KONNI Adopts AI to Generate PowerShell Backdoors

Jan. 22, 2026, 8:32 p.m.

Description

A North Korea-linked threat actor known as KONNI has been observed conducting a phishing campaign targeting software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of countries in the APAC region. The infection chain begins with a Discord-hosted link downloading a ZIP archive containing a PDF lure and a malicious LNK file. The LNK file deploys additional components, including the AI-generated PowerShell backdoor. The backdoor employs various anti-analysis techniques and establishes persistence through scheduled tasks. This campaign demonstrates KONNI's evolution in tactics and tooling, including the adoption of AI-assisted malware development.

Date

  • Created: Jan. 22, 2026, 6:22 p.m.
  • Published: Jan. 22, 2026, 6:22 p.m.
  • Modified: Jan. 22, 2026, 8:32 p.m.

Indicators


Attack Patterns

  • KONNI

Additional Information

  • Technologies
  • India
  • British Indian Ocean Territory
  • Japan
  • Australia