ACCORDING to Check Point Research, an active phishing campaign attributed to the North Korea–aligned KONNI group targets software developers and engineers with fake project documentation tied to blockchain and crypto initiatives, using an AI-written PowerShell backdoor as part of its toolset.
The operation extends beyond South Korea, with samples linked to Japan, Australia and India, and specifically aims at engineering teams working on blockchain technologies: legitimate‑sounding project documents are used as lures to gain access to development environments and sensitive assets such as infrastructure, credentials, wallets and cryptocurrency.
The infection chain begins with a Discord-hosted link that downloads a ZIP archive containing a PDF lure and a Windows shortcut (LNK); the LNK launches an embedded PowerShell loader that extracts a DOCX lure and a CAB archive, both XOR-encoded with a single-byte key. The malware maintains persistence via a scheduled task masquerading as OneDrive and deploys a heavily obfuscated PowerShell backdoor that runs only in memory. The backdoor shows the hallmarks of AI-assisted development: modular code and explanatory comments.
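A single-byte XOR key is trivial to recover when the plaintext begins with a known file signature, which is exactly the situation an analyst faces with the DOCX and CAB payloads described above. The following Python is an added example written for this page, not code from Check Point or from the KONNI toolset; it brute-forces all 256 keys against the CAB (`MSCF`) and ZIP/OOXML (`PK\x03\x04`) magics, then sanity-checks a decoded CAB by confirming that the `cbCabinet` field in its header matches the blob length. The sample blobs are constructed inline, with made-up keys, purely so the script runs offline.

```python
import struct

# Well-known file signatures for the two payload types the loader drops.
MAGICS = {
    "cab": b"MSCF",          # Microsoft Cabinet archive
    "docx": b"PK\x03\x04",   # DOCX is an OOXML ZIP container
}


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole blob (encode and decode are identical)."""
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob: bytes, magics=MAGICS):
    """Try every single-byte key and report the first one that yields a known magic.

    Returns (key, kind) or None if no candidate key produces a recognised header.
    Key 0 matching simply means the blob was not encoded at all.
    """
    if len(blob) < 4:
        return None
    for key in range(256):
        head = xor_decode(blob[:4], key)
        for kind, magic in magics.items():
            if head == magic:
                return key, kind
    return None


def cab_header_consistent(decoded: bytes) -> bool:
    """Cheap structural check on a decoded CAB: magic present and the
    cbCabinet field (little-endian uint32 at offset 8) equals the blob size."""
    if len(decoded) < 36 or decoded[:4] != b"MSCF":
        return False
    (cb_cabinet,) = struct.unpack_from("<I", decoded, 8)
    return cb_cabinet == len(decoded)


# --- Constructed sample data (not real campaign artefacts) ---------------------
# A minimal, 36-byte CAB header with cbCabinet and coffFiles set to 36,
# version 1.3, one folder and no files.
SAMPLE_CAB = (
    b"MSCF"                      # signature
    + b"\x00" * 4                # reserved1
    + struct.pack("<I", 36)      # cbCabinet: total size of this cabinet
    + b"\x00" * 4                # reserved2
    + struct.pack("<I", 36)      # coffFiles: offset of first CFFILE entry
    + b"\x00" * 4                # reserved3
    + bytes([3, 1])              # versionMinor, versionMajor
    + struct.pack("<HHHHH", 1, 0, 0, 0, 0)  # cFolders, cFiles, flags, setID, iCabinet
)
SAMPLE_CAB_KEY = 0x5A            # assumed key, chosen for the demo
ENCODED_CAB = xor_decode(SAMPLE_CAB, SAMPLE_CAB_KEY)

# A ZIP local-file-header prefix standing in for the DOCX lure.
SAMPLE_DOCX = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
SAMPLE_DOCX_KEY = 0x33           # assumed key, chosen for the demo
ENCODED_DOCX = xor_decode(SAMPLE_DOCX, SAMPLE_DOCX_KEY)


def analyse(blob: bytes) -> dict:
    """Recover the key, decode, and run the per-type sanity check."""
    hit = recover_xor_key(blob)
    if hit is None:
        return {"key": None, "kind": None, "valid": False}
    key, kind = hit
    decoded = xor_decode(blob, key)
    valid = cab_header_consistent(decoded) if kind == "cab" else decoded.startswith(MAGICS["docx"])
    return {"key": key, "kind": kind, "valid": valid}


if __name__ == "__main__":
    for name, blob in (("cab", ENCODED_CAB), ("docx", ENCODED_DOCX), ("junk", b"\xff" * 16)):
        print(name, analyse(blob))
```

Because every key is tried and all four magic bytes must match, a hit is unambiguous for these two signatures; the structural check on `cbCabinet` guards against a coincidental four-byte match in unrelated data, and the same pattern extends to any other magic the loader might be found wrapping.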
Check Point notes that the campaign’s TTPs closely mirror KONNI activity, while highlighting the AI-written backdoor as a notable evolution in the group’s tooling.