{
	"id": "471b93aa-5863-483e-84ea-83a5eb268c54",
	"created_at": "2026-04-06T00:12:05.613178Z",
	"updated_at": "2026-04-10T13:12:02.33934Z",
	"deleted_at": null,
	"sha1_hash": "92c37a8def1ad20659b82eba04c2aaec4efc9cca",
	"title": "Meeting the “Ministrer” | Fortinet Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1018193,
	"plain_text": "Meeting the “Ministrer” | Fortinet Blog\r\nBy James Slaughter\r\nPublished: 2022-09-19 · Archived: 2026-04-05 21:30:55 UTC\r\nThings not always being as they seem is a common adage that lends itself well to the cyber world. Phishing tries explicitly to convince an email recipient that a message is legitimate and trustworthy when it is not. This applies equally to cases where the sender is interested in criminal exploits or nation-state activity.\r\nFortiGuard Labs recently came across an unassuming phishing email that proved to be far more than it initially seemed. Written in Russian, it attempts to lure the recipient into deploying malware on their system. The actions used to execute this strategy are consistent with previous instances of Konni, a remote administration tool (RAT) that has been tied to the group APT 37 (aka: Ricochet Chollima, InkySquid, ScarCruft, Reaper, and Group123). This group has been known to align its targeting and objectives with those of the government of the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Potential to deploy additional malware for additional purposes\r\nSeverity Level: Medium\r\nThe Phishing Email\r\nAs mentioned, the email is unassuming and streamlined. It aims to appear official by spoofing an address for the Consulate General of Russia in Shenyang, China. It is targeted at another Russian government address. Interestingly, the subject of the message is “Re: Посольство России в Японии”, which translates to “Re: Russian Embassy in Japan”. This technique of including a previous thread in the email is commonly used in an attempt to look more credible to the recipient.\r\nhttps://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware\r\nPage 1 of 9\r\nFigure 1. Phishing email.\r\nFigure 2. Phishing email translation.\r\nThe body text of the email asks the recipient to check the attached details to execute a request for a transfer of funds between the sender and receiver.\r\nAttached to the email is a Zip archive, “Donbass.zip”. This is interesting because this is the English spelling of an area of Ukraine.\r\nDonbass.zip\r\nContained within the Zip archive are two Microsoft PowerPoint files, “_Pyongyang in talks with Moscow on access to Donbass.pptx” and “Donbass.ppam”.\r\nFigure 3. Contents of “Donbass.zip”.\r\nFile 1: _Pyongyang in talks with Moscow on access to Donbass.pptx\r\nThis PowerPoint file is actually a decoy. The slide deck contains news referencing high-level meetings between the DPRK and the Donetsk People’s Republic (DPR). Links between the two entities were covered by mainstream news outlets around the time this file was created.\r\nFigure 4. PowerPoint title slide with the spelling mistake referenced in the blog title.\r\nFigure 5. PowerPoint slide with a readout of a diplomatic meeting between the DPRK and the DPR.\r\nFigure 6. PowerPoint slide with further news of diplomatic activity and several hyperlinks to recent news on the subject.\r\nWhile Figure 6 shows several hyperlinks embedded in the file, all are benign. They simply direct traffic to an Internet news source. Two additional slides in Russian are just text. There are no macros present in the file or anything that could be considered malicious.\r\nFile 2: Donbass.ppam\r\nPPAM is an add-in file format used by Microsoft PowerPoint and generally requires the application to open. Should that occur, a malicious macro will execute.\r\nFigure 7. Malicious macro in “Donbass.ppam”.\r\nFigure 8. Error presented to the user after opening “Donbass.ppam”.\r\nThe macro initially presents the user with the message box in Figure 8. Using a command prompt, it then deposits a large block of base64-encoded text into a file called “oup.dat” that is then stored within the user’s “temp” directory (%TMP%). Using the Microsoft “Certutil” tool (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), the encoded text within “oup.dat” is then decoded to “oup.vbs”, a VBScript file that will be deposited into the Microsoft Office directory (%LOCALAPPDATA%\\Microsoft\\Office).\r\nFigure 9. “oup.vbs”.\r\nAs shown in Figure 9, “oup.vbs” has two purposes. The first is to create a scheduled task called “OfficeUpdatev2.2”. The purpose of this task is to continually run “oup.vbs” once every 5 minutes.\r\nFigure 10. Scheduled task “OfficeUpdatev2.2”.\r\nThe second purpose of “oup.vbs” is to execute a base64-encoded PowerShell command.\r\nFigure 11. Final decoded PowerShell command.\r\nThe PowerShell command attempts to provide some environment information (e.g., machine name) and connect to a URL at gg1593[.]c1[.]biz. This domain points to IP address 185[.]176[.]43[.]106. As of the time of this writing, however, the command and control (C2) server was not responding to connections, preventing further analysis.\r\nFigure 12. Packet capture showing an attempted connection to the C2 URL.\r\nWith the C2 site no longer available, obtaining the executable for the RAT for further analysis was not possible. That said, the activity to ensure persistence and connect to a C2 matches prior attempts at deploying Konni.\r\nConclusion\r\nPhishing doesn’t always have to be a perfect facsimile of a legitimate email to be effective. This example shows that even where nation-state objectives may be involved, there just has to be enough of a hook to reel in a user. What appears at first glance to be a simple phish is still effective. Such emails become more believable through the use of familiar terms or, as in this case, the inclusion of what appears to be a previous thread with the recipient.\r\nAs this example shows, once attackers are in, they mean to stay through the use of persistence mechanisms and frequent check-ins with command and control. This makes prevention and detection all the more critical to ward off potential disaster.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:\r\nThe following (AV) signatures detect the malware samples mentioned in this blog:\r\nVBA/Agent.AIF!tr\r\nThe WebFiltering client blocks all network-based URIs.\r\nFortinet has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.\r\nWe also suggest that organizations have their end users undergo our FREE NSE training program: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nFile IOCs:\r\nFilename | SHA256\r\nDonbass.zip | cf69e7cf0eef759f5c1604448be8e2ed4b2e4d02ad72724406f4aa19f501b08b\r\n_Pyongyang in talks with Moscow on access to Donbass.pptx | b1f9b577088f00ffe54c1822578e0ca309c08589791249323b6db1e32f2d2a22 (clean)\r\nDonbass.ppam | 061e17f3b2fd4a4dce1bf4f8a31198273f1abc47c32456d06fd5997ea4363578\r\nNetwork IOCs:\r\nIOC | IOC type\r\ngg1593[.]c1[.]biz | C2\r\n185[.]176[.]43[.]106 | C2\r\nLearn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.\r\nSource: https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware"
	],
	"report_names": [
		"konni-rat-phishing-email-deploying-malware"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92c37a8def1ad20659b82eba04c2aaec4efc9cca.pdf",
		"text": "https://archive.orkl.eu/92c37a8def1ad20659b82eba04c2aaec4efc9cca.txt",
		"img": "https://archive.orkl.eu/92c37a8def1ad20659b82eba04c2aaec4efc9cca.jpg"
	}
}