering:
1. MoonPeak
2. TigerRAT
3. StarshellRAT
4. JelusRAT
5. GopherRAT
through e-mail attachments, manipulated PDFs, and similar deceptive document lures sent via trusted delivery mechanisms.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067