North Korean threat actor Konni is now using AI-generated PowerShell malware to target blockchain developers in Japan, Australia, and India. The campaign uses sophisticated phishing techniques and legitimate remote access tools to establish persistent footholds in development environments.

The North Korean threat actor known as Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations, Check Point Research said in a technical report published last week.
Active since at least 2014, Konni is primarily known for its targeting of organizations and individuals in South Korea. It's also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia. In November 2025, the Genians Security Center (GSC) detailed the hacking group's targeting of Android devices by exploiting Google's asset tracking service, Find Hub, to remotely reset victim devices and erase personal data from them, signaling a new escalation of their tradecraft.
The Latest Campaign: Operation Poseidon
As recently as this month, Konni has been observed distributing spear-phishing emails containing malicious links that are disguised as harmless advertising URLs associated with Google and Naver's advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT. The campaign has been codenamed Operation Poseidon by the GSC, with the attacks impersonating North Korean human rights organizations and financial institutions in South Korea.
The attacks are also characterized by the use of improperly secured WordPress websites to distribute malware and for command-and-control (C2) infrastructure. The email messages have been found to masquerade as financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites.
The ZIP file comes with a Windows shortcut (LNK) that's designed to execute an AutoIt script disguised as a PDF document. The AutoIt script is a known Konni malware called EndRAT (aka EndClient RAT). "This attack is analyzed as a case that effectively bypassed email security filtering and user vigilance through a spear-phishing attack vector that exploited the ad click redirection mechanism used within the Google advertising ecosystem," the South Korean security outfit said. "It was confirmed that the attacker utilized the redirection URL structure of a domain used for legitimate ad click tracking (ad.doubleclick[.]net) to incrementally direct users to external infrastructure where actual malicious files were hosted."

AI-Generated PowerShell Backdoor
The latest campaign documented by Check Point leverages ZIP files mimicking project requirements-themed documents and hosted on Discord's content delivery network (CDN) to unleash a multi-stage attack chain. The exact initial access vector used in the attacks is unknown.
The ZIP archive contains:
- A PDF decoy file
- An LNK (Windows shortcut) file
The attack chain executes in this sequence:
- The shortcut file launches an embedded PowerShell loader
- The loader extracts two additional files: a Microsoft Word lure document and a CAB archive
- The Word document displays as a distraction mechanism
- The CAB archive contains a PowerShell Backdoor, two batch scripts, and a UAC bypass executable
The first batch script:
- Prepares the environment
- Establishes persistence using a scheduled task
- Stages and executes the backdoor
- Deletes itself from disk to reduce forensic visibility
The PowerShell backdoor performs anti-analysis and sandbox-evasion checks, then profiles the system and attempts to elevate privileges using the FodHelper UAC bypass technique. It cleans up the UAC bypass executable, configures Microsoft Defender exclusion for "C:\ProgramData," and runs the second batch script to replace the scheduled task with one capable of running with elevated privileges.
The backdoor then drops SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, for persistent remote access. It communicates with a C2 server protected by an encryption gate that blocks non-browser traffic, periodically sending host metadata and executing PowerShell code returned by the server.
AI Assistance in Malware Development
The cybersecurity company said there are indications that the PowerShell backdoor was created with the assistance of an AI tool, citing:
- Its modular structure
- Human-readable documentation
- Source code comments like "# <- your permanent project UUID"
"Instead of focusing on individual end-users, the campaign goal seems to be to establish a foothold in development environments, where compromise can provide broader downstream access across multiple projects and services," Check Point said. "The introduction of AI-assisted tooling suggests an effort to accelerate development and standardize code while continuing to rely on proven delivery methods and social engineering."

Related North Korean Campaigns
The findings coincide with multiple other North Korea-led campaigns facilitating remote control and data theft:
Visual Studio Code Tunnel Campaign: A spear-phishing campaign using JavaScript Encoded (JSE) scripts mimicking Hangul Word Processor (HWPX) documents and government-themed decoy files to deploy a VS Code tunnel for remote access.
MoonPeak RAT: A phishing campaign distributing LNK files masquerading as PDF documents to launch PowerShell scripts that detect virtual and malware analysis environments, delivering the MoonPeak remote access trojan.
ERP Supply Chain Attacks: Two cyber attacks assessed to be conducted by Andariel in 2025:
- Targeting an unnamed European legal sector entity to deliver TigerRAT
- Compromising a South Korean Enterprise Resource Planning (ERP) software vendor's update mechanism to distribute three new trojans: StarshellRAT, JelusRAT, and GopherRAT
According to Finnish cybersecurity company WithSecure, the ERP vendor's software has been targeted twice before—in 2017 and 2024—to deploy malware families like HotCroissant and Xctdoor.
New Trojan Capabilities
- JelusRAT: Written in C++, supports retrieving plugins from a C2 server
- StarshellRAT: Developed in C#, supports command execution, file upload/download, and screenshot capture
- GopherRAT: Based on Golang, features the ability to run commands/binaries, exfiltrate files, and enumerate file systems
"Their targeting and objectives have varied over time; some campaigns have pursued financial gain, while others have focused on stealing information aligned with the regime's priority intelligence needs," WithSecure researcher Mohammad Kazem Hassan Nejad said. "This variability underscores the group's flexibility and its ability to support broader strategic goals as those priorities change over time."
Practical Takeaways for Blockchain Developers
Immediate Actions:
- Verify all project-related communications through multiple channels
- Be suspicious of ZIP archives from Discord CDNs or unexpected project documents
- Monitor for unusual scheduled task creation or Defender exclusions
- Audit use of legitimate RMM tools like SimpleHelp in development environments
Technical Defenses:
- Implement application allowlisting for PowerShell execution
- Monitor for FodHelper UAC bypass attempts (registry modifications)
- Block ad.doubleclick.net redirects that lead to file downloads
- Enable enhanced logging for LNK file execution and CAB archive extraction
Development Environment Security:
- Segment development networks from production systems
- Implement code signing requirements for all scripts
- Use dedicated development VMs with no persistent access to sensitive repositories
- Regularly audit scheduled tasks and startup items
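The host artifacts the attack chain above leaves behind (the FodHelper handler key, the C:\ProgramData Defender exclusion, an elevated scheduled task launching scripts, and the SimpleHelp agent) can be checked on a single workstation with the following read-only audit. It is an added example, not code from Check Point's report, and assumes Windows 10/11 with the built-in ScheduledTasks and Defender modules; the SimpleHelp service-name pattern is an assumption.

```powershell
# Added example, not code from the Check Point report: read-only audit of the host
# artifacts the campaign leaves behind. Run in an elevated PowerShell session on Windows 10/11.
$findings = @()

# 1. FodHelper UAC bypass plants a handler under the per-user ms-settings ProgID that the
#    auto-elevated fodhelper.exe then honours. A clean host normally has no such key at all.
$fodKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
if (Test-Path $fodKey) {
    $cmd = Get-ItemProperty -Path $fodKey -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'FodHelper handler present'
        Detail = "$fodKey -> '$($cmd.'(default)')' DelegateExecute=$($null -ne $cmd.DelegateExecute)"
    }
}

# 2. Defender exclusions: the backdoor excludes C:\ProgramData; any exclusion on a developer
#    workstation deserves review, this path especially.
foreach ($p in @((Get-MpPreference).ExclusionPath)) {
    if ($p -and $p -like 'C:\ProgramData*') {
        $findings += [pscustomobject]@{ Check = 'Defender exclusion on ProgramData'; Detail = $p }
    }
}

# 3. Scheduled tasks that launch PowerShell/cmd/batch files, flagged when they run elevated
#    or from user-writable locations (the campaign re-creates its task with RunLevel=Highest).
$userDirs = '*\ProgramData\*', '*\AppData\*', '*\Temp\*'
foreach ($task in @(Get-ScheduledTask)) {
    foreach ($a in $task.Actions) {
        $exe = "$($a.Execute) $($a.Arguments)"
        $runsScript = $exe -match 'powershell|pwsh|cmd\.exe|\.bat\b|\.cmd\b'
        $fromUserDir = @($userDirs | Where-Object { $exe -like $_ }).Count -gt 0
        if ($runsScript -and ($fromUserDir -or "$($task.Principal.RunLevel)" -eq 'Highest')) {
            $findings += [pscustomobject]@{
                Check  = "Task '$($task.TaskName)' RunLevel=$($task.Principal.RunLevel)"
                Detail = $exe
            }
        }
    }
}

# 4. SimpleHelp RMM agent: legitimate software, but unexpected on a dev workstation.
#    Assumption: the agent registers a service whose name or display name contains 'SimpleHelp'.
foreach ($s in @(Get-Service | Where-Object { $_.Name -like '*SimpleHelp*' -or $_.DisplayName -like '*SimpleHelp*' })) {
    $findings += [pscustomobject]@{ Check = 'SimpleHelp service installed'; Detail = "$($s.Name) ($($s.Status))" }
}

if ($findings.Count -eq 0) { 'No campaign artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Any hit is a lead to investigate rather than a verdict: a managed workstation may legitimately carry an RMM service or a vetted exclusion, so compare findings against the organisation's known baseline.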
The shift toward AI-assisted malware development represents an evolution in how nation-state actors scale their operations while maintaining sophisticated capabilities. For blockchain developers specifically, the focus on development environments rather than end-users suggests these attackers understand that compromising a single developer can provide access to multiple projects, repositories, and potentially cryptocurrency wallets or private keys.
Organizations should treat this as a reminder that even legitimate tools like PowerShell and RMM software can be weaponized, and that the line between legitimate administration tools and malware continues to blur in modern cyberattacks.
