KONNI Adopts AI to Generate PowerShell Backdoors
Essential information
- Published: 22/01/2026 18:22
- Modified: 22/01/2026 20:32
- Tags: 2026-01-22, ai-generated, apac, backdoor, blockchain, north korea, phishing, powershell, powershell backdoor, simplehelp, software developers
- Related entities: 34 observables, 1 intrusion set (APT), 5 others
Description
A North Korea-linked threat actor tracked as KONNI has been observed running a phishing campaign against software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of APAC countries than KONNI's earlier activity. The infection chain starts with a Discord-hosted link that downloads a ZIP archive containing a PDF lure and a malicious LNK file. When the LNK is opened it deploys additional components, including the AI-generated PowerShell backdoor, which employs several anti-analysis techniques and persists through scheduled tasks. For defenders, the useful chokepoints are the steps this chain cannot avoid: a LNK inside an archive fetched from a Discord-hosted link, PowerShell spawned by the shell that opened the LNK, and scheduled-task creation originating from that PowerShell process. The campaign shows KONNI's evolving tactics and tooling, including the adoption of AI-assisted malware development.
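The chain described above (LNK opened from the shell, PowerShell launched with evasive flags from a user-writable path, then a scheduled task created from that PowerShell) can be hunted in process-creation telemetry. The following is an added example written for this page; it is not code from the report, from KONNI, or from any vendor. Field names mirror Sysmon Event ID 1, the sample events are constructed (the GUIDs, paths, task name and command lines are placeholders, not real indicators), and the flag and path regexes are assumptions to be tuned against your own baseline.

```python
"""Hunt for the LNK -> PowerShell -> scheduled-task chain in process-creation events.

Added example, not from the report. Event fields mirror Sysmon Event ID 1;
all sample data below is constructed and contains no real indicators.
"""
import re

PS_IMAGES = ("powershell.exe", "pwsh.exe")

# Flags a LNK-launched loader tends to use: hidden window, execution-policy
# bypass, encoded/inline command, no profile. ASSUMPTION: tune to your fleet.
EVASIVE_FLAGS = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass"
    r"|e(?:c|ncodedcommand)?\s|nop(?:rofile)?\b)",
    re.IGNORECASE,
)
# Paths a phishing ZIP and its dropped files typically land in. ASSUMPTION.
USER_WRITABLE = re.compile(r"\\(?:Downloads|Temp|AppData)\\", re.IGNORECASE)
TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)

# Constructed sample telemetry (hypothetical GUIDs and paths, not real IOCs).
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    # Double-clicking a LNK shows up as explorer.exe spawning the LNK target.
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (gc C:\\Users\\dev\\Downloads\\offer\\setup.txt)"',
     "CurrentDirectory": r"C:\Users\dev\Downloads\offer"},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 10 /tn "Updater" /tr "powershell -w hidden -ep bypass -f C:\\Users\\dev\\AppData\\Roaming\\u.ps1" /f'},
    # Benign admin activity: interactive PowerShell from cmd.exe scheduling a backup.
    {"ProcessGuid": "p4", "ParentProcessGuid": "p0",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe", "CurrentDirectory": r"C:\Users\admin"},
    {"ProcessGuid": "p5", "ParentProcessGuid": "p4",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_guid):
    """Yield parent events up the chain; stops at unknown parents or cycles."""
    seen = set()
    cur = by_guid.get(ev.get("ParentProcessGuid"))
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        yield cur
        cur = by_guid.get(cur.get("ParentProcessGuid"))


def is_lnk_style_launch(ev):
    """Stage 1: PowerShell spawned by explorer.exe with evasive flags and a
    command line or working directory in a user-writable location."""
    cmd = ev.get("CommandLine", "")
    cwd = ev.get("CurrentDirectory", "")
    return (basename(ev["Image"]) in PS_IMAGES
            and basename(ev.get("ParentImage", "")) == "explorer.exe"
            and EVASIVE_FLAGS.search(cmd) is not None
            and USER_WRITABLE.search(cmd + " " + cwd) is not None)


def hunt(events):
    """Return (ProcessGuid, reason) findings for the LNK -> PowerShell -> task chain."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    stage1 = {e["ProcessGuid"] for e in events if is_lnk_style_launch(e)}
    findings = []
    for e in events:
        if e["ProcessGuid"] in stage1:
            findings.append((e["ProcessGuid"], "lnk_style_powershell_launch"))
            continue
        cmd = e.get("CommandLine", "")
        if not TASK_CREATE.search(cmd):
            continue
        # Stage 2: task creation whose ancestry includes a stage-1 PowerShell.
        if {a["ProcessGuid"] for a in ancestors(e, by_guid)} & stage1:
            findings.append((e["ProcessGuid"], "scheduled_task_from_suspicious_powershell"))
        # Weaker signal when the launcher was not captured: the task itself
        # runs PowerShell with evasive flags.
        elif EVASIVE_FLAGS.search(cmd):
            findings.append((e["ProcessGuid"], "scheduled_task_runs_evasive_powershell"))
    return findings


if __name__ == "__main__":
    for guid, reason in hunt(SAMPLE_EVENTS):
        print(guid, reason)
```

The two-stage correlation matters: a hidden-window PowerShell from explorer.exe is noisy on its own, and `schtasks /create` is routine for administrators, but a task created by a process whose ancestor is that PowerShell is a much tighter match for the persistence step the report describes. The fallback rule on the task's own `/tr` argument catches the case where the launcher event was lost or the task was created through the API rather than schtasks.exe's parent chain.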