{
	"id": "973e4707-a126-449a-b6ef-115f6e5741f4",
	"created_at": "2026-04-06T00:18:09.87045Z",
	"updated_at": "2026-04-10T13:11:53.27806Z",
	"deleted_at": null,
	"sha1_hash": "4f3ffe69b6a2b3938f1c3ba2fbf83766efa36797",
	"title": "KONNI evolves into stealthier RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274468,
	"plain_text": "KONNI evolves into stealthier RAT\r\nBy Mark Stockley\r\nPublished: 2022-01-25 · Archived: 2026-04-05 14:43:41 UTC\r\nThis blog post was authored by Roberto Santos\r\nKONNI is a Remote Administration Tool that has been used for at least 8 years. The North Korean threat actor\r\nthat is using this piece of malware has been identified under the Kimsuky umbrella. This group has been very\r\nbusy, attacking political institutions located in Russia and South Korea. The last known attack where KONNI Rat\r\nwas used was described here.\r\nWe found that KONNI Rat is being actively developed, and new samples now include significant updates. In\r\nthis blog post, we will cover some of the major changes and explain why the security community should keep a\r\nclose eye on it.\r\nSimplified Attack Chain\r\nThe attack usually starts by leveraging a malicious Office document. When this document is opened by the victim, a\r\nmultistage attack is started, involving various steps. But these steps are just the way that the attackers manage to\r\naccomplish tasks to elevate privileges, evade detection and deploy required files. As we described in a previous\r\nblog post, the attack chain could be summarized in the following diagram:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/\r\nPage 1 of 7\n\nThe final goal of the attack is installing what is called KONNI Rat, which is a .dll file supported by an .ini file. In\r\na nutshell, the .dll file contains the functionality of the RAT, and the .ini file contains the address of the first C\u0026C\r\nserver. 
KONNI Rat’s general behavior remains almost the same as in previous versions, but there are changes we\r\nwill cover below.\r\nRundll no longer supported\r\nIn previous KONNI Rat samples there were two branches. One handled the case where the malware was launched as a\r\nWindows service, and the other handled execution through rundll. The next image shows these two old\r\nbranches, with the strings svchost.exe and rundll32.exe visible:\r\nHowever, new samples do not show these strings. In fact, rundll is no longer a valid way to execute the\r\nsample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages.\r\nIn the early stages of our analysis, we thought that they were using the classic process name check, or some other usual\r\ntechnique. The reality is far simpler and quite clever: the exported function simply implements the SvcMain prototype, so the\r\nprogram will break at some point when accessing one of the arguments.\r\nIn the previous image we see the state of the machine at the moment that this exception is thrown. RDI at that\r\npoint should contain a pointer to the service name. The exception happens because the Service Main function\r\nmeets one prototype while rundll32 expects a different one:\r\nVOID WINAPI SvcMain( DWORD dwArgc, LPTSTR *lpszArgv )\r\nVOID WINAPI runnableExport(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)\r\nBasically, at some point of the execution, hinst will be treated as lpszArgv, causing the exception. But why did the\r\nattackers delete that functionality? There are multiple benefits.\r\nFirst of all, we have not seen any recent attack that used rundll. In fact, the only way that the attackers launched\r\nKONNI Rat in recent campaigns involves registering a Windows service. 
So the rundll32 branch wasn’t being\r\nused in real-world attacks.\r\nBut there is another big reason: sandboxes will fail to collect the real behavior of the sample, as it just\r\ncannot execute that way.\r\nStrings are now protected using AES\r\nMultiple malware families protect their strings in order to defeat the most basic string analysis. KONNI wasn’t an\r\nexception, and also used this technique. Old samples were using base64 for obfuscation, with a\r\ncustom alphabet. This custom alphabet was changed from time to time in order to make the decoding task\r\nmore difficult:\r\nNow, the attackers have made a major change in that regard by protecting the strings using AES encryption. The\r\nalgorithm followed by new Konni RAT samples could be represented as follows:\r\nThe reason behind that change is clear. As the key used for decryption is the service name, samples run under\r\ndifferent service names will not work properly. Moreover, having only the sample without knowing the service\r\nname becomes useless, as these strings contain core information about the sample behavior.\r\nFiles are also protected using AES\r\nKONNI Rat makes use of various support files when it is executed. One of these files is the .ini file, which\r\ncontains the primary C\u0026C server, but there are others, like the .dat file that is supposed to be dropped eventually,\r\nand temporary files that are used to send some basic information about the computer.\r\nOur tests reveal that all of these files are dropped and protected using AES. Cleverly, they reused the algorithm\r\nused for string protection, making the file layout identical to the protected strings layout as it appears in raw\r\nmemory:\r\nAs can be seen from the diagram, the file itself contains the IV and the encrypted data. The key used is extracted\r\nfrom its original filename. 
