PowerShell malware created with artificial intelligence (AI) tools has been observed in use by the North Korean threat actor Konni to target blockchain developers and engineering teams. According to a technical report released last week by Check Point Research, the phishing campaign has targeted Japan, Australia, and India, demonstrating the adversary's expansion of its targeting scope beyond South Korea, Russia, Ukraine, and European countries.
Konni has been active since at least 2014, and its main focus is on South Korean organizations and individuals. It is also tracked under the names Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.
In November 2025, the Genians Security Center (GSC) described the group's targeting of Android devices, in which Google's asset tracking service, Find Hub, was abused to remotely reset victim devices and wipe personal data from them, marking a new escalation of its tradecraft.
The ZIP archive used in the campaign contains an LNK file and a PDF decoy. The shortcut file's embedded PowerShell loader extracts a Microsoft Word lure document and a CAB archive, displays the Word document as a diversion, and then unpacks the CAB archive, which contains a User Account Control (UAC) bypass executable, two batch scripts, and a PowerShell backdoor.
The first batch script sets up the environment, creates persistence through a scheduled task, stages and runs the backdoor, and then erases itself from disk to reduce forensic visibility. After performing a series of anti-analysis and sandbox-evasion checks, the PowerShell backdoor profiles the system and attempts to elevate privileges using the FodHelper UAC bypass method. To replace the previously created scheduled task with a new one that runs with elevated privileges, the backdoor cleans up the previously dropped UAC bypass executable, adds a Microsoft Defender exclusion for "C:\ProgramData," and executes the second batch script. The backdoor then drops SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, for long-term remote access, and connects to a C2 server protected by an encryption gate designed to block non-browser traffic, sending host metadata at regular intervals and running whatever PowerShell code the server returns. The cybersecurity firm said there are signs that an AI tool was used to create the PowerShell backdoor, pointing to its modular design, human-readable documentation, and source-code comments such as "-– your permanent project UUID."
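A defender reading the chain above will want to check a Windows host for the artefacts it leaves behind. The following host-triage script is an added example, not code from the article, from Check Point, or from the malware: it looks for a Defender exclusion covering C:\ProgramData, scheduled tasks that launch PowerShell from ProgramData (or with hidden or encoded command lines) and notes whether they were registered to run with highest privileges, the ms-settings protocol-handler key in HKCU that the FodHelper UAC bypass relies on, and a SimpleHelp service. The function name, finding fields and the regexes are this example's own; run it in an elevated PowerShell session.

```powershell
# Added host-triage example; not code from the article, Check Point, or the malware.
# Looks for the artefacts the described chain leaves on a Windows host. Function and
# field names are this example's own. Run elevated so task and Defender data are visible.

function Find-KonniStyleArtifacts {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Microsoft Defender exclusions. The backdoor excludes C:\ProgramData before
    #    staging payloads there; an exclusion for all of ProgramData is rarely legitimate.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        foreach ($path in @($pref.ExclusionPath)) {
            if ($path -and $path.TrimEnd('\') -ieq 'C:\ProgramData') {
                Add-Finding 'DefenderExclusion' $path
            }
        }
    } catch {
        Write-Verbose "Get-MpPreference unavailable: $($_.Exception.Message)"
    }

    # 2. Scheduled-task persistence. Flag actions that run PowerShell from ProgramData,
    #    with a hidden window, or with an encoded command, and record the run level:
    #    the chain re-registers the task to run elevated after the UAC bypass.
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in @($task.Actions)) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)powershell|pwsh' -and
                $cmd -match '(?i)\\ProgramData\\|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s') {
                $level = $task.Principal.RunLevel
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) [RunLevel=$level] $cmd"
            }
        }
    }

    # 3. FodHelper UAC bypass residue. The technique plants a handler under the
    #    ms-settings protocol key in the user hive; the key is absent on a clean system.
    $fodKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    if (Test-Path -LiteralPath $fodKey) {
        $props = Get-ItemProperty -LiteralPath $fodKey -ErrorAction SilentlyContinue
        $hasDelegate = $null -ne $props.DelegateExecute
        Add-Finding 'FodHelperKey' "$fodKey default='$($props.'(default)')' DelegateExecute=$hasDelegate"
    }

    # 4. SimpleHelp remote-access tooling. It is a legitimate RMM product, so a hit is
    #    something to reconcile against change records rather than proof of compromise.
    foreach ($svc in @(Get-CimInstance Win32_Service -ErrorAction SilentlyContinue)) {
        if (($svc.Name + ' ' + $svc.DisplayName + ' ' + $svc.PathName) -match '(?i)simplehelp') {
            Add-Finding 'SimpleHelpService' "$($svc.Name): $($svc.PathName)"
        }
    }

    return $findings.ToArray()
}

# Usage: run the checks and print a table, or a one-line all-clear.
$results = Find-KonniStyleArtifacts
if ($results.Count -eq 0) { 'No Konni-style artefacts found.' } else { $results | Format-Table -AutoSize }
```

Each check maps to one step of the chain, so a hit on a single check (a stray SimpleHelp install, say) is a lead to confirm, while hits on the Defender exclusion plus an elevated PowerShell task from ProgramData together are a strong match for this tradecraft.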
According to Check Point, "the campaign goal seems to be to establish a foothold in development environments, where compromise can provide broader downstream access across multiple projects and services, rather than focusing on individual end-users."
"The introduction of AI-assisted tooling suggests an effort to standardize code and accelerate development while continuing to rely on proven delivery methods and social engineering."

The findings align with the identification of several other North Korean-led operations that enable remote control and data theft:

- A spear-phishing campaign that employs government-themed decoy files and JavaScript Encoded (JSE) scripts imitating Hangul Word Processor (HWPX) documents to create a Visual Studio Code (VS Code) tunnel for remote access.
- A phishing campaign that disseminates LNK files posing as PDF documents in order to launch a PowerShell script that detects virtual and malware analysis environments and distributes the MoonPeak remote access trojan.
- Two cyberattacks allegedly carried out by Andariel in 2025: one against an unidentified European legal firm to deliver TigerRAT, and one that distributed three new trojans, StarshellRAT, JelusRAT, and GopherRAT, to downstream victims by hijacking the update mechanism of a South Korean enterprise resource planning (ERP) software vendor. According to the Finnish cybersecurity firm WithSecure, the same ERP vendor's software has been the target of similar supply chain breaches twice before, in 2017 and 2024, to install malware families such as HotCroissant and Xctdoor.
StarshellRAT is written in C# and supports command execution, file upload/download, and screenshot capture, whereas JelusRAT is written in C++ and can retrieve plugins from the C2 server. GopherRAT, for its part, is written in Go and can execute commands or binaries, exfiltrate files, and list all of the files in the file system. According to WithSecure researcher Mohammad Kazem Hassan Nejad, "their targeting and objectives have varied over time; some campaigns have pursued financial gain, while others have focused on stealing information aligned with the regime's priority intelligence needs."
"As those priorities shift over time, this variability highlights the group's adaptability and its capacity to support broader strategic goals."