Konni’s New Arsenal: Unmasking GSRAT in North Korea-linked APT Operation
Takuma Matsumoto
Yoshihiro Ishikawa
© 2026 LAC Co., Ltd.
Who We Are
Takuma Matsumoto: Malware Analyst, Cyber Emergency Center at LAC Co., Ltd.
Yoshihiro Ishikawa: Cyber Threat and Malware Analyst, Cyber Emergency Center at LAC Co., Ltd.
Agenda
1. Overview
2. Campaign Summary
3. A Study of AutoIt
4. Deep Dive into GSRAT
5. Attribution
6. Countermeasures of Threat
7. Conclusion
Introduction
• In May 2025, the North Korea-related APT actor Konni launched an attack using a new AutoIt-based RAT (GSRAT)
• This campaign targeted organizations associated with Japanese financial institutions
• Konni distributed malware consisting of an LNK file and an AutoIt script via a spear-phishing attack that impersonated affiliated companies
• We share more details about this campaign, including the new malware GSRAT
01 Overview
Konni
• North Korean state-sponsored threat group active since at least 2014
• Alias: Opal Sleet (Microsoft), UNC4531 (Mandiant), Earth Imp (TrendMicro)
• Targets: …
• Main Victims: …
IoC