In some cases the names match the service name, so the keys used for the .ini and\r\nthe .dat files are the result of applying SHA256 to the service name as well.\r\nFiles sent to the C\u0026C server are also protected using AES. The IV is generated using a\r\nQueryPerformanceCounter API call. Filenames are generated by concatenating 2 letters that represent the data\r\nwith the current timestamp, followed by the extension. Furthermore, they use this newly generated name as the\r\nAES key, so they send this name through the request to the C\u0026C server.\r\nIn that regard, as the filename is generated automatically using the timestamp, identical files will produce different\r\nrequest contents, as they were encrypted using that filename. Network signatures could also fail to detect the\r\nmalicious activity because of that.\r\nOther obfuscation techniques\r\nWhile we found some samples that were protected only by the means described above, we also found\r\nothers that were making use of an unidentified packer (UPDATE: there is a strong correlation between this\r\npacker and VMPROTECT v3, as you will see in the following paragraphs. Later, deeper analysis suggests\r\nthat this is probably the packer that was used on this occasion). We would like to share some of our notes regarding\r\nthat packer, as others could find them useful in identification and attribution tasks.\r\nContiguous instruction obfuscation\r\nThe flow of the obfuscated program makes use of series of push-call instruction pairs, where the pushed\r\nvalues indicate the actions that the program will take. An image can better explain that:\r\nIn particular, we find it interesting that the attackers have placed random bytes between these pairs. 
This silly trick\r\ncauses wrong code interpretation by decompilers, which assume that the bytes after the push instruction are part of\r\nthe next instruction. The image below shows how IDA fails to analyze the code:\r\nObfuscated program flow\r\nThe packer used obfuscates the original program flow. This is accomplished in various steps. The first required\r\nstep is to find the Image Base value, placed in a fixed location, and the RIP (Instruction Pointer) value.\r\nOnce the packer knows these two values, it starts jumping from one place to another, making analysis harder.\r\nFor that, it stores the address of the next jump target in a register. The value of this register is\r\ncalculated right after the jmp instruction, using constructs like POP [reg] – JMP [reg] or ADD [reg1, reg2] – JMP\r\n[reg1]. Note that decompilers will fail to display the real flow, as the jump address is determined by a\r\nregister whose value is not statically defined.\r\nThe combination of these simple techniques ends with the packer in control of the flow, while statically the\r\ndecompiler cannot represent the path that the code will follow. Finally, the packer executes a large amount of\r\njunk instructions and eventually executes the real, interesting code. For instance, the original code takes no\r\nmore than 20 instructions between GetProcAddress calls in IAT building tasks, but the packed code executes more\r\nthan 30,000 instructions.\r\nAccording to our threat intel data, most recent attacks are not making use of that packer anymore.\r\nConclusion\r\nAs we have seen, KONNI Rat is far from being abandoned. The authors are constantly making code\r\nimprovements. 
From our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and\r\nmaking detection harder, especially via regular signatures, as critical parts of the executable are now encrypted.\r\nMalwarebytes users are protected against this attack.\r\nIOCs\r\nA3CD08AFD7317D1619FBA83C109F268B4B60429B4EB7C97FC274F92FF4FE17A2\r\nF702DFDDBC5B4F1D5A5A9DB0A2C013900D30515E69A09420A7C3F6EAAC901B12\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/"
	],
	"report_names": [
		"konni-evolves-into-stealthier-rat"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f3ffe69b6a2b3938f1c3ba2fbf83766efa36797.pdf",
		"text": "https://archive.orkl.eu/4f3ffe69b6a2b3938f1c3ba2fbf83766efa36797.txt",
		"img": "https://archive.orkl.eu/4f3ffe69b6a2b3938f1c3ba2fbf83766efa36797.jpg"
	}
}