KONNI Deploys AI-Generated PowerShell Backdoors Targeting Blockchain Developers

Check Point Research reported that the North Korean APT group KONNI deployed AI-assisted, PowerShell-based backdoors in a targeted campaign against blockchain and cryptocurrency developers in Japan, Australia and India. Attackers delivered malicious ZIP archives via Discord links; each ZIP contained a PDF lure, a Windows LNK shortcut and staged payloads. The shortcut launched an embedded PowerShell loader that unpacked a DOCX and a CAB archive containing a PowerShell backdoor, batch files and a UAC-bypass executable. The chain created a staging directory, scheduled an hourly task that mimicked OneDrive, decrypted an XOR-encoded PowerShell script and executed it in memory, then removed traces. The backdoor used arithmetic string encoding, runtime reconstruction and Invoke-Expression to run commands, and it contacted attacker-controlled C2 servers roughly every 13 minutes, identifying the host with a fixed UUID across check-ins. Analysts noted signs of large language model (LLM) assistance in the codebase—clear English documentation, modular structure and instructional placeholders—suggesting AI helped develop the malware. KONNI, active since at least 2014 and previously focused on Korean diplomatic and government targets, has expanded operations to the cryptocurrency sector by targeting developers who control code, APIs, infrastructure and wallets. Check Point published indicators of compromise and recommended mitigations. For crypto traders: this campaign raises operational risks including credential theft, API-key compromise, persistent remote access and potential sabotage of code or infrastructure. Traders should harden developer workstations, rotate and protect keys, restrict developer network access, enable multi-factor authentication, monitor for suspicious outbound connections and apply the published IOCs to defensive tooling.
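As an added illustration of the detection side of the chain described above (example code written for this page, not code from Check Point's report or from the malware), the following Python script flags two behaviours the summary names: outbound contacts from a script interpreter at a near-fixed interval, and a scheduled task that borrows the OneDrive name but launches an interpreter. Every log line, task name, path and address below is a constructed sample, not one of the published IOCs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample connection log: "timestamp,process,destination" (no real IOCs)
SAMPLE_LOG = """\
2024-01-01T09:00:02,powershell.exe,198.51.100.23
2024-01-01T09:13:05,powershell.exe,198.51.100.23
2024-01-01T09:26:01,powershell.exe,198.51.100.23
2024-01-01T09:39:07,powershell.exe,198.51.100.23
2024-01-01T09:52:03,powershell.exe,198.51.100.23
2024-01-01T09:03:10,chrome.exe,203.0.113.8
2024-01-01T09:41:55,chrome.exe,203.0.113.8
2024-01-01T10:20:14,chrome.exe,203.0.113.8
"""

# Constructed scheduled-task records: (task name, command line); paths are made up
SAMPLE_TASKS = [
    ("OneDrive Standalone Update Task", r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    ("OneDrive Sync", r"cmd.exe /c C:\Users\dev\AppData\Local\Temp\stage\run.bat"),
]

def parse_connections(log):
    """Group connection timestamps by (process, destination)."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, proc, dst = line.split(",")
        events[(proc, dst)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(log, min_hits=4, max_jitter_s=30):
    """Return (process, destination, median_gap_s) for hosts contacted at a
    near-fixed interval; a low spread of gaps is the signature of a timer-driven beacon."""
    beacons = []
    for (proc, dst), times in parse_connections(log).items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons.append((proc, dst, median(gaps)))
    return beacons

def suspicious_tasks(tasks):
    """Tasks that borrow the OneDrive name but launch a script interpreter."""
    interpreters = ("powershell", "cmd.exe", "wscript", "cscript", "mshta")
    return [name for name, cmd in tasks
            if "onedrive" in name.lower()
            and any(i in cmd.lower() for i in interpreters)]
```

Against the sample data only the PowerShell contacts (gaps of about 13 minutes with a few seconds of jitter) and the task named "OneDrive Sync" are flagged; the real updater task and the irregular browser traffic pass.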
Bearish
The campaign directly targets blockchain and crypto developers—the personnel who control codebases, API keys, wallets and infrastructure. Compromise of developer workstations or CI/CD pipelines can lead to credential theft, secret exfiltration, unauthorized wallet access, or supply-chain insertion of malicious code. In the short term, compromised projects or teams may pause deployments, revoke keys and audit code, creating uncertainty and potential service disruptions that weigh negatively on token prices tied to affected projects. News of state-linked, AI-augmented attacks also increases sector-wide risk perception and may push risk-averse traders to reduce exposure. In the medium to long term, repeated successful intrusions could damage trust in targeted protocols and slow adoption, keeping downward pressure on prices for affected tokens. However, broad market impact will be limited if attacks remain focused on developer targets rather than widely used custody platforms; well-defended projects and rapid incident response can contain damage. Overall, the immediate effect is likely negative for tokens tied to compromised teams and could raise systemic risk premiums across the crypto sector.