Cracks in the Blockchain Wall: Konni Breaks Through with AI-Generated PowerShell

  • Javier Conejo del Cerro
  • 2 hours ago
  • 3 min read

Blockchain development environments are often perceived as fortified structures: layered access controls, segmented networks, and highly skilled engineers guarding critical code. Yet even the strongest walls fail when attackers learn where the blocks don’t quite fit. The North Korea–linked Konni threat group has demonstrated how AI-assisted PowerShell tooling, combined with well-worn social engineering techniques, can quietly fracture these defenses. By targeting developers rather than end users, Konni seeks to undermine the integrity of entire ecosystems—one cracked wall at a time.


Phase 1: Finding the Weak Blocks


Konni’s campaign focuses on blockchain developers and engineering teams in Japan, Australia, and India, marking a notable expansion beyond its traditional targeting of South Korea, Russia, Ukraine, and parts of Europe. Rather than indiscriminate phishing, the attackers carefully tailor lures to development workflows, posing as project requirements, financial notices, transaction confirmations, or wire transfer requests.

These lures are designed to blend naturally into the professional context of developers, exploiting trust in shared documents, collaboration platforms, and advertising ecosystems. The objective at this stage is not immediate exploitation, but convincing the victim to open what appears to be a legitimate project-related artifact.


Phase 2: Slipping Through the Gate


Initial access is achieved through spear-phishing emails containing links that redirect victims to ZIP archives hosted on WordPress sites or Discord’s CDN. In earlier variants, Konni also abused Google and Naver advertising redirection URLs to bypass email security filters, leveraging legitimate ad-tracking infrastructure to mask malicious destinations.

Each ZIP archive contains a decoy PDF alongside a Windows shortcut (LNK) file. When executed, the shortcut launches an embedded PowerShell loader, immediately beginning the breach while displaying the decoy document to avoid suspicion.


Phase 3: Breaking the Wall from the Inside


Once executed, the PowerShell loader initiates a multi-stage attack chain:

  • It extracts additional components, including a Microsoft Word lure, a CAB archive, and multiple scripts.

  • The CAB archive contains an AI-generated PowerShell backdoor, batch scripts, and a binary used to bypass User Account Control (UAC) via the FodHelper technique.

  • A first batch script prepares the environment, stages the backdoor, establishes persistence using a scheduled task, executes the payload, and then deletes itself to reduce forensic visibility.

At this point, the wall is no longer cracked—it is structurally compromised.


Phase 4: AI-Assisted Control and Persistence


The PowerShell backdoor performs extensive anti-analysis and sandbox-evasion checks, profiles the system, and weakens defenses by configuring Microsoft Defender exclusions (notably for C:\ProgramData). It then replaces the original scheduled task with one capable of running at elevated privileges.

To maintain long-term access, the attackers deploy SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, repurposed for persistent remote control. Communications with the command-and-control (C2) server are protected by an encryption gate that blocks non-browser traffic, allowing the malware to periodically exfiltrate host metadata and execute PowerShell commands received from the server.

Check Point researchers assess that parts of the PowerShell backdoor were generated or assisted by AI tools, citing its modular design, human-readable documentation, and developer-style source comments. This reflects an effort to accelerate malware development while prioritizing reliability over sophistication.


Phase 5: What the Attack Enables


Rather than immediate monetization, the campaign’s goal is to establish a foothold inside development environments. From there, attackers can:

  • Exfiltrate system metadata and environment details

  • Steal credentials, source code, and project assets

  • Enable lateral movement across development pipelines

  • Lay groundwork for downstream supply-chain compromises

By breaching developers, Konni effectively targets the wall protecting multiple projects, services, and organizations downstream.


Measures to Reinforce the Wall


Organizations—especially those operating blockchain or software development environments—should consider the following defensive measures:

  • Block or heavily restrict execution of LNK files from email and downloaded archives

  • Enforce PowerShell Constrained Language Mode and script logging

  • Monitor and alert on scheduled task creation and modification

  • Detect and investigate Microsoft Defender exclusion changes

  • Audit the use of legitimate RMM tools such as SimpleHelp

  • Harden WordPress sites and CDN-hosted assets against abuse

  • Apply least privilege principles across developer workstations

  • Segment development environments from production and sensitive networks
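As an added illustration, not code from the original post or from Check Point's research, the Python triage rules below run over constructed sample event records and flag the three host-side signals called out in Phase 4 and in the measures above: a hidden-window PowerShell launch from Explorer, a scheduled task that runs a scripting host, a user-writable path or the highest run level, and a Microsoft Defender path exclusion, with C:\ProgramData rated highest. The event IDs and field names follow the Windows Security, Defender Operational and Sysmon logs, but the records themselves are constructed and the rule thresholds are assumptions to tune locally.

```python
"""Triage rules for the Konni-style host signals described in the post (constructed sample data)."""
import re

# Constructed Windows event records, reduced to the fields the rules need.
# EventID 4698/4702 = scheduled task created/updated (Security log),
# 5007 = Microsoft Defender configuration change (Defender/Operational log),
# 1 = Sysmon process creation. None of these records come from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -f C:\\Users\\dev\\Downloads\\project\\run.ps1"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-w hidden -f "
                    "C:\\ProgramData\\upd.ps1</Arguments></Exec><RunLevel>HighestAvailable</RunLevel>"},
    {"EventID": 5007, "Message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData = 0x0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

# User-writable staging directories worth flagging when a scheduled task points at them.
SUSPECT_DIRS = re.compile(r"(?i)(c:\\programdata|\\appdata\\local\\temp|\\downloads)\\")
# PowerShell switches that hide the window, bypass execution policy or pass an encoded command.
HIDDEN_PS = re.compile(r"(?i)-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|enc|encodedcommand)\s")
SCRIPT_HOSTS = re.compile(r"(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta)")

def triage(event):
    """Return a one-line finding for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 5007 and "Exclusions\\Paths\\" in event.get("Message", ""):
        path = event["Message"].split("Exclusions\\Paths\\", 1)[1].split(" =", 1)[0]
        # C:\ProgramData is the exclusion the post attributes to the backdoor; rate it highest.
        sev = "high" if path.lower().rstrip("\\") == "c:\\programdata" else "medium"
        return f"{sev}: Defender path exclusion added for {path}"
    if eid in (4698, 4702):
        content = event.get("TaskContent", "")
        if SCRIPT_HOSTS.search(content) or SUSPECT_DIRS.search(content) or "HighestAvailable" in content:
            return f"high: scheduled task {event.get('TaskName')} runs a scripting host, a user-writable path, or at highest run level"
    if eid == 1 and event.get("Image", "").lower().endswith("powershell.exe"):
        cmd = event.get("CommandLine", "")
        if HIDDEN_PS.search(cmd) and event.get("ParentImage", "").lower().endswith("explorer.exe"):
            return "high: hidden/bypass PowerShell launched from Explorer (consistent with an LNK lure)"
    return None

def run(events=SAMPLE_EVENTS):
    """Apply triage() to every event and return the non-empty findings in order."""
    return [f for f in (triage(e) for e in events) if f]

if __name__ == "__main__":
    for finding in run():
        print(finding)
```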


Konni’s latest campaign shows that walls don’t always fall to brute force. Sometimes they fail because attackers understand how to remove just enough blocks—quietly, methodically, and with the help of automation and AI. By combining proven spear-phishing techniques with AI-assisted PowerShell backdoors and legitimate remote tools, Konni demonstrates how modern espionage operations prioritize reliability, persistence, and strategic positioning over flashy exploits.


For organizations in the blockchain space, the lesson is clear: securing code means securing the people and environments that build it. If the wall around development cracks, everything built behind it is at risk.



The Hacker News

