{
	"id": "7ce7e3e8-c624-4a52-875c-20d44579bf79",
	"created_at": "2026-04-06T00:17:31.785187Z",
	"updated_at": "2026-04-10T03:38:06.2748Z",
	"deleted_at": null,
	"sha1_hash": "aaf315d67acbcdbec9f30cb18eb9d494b3c6a66f",
	"title": "To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1766085,
	"plain_text": "To Russia With Love: Assessing a KONNI-Backdoored Suspected\r\nRussian Consular Software Installer\r\nBy DCSO CyTec Blog\r\nPublished: 2024-02-21 · Archived: 2026-04-05 13:15:59 UTC\r\nEarlier this year, DCSO observed an intriguing malware sample first uploaded to VirusTotal in mid-January 2024\r\nthat we believe to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs.\r\nThe malware itself appears to be KONNI, a North Korea (DPRK) nexus tool believed to have been used since as\r\nearly as 2014. The use of KONNI in highly similar activity targeting the Russian Ministry of Foreign Affairs was\r\npreviously observed by various researchers in a 2021 campaign. We have noted that additional researchers have\r\nindependently uncovered the same upload that we assess in this blogpost and identified it as a KONNI sample.\r\nPerhaps more interestingly, however, the sample was bundled into a backdoored Russian language software\r\ninstaller. This is a KONNI delivery technique that we have previously observed, with a sample from 2023\r\ndelivered via a backdoored installer for the publicly available Russian state-mandated tax filing software “Spravki\r\nBK” (Справки БК).\r\nIn this instance, the backdoored installer appears to be for a tool named “Statistika KZU” (Статистика КЗУ).\r\nWhile we were unable to find any public references to the tool, we suspect on the basis of install paths, file\r\nmetadata, and user manuals bundled into the installer that the software is intended for internal use within the\r\nRussian Ministry of Foreign Affairs (MID), specifically for the relaying of annual report files from overseas\r\nconsular posts (КЗУ — консульские загранучреждения) to the Consular Department of the MID via a secure\r\nchannel.\r\nIn this blogpost we will assess the backdoored Russian installer and the possible implications thereof, document\r\nthe functionality of the KONNI variant observed, and fit this finding into the 
bigger picture of historical DPRK-linked espionage activity and KONNI usage targeting Russian entities.\r\nBlog post authored by Johann Aydinbas, Olivia Hayward, Jiro Minier, and Kritika Roy\r\nhttps://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3\r\nPage 1 of 15\n\nPicture by Thomas Evans on Unsplash\r\nThe Backdoored Installer\r\nAs noted above, the KONNI sample we discovered appears to have been distributed via a backdoored installer for\r\na Russian-language tool named “Statistika KZU” (Статистика КЗУ). In spite of a lack of public references to the\r\ntool, a number of data points lead us to believe that Statistika KZU is a tool intended for use within the Russian\r\nMinistry of Foreign Affairs (MID), specifically for the relaying of consular statistics to the MID from consulates\r\nworldwide. In the section below, we will detail the various data points and findings that led us to reach this\r\nconclusion.\r\nThe main window of the Statistika KZU GUI\r\nUser Manual\r\nTwo user manual files were discovered bundled into the backdoored installer detailing the installation and usage\r\nof the software. The first one (“Инструкция по установке программы StatRKZU”) explains how to install the\r\n“Statistika KZU” program on an administrative account and begin running the software. It includes the minimum\r\nsoftware requirements and screenshots detailing the process. The software installer installs the program to its\r\ndefault filepath (C:\\ConsulSoft\\StatRKZU). 
On the first login, the manual instructs administrators to use the\r\nusername “ADMIN” and an empty password, as shown in the image below.\r\nDetailing how to log in to the program for the first time\r\nFrom there, a window pops up and users select the country they are located in and the consulate that they are\r\nworking for. The KZU code is provided by the program automatically based on the entered information. The user\r\nthen provides the name of the head as well as their position.\r\nFilling out information about the user’s consulate location when configuring Statistika KZU\r\nIn order to begin sending the automatic reports to the MID, users must set up ViPNet, which is a secure, encrypted\r\nRussian VPN client and one of the stated software requirements for Statistika KZU. In ViPNet, users set up the\r\nautomated report sending process, which is already listed as an option within the program. In the image below, the\r\noption “Statistical report for KD” is selected within the ViPNet program, with the user in the process of creating a\r\nnew automatic processing rule.\r\nSetting up the automated reports through ViPNet\r\nThe second manual (“StatRKZU_Руководство”) is a 22-page user manual for both administrators and operators\r\nexplaining how to use the software. 
It also clarifies the purpose of the software, which is to generate annual report\r\nfiles on the consular activities of the KZU and automatically send these via a secure internet channel to the\r\nconsular department of the MID on the KZU Statistics server as well as print the reports.\r\nIt begins the same way as the other document, stating the minimum software requirements and how to log in and\r\nset up the program for the first time. From there, it walks through the main window of the software and the\r\npurpose of each tab. The screenshot below explains the main window of the program and where information\r\nshould be tracked and entered.\r\nThe manual then details the program functions available to administrators, including: registering users, setting up\r\nmodules in ViPNet, and saving and restoring databases.\r\nThe final section explains how to formulate and print annual reports. In the example below, we can see two of the\r\ntemplates. The first is a template for a table containing the number of registered Russian citizens in the KZU at the\r\nbeginning of the year and at the end, and the second is the number of Russian citizens detained, arrested, or\r\nimprisoned in the territory of the consular district at the beginning of the year and the number at the end.\r\nStructure for a printed statistical report template\r\nInstalled Software\r\nWe were able to successfully run the installer and use the instructions provided in the manual to access the\r\ninstalled software offline. The UI of the installed program also appeared to correspond fully to the details provided\r\nin the manual. 
We were, however, unable to test the functionality of the installed software, preventing us from\r\nconclusively assessing whether the software is legitimate.\r\nInstall Path\r\nThe default install path created by the installer lends additional credibility to the notion that the software is\r\nintended for use in a consular context:\r\n\\ConsulSoft\\StatRKZU\\\r\nReferences to “GosNIIAS” (ГосНИИАС) in MSI File Metadata\r\nAdditionally, we noted that an entity named “GosNIIAS” (ГосНИИАС) is listed in the “authors” field of the MSI\r\nfile’s metadata.\r\nThe reference to ГосНИИАС in file metadata\r\nGosNIIAS is an acronym for the State Scientific Research Institute of Aviation Systems (Государственный\r\nнаучно-исследовательский институт авиационных систем), a Russian federal research institute primarily\r\ninvolved in aerospace research and associated projects.\r\nWe were unable to find any direct correlations between GosNIIAS and Statistika KZU due to a lack of public\r\nreferences to the software. 
However, we were able to uncover references to contracts fulfilled by GosNIIAS to\r\nprovide the MID with various automated consular information services solutions.\r\nSpecifically, we were able to uncover a series of public procurement records that list the Russian Ministry of\r\nForeign Affairs (Министерство иностранных дел Российской Федерации) as the customer for single-source\r\ncontracts fulfilled by GosNIIAS in this area.\r\nTwo of the potentially relevant contracts discovered include a procurement order (#0173100002211000012) for\r\nsoftware maintenance for the operation of automated systems in the consular department of the MID and a\r\nprocurement order (#0173100002213000006) for the maintenance of comprehensive system software for\r\nprotecting personal data during processing on consular systems for the MID. In both of the contracts, the Ministry\r\nof Foreign Affairs was listed as the customer and GosNIIAS as the supplier.\r\nThe following images were taken from the contracts, the first detailing the services procured from GosNIIAS by\r\nthe MID as well as information on the amount in rubles that would be paid for the services.\r\nInformation on the services procured from contract #0173100002211000012\r\nThe second screenshot shows GosNIIAS as the supplier of the services, as well as the organization’s address, fax\r\nphone number, and tax IDs.\r\nInformation on the supplier (GosNIIAS) of contract #0173100002213000006\r\nDespite the lack of a specific reference to Statistika KZU, the various contracts reflect the work done by\r\nGosNIIAS for the Russian MID in the field of consular department data handling, with the two specific contracts\r\npinpointed above detailing work scoping that could 
plausibly encompass a software solution such as Statistika\r\nKZU.\r\nOther public indications of GosNIIAS involvement in Russian Ministry of Foreign Affairs consular service\r\nprovision can be found; for example, a public portal for consular service reservation credits GosNIIAS for the\r\ndevelopment of the site.\r\nGosNIIAS credited for work on a public portal for consular service reservation\r\nThe KONNI Malware\r\nBelieved to have been used since as early as 2014, KONNI was initially known to only serve as an infostealer.\r\nLater versions steadily increased its feature-set up to its apparent peak in 2016 where it offered a variety of stealer\r\nfunctionality (browser data, clipboard, keylogging) in addition to common remote administration capabilities as\r\nreported by Talos Intelligence, followed by a sharp reduction of functionality in 2017, and only minimal\r\nadjustments since.\r\nCurrent samples, such as the one observed in this instance, only come with a minimal set of capabilities for file\r\ntransfers, command execution and configuration of check-in intervals. The tool is tracked under other names,\r\nincluding “UpDog” by Proofpoint.\r\nThe malware has generally been associated with use by DPRK nexus actors. The threat actor typically referred to\r\nas Konni Group due to its prolific use of the tool, also tracked as TA406, is generally understood to fall under the\r\nKimsuky cluster of DPRK Reconnaissance General Bureau-linked actors. 
The KONNI malware has also been\r\nlinked to other actors within the DPRK nexus, including APT37.\r\nInstallation\r\nBoth installers came in the form of an MSI file with the malware integrated into the benign installation process.\r\nWhen a user runs the backdoored installer, a CustomAction triggers execution of the first stage, which detects the\r\nenvironment (32/64 bit) and selects the appropriate payload. The exact implementation differs for both inspected\r\nsamples — we have observed a VBScript and a small executable performing the same tasks.\r\nIn both cases, another batch file is eventually executed, which is responsible for copying the files and setting up\r\nthe Windows service for persistence and execution simultaneously, as well as copying the included configuration\r\nalongside the payload file.\r\nFinal .bat file for both samples\r\nThe service name is chosen to be inconspicuous, with “Windows image Acquisition Service” being very similar to\r\nan existing, legitimate Windows service.\r\nConfiguration\r\nThe configuration file copied during the malware installation process contains the C2 servers and is encrypted\r\nusing AES-CTR, with the service name used as key.\r\nYou can grab a script to decrypt such configuration files from our GitHub.\r\nWe have extracted the C2s from the present samples — you can find them in the IoC section at the end of the\r\nblogpost.\r\nInterestingly, one of the C2 domains we identified was “victory-2024[.]mywebcommunity[.]org.” The consistent\r\nuse of the word “victory” in various aspects of Konni Group/TA406 activity has been highlighted previously by\r\nProofpoint researchers, 
who identified it as the HTTP title of the version of the PHP e-mail sending tool Star used\r\nby the group as well as in an executable deployed in a campaign suspected to have been undertaken by the group.\r\nResearchers noted that the word had also been employed in various passwords by a Kimsuky cluster actor tracked\r\nas TA408, an observation corroborated in earlier research published by ESTsecurity.\r\nOf particular interest from our standpoint, a late 2021 campaign suspected to have leveraged the KONNI\r\nmalware to target the Russian MID was identified in public reporting by Lumen researchers in early 2022. While\r\nthis campaign will be explored in more detail later in this blogpost, we note that a C2 domain identified in this\r\ncampaign was “victory-2020.atwebpages[.]com.” This may be indicative of a consistent domain name pattern\r\n(victory-yyyy) being employed in campaigns seeking to deploy KONNI against Russian MID targets, though we\r\ncannot preclude the use of this domain name pattern in C2 for other campaigns.\r\nCapabilities\r\nKONNI’s recent command set has remained largely unchanged and only permits operators to execute commands\r\nand receive their output, upload and download files and specify sleep intervals (connectivity check interval, check\r\nin interval). Communication is done via HTTP.\r\nFor a check-in, KONNI runs the following commands and sends the output to the C2:\r\nsysteminfo\r\ntasklist\r\nFor file transfers, KONNI checks the extensions against a list of file types it transfers as is. 
Other file extensions\r\nare compressed into a .CAB archive and then sent.\r\nThe list of extensions transferred unchanged:\r\n.7z\r\n.zip\r\n.rar\r\n.cab\r\n.docx\r\n.xlsx\r\nThe Bigger Picture\r\nDPRK nexus cyberespionage targeting sensitive Russian sectors is a long-standing phenomenon. In 2019, for\r\nexample, Check Point Research stated that they had observed a “coordinated North Korean attack against Russian\r\nentities” leveraging known DPRK tooling. In 2020, meanwhile, Russian press reported on Kimsuky cluster\r\nactivity purportedly impacting targets such as defense conglomerate Rostec.\r\nThe discovery, however, comes amidst a broader context of increasing geopolitical proximity between Russia and\r\nthe DPRK in the aftermath of the former’s renewed invasion of Ukraine in 2022, reflected in a high-profile\r\nsummit between the two countries’ leaders in 2023 as well as consistent reports that large-scale transfers of\r\nartillery ammunition from the DPRK to Russia had taken place in order to support the latter’s ongoing invasion\r\neffort, likely in exchange for boons such as technical support in areas of key interest to the DPRK such as its\r\nballistic missile program or natural resource provision.\r\nIn spite of this evolving strategic relationship, however, DPRK nexus cyberespionage efforts against Russian\r\ntargets of interest in sensitive sectors such as government or defense appear to be ongoing. Notably, in late 2023,\r\nSentinelLabs published findings from a “leaked email collection” that indicated that Russian missile and rocket\r\nengineering bureau NPO Mashinostroyeniya had identified a breach in mid-May 2022 that, according to\r\nSentinelLabs researchers, featured several overlaps with known DPRK activity.\r\nMicrosoft, meanwhile, has disclosed several additional alleged DPRK-linked incidents that impacted Russian\r\nvictims in 2023. 
According to the firm, threat actor Ruby Sleet (CERIUM) purportedly compromised an unnamed\r\nRussian aerospace research institute in March 2023. Onyx Sleet (PLUTONIUM), another DPRK-linked group,\r\ncompromised an unspecified device at a Russian university in the same month. Finally, Opal Sleet\r\n(OSMIUM/Konni Group) purportedly targeted Russian diplomatic entities via phishing, also in March 2023.\r\nKONNI deployment against Russian foreign policy targets\r\nWithin the context of DPRK nexus cyberespionage targeting Russia, a few data points in recent years have\r\nspecifically involved KONNI or related tooling in activity that appeared to target Russian foreign policy-relevant\r\ntargets.\r\nIn 2018, Palo Alto Networks researchers detailed a campaign leveraging a KONNI variant that they dubbed\r\nNOKKI targeting “politically-motivated victims in Eurasia and possibly Southeast Asia.” As part of this\r\ncampaign, the researchers uncovered a series of samples with Cyrillic contents relevant to Russian political\r\nmatters. While it remains unclear whether the Russian MID was the ultimate end-target of this activity, it can\r\nplausibly be assessed as representing an early instance of KONNI(-adjacent) deployment against targets in the\r\nbroader sphere of Russian foreign policy interests.\r\nIn a similar vein, Malwarebytes researchers uncovered a campaign in mid-2021 involving the use of KONNI\r\nleveraging Russian language lures concerning Russian-Korean trade and economic issues, and a meeting of a\r\nRussian-Mongolian intergovernmental commission. 
While the specific targeting of the campaign remains unclear,\r\nthe discovery nonetheless constitutes another instance of KONNI deployment being facilitated via Russian-language lures with content relevant to Russian foreign policy interests.\r\nThe publicly available data point with perhaps the most explicit relevance to our finding is the late 2021 campaign\r\nuncovered by Lumen researchers and Cluster 25 researchers already mentioned earlier in this blogpost, involving\r\nvery similar TTPs and targeting to our finding. The campaign occurred in multiple stages, leveraging tools such as\r\nspoofed MID login portals for credential harvesting, a fake malicious installer for a Russian state-mandated\r\nvaccination registration tool, and trojanized screensaver attachments to target MID personnel in a “highly\r\ntargeted” manner.\r\nFinally, as noted above, Microsoft disclosed a March 2023 case in which an account linked to Konni Group\r\ntargeted Russian “diplomatic government entities” with phishing e-mails. Further details were not provided\r\nconcerning this activity.\r\nThe sample we uncovered, therefore, appears to fit into an established pattern of KONNI deployment against\r\nRussian foreign policy targets, with the 2021 campaign uncovered by Lumen and Cluster25 researchers appearing\r\nto be particularly similar in its execution and targeting.\r\nCaveats and Open Questions\r\nA number of caveats and open questions remain concerning this finding.\r\nIs this a legitimate software installer?\r\nWe cannot conclusively assess whether the software installer itself is legitimate as we were unable to find\r\ncorroborating references to the existence of Statistika KZU in the public domain. 
Additionally, we were unable to\r\ntest the proper functionality of the tool itself.\r\nIt should be noted nonetheless that there are strong indicators in favour of Statistika KZU being a legitimate tool.\r\nThese include the GosNIIAS contracts for technical consular service provision and the inclusion of complete user\r\nmanuals in the installer discovered.\r\nFurthermore, as noted previously, we were able to use the instructions provided in the user manual to access the\r\ntool offline, and the UI layout post-authentication corresponded to the contents of the user manual, lending further\r\ncredibility to the notion that the backdoored software installer itself may be legitimate.\r\nIf the software or installer are not legitimate, considerable effort would appear to have been invested into giving\r\nthem the veneer of legitimacy.\r\nIf it is a legitimate installer, is it publicly obtainable?\r\nIf the software installer is indeed legitimate, the natural follow-on question is whether it is publicly obtainable in\r\nany way. Investigation on our part, as noted previously, found no public records concerning Statistika KZU or its\r\ninstaller.\r\nIt remains possible, however, that a legitimate Statistika KZU installer may have been acquired by the actors via\r\nan unidentified public channel.\r\nIf the installer is legitimate but not publicly obtainable, how was it acquired by the attackers for\r\nbackdooring?\r\nIf the software installer is legitimate and was not obtained publicly, the question of how the attackers were able to\r\nobtain a sample for backdooring emerges.\r\nWe are unable to offer any concrete conclusions in this regard. 
As noted above, however, KONNI and KONNI-linked activity targeting Russian foreign policy end-targets including the MID has been observed for many years,\r\npotentially providing many opportunities for internal tool identification and subsequent acquisition or exfiltration\r\nfor backdooring purposes.\r\nFinal Thoughts\r\nAs noted by experts, the public discovery and discussion of so-called “red on red” activity between the DPRK and\r\nRussia remains necessarily limited due to fundamental visibility constraints. Given the VirusTotal upload date, this\r\nfinding would appear to indicate that as of early 2024 such activity remains, at the very least, alive and well.\r\nThe attempted use of a backdoored software installer that either is or is masquerading as a tool intended\r\nspecifically for internal use within the Russian Ministry of Foreign Affairs is likely the most interesting aspect of\r\nthis finding. Whether legitimate or otherwise, the backdoored installer is indicative in itself of highly specific\r\ntargeting against the MID by virtue of the stated use-case for Statistika KZU. Such activity is in line with but also\r\nan evolution from historical KONNI deployment that also appeared to specifically target the MID and its\r\npersonnel.\r\nIt also indicates that this highly specific targeting of the MID by the DPRK appears to have continued in spite of\r\nthe increasing recent strategic alignment of the DPRK and Russia, in line with other DPRK threat activity\r\ntargeting strategically sensitive Russian government and economic sectors. 
To some extent, this should not come\r\nas a surprise; increasing strategic proximity would not be expected to fully overwrite extant DPRK collection\r\nneeds, with an ongoing need on the part of the DPRK to be able to assess and verify Russian foreign policy\r\nplanning and objectives.\r\nSome accounts of the origins of the DPRK’s cyber program detail the role purportedly played by Russian\r\ninstructors in the early years of foundational institutions in the program such as the then-Mirim College. Though\r\ndetails remain murky, the possibility remains that this may represent a classic case of the chickens coming home\r\nto roost.\r\nIndicators of compromise can be found below; as noted earlier in the blogpost, a script to decrypt KONNI\r\nconfiguration files can be found in our GitHub repository.\r\nIoCs\r\nSamples\r\n58bcd90f6f04c005c892267a3dfe91d1154d064482b07715ad5802f57c1ea32d StatRKZU.msi\r\n9339eaf1d77bb0324e393a08a6180fe0658761fc0cd20ba25081963286dfb9c7 wiasvc32.dll\r\nb60dc12833110098f5eec9a51749d227db7a12d4e91a100a4fd8815695f1093f wiasvc64.dll\r\nC2s\r\nvictory-2024.mywebcommunity[.]org\r\n3cym4ims.medianewsonline[.]com\r\nj1p75639.medianewsonline[.]com\r\n99695njd.myartsonline[.]com\r\nmhhnv7s9.myartsonline[.]com\r\ng66nzt8q.mygamesonline[.]org\r\np593d8g9.mygamesonline[.]org\r\nmbfasq54.mypressonline[.]com\r\ntl2j38w9.mypressonline[.]com\r\nt8nptw2h.mywebcommunity[.]org\r\nw9uzs9la.mywebcommunity[.]org\r\nzcvbm1zv.onlinewebshop[.]net\r\nzomfaa9a.onlinewebshop[.]net\r\n694qf6w8.scienceontheweb[.]net\r\n24ev0apa.scienceontheweb[.]net\r\nc6cdg4su.sportsontheweb[.]net\r\n5s6bqbea.sportsontheweb[.]net\r\njbkza9h7.atwebpages[.]com\r\n88zr7cua.atwebpages[.]com\r\np8tebfel.getenjoyment[.]net\r\ncor8xcib.getenjoyment[.]net\r\nSource: 
https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3"
	],
	"report_names": [
		"to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3917d167-449d-423a-89db-41f49716a6d7",
			"created_at": "2023-03-04T02:01:54.083975Z",
			"updated_at": "2026-04-10T02:00:03.355386Z",
			"deleted_at": null,
			"main_name": "TA406",
			"aliases": [],
			"source_name": "MISPGALAXY:TA406",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74a1f6b1-6790-44eb-9e31-9bea8ea0192b",
			"created_at": "2024-02-02T02:00:04.04584Z",
			"updated_at": "2026-04-10T02:00:03.539136Z",
			"deleted_at": null,
			"main_name": "Ruby Sleet",
			"aliases": [
				"CERIUM"
			],
			"source_name": "MISPGALAXY:Ruby Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces",
				"Onyx Sleet",
				"RIFLE Campaign",
				"Silent Chollima",
				"Stonefly",
				"UN614"
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCroissant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaf315d67acbcdbec9f30cb18eb9d494b3c6a66f.pdf",
		"text": "https://archive.orkl.eu/aaf315d67acbcdbec9f30cb18eb9d494b3c6a66f.txt",
		"img": "https://archive.orkl.eu/aaf315d67acbcdbec9f30cb18eb9d494b3c6a66f.jpg"
	}
}
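The threat_actors records above illustrate a practical attribution problem: the same DPRK activity is filed under different main names by MITRE, MISP galaxy, ETDA and Secureworks, aliases carry stray whitespace, "Konni" is an actor alias in the MISP galaxy record but a tool in the Secureworks and ETDA records, and "Opal Sleet" is attached both to the Kimsuky-side Secureworks record and to the ETDA Reaper (APT37) record. The Python below is an added example, not code from ORKL or from the DCSO post; it works over a constructed subset of those records with the same field names (main_name, aliases, source_id, tools), normalises names before matching, resolves transitive alias clusters with a union-find, and flags the aliases that single-handedly bridge otherwise separate clusters so an analyst can see where a naive merge would over-attribute.

```python
"""Cross-source threat-actor alias resolution over records shaped like the
threat_actors entries in this archive record. Added example, not ORKL's own code."""


# Constructed subset of the records above, trimmed to the fields used here.
# The trailing spaces in the Secureworks aliases are kept on purpose: they are
# present in the source data and are exactly what naive string matching trips on.
RECORDS = [
    {"main_name": "Opal Sleet", "aliases": ["Konni", "Vedalia", "OSMIUM"],
     "source_id": "MISPGALAXY", "tools": []},
    {"main_name": "NICKEL KIMBALL",
     "aliases": ["APT43 ", "Kimsuky ", "Opal Sleet ", "TA406 ", "Velvet Chollima "],
     "source_id": "Secureworks", "tools": ["BabyShark", "Konni"]},
    {"main_name": "Kimsuky", "aliases": ["Kimsuky", "Velvet Chollima", "APT43", "TA427"],
     "source_id": "MITRE", "tools": ["BabyShark"]},
    {"main_name": "Reaper", "aliases": ["APT 37", "Opal Sleet", "Osmium", "ScarCruft"],
     "source_id": "ETDA", "tools": ["Konni", "RokRAT"]},
    {"main_name": "APT37", "aliases": ["APT37", "ScarCruft", "Ricochet Chollima"],
     "source_id": "MITRE", "tools": ["ROKRAT"]},
    {"main_name": "Andariel", "aliases": ["Andariel", "Silent Chollima", "Onyx Sleet"],
     "source_id": "ETDA", "tools": []},
]


def normalize(name):
    """Canonical key: case-folded alphanumerics, so 'APT 37', 'APT37' and
    'Opal Sleet ' collapse to one key."""
    return "".join(ch for ch in name.casefold() if ch.isalnum())


def record_keys(rec, skip=None):
    """Ordered, de-duplicated keys of a record; `skip` drops one key (bridge test)."""
    seen, out = set(), []
    for key in map(normalize, (rec["main_name"], *rec["aliases"])):
        if key != skip and key not in seen:
            seen.add(key)
            out.append(key)
    return out


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def build_index(records, skip=None):
    """Union every name within a record; keys shared across records merge them."""
    uf = UnionFind()
    for rec in records:
        keys = record_keys(rec, skip)
        for key in keys:
            uf.union(keys[0], key)
    return uf


def display_names(records):
    """First-seen spelling (whitespace-stripped) for each normalized key."""
    out = {}
    for rec in records:
        for name in (rec["main_name"], *rec["aliases"]):
            out.setdefault(normalize(name), name.strip())
    return out


def cluster_of(records, name):
    """All names transitively linked to `name` by any source's alias list."""
    uf = build_index(records)
    root = uf.find(normalize(name))
    return {shown for key, shown in display_names(records).items() if uf.find(key) == root}


def records_naming(records, name):
    """Records that list `name` as an actor name or alias."""
    key = normalize(name)
    return sorted(f"{r['source_id']}:{r['main_name']}" for r in records if key in record_keys(r))


def records_using_tool(records, tool):
    """Records that list `tool` under tools (the same string may be an alias elsewhere)."""
    key = normalize(tool)
    return sorted(f"{r['source_id']}:{r['main_name']}" for r in records
                  if key in map(normalize, r["tools"]))


def bridging_aliases(records):
    """Aliases that on their own join otherwise-separate clusters: the points where
    vendors disagree and a blind transitive merge over-attributes."""
    shown = display_names(records)
    bridges = []
    for key in sorted(shown):
        holders = [r for r in records if key in record_keys(r)]
        if len(holders) < 2:
            continue
        uf = build_index(records, skip=key)
        roots = {uf.find(record_keys(r, skip=key)[0]) for r in holders if record_keys(r, skip=key)}
        if len(roots) > 1:
            bridges.append(shown[key])
    return bridges


if __name__ == "__main__":
    print(records_naming(RECORDS, "Konni"))       # where Konni is an actor alias
    print(records_using_tool(RECORDS, "Konni"))   # where Konni is a tool
    print(sorted(cluster_of(RECORDS, "Konni")))   # full transitive cluster
    print(bridging_aliases(RECORDS))              # aliases that alone merge clusters
```

On this subset the transitive cluster around "Konni" swallows both the Kimsuky-side records and the APT37/Reaper records, and the only alias responsible for that merge is "Opal Sleet"; dropping it leaves two clusters, which matches how the MITRE records keep Kimsuky and APT37 apart. Treat a bridging alias as a prompt to read the underlying vendor reports rather than as proof that the clusters are one group.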