{
	"id": "d9e5f57f-dcc4-4d3b-935e-9e0b691a05c3",
	"created_at": "2026-04-06T00:08:44.276071Z",
	"updated_at": "2026-04-10T03:31:17.750742Z",
	"deleted_at": null,
	"sha1_hash": "208091c6d1702c77f485a39e56bd6ff439314ce3",
	"title": "New variant of Konni malware used in campaign targetting Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4806899,
	"plain_text": "New variant of Konni malware used in campaign targetting Russia\r\nBy Mark Stockley\r\nPublished: 2021-08-19 · Archived: 2026-04-05 17:29:47 UTC\r\nThis blog post was authored by Hossein Jazi\r\nIn late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni\r\nwas first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named\r\nAPT37.\r\nWe discovered two documents written in Russian language and weaponized with the same malicious macro. One\r\nof the lures is about the trade and economic issues between Russia and the Korean Peninsula. The other one is\r\nabout a meeting of the intergovernmental Russian-Mongolian commission.\r\nArticle continues below this ad.\r\nIn this blog post we provide on overview of this campaign that uses two different UAC bypass techniques and\r\nclever obfuscation tricks to remain under the radar.\r\nAttack overview\r\nThe following diagram shows the overall flow used by this actor to compromise victims. The malicious activity\r\nstarts from a document that executes a macro followed by a chain of activities that finally deploys the Konni Rat.\r\nDocument analysis\r\nWe found two lures used by Konni APT. The first document “Economic relations.doc” contains a 12 page article\r\nthat seems to have been published in 2010 with the title: “The regional economic contacts of Far East Russia with\r\nKorean States (2010s)“. The second document is the outline of a meeting happening in Russia in 2021: “23th\r\nmeeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical\r\noperation“.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/\r\nPage 1 of 21\n\nThese malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It\r\njust uses a Shell function to execute a one-liner cmd command. 
This one-liner command takes the current active\r\ndocument as input, looks for the \"^var\" string using findstr,\r\nand then writes the content of the line starting from “var” into y.js. At the end it calls the\r\nWscript Shell function to execute the JavaScript file (y.js).\r\nThe clever part is that the actor hid the malicious JS, which is the start of its main activities, at the end of\r\nthe document content instead of putting it directly into the macro, both to avoid detection by AV products and\r\nto hide its main intent from them.\r\nThe y.js file is called with the active document as its argument. This JavaScript looks for two patterns\r\nencoded within the active document and, for each pattern, first writes the content starting from the pattern\r\ninto the temp.txt file, then base64-decodes it using its built-in base64 decoder function, function de(input), and finally\r\nwrites the decoded content into the defined output.\r\nyy.js is used to store the data of the first decoded content and y.ps1\r\nis used to store the data of the second decoded content. After the output files are created, they are executed using\r\nWscript and PowerShell.\r\nThe PowerShell script (y.ps1) uses DllImport\r\nto import URLDownloadToFile from urlmon.dll and WinExec from kernel32.dll. 
After importing the required functions, it defines the following variables:\r\nURL to download a file from\r\nDirectory to store the downloaded file (%APPDATA%/Temp)\r\nName of the downloaded file that will be stored on disk.\r\nIn the next step it calls URLDownloadToFile to download a cabinet file and stores it in the %APPDATA%Temp\r\ndirectory with the unique random name created by GetTempFileName. At the end it uses WinExec\r\nto execute a cmd command that calls expand to extract the content of the cabinet file and delete the cabinet file.\r\ny.ps1 is deleted at the end using WinExec.\r\nThe extracted cabinet file contains 5 files: check.bat, install.bat, xmlprov.dll, xmlprov.ini\r\nand xwtpui.dll. yy.js is responsible for executing the check.bat\r\nfile that was extracted from the cabinet file and deletes itself at the end.\r\nCheck.bat\r\nThis batch file checks if the command prompt is launched as administrator using net session \u003e nul and, if that\r\nis the case, it executes install.bat. If the user does not have the administrator privilege, it checks the OS version and, if it is Windows 10, sets a\r\nvariable named num to 4; otherwise it sets it to 1. It then executes xwtpui.dll\r\nusing rundll32.exe by passing three parameters to it: EntryPoint\r\n(the export function of the DLL to be executed), num (the number that indicates the OS version) and install.bat.\r\nInstall.bat\r\nThe malware used by the attacker pretends to be the xmlprov Network Provisioning Service. 
