KONNI
Konni RAT is a remote access trojan that the collected reporting associates with North Korea-linked activity, including Kimsuky; some reports also note naming overlaps with Velvet Chollima, Opal Sleet, OSMIUM, Planedown, Konni, and APT43. It has been delivered in spearphishing campaigns through phishing emails and malicious attachments, including Word documents that rely on the victim enabling macros. The reporting further notes that the same Konni RAT implant was reused across different campaigns.
Capabilities directly described in the content include executing arbitrary code and commands on compromised Windows systems, gathering information from victims, capturing screenshots, stealing files, building a remote interactive shell, sending data and files to command-and-control servers, stealing clipboard data, stealing browser profiles containing credential information from Firefox, Chrome, and Opera, and using FTP to exfiltrate reconnaissance data. The malware has also executed malicious JavaScript code and, in some cases, used PowerShell to download and execute a specific 64-bit version of the malware. The content further notes Konni has used a custom Base64 key to encode stolen data before exfiltration and that newer activity included a geofencing mechanism.
A detailed campaign described by FortiGuard Labs involved a Russian-language Microsoft Word lure document with a malicious VBA macro. When a victim enabled content, the macro extracted and launched batch scripts and DLLs, including a UPX-packed UAC bypass component that abused wusa.exe to elevate execution. The infection chain installed persistence as a Windows service named "netpp" with the display name "Internet Print Provider Service," copied files including netpp.dll, netpp.dat, and netpp.ini into System32, and added related SvcHost and service registry entries. The final payload decrypted C2 configuration from netpp.ini using AES-CTR with a key derived from the service name, collected host and process information via systeminfo and tasklist, compressed data with makecab, encrypted it, uploaded it via HTTP POST requests to up.php, and retrieved commands or payloads from dn.php. Supported tasking included privileged command execution, file download, and file upload.
The content also references Konni in broader DPRK operations, including campaigns targeting EU-based organizations, U.S. journalists, software developers and engineering teams, and, in February 2025, Ukrainian government agencies for credential theft and malware delivery. One report cited an AI-assisted PowerShell backdoor used in a Konni-linked campaign targeting software developers and engineering teams, though this is described as campaign-specific rather than a core characteristic of Konni RAT itself.
Groups observed using it
6 distinct threat actors attributed by public researchers.
For example, the threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT (remote access trojan) called 'Konni,' and targeted U.S. journalists with a highly-customizable malware named 'Goldbackdoor.'
In a campaign targeting software developers and engineering teams, the group deployed a PowerShell backdoor whose structure and embedded comments strongly indicate AI-assisted generation.
“The KONNI RAT was first spotted by Cisco Talos researchers in 2017… it can execute arbitrary code on target systems and steal data.”
“...connection... between DarkHotel and the Konni/Nokki set of activity described by other vendors.”
Tools BabyShark, KONNI, FastFire, FireViewer, FastSpy, ReconShark, KimJongRAT, Kimsuky ... Malware families such as Kimsuky RAT, KimJongRAT, KONNI, and BabyShark have been linked to NICKEL KIMBALL activity.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
6 techniques
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Upon selecting the button, a VBA script is initiated... The VBA script retrieves information from “OLEFormat.IconLabel” and stores it in a temporary folder under the filename “temp.zip.”
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Upon opening the document, a yellow prompt bar appears, displaying “Enable Content” ... Upon selecting the button, a VBA script is initiated...
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
The script then transitions to the “INSTALL” section, where it generates and configures a service named “netpp” using commands like “sc create,” “sc description,” and “sc config.” It configures the service to initiate automatically...
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
3 techniques
The script then transitions to the “INSTALL” section, where it generates and configures a service named “netpp” using commands like “sc create,” “sc description,” and “sc config.” It configures the service to initiate automatically...
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Firstly, “wpns.dll” is invoked... It is primarily designed for UAC bypass... It initiates the process “wusa.exe”... duplicates its access token and proceeds to execute a specified command... Finally, it runs a “netpp.bat” script that inherits the elevated privileges.
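The campaign summary above and the Persistence and Privilege Escalation entries name a set of host artifacts that are specific enough to hunt on: a service called "netpp" with the display name "Internet Print Provider Service", netpp.dll/.dat/.ini written into System32, related service and SvcHost registry entries, wusa.exe started by something other than the usual Windows Update or shell parents (the UAC-bypass step), "cmd /c makecab" staging, and HTTP traffic to up.php and dn.php. The script below is an added example written for this page, not code from FortiGuard Labs, Mallory, or the malware authors. It runs the checks over constructed, Sysmon-style event dictionaries; the field names (event_type, image, parent_image, target, key, url, and so on) are this example's own convention, and the list of benign wusa.exe parents is an assumption to tune for your environment. The weaker signals (makecab from cmd.exe, the .php endpoints) are only reported for hosts that also have a strong hit, so a lone admin running makecab does not page anyone.

```python
"""Hunt for the Konni 'netpp' service infection chain in host telemetry (added example)."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

SERVICE_NAME = "netpp"                                   # from the FortiGuard write-up
SERVICE_DISPLAY = "internet print provider service"      # display name, lower-cased
DROPPED_FILES = {"netpp.dll", "netpp.dat", "netpp.ini"}  # dropped into System32
C2_SCRIPTS = {"up.php", "dn.php"}                        # upload / tasking endpoints
# Assumption of this example: parents that normally launch wusa.exe. Tune per environment.
BENIGN_WUSA_PARENTS = {"svchost.exe", "explorer.exe", "wuauclt.exe", "services.exe"}

STRONG, WEAK = "strong", "weak"


@dataclass(frozen=True)
class Finding:
    rule: str
    weight: str
    host: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased final path component; ntpath handles both '\\' and '/'."""
    return ntpath.basename(path).lower()


def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).lower().endswith("\\windows\\system32")


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event record and return the findings it produces."""
    host, kind, out = ev.get("host", "?"), ev.get("event_type"), []
    if kind == "service_install":
        name, display = ev.get("service_name", "").lower(), ev.get("display_name", "").lower()
        if name == SERVICE_NAME or display == SERVICE_DISPLAY:
            out.append(Finding("konni_netpp_service", STRONG, host, f"{name!r} / {display!r}"))
    elif kind == "file_create":
        target = ev.get("target", "")
        if _base(target) in DROPPED_FILES and _in_system32(target):
            out.append(Finding("konni_netpp_file_drop", STRONG, host, target))
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        svchost_group = key.endswith("\\svchost") and ev.get("value_name", "").lower() == SERVICE_NAME
        if "\\services\\netpp" in key or svchost_group:
            out.append(Finding("konni_netpp_registry", STRONG, host, ev.get("key", "")))
    elif kind == "process_create":
        image, parent = _base(ev.get("image", "")), _base(ev.get("parent_image", ""))
        cmdline = ev.get("command_line", "").lower()
        if image == "wusa.exe" and parent not in BENIGN_WUSA_PARENTS:
            out.append(Finding("wusa_unusual_parent", STRONG, host, f"{parent} -> wusa.exe"))
        if image == "sc.exe" and "create" in cmdline and SERVICE_NAME in cmdline:
            out.append(Finding("konni_sc_create_netpp", STRONG, host, cmdline))
        if image == "makecab.exe" and parent == "cmd.exe":
            out.append(Finding("cmd_makecab_staging", WEAK, host, cmdline))
    elif kind == "http_request":
        url = ev.get("url", "")
        if _base(urlparse(url).path) in C2_SCRIPTS:
            out.append(Finding("konni_php_c2_endpoint", WEAK, host, f"{ev.get('method')} {url}"))
    return out


def hunt(events: list[dict]) -> dict[str, list[Finding]]:
    """Group findings per host; weak signals only surface next to at least one strong one."""
    by_host: dict[str, list[Finding]] = defaultdict(list)
    for ev in events:
        for f in check_event(ev):
            by_host[f.host].append(f)
    return {h: fs for h, fs in by_host.items() if any(f.weight == STRONG for f in fs)}


# Constructed telemetry for demonstration, not records from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_type": "process_create", "image": r"C:\Windows\System32\wusa.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\loader.exe", "command_line": "wusa.exe"},
    {"host": "ws01", "event_type": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'sc create netpp binPath= "C:\Windows\System32\svchost.exe -k netpp"'},
    {"host": "ws01", "event_type": "file_create", "target": r"C:\Windows\System32\netpp.dll"},
    {"host": "ws01", "event_type": "file_create", "target": r"C:\Windows\System32\netpp.ini"},
    {"host": "ws01", "event_type": "service_install", "service_name": "netpp",
     "display_name": "Internet Print Provider Service"},
    {"host": "ws01", "event_type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\netpp\Parameters", "value_name": "ServiceDll"},
    {"host": "ws01", "event_type": "process_create", "image": r"C:\Windows\System32\makecab.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": r"makecab C:\Users\u\AppData\Local\Temp\s.tmp"},
    {"host": "ws01", "event_type": "http_request", "method": "POST", "url": "http://c2.example.invalid/up.php"},
    # A quiet host: Windows Update launches wusa.exe and an admin runs makecab by hand.
    {"host": "ws02", "event_type": "process_create", "image": r"C:\Windows\System32\wusa.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "command_line": "wusa.exe kb.msu"},
    {"host": "ws02", "event_type": "process_create", "image": r"C:\Windows\System32\makecab.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "makecab notes.txt"},
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"{host}\t{f.weight}\t{f.rule}\t{f.detail}")
```

Feeding the sample events through `hunt()` reports ws01 with six strong hits and the two weak ones attached, and nothing for ws02, where the only signals were a legitimately parented wusa.exe and a manual makecab. In a real deployment the same rules map onto Sysmon event IDs 1 (process create), 7045/service install, 11 (file create), 13 (registry set) and proxy logs, and the weak-signal gating is what keeps the makecab and .php rules from generating noise on their own.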
Stealth
6 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Credential Access
1 technique
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
4 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection
3 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
BabyShark has encoded data using certutil before exfiltration... KONNI has used a custom base64 key to encode stolen data before exfiltration... Mafalda can encode data using Base64 prior to exfiltration.
Following this, it executes “cmd /c makecab” to compress the file unless the temporary file has one of the following extensions...
Command and Control
3 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Representative examples include "APT33 has utilized PowerShell to download files from the C2 server and run various scripts," "QakBot can use PowerShell to download and execute payloads," and "TrickBot has been known to use PowerShell to download new payloads."
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
Elise exfiltrates data using cookie values that are Base64-encoded... KONNI has used a custom base64 key to encode stolen data before exfiltration... Kevin can Base32 encode chunks of output files during exfiltration.
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
90 sources tracked across advisories, community write-ups, and news.
A PowerShell backdoor associated with Konni activity, described here as AI-assisted in its code generation while retaining established delivery and execution tradecraft.
Konni is referenced in the context of a multi-stage attack involving malicious LNK files used to implant a Python-based backdoor.
KONNI malware/tooling is described as being enhanced with AI-generated components (e.g., PowerShell backdoors) to improve stealth.
Referenced in the context of AI-assisted generation of PowerShell backdoors and an internally named operation unit attributed to the Konni APT.