Source: CryptoNewsNet
Original Title: Konni hackers target blockchain engineers with AI malware
Original Link:
North Korean hacking group Konni is now targeting blockchain engineers with artificial intelligence-generated malware. According to reports, the hacker group is deploying AI-generated PowerShell malware to target developers and engineers in the blockchain industry.
The North Korean hacker group is believed to have been in operation since at least 2014 and is associated with the APT37 and Kimsuky activity clusters. The group has targeted organizations across South Korea, Ukraine, Russia, and several European countries. According to threat analysis, the latest campaign targets the Asia-Pacific region.
Attack Mechanism
The attack begins with victims receiving a Discord link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file. The LNK runs an embedded PowerShell loader that extracts a DOCX document and a CAB archive containing a PowerShell backdoor, batch files, and a UAC bypass executable.
After the shortcut file is launched, the DOCX opens and executes a batch file. The lure document indicates the hackers aim to compromise the development environment to gain access to sensitive assets, including infrastructure, API credentials, wallet access, and digital asset holdings.
The first batch file creates a staging directory for the backdoor, while the second batch file creates an hourly scheduled task mimicking OneDrive’s startup task. The task reads an XOR-encrypted PowerShell script from disk, decrypts it for in-memory execution, and then deletes itself to erase infection traces.
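One defender-side check this persistence step suggests, as an added example that is not from the article or from the researchers' published material: a Python triage of Task Scheduler definitions exported with "schtasks /query /xml", flagging an OneDrive-styled task whose hourly trigger launches PowerShell to read a script file from disk. The task names, paths and arguments in the two samples are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows Task Scheduler definitions as exported by "schtasks /query /xml".
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def triage_task_xml(xml_text: str) -> list:
    """Return the reasons a task matches the pattern above (OneDrive-styled name,
    hourly PowerShell action that reads a script from disk); [] means no match."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    mimics_onedrive = "onedrive" in uri.lower()
    hourly = any((i.text or "").strip().upper() == "PT1H"
                 for i in root.iterfind(".//t:Repetition/t:Interval", NS))
    runs_powershell = loads_from_disk = False
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).lower()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).lower()
        if "powershell" in cmd or "pwsh" in cmd:
            runs_powershell = True
            # The loader reads an encrypted script from disk before running it in memory.
            if any(k in args for k in ("get-content", "readallbytes", "readalltext")):
                loads_from_disk = True
    reasons = []
    if runs_powershell and mimics_onedrive:
        reasons.append("OneDrive-styled task runs PowerShell; genuine OneDrive tasks run OneDrive.exe")
    if runs_powershell and hourly:
        reasons.append("PowerShell action repeats hourly (PT1H)")
    if loads_from_disk:
        reasons.append("PowerShell action reads a script file from disk")
    return reasons

# Constructed sample definitions (not real campaign artifacts); XML declaration omitted.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Startup Task-Example</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -c "[IO.File]::ReadAllBytes('C:\Users\Public\stage\x.dat')"</Arguments>
  </Exec></Actions></Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Startup Task-Example</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe</Command>
    <Arguments>/background</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", triage_task_xml(xml) or "no match")
```

Exported task files are UTF-16 on disk, so read them as bytes before passing them to the parser.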
AI-Assisted Malware Development
The PowerShell backdoor masks its origin using arithmetic-based string encoding and runtime string reconstruction. Researchers identified signs of AI-assisted development rather than traditionally authored malware, including:
Clear and structured documentation at the top of the script (unusual for malware)
Clean and modular code layout
Presence of placeholder comments like “# <-- your permanent project UUID”
These elements are commonly seen in LLM-generated code and tutorials, suggesting the North Korean hackers utilized AI tools in malware development.
Execution and Command-and-Control
Before execution, the malware performs hardware, software, and user activity checks to ensure it is not running in an analysis environment. Once activated on an infected device, the malware contacts command-and-control (C2) servers periodically to send host metadata and polls at random intervals. If the C2 response contains PowerShell code, the backdoor executes it using background jobs.
These attacks can be attributed to the North Korean Konni threat actor based on launcher format similarities, lure names, and execution chain structure overlaps with earlier campaigns. Security researchers have published indicators of compromise to help defenders identify and protect against this threat.