A North Korea–linked hacking group known as Konni has been identified in a new cyber-espionage campaign targeting blockchain and cryptocurrency developers. Security researchers confirmed that the group is using an advanced PowerShell backdoor that appears to be generated with the help of artificial intelligence. The campaign mainly focuses on developers working on crypto platforms and decentralized technologies. This marks a significant shift in Konni’s traditional attack targets.

Konni has been active for many years and is known for conducting espionage operations against governments, research institutions, and technology firms. In this latest campaign, the group has changed its focus to software engineers involved in blockchain development. Researchers believe this shift is driven by the high value of crypto infrastructure and digital assets. Developers often have privileged access, making them attractive targets.
The attack starts with phishing messages that trick victims into downloading a ZIP file. These files are commonly shared through platforms like Discord, making them appear trustworthy. Inside the ZIP file are a decoy document and a Windows shortcut file. When the shortcut is opened, it silently launches a malicious PowerShell script in the background.
While the victim sees a normal document on their screen, the malware begins installing itself without any visible warning. Additional files are extracted and placed in system folders to avoid suspicion. The malware also creates scheduled tasks that allow it to restart automatically. This gives the attackers long-term access to the infected system.
The PowerShell backdoor used in this campaign is heavily obfuscated to hide its true purpose. It includes multiple anti-analysis techniques designed to avoid detection by security tools. The malware checks for sandbox environments and monitoring tools before fully activating. This behavior makes it difficult for researchers and antivirus software to detect.
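The chain described above (Explorer launching a hidden PowerShell from a shortcut, files staged into system or AppData folders, a scheduled task for persistence) leaves a recognisable footprint in process-creation telemetry. The script below is an added example, not code from the article or from the researchers it cites: it runs a few detection rules over constructed Sysmon-style process events (parent image, image, command line) and reports which events match and why. The sample events, paths, task names and flag combinations are invented for illustration and are not indicators from the Konni campaign.

```python
"""Hunt for an LNK -> hidden PowerShell -> scheduled-task chain in process telemetry.

Added example. SAMPLE_EVENTS is constructed to resemble process-creation
records (as Sysmon event 1 or an EDR would log them); nothing here is taken
from the reported campaign.
"""
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Launch flags typical of shortcut droppers: hidden window, bypassed
# execution policy, encoded command body, or a profile-less session.
SUSPICIOUS_FLAGS = re.compile(
    r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden"
    r"|(?:^|\s)-(?:ep|exec|executionpolicy)\s+bypass"
    r"|(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"
    r"|(?:^|\s)-nop(?:rofile)?\b",
    re.IGNORECASE,
)

# Folders where user-level malware commonly stages its payload, either as a
# literal path or via the matching environment variable.
STAGING_DIR = re.compile(
    r"\\(?:ProgramData|AppData\\(?:Roaming|Local)|Windows\\Temp)\\"
    r"|\$env:(?:APPDATA|LOCALAPPDATA|PROGRAMDATA|TEMP)",
    re.IGNORECASE,
)
DROP_VERB = re.compile(
    r"Expand-Archive|Copy-Item|Move-Item|Set-Content|Out-File|-OutFile",
    re.IGNORECASE,
)

# Persistence: schtasks.exe creating a task whose action is PowerShell, or
# PowerShell registering a task through the ScheduledTasks cmdlets.
SCHTASKS_PS = re.compile(r'/create\b.*?/tr\s+"?[^"]*?(?:powershell|pwsh)', re.IGNORECASE)
PS_TASK_CMDLET = re.compile(r"Register-ScheduledTask|New-ScheduledTaskAction", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons an event looks like part of the chain (empty if benign)."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    reasons = []
    if image in POWERSHELL:
        if parent == "explorer.exe" and SUSPICIOUS_FLAGS.search(cmd):
            reasons.append("hidden/encoded PowerShell launched from Explorer (shortcut-style lure)")
        if STAGING_DIR.search(cmd) and DROP_VERB.search(cmd):
            reasons.append("PowerShell staging files into a system or AppData folder")
        if PS_TASK_CMDLET.search(cmd):
            reasons.append("PowerShell registering a scheduled task")
    elif image == "schtasks.exe" and SCHTASKS_PS.search(cmd):
        reasons.append("schtasks creating a task that runs PowerShell")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed telemetry: two malicious-looking events among three benign ones.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" "C:\Users\dev\Downloads\Whitepaper.docx"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -w hidden -ep bypass -c "Expand-Archive -Path $env:TEMP\pkg.zip -DestinationPath $env:APPDATA\svc"'},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /sc onlogon /tn "SvcUpdate" /tr "powershell.exe -w hidden -File C:\ProgramData\svc\update.ps1"'},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['command_line']}")
        for reason in reasons:
            print(f"    - {reason}")
```

Each rule on its own would be noisy (administrators also run `-ExecutionPolicy Bypass`, and Explorer legitimately spawns PowerShell consoles), which is why the rules key on the combination the article describes: Explorer as parent plus stealth flags, staging into hidden folders, and a task whose action is PowerShell. In a real deployment the same logic would sit in a SIEM or EDR query over live events rather than a Python list.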
Security experts noted that the structure and formatting of the malware strongly suggest the use of AI tools. The code is unusually well-organized and contains clear logic flows and descriptive elements. These traits are uncommon in manually written malware. This indicates that threat actors are increasingly using AI to speed up development and improve effectiveness.
Once active, the backdoor connects to a remote command-and-control server controlled by the attackers. Through this connection, the hackers can run commands, steal data, and download additional malware. This allows them to monitor the system continuously. The compromised machine essentially becomes part of the attacker’s network.
The main goal of the campaign is believed to be the theft of sensitive developer assets. This includes API keys, infrastructure credentials, source code, and digital wallet access. By compromising developer systems, attackers can potentially infiltrate entire blockchain platforms. Researchers warn that this campaign highlights the growing risks facing the crypto and Web3 ecosystem.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news