This service manages\r\nXML configuration files on a domain basis for automatic network provisioning.\r\nInstall.bat is responsible for installing xmlprov.dll as a service. To achieve this goal, it performs the following actions:\r\nStop the running xmlprov service\r\nCopy the dropped xmlprov.dll and xmlprov.ini into the system32 directory and delete them from the current directory\r\nCheck if the xmlProv service is installed and, if it is not installed, create the service through svchost.exe\r\nModify the xmlProv service values including type and binpath\r\nAdd xmlProv to the list of the services to be loaded by svchost\r\nAdd xmlProv to the xmlProv registry key\r\nStart the xmlProv service\r\nxwtpui.dll\r\nAs we mentioned earlier, if the victim’s machine does not have the right privilege, xwtpui.dll is called to\r\nload the install.bat file. Since install.bat creates a service, it needs the high integrity level privilege, and\r\n\"xwtpui.dll\" is used to bypass UAC, get the right privilege and then load install.bat.\r\nEntryPoint is the main export function of this DLL. It starts its activities by resolving API calls. All the API call\r\nnames are hard coded and the actor has not used any obfuscation techniques to hide them.\r\nIn the next step, it checks the privilege level by calling the Check_Priviledge_Level function. 
This function\r\nperforms the following actions and returns zero if the user does not have the right privilege or UAC is not\r\ndisabled.\r\nCall RtlQueryElevationFlags to get the elevation state by checking the PFlags value. If it is set to zero, it indicates that UAC is disabled.\r\nGet the access token associated with the current process using NtOpenProcessToken\r\nand then call NtQueryInformationToken to get the TokenElevationType\r\nand check if its value is 3 or not (if the value is not 3, it means the current process is elevated). The\r\nTokenElevationType can have three values:\r\nTokenElevationTypeDefault (1): Indicates that UAC is disabled.\r\nTokenElevationTypeFull (2): Indicates that the current process is running elevated.\r\nTokenElevationTypeLimited (3): Indicates that the process is not running elevated.\r\nAfter checking the privilege level, it checks the parameter passed from check.bat that indicates the OS version.\r\nIf the OS version is Windows 10, it uses a combination of a modified version of the RPC UAC bypass reported by\r\nGoogle Project Zero and Parent PID Spoofing for UAC bypass, while for other Windows versions it uses the\r\n“Token Impersonation” technique to bypass UAC.\r\nToken Impersonation UAC Bypass (Calvary UAC Bypass)\r\nCalvary is a token impersonation/theft privilege escalation technique that impersonates the token of the Windows\r\nUpdate Standalone Installer process (wusa.exe) to spawn cmd.exe\r\nwith highest privilege to execute install.bat. This technique is part of the US CIA toolsets leak known as\r\nVault7.\r\nThe actor used this method in its 2019 campaign as well. 
This UAC bypass starts by executing wusa.exe\r\nusing ShellExecuteExW and gets its access token using NtOpenProcessToken. Then the access token of\r\nwusa.exe is duplicated using NtDuplicateToken. The DesiredAccess\r\nparameter of this function specifies the requested access right for the new token. In this case the actor passed\r\nTOKEN_ALL_ACCESS as the DesiredAccess\r\nvalue, which indicates that the new token has the combination of all access rights of this current token. The\r\nduplicated token is then passed to ImpersonateLoggedOnUser and then a cmd instance is spawned using\r\nCreateProcessWithLogonW. At the end the duplicated token is assigned to the created thread using NtSetInformationThread to make it\r\nelevated.\r\nWindows 10 UAC Bypass\r\nThe UAC bypass used for Windows 10 uses a combination of a modified version of the RPC-based UAC bypass\r\nreported by Google Project Zero and Parent PID spoofing to bypass UAC. 
The process is as follows:\r\nStep 1: Creates a string binding handle for interface id “201ef99a-7fa0-444c-9399-19ba84f12a1a”,\r\nreturns its binding handle and sets the required authentication, authorization and security Quality of Service\r\ninformation for the binding handle.\r\nStep 2: Initializes an RPC_ASYNC_STATE to make asynchronous calls and creates a new non-elevated\r\nprocess (it uses winver.exe as the non-elevated process) through NdrAsyncClientCall.\r\nStep 3: Uses NtQueryInformationProcess\r\nto open a handle to the debug object by passing the handle of the created process to it. Then detaches the\r\ndebugger from the process using NtRemoveProcessDebug\r\nand terminates this created process using TerminateProcess.\r\nStep 4: Repeats step 1 and step 2 to create a new elevated process: Taskmgr.exe.\r\nStep 5: Gets full access to the taskmgr.exe\r\nprocess handle by retrieving its initial debug event. First it issues a wait on the debug object using WaitForDebugEvent\r\nto get the initial process creation debug event and then uses NtDuplicateObject\r\nto get the full access process handle.\r\nStep 6: After obtaining the fully privileged handle of Taskmgr.exe,\r\nthe actor uses this handle to execute cmd as a high privilege process to execute install.bat. 
