Key Insights
- Konni used AI-generated PowerShell malware in their crypto scams to target blockchain developers across APAC.
- The campaign delivers backdoors via Discord ZIP files with PDF lures and malicious shortcuts.
- Researchers say LLM-style comments and structure strongly indicate AI-assisted malware development.
North Korean-linked Konni hackers have launched a campaign using AI-built malware to target blockchain developers and engineers, according to Check Point researchers. The activity adds to ongoing concerns over crypto scams and state-linked cyber operations targeting digital asset infrastructure. The campaign relies on PowerShell-based backdoors and social engineering lures to compromise development environments and access sensitive crypto-related assets.
Konni, also known as Opal Sleet and tracked as TA406, has operated since at least 2014. Researchers believe the group maintains ties to other North Korean threat clusters, including APT37 and Kimsuky. Historical activity shows that Konni has targeted organizations across South Korea, Russia, Ukraine, and several European countries.
AI-Built Malware Campaign Shows Risks of Crypto Scams Targeting Developers
The crypto scam attack begins with a Discord link that leads to a ZIP archive containing a decoy PDF and a malicious Windows shortcut (LNK) file. When a victim opens the shortcut, it launches an embedded PowerShell loader. The loader extracts a DOCX file and a cabinet archive that contains a PowerShell backdoor, two batch files, and a user account control (UAC) bypass executable.

The shortcut opens the DOCX file and runs one of the batch files included in the archive. The decoy document serves as a lure, suggesting an attempt to compromise development environments. Researchers noted that such access could expose infrastructure details, API credentials, wallet access, and cryptocurrency holdings.
The first batch file creates a staging directory for the backdoor and related components. The second batch file creates a scheduled task that runs hourly and masquerades as a OneDrive startup task. This scheduled task reads an XOR-encrypted PowerShell script from disk, decrypts it in memory, and executes it. After execution, the crypto scam malware deletes itself to remove signs of compromise.
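The persistence step above leaves a concrete artifact on disk: a Scheduled Task definition. The following script is an added example written for this article (it is not Check Point's code and not the campaign's tooling); it triages exported task XML for the combination described, an OneDrive-themed name whose action is PowerShell on an hourly repetition trigger, with arguments that read a file from disk and evaluate it in memory. Both task definitions inside it are constructed samples, and the "three findings" verdict threshold is an assumption to tune.

```python
"""Triage exported Windows Scheduled Task XML for a OneDrive-lookalike PowerShell task.

Added example, not Check Point's code: both task definitions are constructed samples.
Task XML can be exported with `schtasks /query /tn <name> /xml` or read from the
files under C:\\Windows\\System32\\Tasks during forensic collection."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed lookalike task: OneDrive-themed name, PowerShell action, hourly trigger,
# arguments that load a file and hand it to Invoke-Expression.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Startup Task</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -c "$d=[IO.File]::ReadAllBytes('C:\Users\Public\stage\s.dat'); $s=[Text.Encoding]::UTF8.GetString($d); Invoke-Expression $s"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: the real OneDrive updater runs its own binary, not PowerShell.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Standalone Update Task</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def triage_task(xml_text: str) -> dict:
    """Return the task name, individual findings, and an overall verdict."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip()
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)

    findings = []
    # Name borrows the OneDrive brand but the executable is not a OneDrive binary.
    if "onedrive" in name.lower() and "onedrive" not in command.lower():
        findings.append("OneDrive-themed name but the action is not a OneDrive binary")
    if re.search(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", command, re.I):
        findings.append("action launches PowerShell")
    if re.search(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass", args, re.I):
        findings.append("hidden window or execution-policy bypass switches")
    reads_file = re.search(r"ReadAllBytes|ReadAllText|Get-Content", args, re.I)
    evaluates = re.search(r"Invoke-Expression|\biex\b", args, re.I)
    if reads_file and evaluates:
        findings.append("reads a file from disk and evaluates it in memory")
    if interval.upper() == "PT1H":
        findings.append("hourly repetition trigger")

    # Verdict threshold is an assumption: three independent findings is a strong signal.
    return {"name": name, "findings": findings, "suspicious": len(findings) >= 3}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        verdict = triage_task(sample)
        print(verdict["name"], "->", "SUSPICIOUS" if verdict["suspicious"] else "ok")
        for finding in verdict["findings"]:
            print("   -", finding)
```

The name check is deliberately relative: a task may legitimately mention OneDrive, but its action should then be a OneDrive binary. Running the script across every file under the Tasks directory of a suspect host gives a quick first pass before deeper analysis of any flagged staging file.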
Evidence Shows AI-Generated Malware Used in Crypto Scams
Check Point researchers reported that the PowerShell backdoor shows strong indicators of AI-assisted development. The script uses heavy decoding techniques, including arithmetic-based string encoding, runtime string reconstruction, and execution through Invoke-Expression.
The malware also includes structured documentation and a modular code layout, which researchers described as atypical of traditional, hand-written malware used in crypto scams.
One comment in the script, “# <– your permanent project UUID,” stood out as characteristic of code generated by large language models. Researchers noted that such placeholder instructions are common in AI-generated scripts and tutorials.
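The traits the researchers list are all visible in a static read of the script, so they can be scored without executing anything. The scorer below is an added example written for this article, not Check Point's detection logic: it counts arithmetic `[char]` string building, runtime `-join` reconstruction, `Invoke-Expression`, LLM-style placeholder comments, and the tidy comment-based help and `#region` layout, and turns them into a score. Both PowerShell fragments inside it are constructed (the "obfuscated" one only rebuilds the string `Get-Date`), and the weights and threshold are assumptions to tune.

```python
"""Static heuristics for PowerShell scripts that build strings at runtime and evaluate them.

Added example, not Check Point's detection logic. The two scripts below are constructed;
the obfuscated one imitates the described traits without doing anything beyond Get-Date."""
import re

# Constructed fragment imitating the traits described in the write-up.
OBFUSCATED_SAMPLE = r'''
<#
.SYNOPSIS
    Host registration helper.
#>
$ProjectId = "00000000-0000-0000-0000-000000000000"  # <-- your permanent project UUID
#region Helpers
$chars = @([char](60+11), [char](100+1), [char](115+1), [char](40+5),
           [char](68), [char](97), [char](116), [char](101))
$cmd = -join $chars
#endregion
Invoke-Expression $cmd
'''

# Constructed ordinary admin script: no decoding, no dynamic evaluation.
PLAIN_SAMPLE = r'''
# Rotate the application log once a day.
$log = Join-Path $env:ProgramData "app\app.log"
if (Test-Path $log) { Move-Item $log "$log.$(Get-Date -Format yyyyMMdd)" }
'''

# (name, pattern, weight). The weight is added once if the pattern appears at all;
# the raw hit count is reported separately so an analyst can see how heavy the use is.
HEURISTICS = [
    ("char_arithmetic",     r"\[char\]\s*\(\s*\d+\s*[+\-*]\s*\d+\s*\)", 3),
    ("char_cast",           r"\[char\]\s*\(?\s*\d+",                    1),
    ("runtime_join",        r"-join\b|\[string\]::Join\(",              2),
    ("invoke_expression",   r"\bInvoke-Expression\b|\biex\b",           3),
    ("placeholder_comment", r"#\s*<--\s*your\b|#\s*(?:TODO|replace with your)\b", 2),
    ("comment_based_help",  r"<#\s*\.SYNOPSIS",                         1),
    ("region_blocks",       r"^\s*#region\b",                           1),
]
THRESHOLD = 6  # assumption: tune against a corpus of known-good admin scripts


def score_script(text: str) -> dict:
    """Count each heuristic and return hits, a weighted score, and a verdict."""
    hits, score = {}, 0
    for name, pattern, weight in HEURISTICS:
        count = len(re.findall(pattern, text, re.I | re.M))
        hits[name] = count
        if count:
            score += weight
    return {"hits": hits, "score": score, "likely_obfuscated": score >= THRESHOLD}


if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        result = score_script(sample)
        print(f"{label}: score={result['score']} flagged={result['likely_obfuscated']}")
        for name, count in result["hits"].items():
            if count:
                print(f"   {name}: {count}")
```

The documentation-style heuristics (`comment_based_help`, `region_blocks`) carry low weight on purpose: on their own they describe well-written scripts, and only in combination with runtime string reconstruction feeding `Invoke-Expression` do they become the "tidy but dynamic" profile the researchers describe.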
Before executing its core functions, the malware checks hardware, software, and user activity to detect analysis environments. It then generates a unique host identifier. Depending on the privilege level available on the compromised system, the malware follows different execution paths.
Once active, the backdoor periodically contacts its command-and-control (C2) server. It sends basic host metadata and polls the server at randomized intervals. If the server returns PowerShell code, the malware converts the response into a script block and executes it asynchronously using background jobs.
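Randomised polling intervals blur but do not remove the regularity of a beacon: the gaps between requests to one destination still cluster around a mean, so their coefficient of variation stays far below that of ordinary browsing. The script below is an added example written for this article, not Check Point's detection logic; it runs that check over proxy-log lines. The log lines are constructed (one polling host with jitter, one browsing host), the line format is an assumption, and the thresholds are starting points to tune per environment.

```python
"""Beacon detection over proxy logs: flag (source, destination) pairs whose
inter-request gaps are regular despite jitter.

Added example, not Check Point's code. Log lines are constructed with the
assumed format "<iso-timestamp> <src> <dst> <bytes_out> <bytes_in>"."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2025, 1, 15, 9, 0, 0)


def _line(offset_s, src, dst, out_b, in_b):
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} {src} {dst} {out_b} {in_b}"


# Constructed: one host polls a single destination roughly every 5 minutes with
# jitter and a near-constant small request body (host metadata)...
BEACON_OFFSETS = [0, 312, 598, 905, 1187, 1502, 1798, 2110, 2395, 2700]
# ...while another host browses a site at irregular times with varied sizes.
BROWSE_OFFSETS = [0, 15, 16, 400, 401, 1900, 1950, 3000]

LOG_LINES = (
    [_line(o, "10.0.0.5", "203.0.113.10", 210 + (i % 3) * 8, 512)
     for i, o in enumerate(BEACON_OFFSETS)]
    + [_line(o, "10.0.0.7", "198.51.100.20", 300 * (i + 1), 4096 * (i + 1))
       for i, o in enumerate(BROWSE_OFFSETS)]
)


def parse_line(line):
    ts, src, dst, out_b, in_b = line.split()
    return datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)


def find_beacons(lines, min_requests=6, max_cv=0.25, min_mean=30.0, max_mean=3600.0):
    """Return {(src, dst): stats} for pairs whose request timing looks like polling."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, out_b, _ = parse_line(line)
        by_pair[(src, dst)].append((ts, out_b))

    flagged = {}
    for pair, events in by_pair.items():
        if len(events) < min_requests:
            continue  # too few samples for the statistics to mean anything
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        m = mean(gaps)
        # Coefficient of variation: jittered polling stays low, browsing does not.
        cv = pstdev(gaps) / m if m else float("inf")
        if min_mean <= m <= max_mean and cv <= max_cv:
            flagged[pair] = {
                "requests": len(events),
                "mean_interval": m,
                "interval_cv": round(cv, 3),
                "bytes_out_range": (min(e[1] for e in events), max(e[1] for e in events)),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(LOG_LINES).items():
        print(f"{src} -> {dst}: {stats}")
```

The `bytes_out_range` field is reported rather than thresholded: a backdoor that only sends basic host metadata produces requests of almost identical size, which is a useful second signal when reviewing a flagged pair, but web clients with small fixed payloads exist too, so it should support the timing evidence rather than replace it.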
Attribution and Indicators of Compromise
Check Point attributed the campaign to Konni based on several overlaps with the group's prior activity related to crypto scams. Researchers noted similarities in launcher formats, lure file names, script naming conventions, and execution-chain structures, all of which match tooling observed in previous Konni campaigns.
The researchers also published indicators of compromise related to the campaign to help defenders identify and address infections. These signs are intended to help organizations secure sensitive systems, especially those related to the development of blockchains and cryptocurrency infrastructure.