The North Korean threat group Konni is extending its reach to blockchain developers, using a new AI-generated PowerShell backdoor to breach development environments and, potentially, cryptocurrency holdings, according to researchers.
The activity targets APAC-based developers with access to blockchain resources, including in Japan, Australia and India, a shift from Konni's usual focus on government and academically affiliated targets, Check Point Research said in a recent blog post. Phishing lures resemble legitimate project documentation and aim to establish a foothold in development environments, from which an attacker can reach the multiple projects and services a developer is typically entitled to, the report notes.
The backdoor is described as unusually well-structured, with upfront documentation that explains its functions, such as ensuring only one instance runs at a time and reporting system information to its server via an HTTP GET request every 13 minutes. Check Point's assessment is that AI-assisted tooling let the group produce and standardise the code faster, while delivery still relied on conventional social engineering.
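A fixed 13-minute GET cadence is the kind of behaviour a defender can look for in proxy or egress logs even without the specific indicators. The following is an added example, not code from Check Point's report or from the malware: it groups GET requests per source and destination host, and flags any pair whose inter-request gaps are nearly identical (the report describes a 13-minute interval, but the check is written for any regular period). The log format, the hosts under `example.invalid`, the timestamps, and the `min_requests` and `max_jitter` thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log lines (not from the Check Point report).
# Format assumed here: "<ISO timestamp> <src_ip> <method> <host> <path>".
# 10.0.0.5 -> c2.example.invalid beacons roughly every 13 minutes;
# 10.0.0.5 -> docs.example.invalid is irregular human browsing.
SAMPLE_LOG = """\
2026-01-20T09:00:00 10.0.0.5 GET c2.example.invalid /check
2026-01-20T09:13:02 10.0.0.5 GET c2.example.invalid /check
2026-01-20T09:25:58 10.0.0.5 GET c2.example.invalid /check
2026-01-20T09:39:01 10.0.0.5 GET c2.example.invalid /check
2026-01-20T09:52:00 10.0.0.5 GET c2.example.invalid /check
2026-01-20T10:04:59 10.0.0.5 GET c2.example.invalid /check
2026-01-20T09:01:10 10.0.0.5 GET docs.example.invalid /index.html
2026-01-20T09:01:12 10.0.0.5 GET docs.example.invalid /style.css
2026-01-20T09:07:40 10.0.0.5 GET docs.example.invalid /api/v1
2026-01-20T09:31:05 10.0.0.5 GET docs.example.invalid /page2
2026-01-20T10:15:00 10.0.0.5 GET docs.example.invalid /page3
2026-01-20T09:02:00 10.0.0.7 POST upload.example.invalid /put
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, method, host)."""
    ts, src, method, host, _path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), src, method, host


def find_beacons(lines, min_requests=5, max_jitter=0.10):
    """Return {(src_ip, host): period_seconds} for GET series whose
    inter-request gaps all sit within max_jitter of their median gap.

    min_requests and max_jitter are assumed thresholds; tune to your data.
    """
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, method, host = parse_line(line)
        if method == "GET":
            times[(src, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(deltas)
        if period <= 0:
            continue
        # Relative deviation of the worst gap from the typical gap.
        jitter = max(abs(d - period) for d in deltas) / period
        if jitter <= max_jitter:
            beacons[key] = period
    return beacons


def period_minutes(seconds):
    """Round a beacon period in seconds to whole minutes for reporting."""
    return round(seconds / 60)


if __name__ == "__main__":
    for (src, host), period in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {host}: regular GET every ~{period_minutes(period)} min "
              f"({period:.0f}s)")
```

The check is deliberately narrow: it only catches an implant that keeps the steady interval the report describes, and an implant that randomises its sleep would need a looser jitter bound or a frequency-domain approach instead. Running it over real logs also requires excluding known-regular clients such as update checkers and monitoring agents, which produce the same signature legitimately.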
IoCs, including hashes, scripts, executables and related domains/IPs, are listed in Check Point's post to help defenders recognise Konni's latest attack on blockchain developers.

January 26, 2026.