To achieve this, the actor has used the Parent PID Spoofing technique to spawn a new cmd process using CreateProcessW,\r\nand the handle of Taskmgr.exe, which is an auto-elevated process, is assigned as its parent process using\r\nUpdateProcThreadAttribute.\r\nXmlprov.dll (Konni Rat)\r\nThis is the final payload that has been deployed as a service using svchost.exe. This Rat is heavily obfuscated\r\nand uses multiple anti-analysis techniques. It has a custom section named “qwdfr0”\r\nwhich performs all the de-obfuscation process. This payload registers itself as a service using its export function\r\nServiceMain.\r\nEven though this sample is heavily obfuscated, its functionality has not changed much and it is similar to its\r\nprevious version. It seems the actor just used a heavy obfuscation process to hinder all the security mechanisms.\r\nVirusTotal detection of this sample at the time of analysis was 3, which indicates that the actor was successful in\r\nusing obfuscation to bypass most of the AV products.\r\nThis RAT has an encrypted configuration file “xmlprov.ini” which will be loaded and decrypted at the start of the\r\nanalysis. 
The functionality of this RAT starts by collecting information from the victim’s machine by executing the\r\nfollowing commands:\r\ncmd /c systeminfo: Uses this command to collect the detailed configuration information about the victim’s machine including\r\noperating system configurations, security information and hardware data (RAM size, disk space and\r\nnetwork cards info) and stores the collected data in a tmp file.\r\ncmd /c tasklist: Executes this command to collect a list of running processes on the victim’s machine and stores them in a tmp\r\nfile.\r\nIn the next step each of the collected tmp files is converted into a cab file using cmd /c makecab and\r\nthen encrypted and sent to the attacker server in an HTTP POST request (http://taketodjnfnei898.c1.biz/up.php?name=%UserName%).\r\nAfter sending data to the server it goes into a loop to receive commands from the server ( ). At the time of the analysis\r\nthe server was down and unfortunately we do not have enough information about the next step of this attack. The\r\ndetailed analysis of this payload will be published in a follow-up blog post.\r\nCampaign Analysis\r\nKonni is a Rat that potentially is used by APT37 to target its victims. The main victims of this Rat are mostly\r\npolitical organizations in Russia and South Korea, but it is not limited to these countries and it has been observed\r\nthat it has targeted Japan, Vietnam, Nepal and Mongolia.\r\nThere were several operations that used this Rat, but specifically the campaigns reported by ESTsecurity and\r\nCyberInt in 2019 and 2020 are similar to what we reported here. In those campaigns the actor used lures in\r\nthe Russian language to target Russia. 
There are several differences between past campaigns of this actor and what we\r\ndocumented here, but the main process is still the same: in all the campaigns the actor uses macro-weaponized\r\ndocuments to download a cab file and deploy the Konni RAT as a service.\r\nHere are some major differences between this new campaign and older ones:\r\nThe macros are different. In the old campaign the actor used TextBoxes to store its data while in the new\r\none the content has been base64 encoded within the document content.\r\nIn the new campaign JavaScript files have been used to execute batch and PowerShell files.\r\nThe new campaign uses PowerShell and URLMON API calls to download the cab file while in the old\r\ncampaign it used certutil to download the cab file.\r\nThe new campaign has used two different UAC bypass techniques based on the victim’s OS while in the\r\nold one the actor only used the Token Impersonation technique.\r\nIn the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also,\r\nits configuration is encrypted and is not base64 encoded anymore. 
It also does not use FTP for exfiltration.\r\nMalwarebytes customers are protected against this campaign.\r\nIOCs\r\nDomains:\r\ntakemetoyouheart[.]c1[.]biz\r\ntaketodjnfnei898[.]ueuo[.]com\r\ntaketodjnfnei898[.]c1[.]biz\r\nromanovawillkillyou[.]c1[.]biz\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/"
	],
	"report_names": [
		"new-variant-of-konni-malware-used-in-campaign-targetting-russia"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/208091c6d1702c77f485a39e56bd6ff439314ce3.pdf",
		"text": "https://archive.orkl.eu/208091c6d1702c77f485a39e56bd6ff439314ce3.txt",
		"img": "https://archive.orkl.eu/208091c6d1702c77f485a39e56bd6ff439314ce3.jpg"
	}
}