{
	"id": "04975f86-1bc5-4cf8-b2f2-3c0c0fbf66ec",
	"created_at": "2026-04-06T00:08:12.173888Z",
	"updated_at": "2026-04-10T03:26:56.287029Z",
	"deleted_at": null,
	"sha1_hash": "07e6b07d8ba0cced6ef0bef140350703df07ab0c",
	"title": "KONNI: A Malware Under The Radar For Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1431174,
	"plain_text": "KONNI: A Malware Under The Radar For Years\r\nBy Paul Rascagneres\r\nPublished: 2017-05-03 · Archived: 2026-04-05 21:38:21 UTC\r\nThis blog was authored by Paul Rascagneres\r\nExecutive Summary\r\nTalos has discovered an unknown Remote Administration Tool that we\r\nbelieve has been in use for over 3 years. During this time it has managed to avoid scrutiny by the\r\nsecurity community. The current version of the malware allows the operator to steal files,\r\nkeystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has\r\nnamed this malware KONNI.\r\nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the\r\ninitial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display\r\na decoy document to the users, and finally execute the malware on the victim's machine. The malware\r\ninfrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has\r\nevolved over time. In this article, we will analyse this evolution:\r\nat the beginning the malware was only an information stealer without remote administration\r\nit moved from a single file malware to a dual file malware (an executable and a dynamic library)\r\nthe malware has supported more and more features over time\r\nthe decoy documents have become more and more advanced\r\nThe different versions contain copy/pasted code from previous versions. Moreover the new version\r\nsearches for files generated by previous versions (this implies that the malware has been used several\r\ntimes against the same targets). This evolution is illustrated across 4 campaigns: one in 2014, one in 2016\r\nand finally two in 2017. The decoy document of the last 2 campaigns suggests that the targets are public\r\norganisations. 
Both documents contained email addresses, phone numbers and contacts of members of\r\nofficial organizations such as the United Nations, UNICEF, and Embassies linked to North Korea.\r\n3 Years Of Campaigns\r\n2014 Campaign: Fatal Beauty\r\nIn this campaign, the dropper filename was beauty.scr. Based on the\r\ncompilation date of the two binaries, this campaign took place in September 2014. Once executed, two files\r\nwere dropped on the targeted system: a decoy document (a picture) and a fake svchost.exe binary. Both files\r\nwere stored in \"C:\\Windows\". The picture is a Myanmar temple:\r\nhttps://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html\r\nPage 1 of 13\n\nThe fake svchost binary is the KONNI malware. The first task of the malware is to generate an ID to identify the\r\ninfected system. This ID is generated based on the installation date of the system, as found in the registry\r\n(HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate). The second task of the malware is to ping the\r\nCC and get orders. The malware includes 2 domains:\r\nphpschboy[.]prohosts[.]org\r\njams481[.]site[.]bz\r\nThe developer used the Microsoft Winsocks API to handle the network connection. Surprisingly, this isn't the\r\neasiest or the most efficient technical choice for an HTTP connection. The malware samples we analysed connected\r\nto only one URI: \u003cc2-domain\u003e/login.php.\r\nThis version of KONNI is not designed to execute code on the infected system. 
The purpose is to be executed only\r\nonce and steal data on the infected system. Here are the main features:\r\nKeylogger\r\nClipboard stealer\r\nFirefox profiles and cookies stealer\r\nChrome profiles and cookies stealer\r\nOpera profiles and cookies stealer\r\nThe malware internally uses several temporary files:\r\nspadmgr.ocx\r\nscreentmp.tmp (log file of the keylogger)\r\nsolhelp.ocx\r\nsultry.ocx\r\n2016 Campaign: \"How can North Korean hydrogen bomb wipe out Manhattan.scr\"\r\nThe name of the .scr\r\nfile was directly linked to tension between North Korea and the USA in March 2016: more information. Based\r\non the compilation dates of the binaries, the campaign took place in the same period. An interesting fact:\r\nthe dropped library was compiled in 2014 and appears in our telemetry in August 2015, indicating that this\r\nlibrary was probably used in another campaign.\r\nThe .scr file contains 2 Office documents. The first document was in English and the second in Russian. In the\r\nsample only the English version can be displayed to the user (that is hardcoded in the sample):\r\nThe Russian document is not used by the sample; we assume that the author of the malware forgot to remove the\r\nresource containing the Russian decoy document:\r\nThe malware author changed the malware architecture; this version is divided into two binaries:\r\nconhote.dll\r\nwinnit.exe\r\nAnother difference is the directory where the files are dropped: it's no longer C:\\Windows but\r\nrather the local settings of the current user (%USERPROFILE%\\Local Settings\\winnit\\winnit.exe). Thanks\r\nto this modification, the malware can be executed with a non-administrator account. The .dll file is\r\nexecuted by the .exe file. 
