{
	"id": "b5062e49-a31e-480f-87e0-575c638762af",
	"created_at": "2026-04-06T00:13:36.842064Z",
	"updated_at": "2026-04-10T03:38:06.609842Z",
	"deleted_at": null,
	"sha1_hash": "939e034168db66b31a40ef1283d6be7fe151b031",
	"title": "New KONNI Malware attacking Eurasia and Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1419292,
	"plain_text": "New KONNI Malware attacking Eurasia and Southeast Asia\r\nBy Josh Grunzweig, Bryan Lee\r\nPublished: 2018-09-27 · Archived: 2026-04-05 19:07:03 UTC\r\nIntroduction\r\nBeginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family,\r\nwhich we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named\r\nKONNI, however, after careful consideration, we believe enough differences are present to introduce a different\r\nmalware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns\r\nand Ks.\r\nBecause of code overlap found within both malware families, as well as infrastructure overlap, we believe the\r\nthreat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was\r\nlikely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean\r\npeninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related\r\nto known adversary groups operating in the regions of interest, although there is evidence of a tenuous\r\nrelationship with a group known as Reaper.\r\nThe latest activity leveraging the NOKKI payload likely targets politically-motivated victims in Eurasia and\r\npossibly Southeast Asia. These attacks leverage compromised legitimate infrastructure for both delivery and\r\ncommand and control (C2). These compromised servers are largely located within South Korea. In total, we\r\nobserved two waves of attacks spanning from early 2018 to at least July 2018 which we were able to cluster via\r\nthe specific network protocol used for C2. In addition, the decoy documents themselves wer both created and last\r\nmodified by an author named zeus. 
The zeus username is a recurring artifact witnessed in all of the attacks discussed\r\nin this report.\r\nJanuary 2018 Attack\r\nThe earliest observed attack delivering NOKKI took place in January 2018. This attack leverages a Microsoft\r\nWindows executable file using a PDF icon in an attempt to trick the victim into launching the file. The malware\r\nsample contains the properties seen in Table 1:\r\nMD5 48f031f8120554a5f47259666fd0ee02\r\nSHA1 02ee6302436250e1cee1e75cf452a127b397be8d\r\nSHA256 b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nPDB String C:\\Users\\zeus\\Documents\\Visual Studio 2010\\Projects\\virus-dropper\\Release\\virus-dropper.pdb\r\nCompile Timestamp 2018-01-26 00:14:31 UTC\r\nFirst Encountered 2018-01-26 03:10:12 UTC\r\nTable 1 January NOKKI properties\r\nhttps://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/\r\nPage 1 of 15\r\nThe malware is capable of collecting information on the victim machine, dropping and executing a payload, as\r\nwell as dropping and opening a decoy document.\r\nThe malware will collect data from the victim machine and write this information to\r\n%LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp. The following information is collected from the victim:\r\nIP Address\r\nHostname\r\nUsername\r\nDrive Information\r\nOperating System Information\r\nInstalled Programs\r\nThis specific function shares significant code overlap with the KONNI tool first discovered by Talos.\r\nThe NOKKI payload is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior to being\r\nexecuted in a new process. Persistence is achieved by writing the file path to the\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svstartup registry key.\r\nAfter being executed and establishing persistence, NOKKI then connects to 101.129.1[.]104 for C2\r\ncommunication via FTP. 
This IP does not have a domain name resolution; however, WHOIS shows the IP assigned\r\nto China Central Television.\r\nThe decoy document is written to the same file path as the initial dropper, but with the extension renamed to\r\n.pdf, so it opens as a legitimate document.\r\nBased on the decoy document contents and language, the attack may target\r\nCambodian speakers with an interest in Cambodian political matters.\r\nFigure 1 shows the decoy document used for this sample:\r\nFigure 1 Decoy document for b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311\r\nApril 2018 Attack\r\nIn early April 2018, another attack was observed delivering the NOKKI payload. This attack leveraged a\r\nmalicious executable with an .scr extension whose original filename referred to the Russian Ministry of\r\nForeign Affairs; its contents can be found online.\r\nThe file contains the properties as seen in Table 2:\r\nMD5 42fbea771f3e0ff04ac0a1d09db2a45e\r\nSHA1 2b6b6f24f58072a02f03fa04deaccce04b6bb43b\r\nSHA256 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nPDB String C:\\Users\\zeus\\Documents\\Visual Studio 2010\\Projects\\virus-dropper\\Release\\virus-dropper.pdb\r\nCompile Timestamp 2018-04-04 21:06:26 UTC\r\nFirst Encountered 2018-04-04 12:55:38 UTC\r\nTable 2 April NOKKI Properties\r\nThis sample contained the same PDB string as the sample from January 2018. 
Functionally, its behavior was nearly\r\nidentical to the previous attack.\r\nUnlike the previously witnessed attack that possibly targeted Cambodian language speakers with an interest in\r\nCambodian political matters, the decoy document used in this attack is written in Cyrillic and contains content\r\nrelated to Russian political matters.\r\nOnce the .scr file is executed, the NOKKI payload is installed onto the victim host, which then connects to an IP\r\nresolving to a likely compromised but legitimate South Korean science and technology university website.\r\nFigure 2 Decoy document for 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd\r\nThe content of the decoy document in Figure 2 is publicly available. Google Translate roughly translates it to the\r\nfollowing:\r\nAbout the meeting of the State Secretary - Deputy Minister of Foreign Affairs of Russia GB Karasin and the\r\nDirector of the Institute of Strategic and Interregional Studies under the President of Uzbekistan, VI Norov\r\nA second sample was discovered in April 2018, also written in Cyrillic and containing content related to Russian\r\npolitical matters. 
This file had the following properties as seen in Table 3:\r\nMD5 88587c43daff30cd3cc0c913a390e9df\r\nSHA1 1cc8ceeef9a2ea4260fae03368a9d07d56e8331b\r\nSHA256 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nPDB String C:\\Users\\zeus\\Documents\\Visual Studio 2010\\Projects\\virus-dropper\\Release\\virus-dropper.pdb\r\nCompile Timestamp 2018-04-24 16:42:03 UTC\r\nFirst Encountered 2018-04-24 06:34:35 UTC\r\nTable 3 Second April NOKKI Properties\r\nAgain, we see consistency both in the embedded PDB string and in the functionality of the sample itself. This\r\nparticular sample connects to an IP address to which the likely legitimate but compromised website of a research\r\ninstitute in South Korea resolves. This server, too, has likely been compromised and repurposed by the adversary.\r\nMay 2018 Attack\r\nIn May 2018, Unit 42 observed an attack using malware with a filename of briefinglist.exe being downloaded\r\nfrom the following partially redacted URL. Again, the host is a likely compromised but legitimate South Korean\r\nwebsite, and the decoy content is written in Cyrillic and relates to Russian political matters.\r\nhttp://mail.[removed].co[.]kr/de/de_includes/mail/yandex.ru/download.php\r\nThis sample has the following properties as seen in Table 4:\r\nMD5 ae27e617f4197cd30cc09fe784453cd4\r\nSHA1 dc739ca07585eab7394843bc4dba2faca8e5bfe0\r\nSHA256 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nPDB String C:\\Users\\zeus\\Documents\\Visual Studio 2010\\Projects\\virus-dropper\\Release\\virus-dropper.pdb\r\nCompile Timestamp 2018-04-30 17:48:08 UTC\r\nTable 4. 
May NOKKI Properties\r\nThis sample remains consistent with previous samples of NOKKI in terms of functionality and the embedded\r\nPDB string.\r\nThe payload communicates with 145.14.145[.]32, which resolves to files.000webhost[.]com. This same host was\r\nwitnessed in previously reported KONNI malware activity.\r\nJuly 2018 Attack\r\nIn July 2018, a South Korean engineering organization was identified as compromised and hosting malware and\r\nC2 infrastructure on its webserver since at least May 2018. Again, a file in Cyrillic with a name referring to\r\nRussian political matters was being distributed from the http://mail.[removed].co[.]kr/common URL.\r\nUnlike attacks leading up to this point, an executable file was not used as the initial malware file. Instead, this\r\nattack used a Microsoft Word document leveraging malicious macros to deliver the payload to the victim. Upon\r\nopening the file and enabling macros, the document both downloaded the payload and displayed a decoy\r\ndocument referencing political matters.\r\nNOKKI Malware Family\r\nFrom the samples discussed in this blog, we were able to identify two distinct variants of NOKKI. The earlier\r\nvariant, witnessed in attacks between January 2018 and May 2018, made use of FTP for C2 communications.\r\nThe newer variant, witnessed since June 2018, made use of HTTP instead. While the two variants used different\r\nnetwork protocols for communication, they both used the same file path structure on the remote C2 server.\r\nThe older variant begins by looking for the presence of the following file:\r\n%TEMP%\\ID56SD.tmp\r\nIf this file does not exist, the malware will generate a random string of 10 upper-case alphabetic characters. This\r\nstring will ultimately be used as the victim’s identifier. It will also create the %TEMP%\\stass file and write the\r\nvalue of a to it.\r\nThe malware then spawns a new thread that is responsible for network communication. 
Within an infinite\r\nloop, this thread repeatedly connects to the C2 server via FTP.\r\nAfter a successful connection to the C2, it uploads the previously written stass file to the server’s public_html\r\nfolder. It also uploads the previously created uplog.tmp file to the remote server. After the upload is completed,\r\nNOKKI deletes the local copy on the infected host. Finally, NOKKI checks for the presence of the\r\n[id]-down file on the C2 server, where [id] is the 10-character alphabetic string created earlier. Should this file exist,\r\nit is downloaded and written to %TEMP%\\svchostav.exe prior to being executed in a new process. After it is\r\nexecuted, the malware deletes the file on the C2 server. The malware then sleeps for 15 minutes between\r\nloops.\r\nThe newer variant operates in a slightly different manner.\r\nIn this case, NOKKI begins by extracting and dropping an embedded DLL to the\r\n%LOCALAPPDATA%\\MicroSoft UpdateServices\\Services.dll path. One of two embedded DLLs may be dropped, a\r\n32-bit or a 64-bit build, chosen to match the victim host’s CPU architecture.\r\nWhile these DLLs are built for different architectures, they perform the same functions. 
After the DLL is written, the\r\nmalware loads it via the following command line:\r\nrundll32.exe [%LOCALAPPDATA%\\MicroSoft UpdateServices\\Services.dll] install\r\nFinally, the malware writes the following registry value to ensure persistence on the victim host:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qivService - C:\\Windows\\System32\\rundll32.exe \"[%LOCALAPPDATA%\\MicroSoft UpdateServices\\Services.dll]\" install\r\nThe payload’s install function calls SetWindowsHookEx with a thread ID of 0, which installs a system-wide hook and\r\nresults in the DLL being loaded into every GUI process running on the victim machine. This injection technique is\r\nreferenced in a forum post linked from the original article.\r\nThe DllMain function of this payload begins by comparing the process executable name, looking for the\r\nexplorer.exe process. If it is not loaded in the context of this process, nothing occurs. If the malware is\r\nrunning within explorer.exe, it calls its own HTTPStart exported function, which performs the malicious\r\nactions.\r\nIt begins by writing the ID56SD.tmp file in its current working directory (CWD). A unique, randomly chosen\r\n10-byte alphabetic string is written to this file, which will be used as an identifier for the victim. A file named stass is\r\nalso written in the CWD, with a single byte of a.\r\nThe payload proceeds to enter an infinite loop, with a 15-minute delay between iterations. The loop begins by\r\nreading in the previously written stass file and uploading it to its embedded C2 server via HTTP.\r\nThe data is encoded with base64 and uploaded via a POST parameter of data. 
Additionally, the victim’s identifier\r\nand the current timestamp are uploaded via a POST parameter of subject.\r\nFigure 3 HTTP request made by NOKKI payload\r\nAfter this upload request is made, the malware looks for the presence of a file named uplog.tmp. In the event this\r\nfile exists, it is uploaded via the same method as previously noted. After this file is uploaded via HTTP, the local\r\nfile is deleted. While this sample does not create the file itself, in other NOKKI variants it has\r\nbeen observed containing the victim’s system information.\r\nThe malware then looks for the presence of the upfile.tmp file. Again, if this file exists, it is uploaded to the\r\nremote server and the local file is deleted.\r\nFinally, the malware will look for the presence of the following remote files, where [id] is the victim identifier:\r\nhttp://mail.[removed].co[.]kr/./pds/down\r\nhttp://mail.[removed].co[.]kr/./pds/data/[id]-down\r\nIf the down file is available, it is written to %TEMP%\\wirbiry2jsq3454.exe and executed. If the [id]-down file is\r\navailable, it is written to %TEMP%\\weewyesqsf4.exe and executed.\r\nDuring execution, a remote module was downloaded from the down URL:\r\nThis module is responsible for collecting the following information and writing it to the\r\n%LOCALAPPDATA%\\MicroSoft UpdateServices\\uplog.tmp file:\r\nIP Address\r\nHostname\r\nUsername\r\nDrive Information\r\nOperating System Information\r\nInstalled Programs\r\nThis module behaves identically to the information collection function witnessed in the older variant of\r\nNOKKI.\r\nComparison to KONNI\r\nThe NOKKI malware family differs from KONNI in a number of ways. 
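Before the comparison, the two C2 loops described in the NOKKI Malware Family section above (the FTP variant uploading stass and uplog.tmp into public_html and then polling for [id]-down; the HTTP variant posting to /./pds/data/upload.php and then polling /./pds/down and /./pds/data/[id]-down) can be turned into server-side detection logic. The Python script below is an added example written for this page, not code from the Unit 42 report or from the malware. It parses constructed Squid proxy log lines and constructed xferlog lines, maps each request to a beacon stage, checks the cadence of the beacons against the 15-minute sleep both variants use, and decodes a captured upload.php POST body. The host mail.example.com, the client addresses, the victim identifiers and the subject layout (identifier followed by a timestamp) are assumptions of the example: the report redacts the real host and does not reproduce the subject format.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Artifacts named in the report; [id] is a random string of 10 upper-case letters.
VICTIM_ID_RE = re.compile('[A-Z]{10}')
HTTP_UPLOAD = '/./pds/data/upload.php'
HTTP_DOWN = '/./pds/down'
HTTP_ID_DOWN_RE = re.compile('^/[.]/pds/data/([A-Z]{10})-down$')
FTP_ID_DOWN_RE = re.compile('^([A-Z]{10})-down$')
BEACON_INTERVAL = 15 * 60   # both variants sleep 15 minutes between loop iterations
TOLERANCE = 90              # seconds of slack for request time and sleep jitter

# Constructed Squid native access.log lines (epoch.ms elapsed client code/status bytes method
# URL ident hierarchy type); 10.0.0.5 is the infected host, mail.example.com a placeholder.
SQUID_LOG = '''
1538038801.210 44 10.0.0.5 TCP_MISS/200 312 POST http://mail.example.com/./pds/data/upload.php - HIER_DIRECT/203.0.113.10 text/html
1538038802.330 19 10.0.0.5 TCP_MISS/404 480 GET http://mail.example.com/./pds/data/QWERTYUIOP-down - HIER_DIRECT/203.0.113.10 text/html
1538038990.004 31 10.0.0.9 TCP_MISS/200 5120 GET http://mail.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1538039702.551 46 10.0.0.5 TCP_MISS/200 312 POST http://mail.example.com/./pds/data/upload.php - HIER_DIRECT/203.0.113.10 text/html
1538039703.402 21 10.0.0.5 TCP_MISS/404 480 GET http://mail.example.com/./pds/down - HIER_DIRECT/203.0.113.10 text/html
1538040604.877 45 10.0.0.5 TCP_MISS/200 312 POST http://mail.example.com/./pds/data/upload.php - HIER_DIRECT/203.0.113.10 text/html
1538040605.900 812 10.0.0.5 TCP_MISS/200 40960 GET http://mail.example.com/./pds/data/QWERTYUIOP-down - HIER_DIRECT/203.0.113.10 application/octet-stream
'''

# Constructed xferlog lines (date, seconds, client, bytes, path, type, flag, direction
# i=upload/o=download, mode, user, service, auth, uid, status); 10.0.0.7 is the infected host.
XFERLOG = '''
Fri Apr 06 10:00:00 2018 1 10.0.0.7 1 /public_html/stass a _ i r webadm ftp 0 * c
Fri Apr 06 10:00:01 2018 1 10.0.0.7 2310 /public_html/uplog.tmp b _ i r webadm ftp 0 * c
Fri Apr 06 10:15:02 2018 1 10.0.0.7 1 /public_html/stass a _ i r webadm ftp 0 * c
Fri Apr 06 10:30:03 2018 1 10.0.0.7 1 /public_html/stass a _ i r webadm ftp 0 * c
Fri Apr 06 10:30:04 2018 3 10.0.0.7 61440 /public_html/ZXCVBNMASD-down b _ o r webadm ftp 0 * c
Fri Apr 06 11:05:00 2018 2 10.0.0.8 8192 /public_html/index.html b _ o r webadm ftp 0 * c
'''

def http_events(text):
    '''Yield (ts, client, stage, victim_id, served) for NOKKI HTTP traffic in a Squid log.'''
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        ts, client, method, path = float(f[0]), f[2], f[5], urlsplit(f[6]).path
        status = int(f[3].rsplit('/', 1)[1])
        m = HTTP_ID_DOWN_RE.match(path)
        if path == HTTP_UPLOAD and method == 'POST':
            yield ts, client, 'beacon', None, False
        elif path == HTTP_DOWN or m:
            # A 200 on a download path means a module or payload was actually served.
            yield ts, client, 'poll', m.group(1) if m else None, status == 200

def ftp_events(text):
    '''Same for an xferlog: stass uploads are the beacon, uplog.tmp carries host data.'''
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 12:
            continue
        when = datetime.strptime(' '.join(f[:5]), '%a %b %d %H:%M:%S %Y')
        ts, client, direction = when.replace(tzinfo=timezone.utc).timestamp(), f[6], f[11]
        folder, _, name = f[8].rpartition('/')
        m = FTP_ID_DOWN_RE.match(name)
        if folder.endswith('public_html') and direction == 'i' and name in ('stass', 'uplog.tmp'):
            yield ts, client, 'beacon' if name == 'stass' else 'exfil', None, False
        elif m and direction == 'o':
            yield ts, client, 'poll', m.group(1), True

def summarize(events):
    '''Group events per client and test the beacon cadence against the 15-minute sleep.'''
    per = defaultdict(lambda: {'beacons': [], 'stages': set(), 'ids': set(), 'served': False})
    for ts, client, stage, victim_id, served in events:
        h = per[client]
        h['stages'].add(stage)
        if stage == 'beacon':
            h['beacons'].append(ts)
        if victim_id:
            h['ids'].add(victim_id)
        h['served'] = h['served'] or served
    out = {}
    for client, h in per.items():
        times = sorted(h['beacons'])
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and abs(statistics.median(gaps) - BEACON_INTERVAL) <= TOLERANCE
        out[client] = {'victim_ids': sorted(h['ids']), 'stages': sorted(h['stages']),
                       'beacon_gaps': [round(g) for g in gaps], 'periodic': periodic,
                       'payload_served': h['served']}
    return out

def decode_beacon_body(body):
    '''Decode a captured upload.php POST body: data is base64, subject holds the victim id and
    a timestamp. The report does not show the subject layout, so only the id is extracted.'''
    params = parse_qs(body)
    data = base64.b64decode(params.get('data', [''])[0], validate=True)
    m = VICTIM_ID_RE.search(params.get('subject', [''])[0])
    return (m.group(0) if m else None), data

if __name__ == '__main__':
    print(summarize(http_events(SQUID_LOG)))
    print(summarize(ftp_events(XFERLOG)))
```

Run the file directly to print a per-client summary. The HTTP path match keeps the literal /./ segment because the malware requests it verbatim; if the log source already collapses dot segments, normalise the rule the same way or it will miss. On a shared compromised host a single hit on the URI alone is a weak signal, which is why the 15-minute cadence and a 200 on a download path (a module or payload actually served) are reported alongside it.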
Unlike KONNI, NOKKI is modular in\r\nnature, with multiple steps taken between the initial infection and the final payload(s) being delivered. Early\r\nversions of NOKKI observed between January 2018 and May 2018 used a remote FTP server to ultimately accept\r\ncommands and download additional modules. While newer versions of NOKKI starting in June 2018 use HTTP,\r\nthe communication is quite different from the previously reported KONNI malware, both in the URI structure and\r\nin the data being sent. In addition, while the KONNI samples used C2 infrastructure set up specifically by the adversary,\r\nNOKKI mostly leveraged what appeared to be compromised legitimate servers for its infrastructure.\r\nNOKKI URIs:\r\n/./pds/data/upload.php\r\n/./pds/data/[victim_id]-down\r\n/./pds/down\r\n/common/exe\r\n/common/doc\r\nPreviously Reported KONNI URIs:\r\n/login.php\r\n/upload.php\r\n/download.php\r\n/weget/uploadtm.php\r\n/weget/upload.php\r\nTable 5. URI differences between NOKKI and KONNI\r\nWhile we consider these malware families to be separate, we identified some similarities with KONNI. In addition\r\nto overlapping infrastructure between KONNI and NOKKI, a NOKKI module used to collect victim information\r\nwas observed exhibiting very similar characteristics to the KONNI victim information collection function, as seen\r\nin Figure 4. This same function was also observed in early instances of the dropper used to deploy NOKKI\r\nbetween January 2018 and May 2018.\r\nFigure 4 Similarities between KONNI malware family and NOKKI module\r\nBased on the similarities witnessed, we think it is highly probable there is some amount of code sharing and likely\r\na single adversary group involved.\r\nConclusion\r\nThe adversary operating the NOKKI malware family appears to have begun using NOKKI in January 2018 and\r\nhas continued their activity through 2018. 
At this time, we can only speculate, based on tenuous relationships, to whom this series of attacks may be\r\nattributed. However, there is significant evidence from our attack telemetry and\r\nvictimology indicating the operator has a strong interest in specific regions of the world such as Eurasia, the\r\nKorean Peninsula, and Southeast Asia. The general tactics used to deliver NOKKI are similar in nature to those of the\r\nactors behind a previously identified malware, KONNI. Additionally, there are overlaps both in code and in some\r\ninfrastructure with previously reported KONNI activity. Unlike KONNI, however, this particular malware family\r\nmakes use of compromised servers for both hosting and C2 operations.\r\nThe NOKKI malware itself has been updated in the short period of time it has been observed, moving from FTP to\r\nHTTP for C2 operations. The malware is modular in nature, and based on analysis of the information gathering\r\nmodule, it is highly likely the NOKKI operators are the same as the KONNI operators. 
Unit 42 will continue to\r\nmonitor this malware family and the threat actor responsible.\r\nPalo Alto Networks customers are protected by the following:\r\nAll known samples of NOKKI maintain a malware verdict in WildFire\r\nAutoFocus customers may learn more via the NOKKI tag\r\nAppendix\r\nIndicators of Compromise\r\nJuly 2018 Attack\r\nIndicator Type Indicator\r\nHash d92c94423ec3d01ad584a74a38a2e817449648a4da3f12d345c611edc5c4cdbd\r\nHash dce53e59b0c48e269dadc766a78667a14f11b72c49f57d95abde62c84ac8d7ae\r\nHash 0657f788e89a437a1e6fe2630c19436736aa55dcf255540698864a7576192611\r\nHash d211815177ce4b9fd2d3c258d2fc6282c23b8458d71f8f6f0df06a9dda89c12f\r\nProcess rundll32.exe [%LOCALAPPDATA%\\MicroSoft UpdateServices\\Services.dll] install\r\nRegistry Key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qivService\r\nFile ID56SD.tmp\r\nFile stass\r\nFile %LOCALAPPDATA%\\MicroSoft UpdateServices\\uplog.tmp\r\nFile %TEMP%\\wirbiry2jsq3454.exe\r\nFile %TEMP%\\weewyesqsf4.exe\r\nURL hxxp://mail.[removed].co[.]kr/./pds/data/upload.php\r\nURL hxxp://mail.[removed].co[.]kr/./pds/down\r\nURL hxxp://mail.[removed].co[.]kr/./pds/data/[id]-down\r\nURL hxxp://mail.[removed].co[.]kr/common\r\nURL hxxp://mail.[removed].co[.]kr/common/exe\r\nURL hxxp://mail.[removed].co[.]kr/common/doc\r\nJune 2018 Attack\r\nIndicator Type Indicator\r\nHash 5137f6a59c2c7a54f1a5fc9a9650972b17d52dd0e203f5abefedf5c593c41ff0\r\nHash fd673703c502be907919a4ff2922b7b969d96d206abc572a5cb83e69ab32ca18\r\nHash 4e84f97bb61c2d373a574676fa374131460839ecc7b53064f558ce7ce55528ad\r\nHash 74ddd56b1e33aa3752f143a77e5802a5803fd2c222f2cca77bfa5c740dfc8f5e\r\nProcess rundll32.exe [%LOCALAPPDATA%\\MicroSoft UpdateServices\\Services.dll] install\r\nRegistry Key 
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qivService\r\nFile ID56SD.tmp\r\nFile stass\r\nFile uplog.tmp\r\nFile %TEMP%\\wirbiry2jsq3454.exe\r\nFile %TEMP%\\weewyesqsf4.exe\r\nURL hxxp://mail.[removed].co[.]kr/./pds/data/upload.php\r\nURL hxxp://mail.[removed].co[.]kr/./pds/down\r\nURL hxxp://mail.[removed].co[.]kr/./pds/data/[id]-down\r\nURL hxxp://mail.[removed].co[.]kr/common\r\nMay 2018 Attack\r\nIndicator Type Indicator\r\nHash 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10\r\nHash c3172b403068aabc711b7cbe4d923ae1fa705ce11c4cc71271fde83ce751c21c\r\nFolder %LOCALAPPDATA%\\MicroSoft Update1\r\nFile %LOCALAPPDATA%\\MicroSoft Update1\\svServiceUpdate.exe\r\nFile %TEMP%\\uplog.tmp\r\nFile %STARTUP%\\Antdule.lnk\r\nFile %TEMP%\\ID56SD.tmp\r\nFile %TEMP%\\svchostav.exe\r\nURL hxxp://mail.[removed].co[.]kr/de/de_includes/mail/yandex.ru/download.php\r\nApril 2018 Attack\r\nIndicator Type Indicator\r\nHash 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9\r\nHash d5fc0ef2d1ed037b5b6389882f9bb4ea15a6b41f21cdc0f5e90752f4e687445c\r\nFolder %LOCALAPPDATA%\\MicroSoft Update1\r\nFile %LOCALAPPDATA%\\MicroSoft Update1\\svServiceUpdate.exe\r\nFile %TEMP%\\uplog.tmp\r\nFile %STARTUP%\\Antdule.lnk\r\nFile %TEMP%\\ID56SD.tmp\r\nFile %TEMP%\\svchostav.exe\r\nURL hxxp://mail.[removed].co[.]kr/de/de_includes/mail/yandex.ru/download.php\r\nIP Address 210.112.239[.]74\r\nEarly April 2018 Attack\r\nIndicator Type Indicator\r\nHash 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd\r\nHash c07bea0928a35b9292eebab32563378d01d95434d098e5c7c076e94866a14212\r\nFolder %LOCALAPPDATA%\\MicroSoft Update1\r\nFile %LOCALAPPDATA%\\MicroSoft Update1\\svServiceUpdate.exe\r\nFile %TEMP%\\uplog.tmp\r\nFile %STARTUP%\\Antdule.lnk\r\nFile %TEMP%\\ID56SD.tmp\r\nFile %TEMP%\\svchostav.exe\r\nURL 
hxxp://mail.[removed].co[.]kr/de/de_includes/mail/yandex.ru/download.php\r\nIP Address 141.223.125[.]112\r\nJanuary 2018 Attack\r\nIndicator Type Indicator\r\nHash b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311\r\nHash 0d98ca35b29d2a9f7ca6908747c457ebdba999f0e83e182f770848e2335ade5b\r\nFolder %LOCALAPPDATA%\\MicroSoft Update1\r\nFile %LOCALAPPDATA%\\MicroSoft Update1\\svServiceUpdate.exe\r\nFile %TEMP%\\uplog.tmp\r\nFile %STARTUP%\\Antdule.lnk\r\nFile %TEMP%\\ID56SD.tmp\r\nFile %TEMP%\\svchostav.exe\r\nURL hxxp://mail.[removed].co[.]kr/de/de_includes/mail/yandex.ru/download.php\r\nIP Address 101.129.1[.]104\r\nSource: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
	],
	"report_names": [
		"unit42-new-konni-malware-attacking-eurasia-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/939e034168db66b31a40ef1283d6be7fe151b031.pdf",
		"text": "https://archive.orkl.eu/939e034168db66b31a40ef1283d6be7fe151b031.txt",
		"img": "https://archive.orkl.eu/939e034168db66b31a40ef1283d6be7fe151b031.jpg"
	}
}