Analysis of KONNI's LINKON Malware
2025.02.14
S2W Threat Intelligence Center TALON has published a report analyzing the LINKON malware associated with the North Korean APT group KONNI. This highly sophisticated threat intelligence report details malware disguised as the Financial Intelligence Unit of the Financial Services Commission.
✅ Report Title:
The North Korea-backed KONNI’s LINKON malware disguised as a Financial Services Commission
✅ Executive Summary:
On January 23, 2025, an LNK malware sample disguised as a file named "Virtual Asset Service Provider Inspection Plan Party Policy Meeting Presentation_FN2" was discovered and analyzed.
- File name: 가상자산사업자 검사계획민당정회의 발표자료_FN2.hwp.lnk (Korean file name)
- MD5: e37c8f6aba686aab3d7ecedbd1d0ef43
- SHA256: 5a8ecafbd5809000334bf5b940a497d0ed750dd11da8a03796f5ce53257cc892
Upon execution, this malicious LNK file leverages PowerShell commands to drop and execute a decoy document along with additional files embedded within the LNK. It has been identified as LINKON malware.
KONNVBS and KONNBAT scripts maintain persistence by registering specific script files in the Windows Task Scheduler or downloading additional files from a hardcoded attacker-controlled server …
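A triage sketch for the shortcut traits the summary describes (a document-style double extension, PowerShell in the shortcut, and files embedded in the LNK), added here as an example and not taken from the S2W report. The extension list, the size threshold and the sample bytes are assumptions constructed for illustration; the field offsets follow Microsoft's MS-SHLLINK layout.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK LinkCLSID
HAS_IDLIST, HAS_LINKINFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80  # LinkFlags bits
DOC_EXTS = (".hwp", ".pdf", ".doc", ".docx", ".xls", ".xlsx")  # assumed decoy extensions
MAX_PLAIN_LNK = 100 * 1024  # assumed size threshold; ordinary shortcuts are a few KB

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a Shell Link ('' if none)."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of ShellLinkHeader
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in (0x04, 0x08, 0x10, HAS_ARGS):    # name, relative path, working dir, args
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            if bit == HAS_ARGS:
                return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return ""

def triage(filename, data):
    """Return the reasons a shortcut deserves analyst review (empty list = none)."""
    reasons = []
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOC_EXTS):
        reasons.append("document double extension")
    low = data.lower()                          # lowercases ASCII bytes only
    if b"powershell" in low or "powershell".encode("utf-16-le") in low:
        reasons.append("references powershell")
    if len(data) > MAX_PLAIN_LNK:
        reasons.append("oversized, possible embedded files")
    return reasons

def build_sample(args, pad=0):
    """Constructed minimal LNK (header, arguments, optional appended bytes)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE).ljust(76, b"\0")
    body = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + body + b"\0" * 4 + b"A" * pad

if __name__ == "__main__":
    sample = build_sample("/c powershell -Command <placeholder>", pad=200_000)  # constructed
    print(lnk_arguments(sample))
    print(triage("plan_FN2.hwp.lnk", sample))
```

Each reason is a prompt for manual review rather than a verdict; a truncated or malformed shortcut raises `struct.error` or `ValueError` and should be treated as suspicious in its own right.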