In this version, a shortcut is created in order to launch winnit.exe in the following\r\npath %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk. As you can see the attacker\r\nhas gone to great lengths to disguise his service as a legitimate Antivirus Service by using the name 'Anti\r\nvirus service.lnk'. This is of course simple but often it can be enough for a user to miss something\r\nmalicious by name.\r\nAs in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is\r\ndifferent and the analysed version this time only contains a single domain:\r\ndowhelsitjs[.]netau[.]net\r\nIn this version, the developer used a different API, the Wininet API, which makes\r\nmore sense for Web requests. Moreover the C2 infrastructure evolved too: more .php files are available\r\nthrough the web hosting:\r\n\u003cc2-domain\u003e/login.php (for infected machine registration)\r\n\u003cc2-domain\u003e/upload.php (for uploading files to the C2)\r\n\u003cc2-domain\u003e/download.php (for downloading files from the C2)\r\nThis version includes the stealer features mentioned in the previous version and additionally Remote\r\nAdministration Tool features such as file upload/download and arbitrary command execution. The library is\r\nonly used to perform keylogging and clipboard stealing. Indeed, the malware author moved this part of the code\r\nfrom the core of the malware to a library. An interesting element is that the malware looks for filenames created\r\nwith the previous version of KONNI. 
This implies that the malware targeted the same people as the previous\r\nversion and they are designed to work together.\r\nThe malware internally uses the following files:\r\nsolhelp.ocx\r\nsultry.ocx\r\nhelpsol.ocx\r\npsltre.ocx\r\nscreentmp.tmp (log file of the keylogger)\r\nspadmgr.ocx\r\napsmgrd.ocx\r\nwpg.db\r\n2017 Campaigns\r\nPyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr\r\nIn this campaign, the malware author uses\r\nthe following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr. The decoy document\r\nshown after infection is an Office document containing email addresses, phone numbers and contacts of members of official\r\norganizations such as the United Nations, UNICEF, and Embassies linked to North Korea.\r\nThe .scr file drops two files: an executable and a library. As in the previous version, the persistence is achieved\r\nby a Windows shortcut (in this case adobe distillist.lnk). Contrary to the previous version, the developers moved\r\nthe core of the malware to the library. The executable performs the following tasks:\r\nIf the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the\r\nmalware thanks to a PowerShell script:\r\nLoading the dropped library\r\nThe library contains the same features as the previous version as well as new ones. This version of KONNI is the\r\nmost advanced with better coding. The malware configuration contains one Command and Control:\r\npactchfilepacks[.]net23[.]net\r\nA new URI is available:\r\n\u003cc2-domain\u003e/uploadtm.php\r\nThis URI is used with a new feature implemented in this version: the malware\r\nis able to take a screenshot (thanks to the GDI API) and upload it via this URI. 
