{
	"id": "59d63af2-8e60-4187-b3a1-48553858b906",
	"created_at": "2026-04-06T00:19:43.028559Z",
	"updated_at": "2026-04-10T03:26:56.216381Z",
	"deleted_at": null,
	"sha1_hash": "d320198cf35747685c57c87f7938e934432c8a38",
	"title": "Rewterz Threat Alert – KONNI APT Group – Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42239,
	"plain_text": "Rewterz Threat Alert – KONNI APT Group – Active IOCs -\r\nRewterz\r\nPublished: 2022-10-04 · Archived: 2026-04-05 15:07:33 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nKONNI is a remote access tool that North Korean cyber attackers have been using since at least 2014. The North Korean hacker group distributes Konni RAT via phishing messages or emails. The infection chain begins when the victim opens a weaponized file. Adversaries employ Konni RAT to gather information from victims, capture screenshots, steal files, and build a remote interactive shell. KONNI has been linked to various alleged North Korean attacks targeting political groups in Russia, East Asia, Europe, and the Middle East. KONNI shares significant code overlap with the NOKKI malware family. The Konni APT group continues to attack with malicious documents written in Russian. This threat actor group conducts attacks using Russian-North Korean trade and economic investment documents as lures.\r\nThis APT group was detected targeting the Russian diplomatic sector in January 2022, employing a spear phishing theme for New Year’s Eve festivities as bait. When the malicious email attachment is opened and processed, a series of events occurs, allowing the actor to install an implant from the Konni RAT family as the final payload.\r\nThe latest campaign includes the filename 보상명부.xlam.\r\nImpact\r\nInformation Theft and Espionage\r\nIndicators of Compromise\r\nIP\r\n92[.]38[.]160[.]152\r\nMD5\r\nd306925713baf2d7410e26deb7f157bc\r\nSHA-256\r\n593811e53cfa8aa655fc5bbf5e27c76e372e7d715b5b4e0e3f36f947d66a70f6\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11\r\nPage 1 of 2\n\nSHA-1\r\nf0f00aed4052bbbe4eb4d1f990dccb2986ea169c\r\nURL\r\nhttp[:]//rq7592[.]c1[.]biz/dn[.]php?name=065367\u0026prefix=cc%20(0)\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for IOCs in your environment.\r\nAlways be suspicious of emails sent by unknown senders.\r\nNever click on links or attachments sent by unknown senders.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11"
	],
	"report_names": [
		"rewterz-threat-alert-konni-apt-group-active-iocs-11"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d320198cf35747685c57c87f7938e934432c8a38.pdf",
		"text": "https://archive.orkl.eu/d320198cf35747685c57c87f7938e934432c8a38.txt",
		"img": "https://archive.orkl.eu/d320198cf35747685c57c87f7938e934432c8a38.jpg"
	}
}