Cybersecurity researchers have raised the alarm about a sophisticated new malware scheme. North Korea-linked hacking group Konni (also known as Opal Sleet and TA406) is leveraging AI-generated PowerShell malware to directly target blockchain developers and engineers.
Konni is a North Korean advanced persistent threat (APT) group that has operated for at least a decade. Its targets have traditionally been in South Korea, Russia, Ukraine, and Europe; the Asia-Pacific region has since been added to the list.
The group is linked to other DPRK cyber groups, such as APT37 and Kimsuky, and has a track record of stealing money and secrets from banks, financial systems, and tech companies.
Experts, including , have shared detailed reports explaining how the Konni hack works step-by-step.
The attack starts with a Discord message containing a link. Clicking it downloads a compressed archive that looks legitimate and holds both a PDF decoy and a malicious Windows shortcut (LNK) file.
Opening the shortcut starts a PowerShell loader that unpacks more files. Among them are a fake DOCX document and a cabinet (CAB) archive holding a PowerShell backdoor, batch scripts, and an executable designed to bypass User Account Control (UAC). This allows the malware to persist on the victim’s computer.
Researchers note that the malware shows clear signs of being AI-generated: its code is built in separate blocks, contains unusually neat comments, and uses odd placeholder text, which sets it apart from typical human-written malware.
The malware registers an hourly scheduled task disguised as a OneDrive startup task. That task silently decodes and launches a PowerShell command in the computer’s memory. After the payload runs, it deletes some of its own files to cover its tracks.
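The persistence step above leaves a concrete artefact defenders can hunt for: a scheduled task that borrows OneDrive's name but runs a script host on an hourly repetition with hidden, encoded arguments. The script below is an added example, not code from the article or from the researchers it cites. It parses Task Scheduler XML exports (the kind produced by `schtasks /query /xml`), scores each task on three indicators drawn from the described chain, and decodes any `-EncodedCommand` payload for the analyst. The two task definitions embedded in it are constructed for the example; the benign one mirrors the layout of a genuine OneDrive updater task, and the lookalike carries a harmless placeholder command rather than anything recovered from the campaign. The heuristics and thresholds are my own assumptions.

```python
"""Hunt exported Scheduled Task XML for persistence that impersonates OneDrive.

Heuristics follow the chain described in the article: a task disguised as a
OneDrive startup task that fires hourly and launches a hidden, encoded
PowerShell command in memory. Both task definitions below are constructed
for this example (the benign one mirrors the layout of a genuine OneDrive
updater task); neither is an artefact recovered from the campaign.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd", "wscript", "cscript", "mshta")
# Switches and idioms typical of hidden, in-memory PowerShell execution.
IN_MEMORY_SWITCHES = re.compile(
    r"(-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass"
    r"|\biex\b|invoke-expression|frombase64string|downloadstring)",
    re.IGNORECASE,
)
# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT1H.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(iso):
    """Convert a task-scheduler duration such as PT1H to seconds (None if absent)."""
    m = DURATION.match(iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def decode_encoded_command(arguments):
    """Recover the plaintext of a -EncodedCommand payload (base64 of UTF-16LE)."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", arguments, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_task(xml_text):
    """Score one exported task; suspicious when two or more indicators coincide."""
    root = ET.fromstring(xml_text)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    uri = text("t:RegistrationInfo/t:URI")
    description = text("t:RegistrationInfo/t:Description")
    command = text("t:Actions/t:Exec/t:Command")
    arguments = text("t:Actions/t:Exec/t:Arguments")
    interval = duration_seconds(text(".//t:Repetition/t:Interval"))
    host = re.split(r"[\\/]", command.lower())[-1]  # executable name only

    reasons = []
    # Indicator 1: the name claims OneDrive but the action is a script host.
    if "onedrive" in (uri + description).lower() and host.startswith(SCRIPT_HOSTS):
        reasons.append(f"named after OneDrive but runs {host}")
    # Indicator 2: arguments typical of hidden, in-memory execution.
    hits = sorted({m.group(0).lower() for m in IN_MEMORY_SWITCHES.finditer(arguments)})
    if hits:
        reasons.append("hidden/in-memory execution switches: " + ", ".join(hits))
    # Indicator 3: hourly (or tighter) repetition, as the reported task uses.
    if interval is not None and interval <= 3600:
        reasons.append(f"repeats every {interval // 60} minutes")
    return {
        "uri": uri,
        "command": command,
        "suspicious": len(reasons) >= 2,
        "reasons": reasons,
        "decoded": decode_encoded_command(arguments),
    }


def hunt(xml_docs):
    """Return the assessments of every task that trips the heuristics."""
    return [r for r in (assess_task(doc) for doc in xml_docs) if r["suspicious"]]


# Constructed sample 1: layout of a genuine OneDrive updater task (daily, real binary).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Standalone Update Task-S-1-5-21-PLACEHOLDER</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed sample 2: lookalike persistence task; the encoded payload is a harmless
# placeholder command, not the campaign's backdoor.
_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
LOOKALIKE_TASK = rf"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Startup Task</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-w hidden -nop -enc {_ENCODED}</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in hunt([BENIGN_TASK, LOOKALIKE_TASK]):
        print(finding["uri"], finding["reasons"], finding["decoded"])
```

Requiring two indicators to coincide keeps the genuine OneDrive updater (real binary, daily trigger, no arguments) out of the results while the lookalike trips all three; on a real host, feed the function the XML of every task under the user's and the machine's task folders, and treat the decoded command as the starting point for triage rather than as proof by itself.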
Unlike opportunistic campaigns that target random users, this attack is aimed directly at the software developers and engineers who build crypto platforms. These individuals often hold API keys, source-code access, and private wallet keys.
If compromised, they could hand attackers control over critical applications and large amounts of crypto. Researchers have seen this campaign mainly hitting targets in Japan, Australia, and India, showing that the group is deliberately going after new regions.