The malware\r\nchecks if a file used by a previous version of KONNI is available on the system. Here is the complete list\r\nof files internally used by the RAT:\r\nerror.tmp (the log file of the keylogger)\r\ntedsul.ocx\r\nhelpsol.ocx\r\ntrepsl.ocx\r\npsltred.ocx\r\nsolhelp.ocx\r\nsulted.ocx\r\nThe handling of instructions has improved too. Here are the 7 actions that the infected machine\r\ncan be instructed to perform:\r\nDelete a specific file;\r\nUpload a specific file based on a filename;\r\nUpload a specific file based on the full path name;\r\nCreate a screenshot and upload it to the C2;\r\nGet system information;\r\nDownload a file from the Internet;\r\nExecute a command.\r\nThis graph shows the decision tree:\r\nWhen the attacker wants to gather information on the infected system (action 5), the malware retrieves the following\r\ninformation:\r\nHostname\r\nIP address\r\nComputer name\r\nUsername\r\nConnected drives\r\nOS version\r\nArchitecture\r\nStart menu programs\r\nInstalled software\r\nInter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr\r\nThe last identified campaign where\r\nKONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr. This file\r\ndrops exactly the same files as the previous campaign but the decoy document is different:\r\nThis document contains the name, phone number and email address of members of agencies, embassies and\r\norganizations linked to North Korea.\r\nConclusion\r\nThe analysis shows us the evolution of KONNI over the last 3 years. The last\r\ncampaign was started a few days ago and is still active. The infrastructure remains up and\r\nrunning at the time of this post. The RAT has remained under the radar for multiple years. 
An\r\nexplanation could be the fact that the campaign was of a very limited nature, which does not arouse\r\nsuspicion.\r\nThis investigation shows that the author has evolved technically (by implementing new features) and in the quality\r\nof the decoy documents. The campaign of April 2017 used pertinent documents containing potentially sensitive\r\ndata. Moreover the metadata of the Office document contains the names of people who seem to work for a public\r\norganization. We don't know if the document is a legitimate compromised document or a fake that the attacker has\r\ncreated in an effort to be credible.\r\nClearly the author has a real interest in North Korea, with 3 of the 4 campaigns linked to North Korea.\r\nThe following graph shows the evolution of KONNI over the last 3 years:\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity\r\nby threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nIOCs\r\n2014 Campaign: Fatal Beauty\r\nDropper SHA256: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f\r\nFilename: beauty.scr\r\nDropped 
files #1\r\nSHA256: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435\r\nFilename: C:\\Windows\\beauty.jpg\r\nFile type: JPEG image data, JFIF standard 1.02\r\n#2\r\nSHA256: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9\r\nFilename: C:\\Windows\\svchost.exe\r\nFile type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nCC phpschboy[.]prohosts[.]org\r\njams481[.]site[.]bz\r\n2016 Campaign: How can North Korean hydrogen bomb wipe out Manhattan\r\nDropper SHA256: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5\r\nFilename: How can North Korean hydrogen bomb wipe out Manhattan.scr\r\nDropped #1\r\nSHA256: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634\r\nFilename: conhote.dll\r\n#2\r\nSHA256: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc\r\nFilename: winnit.exe\r\n#3\r\nSHA256: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f\r\nFilename: Anti virus service.lnk\r\nCC dowhelsitjs[.]netau[.]net\r\n2017 Campaign A:\r\nDropper SHA256: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0\r\nFilename: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr\r\nDropped #1\r\nSHA256: 3de491de3f39c599954bdbf08bba3bab9e4a1d2c64141b03a866c08ef867c9d1\r\nFilename: adobe distillist.lnk\r\n#2\r\nSHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635\r\nFilename: winload.exe\r\n#3\r\nSHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d\r\nFilename: winload.dll\r\nCC Pactchfilepacks[.]net23[.]net\r\ncheckmail[.]phpnet[.]us\r\n2017 Campaign B:\r\nDropper SHA256: 640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e\r\nFilename: Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr\r\nDropped #1\r\nSHA256: 
4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b\r\nFilename: adobe distillist.lnk\r\n#2\r\nSHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635\r\nFilename: winload.exe\r\n#3\r\nSHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d\r\nFilename: winload.dll\r\nCC Pactchfilepacks[.]net23[.]net\r\ncheckmail[.]phpnet[.]us\r\nSource: https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html"
	],
	"report_names": [
		"konni-malware-under-radar-for-years.html"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07e6b07d8ba0cced6ef0bef140350703df07ab0c.pdf",
		"text": "https://archive.orkl.eu/07e6b07d8ba0cced6ef0bef140350703df07ab0c.txt",
		"img": "https://archive.orkl.eu/07e6b07d8ba0cced6ef0bef140350703df07ab0c.jpg"
	}
}