A Deep Dive Into a Multi-Stage Malware Campaign Potentially Linked to DPRK’s Konni Group
Introduction
I recently came across a ZIP archive containing a suspicious .lnk file with a Korean filename. That instantly caught my eye. And after digging into it, I realized this wasn’t just some random shortcut; it was part of a full-blown multi-stage malware campaign that’s still active.
What’s more intriguing is that the TTPs observed in this campaign bear strong similarities to previous operations linked to DPRK’s Konni APT group.
But who is this Konni APT? The Konni APT group, active since at least 2014 and first exposed by Cisco’s Talos team in 2017, is a North Korean-linked cyberthreat actor. It primarily targets South Korean financial institutions, government, and defense sectors with sophisticated phishing campaigns.
In this blog, I’ll walk through the entire execution flow, unpack file behaviors, and highlight why this operation might be part of a broader DPRK-linked campaign. Attribution …
IoC