KONNI Adopts AI to Generate PowerShell Backdoors

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/
• Blog Title: KONNI Adopts AI to Generate PowerShell Backdoors
• Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (fodhelper UAC bypass details) and/or Generic Hacking / Phishing Methodology (weaponized LNK + scheduled task in-memory PS execution). Optionally: AV Bypass / Defense Evasion (Defender exclusions) and Web (anti-bot JS challenge emulation) if generalized.

🎯 Content Summary

Check Point Research (CPR) analyzes an ongoing KONNI (North Korea–linked; active since at least 2014) phishing campaign pivoting from traditional geopolitics-themed spearphishing to targeting software developers/engineering teams—especially those with blockchain/crypto access—in APAC (samples uploaded to VirusTotal from Japan, Australia, India). The objective is to compromise developer endpoints to reach higher-value assets: infrastructure access, API credentials, wallet access, and potentially ...

🔧 Technical Details

Weaponized .LNK launchers can embed secondary payloads (e.g., a DOCX lure and a CAB) and use an embedded PowerShell loader to decode and drop them; a follow-on BAT can establish persistence with schtasks and execute a stored PowerShell backdoor in-memory by reading encrypted bytes from disk, XOR-decrypting them with a single-byte key (e.g., 'Q') and running the decoded script via iex, then self-deleting the BAT to reduce the initial execution artifact.

Arithmetic-based PowerShell obfuscation can hide strings by generating characters at runtime using sums/subtractions of numeric literals (ASCII reconstruction), concatenating them into “dictionary” variables, and finally reconstructing the real logic by substring indexing before executing it with IEX—making static analysis harder while still allowing full runtime execution.

Anti-analysis gating in commodity PowerShell implants can combine (1) minimu...

🤖 Agent Actions

Summary:

• Added a new CurVer/extension-based fodhelper.exe UAC bypass variant to the UAC guide, including HKCU-only registry steps and post-elevation actions used in the KONNI campaign.
• Documented follow-on defense evasion/persistence tactics (disabling UAC prompts, Defender exclusion, and XOR-decrypted in-memory scheduled task) tied to this bypass.
• Updated references with the Check Point Research source.

Tests:

• Not run (documentation change only).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (fodhelper UAC bypass details) and/or Generic Hacking / Phishing Methodology (weaponized LNK + scheduled task in-memory PS execution). Optionally: AV Bypass / Defense Evasion (Defender exclusions) and Web (anti-bot JS challenge emulation) if generalized.".

Repository Maintenance:

• MD Files Formatting: 941 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0