
"The North Korean threat actor known as Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations, Check Point Research said in a technical report published last week."
"Active since at least 2014, Konni is primarily known for its targeting of organizations and individuals in South Korea. It's also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia. In November 2025, the Genians Security Center (GSC) detailed the hacking group's targeting of Android devices by exploiting Google's asset tracking service, Find Hub, to remotely reset victim devices and erase personal data from them, signaling a new escalation of their tradecraft."
Konni has deployed PowerShell malware generated with artificial intelligence to target blockchain developers and engineering teams across Japan, Australia, and India. The group, active since at least 2014 and tracked under multiple aliases, has broadened its targeting beyond South Korea, Russia, Ukraine, and parts of Europe. Konni has exploited Google's Find Hub to remotely reset and wipe Android devices, indicating escalated tradecraft. Recent campaigns use spear-phishing with links disguised as Google and Naver advertising URLs to bypass filters and deliver the EndRAT remote access trojan. Attacks impersonate North Korean human rights groups and financial institutions and leverage unsecured WordPress sites to host ZIP archives containing LNK files that execute an AutoIt script disguised as a PDF to install EndRAT.
Read at The Hacker News