March 6, 2026

KONNI APT Targets Developers With AI PowerShell Backdoor

Protos AI CTI Agent V 2.1

KONNI — January 2026 AI-developed PowerShell Backdoor Campaign | Protos AI
Classification | Date       | Risk Level | Confidence
TLP:CLEAR      | 2026-03-04 | HIGH       | Medium–High

Executive Summary

At-a-Glance

Attribute      | Value
Risk Level     | HIGH
Confidence     | Medium–High
Key Finding    | KONNI conducted a developer-targeting phishing campaign in January 2026 that delivered an AI-assisted PowerShell backdoor enabling encrypted C2 and in-memory execution.
Primary Action | Immediate: Hunt for scheduled tasks invoking obfuscated PowerShell and block identified malicious hashes and C2 endpoints after telemetry validation.

Available vendor reporting indicates a January 2026 campaign that prioritized developer personas (including blockchain engineers) and delivered a PowerShell backdoor that executed server-supplied code in memory and used encrypted C2.

LLM-enabled malware development (with caveats): Multiple vendor sources describe the backdoor as AI/LLM-assisted. However, direct operator confirmation is not available. Defenders should treat the LLM aspect as a signal of faster variant churn and lower-cost iteration, not as proof of novel capabilities.

Detection should prioritize behavioral indicators (LNK → PowerShell → XOR-decrypt → IEX; scheduled tasks; AES-protected C2) over static signatures due to likely variant churn. C4

Investigation Scope & Methodology

Original Question: In January 2026, an APT group named KONNI targeted developers with an AI-developed PowerShell backdoor. Conduct a deep-dive analysis on their campaign including TTP evolution.
Scope Item          | Details
Investigation Focus | KONNI January 2026 campaign: delivery chain, malware capabilities, infrastructure, TTPs, IOCs, and evolution
Time Period         | January 2026 (primary); historical baseline 2019–2025
Sources Used        | Threat intelligence reporting, vendor technical analyses, OSINT research, artifact-level sample analysis
Methodology         | Reviewed vendor technical writeups; mapped behavior to ATT&CK; assessed attribution and evolution vs. historical KONNI reporting

Key Findings

✅ High Confidence Findings

1. Developer-focused targeting (Confidence: HIGH)

The January 2026 operation prioritized developers (including blockchain engineers) to access high-value credentials and project secrets.

Evidence: Check Point and supporting vendor reporting describe developer-oriented lures and delivery channels.

Analysis: Developer-targeted lures materially increase exposure to source code, CI/CD tokens, and environment secrets. C6

2. Encrypted C2 & in-memory PowerShell execution (Confidence: HIGH)

The backdoor uses AES-style encrypted command channels and executes server-supplied PowerShell code entirely in memory.

Evidence: Technical sample analysis demonstrating AES protection and IEX in-memory execution.

Analysis: Encrypted C2 and in-memory execution reduce opportunity for static detection. C4

⚠️ Medium Confidence Findings

# | Finding | Evidence | Caveat
1 | Delivery chain: collaboration platform → ZIP → LNK → PowerShell loader | Vendor technical walkthroughs documenting ZIP+LNK delivery. | Validate platform-specific URLs; the platform itself is not an IOC.
2 | Persistence & anti-analysis — scheduled tasks, UUID single-instance enforcement | Sample analysis and vendor reports. C3 | Patterns may vary across variants.
3 | Attribution to KONNI — TTP overlap and launcher reuse | Check Point IOC lists; multiple vendor attribution. | Evidence-based but not definitive — operator mimicry remains a possibility.

❓ Low Confidence / Requires Validation

AI-assistance in code generation: LLM-style code artifacts and comments noted, but operator confirmation is lacking. Treat as Medium analytic judgment. C9

Technical Analysis

Delivery & Execution Chain (Reported)

  • Initial access: Link via collaboration/file-sharing platform → ZIP with decoy + malicious LNK → embedded PowerShell loader. C2
  • Loader behavior: LNK extracts CAB contents and stages backdoor + batch scripts. C5
  • Runtime & C2: XOR-encrypted storage, XOR → IEX in-memory execution; AES-protected HTTP(S) polling. C4

Infrastructure Analysis

Vendor reports published sample hashes and listed domains/IPs. Hash listings should be validated against internal telemetry before blocking. C7

Threat Context

Diamond Model Assessment

Vertex         | Findings | Confidence
Adversary      | KONNI (North Korea–linked cluster) — vendor attribution present but not incontrovertible | Medium
Capability     | PowerShell backdoor with encrypted C2, anti-analysis, in-memory code execution | High
Infrastructure | Public file-sharing delivery channel; vendor-listed domains/IPs and sample hashes (needs validation) | Medium
Victim         | Software developers (incl. blockchain engineers) in APAC & beyond | High

Kill Chain Progression

Stage                 | Evidence | Status
Reconnaissance        | Developer project materials used as lures | Observed
Delivery              | Collaboration/file-sharing link → ZIP with LNK C2 | Observed
Exploitation          | LNK launched PowerShell loader (user interaction) | Observed
Installation          | Scheduled task persistence; occasional service/RMM install C5 | Observed
Command & Control     | Encrypted polling and server-supplied PowerShell C4 | Observed
Actions on Objectives | Staged upload/exfiltration workflows observed in samples C4 | Observed

Furthest Stage Reached: Actions on Objectives — staged exfiltration and remote tasking observed; implies elevated urgency for containment and credential rotation.

Evolution vs Prior KONNI Campaigns

Summary: January 2026 retains KONNI's established multi-stage phishing and encrypted C2 approach but shows two notable shifts: explicit developer-centric targeting and introduction of AI-assisted/LLM-style code artifacts.

Dimension    | Detail | Citation
Continuities | Social engineering → multi-stage loader → persistence → encrypted C2; UAC bypass and staged uploads consistent with historical KONNI. | C8
Evolutions   | Targeting shifted to developer communities; code artifacts exhibit LLM-style structure consistent with AI assistance — may increase variant churn. | C9

Implication: Treat developer collaboration platforms and dev workstations as elevated trust boundaries; apply stricter isolation and secrets hygiene.

Recommendations & Mitigation

🚨 Immediate Actions — Priority 1

# | Action | Rationale | Owner
1 | Hunt & remediate: Search for scheduled tasks invoking PowerShell with XOR/IEX strings; isolate and rotate credentials if found. | Matches observed persistence + in-memory execution. | IR / EDR Team
2 | Block & validate: Ingest vendor SHA256 hashes into quarantine after validating against internal telemetry. | Vendor-published hashes map to observed ZIP/LNK samples. | Threat Intel / SOC
3 | Restrict LNK → PowerShell: Block shortcuts launching PowerShell from user-download folders. | Prevents the primary observed delivery chain. | Endpoint / SOC

⚠️ Short-term Actions — Priority 2

# | Action | Rationale
1 | Harden developer secrets: Enforce short-lived tokens, remove long-lived credentials, mandate vaulting. | Limits post-compromise value of developer hosts.
2 | Network detection: Create signatures for AES-wrapped C2, /api/errorMessage-like endpoints, anomalous POST/GET patterns. | Detects encrypted C2 and exfiltration behaviors.

🎯 Long-term Improvements — Priority 3

  • Apply secure development sandboxing for untrusted projects (isolate VMs or ephemeral containers).
  • Integrate developer-centric threat awareness training focused on supply-chain & code contribution lures.

🔍 Detection Opportunities

  • Hunt for scheduled tasks with OneDrive/Updater masquerade names running PowerShell with encoded payloads.
  • Hunt for hardcoded UUID f7d77a6d-36e0-4fcb-bae7-5f4b3b723f61 (defanged). C3
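As an added example (not from the Protos AI report or from any vendor writeup it cites), the following PowerShell hunt implements the Priority 1 scheduled-task search and the two detection opportunities above on a single Windows endpoint. It flags scheduled tasks whose action launches PowerShell with encoded or XOR/IEX-style arguments or under a masquerade-style name, scans common user-writable staging directories for XOR-decrypt-then-IEX idioms and the reported UUID, and hashes any file hit so it can be compared with the vendor IOC list. The UUID and staging filenames are taken from this report; the regular expressions, scan roots and the placeholder `$VendorHashes` list are assumptions to be replaced with validated values.

```powershell
# Added hunt script, not part of the Protos AI report. Run in an elevated PowerShell
# session on a Windows endpoint. Values tagged "from report" come from the page above;
# every regex, scan root and placeholder is this script's own assumption.

$ReportUuid   = 'f7d77a6d-36e0-4fcb-bae7-5f4b3b723f61'               # from report (C3)
$ReportNames  = @('OneDriveUpdate.ps1', 'schedule1.bat', 'simi.bat')  # from report (File Indicators)
$VendorHashes = @('<FULL-SHA256-FROM-VENDOR-IOC-LIST>')                # placeholder: fill from the vendor list (C7)

# Argument idioms that suggest encoded or in-memory PowerShell (assumed, not from the report).
$ArgPatterns = @(
    '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}',   # -EncodedCommand followed by a long base64 blob
    '(?i)\bIEX\b|Invoke-Expression',                      # in-memory execution of decoded text
    '(?i)-bxor',                                          # XOR decrypt loop
    '(?i)FromBase64String',                               # staged payload decoding
    '(?i)-w(indowstyle)?\s+hidden',                       # hidden console window
    '(?i)-nop\b|-noprofile'                               # profile bypass
)
# Masquerade-style names; genuine Microsoft tasks live under \Microsoft\ and are excluded.
$MasqueradeName = '(?i)onedrive|updater|update'

function Test-SuspiciousTask {
    param($Task)   # MSFT_ScheduledTask object returned by Get-ScheduledTask
    $reasons = @()
    if ($Task.TaskName -match $MasqueradeName -and $Task.TaskPath -notlike '\Microsoft\*') {
        $reasons += "masquerade-style name '$($Task.TaskName)' outside \Microsoft\"
    }
    foreach ($action in $Task.Actions) {
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        if ($exe -notmatch '(?i)powershell|pwsh|cmd\.exe|wscript|cscript|mshta') { continue }
        foreach ($p in $ArgPatterns) {
            if ($arguments -match $p) { $reasons += "arguments match $p" }
        }
        foreach ($n in $ReportNames) {
            if ("$exe $arguments" -match [regex]::Escape($n)) { $reasons += "references reported filename $n" }
        }
    }
    return ,$reasons
}

# 1. Scheduled tasks whose actions resemble the reported LNK -> PowerShell -> XOR -> IEX chain.
$taskFindings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $reasons = Test-SuspiciousTask -Task $task
    if ($reasons.Count -gt 0) {
        $info = Get-ScheduledTaskInfo -InputObject $task -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Task        = "$($task.TaskPath)$($task.TaskName)"
            State       = $task.State
            LastRunTime = $info.LastRunTime
            Action      = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            Reasons     = $reasons -join '; '
        }
    }
}

# 2. Script files in user-writable locations carrying XOR/IEX idioms or the reported UUID.
$ScanRoots   = @($env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:TEMP) | Where-Object { $_ }   # assumed staging roots
$FilePattern = '(?i)-bxor|Invoke-Expression|\bIEX\b|FromBase64String|' + [regex]::Escape($ReportUuid)
$fileFindings = Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.ps1,*.bat,*.cmd,*.txt -ErrorAction SilentlyContinue |
    Select-String -Pattern $FilePattern -List |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            Path         = $_.Path
            Match        = $_.Matches[0].Value
            SHA256       = $hash
            InVendorList = $VendorHashes -contains $hash    # meaningful only once the placeholder list is filled
        }
    }

# 3. Report. A hit is a triage lead (check creation time, creating user, parent process), not a verdict.
"Scheduled-task findings: $(@($taskFindings).Count)"; $taskFindings | Format-Table -AutoSize -Wrap
"File findings: $(@($fileFindings).Count)";           $fileFindings | Format-Table -AutoSize -Wrap
```

The argument patterns deliberately include generic idioms (`-EncodedCommand`, `-WindowStyle Hidden`, `-NoProfile`) that legitimate administration scripts also use, so expect benign hits from management tooling; the value of the hunt is in correlating several reasons on one task, an execution path outside `\Microsoft\`, and a recent `LastRunTime` on a developer workstation, then confirming against the full vendor hashes before any blocking action.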

Indicators of Compromise

⚠ All indicators are defanged for safety. Validate against internal telemetry before enforcement.

Network Indicators

Type   | Indicator | Context | Risk
Domain | filetrasfer[.]wuaze[.]com | Domain observed in vendor IOC lists (validate before blocking). | MEDIUM
Domain | price-oracle-v2[.]vercel[.]app | Developer-style staging domain in vendor reporting (validate). | MEDIUM
IP     | 87[.]236[.]177[.]9 | Reported stage 2 C2 host (validate in your network before blocking). | MEDIUM

File Indicators

Type       | Hash / Value | Filename | Context
SHA256     | c79ef378...ade5d5 | (ZIP sample) | Published vendor hash — confirmed in vendor IOC list. C7
SHA256     | 39fdff2e...1760c | (LNK launcher) | Published vendor hash — confirmed in vendor IOC list. C7
Filename   | OneDriveUpdate.ps1 / schedule1.bat / simi.bat | Staging filenames | Observed in samples. Observable.
Mutex/UUID | f7d77a6d-36e0-4fcb-bae7-5f4b3b723f61 | n/a | Hardcoded UUID for single-instance enforcement (huntable). HIGH C3

Evidence Gaps & Limitations

Information Gaps

  • Attribution certainty: No operator confession or direct tracing. Additional infrastructure telemetry would raise confidence. C1
  • AI provenance: Code provenance and developer confirmation required to fully substantiate AI-generated claim. C9
  • Infrastructure correlation: Some domains require independent validation in internal telemetry before enforcement.

Methodology Limitations

Analysis relies on vendor-published sample analyses and reporting; internal telemetry was not available in this investigation.

Recommended Follow-up

  • Validate vendor hashes/domains against internal EDR/telemetry and VirusTotal submission metadata.
  • Collect network captures from suspected hosts to extract C2 patterns and map server certificates.

Confidence Assessment

Confidence Level | Findings
High             | Developer targeting (Key Finding 1); Encrypted C2 & in-memory execution (Key Finding 2)
Medium           | Delivery chain details; Persistence & anti-analysis; Vendor attribution to KONNI; AI-assistance assessment
Low/Unverified   | Some infrastructure domains and hosting relationships pending validation in internal telemetry

Sources & References

Source Type         | Description
Threat Intelligence | Check Point Research, Broadcom/Symantec protection bulletin, vendor sample analyses (primary)
OSINT Research      | Secondary press and vendor summarizations (DarkReading, BleepingComputer)
Historical Analysis | Fortinet/FortiGuard Labs KONNI baseline reporting (historic TTP comparison)

Citations

C1: Check Point Research attributed the campaign to KONNI via TTP overlap and IOC similarity — Check Point Research (MEDIUM)
C2: Campaign used a Discord-hosted link to deliver a ZIP with a decoy and malicious LNK → PowerShell loader — Check Point Research (MEDIUM)
C3: Backdoor performed anti-analysis checks using hardcoded UUID f7d77a6d-36e0-4fcb-bae7-5f4b3b723f61 — Check Point Research (MEDIUM)
C4: The January 2026 KONNI backdoor implemented encrypted C2 (AES-protected) and executed server-supplied PowerShell in memory — Check Point Research · Broadcom/Symantec (HIGH)
C5: Persistence via scheduled task; obfuscation consistent with XOR-decrypt-then-IEX — Check Point Research (MEDIUM)
C6: Reporting described targeting of developers (including blockchain engineers) with developer-oriented lures — Check Point Research · Dark Reading (HIGH)
C7: Vendor published SHA-256 hashes for ZIP and LNK launcher artifacts — Check Point Research (MEDIUM)
C8: Historic KONNI (2023) used weaponized docs, batch scripts, DLL components for UAC bypass and encrypted C2 — Fortinet FortiGuard Labs (MEDIUM)
C9: January 2026 shows evolution toward developer-centric targeting and AI-assisted malware while retaining phishing/encrypted C2 tradecraft — Check Point Research · Fortinet FortiGuard Labs (MEDIUM)