KONNI Developer Phishing (AI-Enhanced Backdoor)
BLUF
North Korean threat actor KONNI is targeting software developers and engineering teams across the APAC region with AI-generated PowerShell backdoors.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by AI-enhanced spear-phishing targeting software developers with persistent PowerShell backdoors, the financial impact is driven less by single-system remediation and more by investigation scope, intellectual property exposure risk, and prolonged containment efforts across engineering environments.
· Low-end total cost: $250K – $600K
o (limited developer compromise, rapid detection, no confirmed IP loss)
· Typical expected range: $900K – $2.4M
o (multiple developer endpoints affected, extended forensic investigation)
· Upper-bound realistic scenarios: $4M – $8M
o (suspected source code exposure, regulatory review, prolonged remediation)
Key Cost Drivers
· Number of developer endpoints requiring forensic validation
· Duration of undetected persistence within engineering environments
· Scope of source code, credentials, or intellectual property accessed
· Regulatory notification requirements across APAC jurisdictions
· Impact to development velocity and release timelines
Targeted Sectors
· Software Development
· Engineering
· Blockchain Infrastructure
Countries
· Japan
· Australia
· India
· South Korea
Date of First Reported Activity
· January 22, 2026
Date of Last Reported Activity Update
· January 22, 2026
APT Names
· KONNI (linked to North Korea).
Associated Criminal Organization Names
· None identified
IOCs
As a reminder, detection should focus on the heuristic behavior of the attacks. Indicators such as hashes, domains, and similar artifacts can be useful for identifying historical activity; however, attackers are highly dynamic. These indicators often vary by target and attack, and can even change within the same attack.
Malicious Filenames & Lures
· AI-enhanced_code_optimizer.zip (Lure impersonating AI tools for developers)
· Developer_Survey_2026.docx (Social engineering lure)
· backdoor.ps1 (AI-generated PowerShell script)
Domain & C2 Infrastructure
· dev-tools-update[.]com (C2 and delivery domain)
· ai-assisted-coding[.]net (Phishing host)
Host-Based Indicators
· Creation of a hidden directory: %AppData%\DevMetrics\
· Modified registry key
o HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemOptimizer for persistence
General/Historical KONNI Phishing IOCs
Historically, KONNI campaigns (such as those targeting government and diplomatic entities) have used the following patterns:
Common File Types
· Documents
o .doc
o .docx containing malicious VBA macros.
· Scripts
o .jse (Encrypted JavaScript)
o .ps1 (PowerShell)
o .bat files.
· Loaders
o Malicious .dll payloads often sideloaded or executed via Rundll32.
Historical Known IP Addresses
· 45.14.148.21
· 185.225.17.201
Techniques
· Use of CertUtil to download and decode base64-encoded payloads to evade detection.
· cdn.jsdelivr[.]net/gh/clock-cheking/expert-barnacle/load (Script hosting)
Tools Used
· AI-generated PowerShell backdoors
· SyncAppvPublishingServer.vbs (Proxy execution).
TTPs
Initial Access & Phishing
· T1566.001 Phishing
o Spearphishing Attachment: Delivering malicious ZIP archives or Microsoft Word documents containing VBA macros.
· T1566.002 Phishing
o Spearphishing Link: Using malicious URLs, including those disguised via Google advertising infrastructure, to bypass security filters.
· T1598.003 Search Victim-Owned Websites
o Conducting reconnaissance to tailor phishing lures for specific developers or government personnel.
Execution & Persistence
· T1059.003 Command and Scripting Interpreter
o Windows Command Shell: Executing Batch scripts and system commands (e.g., cmd /c systeminfo) to profile targets.
· T1204.002 User Execution
o Malicious File: Relying on social engineering, such as changing font colors (grey to black), to trick users into enabling malicious macros.
· T1547.001 Boot or Logon Autostart Execution
o Registry Run Keys: Establishing persistence by modifying registry keys or dropping shortcuts into the Windows Startup folder.
· T1574.002 Hijack Execution Flow
o DLL Side-Loading: Sideloading a concealed malicious DLL through a legitimate executable to evade detection.
Evasion & Discovery
· T1140 Deceptive/Decoy Document
o Presenting a legitimate-looking decoy document (e.g., about regional trade or human rights) to the user while the malware installs in the background.
· T1082 System Information Discovery
o Gathering OS version, architecture, and RAM size to ensure compatibility for second-stage payloads.
· T1105 Ingress Tool Transfer
o Utilizing tools like CertUtil to download and decode remote files from a C2 server.
Collection & Exfiltration
· T1113 Screen Capture
o Periodically taking screenshots of the victim's desktop.
· T1115 Data from Clipboard
o Capturing information copied to the system clipboard.
· T1041 Exfiltration Over C2 Channel
o Sending stolen credentials (from browsers like Chrome or Firefox) and files back to actor-controlled infrastructure.
Malware Name
· AI-PS-Backdoor
Malware Family
· Trojan.Graftor / FlyStudio
SHA256
37397f8d8e4b3731749094d7b7cd2cf56cacb12dd69e0131f07dd78dff6f262b
Known Decoding Key
· CyberFortress
Verdict
· Malicious
o The file is consistently flagged by multiple security vendors as a high-risk Trojan or backdoor.
Primary Objectives
· Establish initial access and long-term persistence on the victim's host.
· Execute arbitrary PowerShell commands to facilitate secondary payloads.
· Conceal malicious activity using misleading filenames and double extensions (e.g., payroll.pdf.exe).
Behavior Analysis
Execution
· Drops a text file and triggers a PowerShell script upon execution.
Persistence
· May use self-watching functions or environment variables to ensure the process remains active, mimicking techniques seen in persistent backdoors.
Evasion
· Employs double extensions to trick users into believing the file is a non-executable document.
Network Activity
· Typically attempts to establish communication with a Command and Control (C2) server for further instructions or data exfiltration.
Suggested Rules / potential hunts
Suricata
Target the command-and-control (C2) patterns and initial delivery payloads.
CertUtil Download Activity
Detects the use of CertUtil.exe to download remote files, a frequent KONNI tactic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KONNI CertUtil Download Pattern"; flow:established,to_server; content:"User-Agent|3a 20|CertUtil"; http_header; reference:url,attack.mitre.org/software/S0356/; classtype:trojan-activity; sid:2026001; rev:1;)
Suspicious .LNK/Shortcut Delivery
Detects the delivery of shortcut files masquerading as antivirus or system tools.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KONNI Possible .LNK Phishing Attachment"; flow:established,from_server; file_data; content:"L|00 00 00 01 14 02 00|"; depth:8; content:".lnk"; nocase; sid:2026002; rev:1;)
SentinelOne
Word Spawning Command Interpreters
Detects weaponized Word documents launching cmd.exe or PowerShell to execute encoded commands.
ProcessName In ("winword.exe", "excel.exe") AND ChildProcName In ("cmd.exe", "powershell.exe", "wscript.exe")
Hunt: CertUtil Base64 Decoding
KONNI often uses CertUtil to decode its final RAT payload.
ProcessName = "certutil.exe" AND (CommandLine ContainsAny ("-decode", "/decode"))
Hunt: Persistence via Registry Modification
Monitor for modifications to ComSysApp or Svchost registry keys used for persistence.
RegistryKey Path ContainsAny ("ComSysApp", "xmlProv") AND RegistryValue Change
Splunk
Identify incoming emails with KONNI-favored extensions like .zip, .rar, or .chm.
index=email sourcetype=stream:smtp attach_filename IN ("*.zip", "*.rar", "*.chm", "*.lnk") | stats count by sender, receiver, attach_filename
Abnormal System Reconnaissance
index=main sourcetype=WinEventLog:Security EventCode=4688 (New_Process_Name="*\\systeminfo.exe" OR New_Process_Name="*\\tasklist.exe") | stats count by ComputerName, New_Process_Name, Parent_Process_Name | where count > 5
C2 Beaconing to New Domains
index=proxy | lookup domain_age_lookup domain as url_domain OUTPUT age | where age < 2 | stats count by src_ip, url_domain
Delivery Methods
· Spear-phishing emails containing malicious Word documents or .LNK files.
Email sample
Subject Line Ideas
· "Blockchain Developer Opportunity - [Project Name]"
· "Request for Technical Consultation"
· "[Urgent] Updated Security Protocols for Engineering Teams"
Sender
· Often spoofed to appear from a legitimate peer
· A high-profile blockchain project
· An international relations/human rights organization.
Content
Dear [Developer Name],

I am reaching out from [Spoofed Company] regarding a potential collaboration on our upcoming blockchain infrastructure project. We have reviewed your GitHub contributions and believe your expertise in [Specific Tech Stack] would be a valuable asset.

Please find the attached technical requirements and project briefing document (ZIP) for your review. We would like to schedule a call once you have had a chance to look over the materials.

Best regards,
[Spoofed Identity]
Attachment
· A ZIP archive containing a legitimate executable (used for DLL sideloading) and a concealed malicious DLL that deploys the KONNI malware.
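As an added example (not the report's own code), the mail-gateway triage below checks an attachment ZIP for the three lure traits described on this page: an EXE paired with a DLL (the sideloading package), a shortcut identified by the ShellLink header bytes used in the Suricata rule above, and a double-extension name such as payroll.pdf.exe. The archive is constructed in memory and the extension sets are assumptions.

```python
import io
import zipfile

LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"   # ShellLink header (4C 00 00 00 01 14 02 00)
DOC_EXTS = {"pdf", "doc", "docx", "txt", "xls"}           # assumed "looks like a document"
EXEC_EXTS = {"exe", "scr", "lnk", "js", "jse", "vbs", "bat", "ps1"}  # assumed executable

def double_extension(name):
    """payroll.pdf.exe -> True: a document extension hiding an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS

def is_lnk(data):
    """True when the bytes begin with the Windows shortcut header."""
    return data[:8] == LNK_MAGIC

def triage_zip(data):
    """Return findings for a ZIP attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        exts = {n.lower().rsplit(".", 1)[-1] for n in names}
        if "exe" in exts and "dll" in exts:        # sideloading package shape
            findings.append("exe_plus_dll_sideload_pair")
        for n in names:
            if double_extension(n):
                findings.append("double_extension:" + n)
            if n.lower().endswith(".lnk") or is_lnk(zf.read(n)):
                findings.append("shortcut:" + n)
    return findings

def build_sample_zip():
    """Constructed lure archive mirroring the attachment described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Briefing/Briefing_Viewer.exe", b"MZ" + b"\0" * 62)  # stand-in EXE
        zf.writestr("Briefing/helper.dll", b"MZ" + b"\0" * 62)           # stand-in DLL
        zf.writestr("Briefing/Requirements.pdf.exe", b"MZ")
        zf.writestr("Briefing/Readme.lnk", LNK_MAGIC + b"\0" * 68)
    return buf.getvalue()

if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```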
References
VirusTotal
· hxxps://www.virustotal.com/gui/file/ab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985
CheckPoint
· hxxps://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/
Genians Co
· hxxps://www.genians.co.kr/en/blog/threat_intelligence/spear-phishing
GBHackers
· hxxps://gbhackers.com/spear-phishing-campaign/
CyFirma
· hxxps://www.cyfirma.com/news/weekly-intelligence-report-23-january-2026/
Korea JoongAng Daily
· hxxps://koreajoongangdaily.joins.com/news/2026-01-19/national/northKorea/Hackers-linked-to-North-exploiting-Naver-and-Google-ad-systems-to-distribute-malware-report-finds/2503563