{
	"id": "cdd2d59b-61aa-47f1-84fb-232f56a71a61",
	"created_at": "2026-04-06T00:09:50.076093Z",
	"updated_at": "2026-04-10T03:26:56.183618Z",
	"deleted_at": null,
	"sha1_hash": "434ed570c39e2e3221e9748b0265394287653640",
	"title": "New KONNI Campaign References North Korean Missile Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 697513,
	"plain_text": "New KONNI Campaign References North Korean Missile\r\nCapabilities\r\nBy Paul Rascagneres\r\nPublished: 2017-07-06 · Archived: 2026-04-05 14:17:34 UTC\r\nThursday, July 6, 2017 03:58\r\nThis blog was authored by Paul Rascagneres\r\nExecutive Summary\r\nWe recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by\r\na small number of campaigns over the past 3 years. We have identified a new distribution\r\ncampaign which took place on 4th July. The malware used in this campaign has similar features\r\nto that distributed earlier in 2017 with the following changes:\r\nA new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency\r\nin Korea;\r\nThe dropper includes a 64 bit version of KONNI;\r\nA new CC infrastructure consisting of a climbing club website.\r\nNorth Korea conducted a test missile launch on 3rd July. This campaign appears to be directly related to the\r\nlaunch and the ensuing discussion of North Korean missile technology. This is consistent with previous KONNI\r\ndistribution campaigns which have also frequently mentioned North Korea.\r\n\"N.K. marks anniversary of strategic force, touting missile capabilities\" campaign\r\nWe identified an executable file, SHA-256 hash sum:\r\n33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90, which when opened\r\ndisplays the following Office document:\r\nhttp://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html\r\nPage 1 of 5\r\nThe content of the document is copied and pasted from an article published on July 3rd by Yonhap News Agency in\r\nKorea. In addition to displaying this document, the malicious executable also drops 2 different versions of\r\nKONNI:\r\nC:\\Users\\Users\\AppData\\Local\\MFAData\\event\\eventlog.dll (64 bit)\r\nC:\\Users\\Users\\AppData\\Local\\MFAData\\event\\errorevent.dll (32 bit)\r\nOn 64 bit versions of Windows, both files are dropped; on 32 bit versions of Windows, only errorevent.dll, the 32\r\nbit version, is dropped. Unlike previous campaigns, both binaries are packed with ASPack. In both cases, the\r\ndropped malware is immediately executed via rundll32.exe with one of the following registry keys created to\r\nensure that the malware persists and is executed on rebooting the compromised system:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RTHDVCPE\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RTHDVCP\r\nThis attack uses a new Command \u0026 Control infrastructure hosted on the following domain:\r\nmember-daumchk[.]netai[.]net\r\nThe CnC traffic of KONNI takes place as HTTP POST requests to web pages hosted as\r\n/weget/download.php, /weget/uploadtm.php or /weget/upload.php on the domain itself.\r\nThe attackers have gone to some effort to disguise the website as a legitimate climbing club.\r\nHere is a screenshot of the website:\r\nHowever, the website does not contain real text, only the default text of the Content Management System (CMS).\r\nAdditionally, the website contains a contacts section with an address in the USA, but the map below the address is in\r\nKorean and points to a location in Seoul, South Korea:\r\nConclusion\r\nThe KONNI malware distributed as part of this campaign is similar to previous versions that we\r\nhave identified this year. The attackers have added a 64 bit version and used a packer to\r\ncomplicate analysis. This campaign is directly related to current events and is clearly 'fresh'. The\r\nbinary was compiled on July 4th; the decoy document was published on July 3rd.\r\nThe threat actors associated with KONNI typically use decoy documents relating to North Korea, and this\r\ncampaign is no exception. However, in contrast to the convincing decoy document lifted from a third party, the\r\ncontent of the decoy website hosted on the CnC server does not look legitimate. The text content is not consistent\r\nwith the website navigation, and the contacts page contains a mismatch of a US address with a Korean map.\r\nNevertheless, this threat actor continues to remain active, and continues to develop updated versions of their\r\nmalware. Organisations which may have an interest in the contents of this decoy document, and in that used in\r\nprevious campaigns, should ensure that they are adequately protected against this and subsequent campaigns.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nIOC\r\nFile hashes\r\nDropper: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90\r\n32 bit binary: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a\r\n64 bit binary: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad\r\nNetwork\r\nMember-daumchk[.]netai[.]net\r\nSource: http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
	],
	"report_names": [
		"konni-references-north-korean-missile-capabilities.html"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/434ed570c39e2e3221e9748b0265394287653640.pdf",
		"text": "https://archive.orkl.eu/434ed570c39e2e3221e9748b0265394287653640.txt",
		"img": "https://archive.orkl.eu/434ed570c39e2e3221e9748b0265394287653640.jpg"
	}
}