North Korea\u2013aligned hackers have launched a new campaign that turns artificial intelligence into a weapon against software teams. <\/p>\n
Using AI-written PowerShell code, the group known as KONNI is delivering a stealthy backdoor that blends real project content with malicious scripts. <\/p>\n
This operation shows how fast threat actors are adopting AI tools to speed up development and hide their tracks.<\/p>\n
In the latest wave, KONNI is targeting developers and engineering teams working on blockchain and crypto projects across the Asia\u2011Pacific region, including Japan, Australia, and India. <\/p>\n
The attackers craft detailed requirement papers that look like real product briefs, describing trading bots, credential systems, and delivery roadmaps, then deliver them as PDF lures.<\/p>\n
![\"Blockchain](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiXlFJ7p6_HQKe6kagFFUskmvzhF4SNZPKcHp1h3g6ll02A3RiZv-d1rNtkFWjxof1i3F2tDGxs-t9GL_6SyoR6EgszJH31oGA-A4NSf_NetW-JSZenWcdKZSHYoP4EYGmz3B0S7DXfSH5FWsWGYD5_rCycqSCmYSqUYvO8bINMuRGjxpWf-dxWddOXBqg\/s16000\/Blockchain%2520themed%2520lures%2520used%2520in%2520this%2520campaign%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
These documents are designed to win the trust of technical staff and draw them into opening attached shortcut files that silently start the infection chain.<\/p>\n
Check Point researchers identified<\/a> the activity as part of the long\u2011running KONNI cluster and noted that the payload is an AI\u2011generated PowerShell backdoor with extensive comments and clean structure. <\/p>\n This backdoor does more than open a remote door; it gathers hardware details, checks for debugging tools<\/a>, and ensures only one copy runs at a time, all while maintaining a professional, developer\u2011style layout.<\/p>\n For victim organizations, the risk goes far beyond a single compromised workstation. By targeting developers who hold access to repositories, cloud consoles, and signing keys, KONNI can pivot from one infected endpoint into entire build pipelines or production systems.<\/p>\n The attack begins when a target opens the ZIP archive and double\u2011clicks a Windows shortcut file that sits next to the PDF lure. <\/p>\n That shortcut runs an embedded PowerShell<\/a> loader, which quietly drops a second lure document and a compressed CAB archive.<\/p>\n From there, batch files unpacked from the CAB archive move the backdoor into a hidden ProgramData folder and create a scheduled task that mimics a OneDrive startup entry. <\/p>\n This task runs every hour, decrypts the PowerShell payload from disk using a simple XOR key, and executes it directly in memory, keeping the core malware<\/a> file\u2011less during runtime and making incident response far more difficult.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post North Korean Hackers Adopted AI to Generate Malware Attacking Developers and Engineering Teams<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Chain and Persistence Tactics<\/strong><\/h2>\n
![\"Infection](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGT2oq7yX2fc5jVE2ZolLn_x6NJgeB8iQBAyxyh8Vcd9k_8wxELyWYeWA6xOiSraUJwvq9GkBR56NsXzeO3isUP2AUraRRRmvGPgNLWu3teHPZv9MGaNEdCM8agUFl-h8zIU1XM7_nTs_zT-hg18C4_6i7SEoN-v1MhUI5y4zuQwQnivo1dohOQe_PErI\/s16000\/Infection%2520Chain%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
![\"Privilege-Based](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgqVIBsuLcjv7xx95vNOJkBZeQgfersFkdlXsVFGbwHD2SY_1Qthnt1GtC8EEDd3C61pRYF40xlJsNn0ZIg09xbRdXL8ZLdNHrxypMkn9efYzfF8LsD6StggdIyjfLF9XV2WKPcudbbi6I-kuVWDc14fsxv_Lk0vXWmz6XHAzSjof0LXzBDZzoYMscJe3Y\/s16000\/Privilege-Based%2520Execution%2520Flow%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")