{"id":206583,"date":"2026-01-26T03:54:00","date_gmt":"2026-01-26T08:54:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/01\/26\/konni-hackers-deploy-ai-generated-powershell-backdoor-against-blockchain-developers\/"},"modified":"2026-01-26T08:10:08","modified_gmt":"2026-01-26T13:10:08","slug":"konni-hackers-deploy-ai-generated-powershell-backdoor-against-blockchain-developers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/01\/26\/konni-hackers-deploy-ai-generated-powershell-backdoor-against-blockchain-developers\/","title":{"rendered":"Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/konni-hackers-deploy-ai-generated.html\">Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/konni-hackers-deploy-ai-generated.html\">https:\/\/thehackernews.com\/2026\/01\/konni-hackers-deploy-ai-generated.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-26 03:54:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Jan 26, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Endpoint Security<\/span><\/p>\n<p>The North Korean threat actor known as <strong>Konni<\/strong> has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector.<\/p>\n<p>The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary&#8217;s expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations, Check Point Research said in a technical report published last week.<\/p>\n<p>Active since at least 2014, Konni is primarily known 
for its targeting of organizations and individuals in South Korea. It&#8217;s also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.<\/p>\n<p>In November 2025, the Genians Security Center (GSC) detailed the hacking group&#8217;s targeting of Android devices by exploiting Google&#8217;s asset tracking service, Find Hub, to remotely reset victim devices and erase personal data from them, signaling a new escalation of their tradecraft.<\/p>\n<p>As recently as this month, Konni has been observed distributing spear-phishing emails containing malicious links that are disguised as harmless advertising URLs associated with Google and Naver&#8217;s advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT.<\/p>\n<p>The campaign has been codenamed Operation Poseidon by the GSC, with the attacks impersonating North Korean human rights organizations and financial institutions in South Korea. The attacks are also characterized by the use of improperly secured WordPress websites to distribute malware and for command-and-control (C2) infrastructure.<\/p>\n<p>The email messages have been found to masquerade as financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) that&#8217;s designed to execute an AutoIt script disguised as a PDF document. 
The AutoIt script is a known&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/konni-hackers-deploy-ai-generated.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers https:\/\/thehackernews.com\/2026\/01\/konni-hackers-deploy-ai-generated.html Publish Date: 2026-01-26 03:54:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":206584,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZjxGlZLamF04EJ6k6LroD__iJijKDR-um0kxbhfPls3rVFqj3SNIZweWeNb_S0WqzDo5EwSfg6iTiVddPJJg48dQKaUkw2RYxMeYVC-NcfGDxMbGHR79_V6nSAawHyjJgDrTlEtRFheK3q6sDqJIgZwvGDYtaKf-KintMeOaelZyqgjl_0-qNSNO4gS6W\/s1700-e365\/hackers-ps.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24,32,25,34],"class_list":["post-206583","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206583"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=206583"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206583\/revisions"}],"predecessor-version":[{"id":206585,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206583\/revisions\/206585"}],"wp:featuredmedia":[{"embeddable":
true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/206584"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=206583"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=206583"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=206583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}