Konni And APT37 Behind AI Malware And Device Wiping Campaigns

In recent months, cybersecurity researchers have documented a marked escalation in the sophistication and ambition of cyberattacks linked to North Korean state-aligned threat actors, including activity attributed to the Konni cluster and the closely related APT37.

These campaigns show a widening repertoire of tactics: AI-generated malware, targeted phishing of software developers, and the abuse of legitimate device management tools. Their convergence underscores how quickly the threat landscape is evolving, and it signals a strategic shift in how advanced persistent threats (APTs) pursue both financial and operational objectives.

Actors with presumed ties to North Korea are using artificial intelligence to enhance their malware while, at the same time, abusing widely used consumer platforms to achieve destructive outcomes. A wider concern is that other APTs will follow the same path. Pairing custom tooling with social engineering shows that these adversaries are adapting to modern defensive controls and looking for new ways into well-protected environments.

Further illustrating this adaptive approach, a recent phishing campaign analyzed by Check Point researchers and reported on by Bleeping Computer shows that the Konni group has begun using AI-generated PowerShell backdoors in attacks aimed specifically at blockchain engineers and developers. These professionals are often custodians of sensitive assets, including API credentials, privileged access to production systems, and cryptocurrency wallets, which makes them high-value targets for financially motivated threat actors.

The attack chain typically begins with a Discord-hosted link delivered to the victim. The link serves a ZIP archive containing a PDF lure and a malicious LNK shortcut. When the shortcut is opened, it runs an embedded PowerShell loader, which in turn extracts further components: a document file and a Cabinet (CAB) archive. The CAB archive contains the PowerShell backdoor, batch scripts, and a utility designed to bypass Windows User Account Control (UAC).
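The chain above leaves a recognisable process tree on the endpoint: explorer.exe launching the LNK target (powershell.exe) with hidden-window and policy-bypass switches, followed by a cabinet extraction and a batch interpreter as children of that PowerShell. The following Python hunt is an added example, not code from the page or from Check Point's analysis: it reconstructs process trees from Sysmon-style process-creation records and scores that pattern. The records, file paths, the assumption that the CAB stage shows up as expand.exe, the flag list and the scoring threshold are all constructed for illustration rather than indicators from the report.

```python
# Added example: hunt for the LNK -> PowerShell loader -> Cabinet extraction chain
# in Sysmon-style process-creation events. The records, paths and thresholds below
# are constructed for illustration and are not indicators from the report.
from collections import defaultdict

# Command-line switches commonly used by LNK-launched PowerShell loaders (assumption:
# generic tradecraft, not switches quoted from this campaign). "-nop" also matches
# "-noprofile" and "-enc" also matches "-encodedcommand".
SUSPICIOUS_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-enc",
                       "-ep bypass", "-executionpolicy bypass")

# Child images matching the stages described in the text: a cabinet extractor
# (expand.exe is assumed; a loader could also unpack a CAB via .NET or COM) and
# the batch interpreter for the dropped .bat scripts.
STAGE_CHILDREN = {"expand.exe", "cmd.exe"}

# Constructed Sysmon Event ID 1 style records (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # LNK double-clicked from the extracted ZIP: explorer launches the LNK target
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass "
                    r"-File C:\Users\dev\AppData\Local\Temp\loader.ps1"},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand.exe stage.cab -F:* C:\Users\dev\AppData\Local\Temp"},
    {"ProcessId": 202, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\dev\AppData\Local\Temp\run.bat"},
    # Benign: interactive console opened from the Start menu, no switches, no children
    {"ProcessId": 300, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def image_name(event):
    """Basename of the Image field, lower-cased for comparison."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid and group them by parent pid."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    return by_pid, children


def descendants(pid, children):
    """Depth-first walk over every process spawned (transitively) by pid."""
    stack = list(children.get(pid, []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children.get(e["ProcessId"], []))


def find_lnk_powershell_chains(events, min_score=2):
    """Flag powershell.exe processes whose parent is explorer.exe (the LNK launch
    path) and that combine suspicious switches with the stage children above.
    Each matching switch and each stage child adds one point; min_score is an
    illustrative threshold, not a tuned value."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        if image_name(e) != "powershell.exe":
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or image_name(parent) != "explorer.exe":
            continue
        cmd = e["CommandLine"].lower()
        flags = [f for f in SUSPICIOUS_PS_FLAGS if f in cmd]
        spawned = {image_name(d) for d in descendants(e["ProcessId"], children)}
        stages = sorted(STAGE_CHILDREN & spawned)
        score = len(flags) + len(stages)
        if score >= min_score:
            findings.append({"pid": e["ProcessId"], "flags": flags,
                             "stages": stages, "score": score})
    return findings


if __name__ == "__main__":
    for f in find_lnk_powershell_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: score {f['score']}, flags {f['flags']}, stages {f['stages']}")
```

On the constructed sample only pid 200 is flagged (three switches plus both stage children); the interactive console at pid 300 scores zero. In production the same logic would run over Sysmon Event ID 1 or EDR telemetry, and the parent check should be widened to other LNK hosts such as cmd.exe or a file-archiver process, since the ZIP may be opened without extracting it first.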

Unlike hand-written malware, the PowerShell payload shows traits strongly associated with large language model (LLM) assistance: clear in-script documentation, a clean modular layout, and placeholder comments of the kind an AI assistant produces rather than a human operator. These structural traits suggest an AI tool contributed significantly to the malware's development, although code style on its own is circumstantial evidence of how a sample was written, not proof.

Once deployed, the backdoor runs anti-analysis checks to determine whether it is executing in a sandbox or virtual machine, a common evasion technique. After confirming it is on a real target, the malware contacts a command-and-control (C2) server, periodically sends system metadata, and polls for further instructions. Because it can execute arbitrary PowerShell code received from the C2 infrastructure, operators can remotely control infected systems.
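The periodic check-in described above is also visible on the wire: a single process opening connections to the same destination at nearly constant intervals. The Python detector below is an added example, not code from the page or from the researchers; it groups connection records by process and destination and flags flows whose inter-connection jitter is low. The log lines are constructed in the style of Sysmon Event ID 3 with documentation-range addresses, and the five-minute interval is invented, since the report does not state the backdoor's polling period.

```python
# Added example: flag periodic outbound connections of the kind a polling backdoor
# produces. Log lines are constructed (timestamp, image, source, destination);
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, and the interval
# is invented, since the report does not state the backdoor's polling period.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2025-01-10T09:00:00 powershell.exe 10.0.0.5 203.0.113.7:443
2025-01-10T09:00:00 chrome.exe 10.0.0.5 198.51.100.20:443
2025-01-10T09:00:17 chrome.exe 10.0.0.5 198.51.100.20:443
2025-01-10T09:02:20 chrome.exe 10.0.0.5 198.51.100.20:443
2025-01-10T09:02:25 chrome.exe 10.0.0.5 198.51.100.20:443
2025-01-10T09:05:00 powershell.exe 10.0.0.5 203.0.113.7:443
2025-01-10T09:10:00 chrome.exe 10.0.0.5 198.51.100.20:443
2025-01-10T09:10:02 powershell.exe 10.0.0.5 203.0.113.7:443
2025-01-10T09:10:10 chrome.exe 10.0.0.5 198.51.100.20:443
2025-01-10T09:15:01 powershell.exe 10.0.0.5 203.0.113.7:443
2025-01-10T09:20:01 powershell.exe 10.0.0.5 203.0.113.7:443
2025-01-10T09:25:00 powershell.exe 10.0.0.5 203.0.113.7:443
2025-01-10T09:30:00 svchost.exe 10.0.0.5 203.0.113.9:80
2025-01-10T09:45:00 svchost.exe 10.0.0.5 203.0.113.9:80
"""


def parse_log(text):
    """Group connection timestamps by (image, source, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, src, dst = line.split()
        series[(image, src, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_connections=5, max_jitter=0.15):
    """Return flows whose inter-connection intervals are nearly constant.
    jitter = population std-dev / mean of the gaps between connections; the
    thresholds are illustrative starting points, not tuned values."""
    findings = []
    for (image, src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"image": image, "src": src, "dst": dst,
                             "count": len(stamps), "interval_s": round(avg, 1),
                             "jitter": round(jitter, 4)})
    return findings


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['image']} {b['src']} -> {b['dst']}: {b['count']} connections "
              f"every ~{b['interval_s']}s (jitter {b['jitter']})")
```

On the sample the powershell.exe flow is flagged (six connections, roughly 300 s apart, jitter well under 1%), the browser traffic is rejected because its gaps vary wildly, and the svchost.exe flow is skipped for having too few connections. Real implants often add randomised sleep, so in practice the jitter threshold needs tuning against a baseline of the environment, and a hit is most useful when joined with the process-tree context of how that PowerShell was launched.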

Threat intelligence attributes this campaign to Konni based on overlaps in execution chain structure, naming conventions, and similarities with previously documented malware artifacts. The shift toward AI-crafted components is a notable evolution in the group's tooling, which historically relied on more conventional cyber-espionage mechanisms.

Even in these AI-augmented attacks, phishing remains the primary delivery mechanism. Attackers carefully craft lure documents that resemble legitimate project materials and technical documentation for blockchain initiatives, designed to lower suspicion and entice targets into executing the malicious content.

While not new, pairing social engineering with AI-enhanced malware shows a sharper focus on stealth and effectiveness. Targeting developers and engineers—who often have broad system access—boosts the adversary's chances of deeper entry into corporate networks and decentralized infrastructure.

Abuse of Google's Find Hub for Destructive Device Wiping

Another part of the broader threat landscape is the misuse of a legitimate consumer tool, Google's Find Hub (also known as Find My Device), by threat actors linked to APT37 and the Konni cluster, as documented in research published by Genians. Rather than exploiting a vulnerability in Android or in the Google service itself, the attackers steal Google account credentials through phishing and then turn the service's legitimate location-tracking and remote-wipe features against the victim.

This campaign, which mostly targets individuals in South Korea, often begins with a message sent via KakaoTalk, a widely used mobile messaging app. The attackers impersonate trusted entities such as the national tax authority or law enforcement to trick victims into running a digitally signed installer or ZIP archive. Once run, the installer deploys a suite of remote access trojans (RATs).

These include RemcosRAT, QuasarRAT, and RftRAT, which harvest credentials and establish persistent remote access. With stolen Google credentials in hand, the operators log into the victims' accounts and open the Find Hub interface.

From there they can track the GPS location of every Android device registered to the account and issue remote factory-reset commands that erase all data. The operators have been observed issuing the wipe repeatedly so that the device stays unusable and data recovery becomes nearly impossible.

The destructive phase serves two purposes: it severs the victim's communication channels and erases evidence of the intrusion. Because the victim's KakaoTalk session on the compromised PC stays logged in after the phone is wiped, the attackers use that session to send further malicious files to the victim's contacts, widening the campaign's spread and impact.

Recent campaigns attributed to Konni and APT37 highlight a worrying evolution in cyber threat strategies. These actors combine AI-generated malware, targeted phishing, and abuse of legitimate remote services. They are pushing the boundaries of traditional cyber-espionage and financially motivated attacks. This environment demands a proactive and adaptive approach from defenders.

Defenders must anticipate sophisticated tooling and use both human and technological countermeasures. Failure to do so will leave critical infrastructure and consumer devices open to covert compromise and catastrophic loss.

To stay ahead, organizations need comprehensive security policies that address both the technological innovation of malicious actors and the increasing integration of consumer and enterprise digital systems.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over eight years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.


The PCrisk security portal is brought to you by RCS LT.