North Korea–linked KONNI uses AI to build stealthy malware tooling

Pierluigi Paganini January 26, 2026

Check Point links an active phishing campaign to North Korea–aligned KONNI, targeting developers with fake blockchain project docs and using an AI-written PowerShell backdoor.

Check Point Research uncovered an active phishing campaign attributed to the North Korea–linked KONNI group (aka Kimsuky, Earth Imp, TA406, Thallium, Vedalia, and Velvet Chollima). The operation targets software developers and engineers using fake project documentation tied to blockchain and crypto initiatives. While consistent with KONNI’s known spear-phishing tactics, the campaign shows broader APAC targeting and features an AI-written PowerShell backdoor, highlighting evolving threat actor tradecraft.

The campaign shows expanded geographic reach beyond South Korea, with samples linked to Japan, Australia, and India. It targets engineering teams, especially those working on blockchain technologies, using lure documents disguised as legitimate project materials. These lures aim to compromise development environments and access sensitive assets such as infrastructure, credentials, wallets, and cryptocurrency. The infection chain uses a Discord-hosted ZIP containing a PDF and LNK file, which launches an obfuscated PowerShell loader.

“The infection chain starts with a Discord-hosted link that downloads a ZIP archive via an unknown vector. The ZIP contains two files: a PDF lure document and a Windows shortcut (LNK) file.” reads the report published by Check Point. “The LNK launches an embedded PowerShell loader which extracts two additional files: a DOCX lure document and a CAB archive, both embedded within the LNK and XOR-encoded using a single-byte key.”
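A single-byte XOR leaves file structure intact, which is what makes the embedded DOCX and CAB described above easy to recover during triage. The following is an added analysis example, not Check Point's tooling or the actor's loader: it brute-forces all 256 keys against well-known magic bytes and carves the decoded files from a blob. The `SAMPLE_LNK` bytes, the key `0x5A` and the file names inside the fake DOCX and CAB are constructed for the demonstration.

```python
"""Recover single-byte-XOR-encoded files embedded in a binary blob.

Added triage example, not Check Point's tooling. The report says the LNK
carries a DOCX lure and a CAB archive, each XOR-encoded with a single-byte
key. A single-byte XOR leaves file structure intact, so trying all 256 keys
and looking for well-known magic bytes recovers both without knowing the key.
"""
from typing import Dict, List, Tuple

# Magic bytes of the two embedded file types named in the report.
# A DOCX is a ZIP container (local file header "PK\x03\x04");
# Microsoft cabinet files start with "MSCF".
MAGICS: Dict[str, bytes] = {
    "docx": b"PK\x03\x04",
    "cab": b"MSCF",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def find_xor_payloads(blob: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, key, kind) wherever XOR-decoding with `key` yields a
    known magic. Key 0 is included so unencoded files are reported too."""
    hits: List[Tuple[int, int, str]] = []
    for kind, magic in MAGICS.items():
        for key in range(256):
            # XOR-encoding the magic with the candidate key gives the byte
            # pattern that would appear in the blob; searching for that is
            # cheaper than decoding the whole blob 256 times.
            pattern = xor_bytes(magic, key)
            start = 0
            while (idx := blob.find(pattern, start)) != -1:
                hits.append((idx, key, kind))
                start = idx + 1
    return sorted(hits)


def carve(blob: bytes) -> List[Tuple[str, int, bytes]]:
    """Decode each hit from its offset up to the next hit (or end of blob).
    Trimming to the exact file length is left to the analyst: ZIP and CAB
    headers both carry size fields that can be used for that."""
    hits = find_xor_payloads(blob)
    payloads: List[Tuple[str, int, bytes]] = []
    for i, (offset, key, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        payloads.append((kind, key, xor_bytes(blob[offset:end], key)))
    return payloads


# Constructed stand-in for a weaponised LNK: a real shell-link header
# (signature 0x4C + the ShellLink CLSID), some filler, then a fake DOCX and a
# fake CAB, both encoded with the constructed key 0x5A. Not a real sample.
_KEY = 0x5A
_LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
_DOCX = b"PK\x03\x04" + b"word/document.xml"
_CAB = b"MSCF" + b"\x00" * 4 + b"payload.bat"
SAMPLE_LNK = _LNK_HEADER + b"\x00" * 8 + xor_bytes(_DOCX, _KEY) + xor_bytes(_CAB, _KEY)

if __name__ == "__main__":
    for kind, key, data in carve(SAMPLE_LNK):
        print(f"{kind}: key=0x{key:02x} size={len(data)} head={data[:8]!r}")
```

Because the scan matches only four bytes per magic, run it against a suspicious LNK as a first pass and then validate each candidate by parsing the recovered ZIP or CAB header; a false positive will fail that parse.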

The malware establishes persistence via a scheduled task masquerading as OneDrive and deploys a heavily obfuscated PowerShell backdoor executed in memory.

The PowerShell backdoor shows strong signs of AI-assisted development rather than traditional APT tooling. The script features unusually clear documentation, modular structure, and instructional comments such as “your permanent project UUID,” a hallmark of LLM-generated code.

“This phrasing is highly characteristic of LLM-generated code, where the model explicitly instructs a human user on how to customize a placeholder value. Such comments are commonly observed in AI-produced scripts and tutorials.” reads the report. “The verbose documentation, modular layout, and instructional placeholder comments all strongly suggest that the PowerShell backdoor was generated using an AI system, marking a notable shift in KONNI APT’s tooling development.”

Beyond its AI-like coding style, the backdoor includes robust anti-analysis checks, sandbox evasion, user-interaction validation, and single-instance enforcement via a global mutex. The malicious code fingerprints hosts for C2 tracking, adapts execution based on privilege level, performs UAC bypass and Defender evasion, and can deploy legitimate RMM software for persistence. C2 access is achieved by emulating JavaScript challenges to bypass browser-only protections, enabling ongoing command execution and data exfiltration.

Earlier samples uploaded to VirusTotal in October 2025 show an older version of the infection chain. This version starts with an obfuscated PowerShell script that downloads several components, including batch files, VBScript launchers, a PowerShell backdoor, and PE files such as uc.exe for UAC bypass and OneDriveUpdater.exe. The OneDriveUpdater tool installs a SimpleHelp client to give attackers remote access.

Execution starts with start.vbs, which launches simi.bat. This script creates a staging folder in C:\ProgramData, moves the downloaded files there, runs OneDriveUpdater.exe, and then starts schedule1.bat. The final script sets up persistence by creating a scheduled task that runs the PowerShell backdoor. Unlike later samples, this variant splits tasks across multiple scripts instead of using a single batch file.
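Both variants described above persist through a scheduled task that borrows OneDrive's name, and the older chain stages its files under C:\ProgramData. The following detection sketch is an added example, not a Check Point rule: it checks task-creation records for a OneDrive-looking name paired with a binary outside Microsoft's real OneDrive install paths, a script-host action, an encoded PowerShell command line, or a ProgramData staging path. The `SAMPLE_EVENTS` records are a constructed, simplified rendering of the fields in Windows Security event 4698 (task name, command, arguments), not real telemetry.

```python
"""Flag scheduled tasks that imitate OneDrive or run from a staging folder.

Added detection sketch, not Check Point's rule. The event records below are
constructed: a simplified view of the task name, command and arguments that
Windows Security event 4698 carries in its task XML.
"""
import re
from typing import Dict, List

# Constructed sample: one benign OneDrive task, two records modelled on the
# behaviour described in the report (OneDrive-looking name, PowerShell action,
# staging under C:\ProgramData), and one unrelated benign task.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"task": r"\OneDrive Standalone Update Task-S-1-5-21-1",
     "command": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "args": ""},
    {"task": r"\OneDrive Update",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": "-NoProfile -WindowStyle Hidden -EncodedCommand <base64 omitted>"},
    {"task": r"\OneDriveUpdater",
     "command": r"C:\ProgramData\OneDriveUpdater.exe",
     "args": ""},
    {"task": r"\Adobe Acrobat Update Task",
     "command": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
     "args": ""},
]

ONEDRIVE_NAME = re.compile(r"onedrive", re.IGNORECASE)
# Where Microsoft's OneDrive binaries legitimately live (per-user install or
# the machine-wide install). Anything else claiming to be OneDrive is suspect.
LEGIT_ONEDRIVE_PATH = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\AppData\\Local\\Microsoft\\OneDrive"
    r"|Program Files( \(x86\))?\\Microsoft OneDrive)\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for an encoded script.
ENCODED_ARG = re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^[A-Za-z]:\\ProgramData\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks suspicious (empty = benign)."""
    reasons: List[str] = []
    exe = event["command"].rsplit("\\", 1)[-1].lower()
    if ONEDRIVE_NAME.search(event["task"]) and not LEGIT_ONEDRIVE_PATH.match(event["command"]):
        reasons.append("onedrive_name_unexpected_binary")
    if exe in SCRIPT_HOSTS:
        reasons.append("script_host_action")
    if ENCODED_ARG.search(event["args"]):
        reasons.append("encoded_powershell")
    if PROGRAMDATA.match(event["command"]):
        reasons.append("programdata_staging")
    return reasons


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map task name to reasons for every event that raised at least one flag."""
    flagged: Dict[str, List[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged[event["task"]] = reasons
    return flagged


if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{task}: {', '.join(reasons)}")
```

The path allow-list is the part to tune per environment; the name check alone would miss a task with an unrelated name, so the script-host and ProgramData checks run independently of it.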

Check Point states that the campaign’s TTPs closely match those of the North Korea–linked KONNI APT group. It begins with a weaponized LNK file that mirrors KONNI launchers seen in earlier reports, including reuse of a known lure filename. The execution chain follows KONNI’s typical modular, multi-stage design using VBS and multiple BAT scripts, each with a specific role. Earlier variants also reuse script names and code patterns tied to past KONNI activity, reinforcing attribution to the group.

“This campaign highlights the evolution of the KONNI APT group. The delivery and staging remain aligned with previously documented KONNI tradecraft, including the use of weaponized LNK shortcuts and a modular, multi-stage execution chain built from narrowly scoped script components.” concludes the report. “At the same time, the targeting reflects a notable shift in behavior.” “Finally, this campaign is notable for its apparent use of an AI-written PowerShell backdoor.”
