Multi-Stage malware campaign targeting South Korean entities linked to Konni APT

2025-04-29, Symantec
https://www.broadcom.com/support/security-center/protection-bulletin/multi-stage-malware-campaign-targeting-south-korean-entities-linked-to-konni-apt
#Konni #LNK

April 29, 2025

A sophisticated multi-stage malware campaign potentially linked to the North Korean Konni APT group has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut that executes an obfuscated PowerShell script designed to download and run additional malicious payloads. The final payload is a Remote Access Trojan (RAT) that establishes persistent access, collects system information and directory listings, and exfiltrates the data to a compromised Command and Control (C2) server.

Symantec protects you from this threat, identified by the following:

Behavior-based

SONAR.Powershell!g20
SONAR.Powershell!g111

Carbon Black-based

Associated malicious indicators are blocked and detected by existing policies within VMware Carbon Black products. The recommended policy at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit …