thehackernews.com 1/26/2026, 9:10:58 AM

Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers

The North Korean threat actor known as Konni has been observed using AI-generated PowerShell malware to target developers and engineering teams in the blockchain sector. Check Point Research said in a technical report that the phishing campaign has expanded to target Japan, Australia and India, broadening an operation that had previously focused on South Korea, Russia, Ukraine and European nations.

The campaign's PowerShell backdoor is described as AI-assisted, with a modular structure and human-readable documentation. The attackers use a Windows shortcut (LNK) file to execute an AutoIt script that drops the backdoor and related files, including EndRAT (also known as EndClient RAT).

The attackers also drop SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, for persistent remote access. The backdoor communicates with a C2 server through an encryption gate, periodically sending host data and running PowerShell code supplied by the server. The operation has been codenamed Operation Poseidon by the GSC, and the group is known for social engineering through spear-phishing emails disguised as legitimate notices and advertisements.


Article by CyberSIXT