NKNShell
NKNShell is a Go-based backdoor observed in a campaign in which a trojanized installer from a South Korean VPN provider delivered multiple payloads. AhnLab Security Intelligence Center (ASEC) attributed the broader activity to the Larva-24010 threat actor, which has targeted Korean VPN users since at least 2023. In the reported attack chain, the trojanized VPN installer installs the legitimate VPN software while also executing PowerShell scripts that download and install additional malware including MeshAgent, gs-netcat, and NKNShell.
NKNShell is notable for using both NKN, a blockchain-based peer-to-peer protocol, and MQTT for covert command-and-control communications. Reported MQTT infrastructure included public brokers such as broker.emqx.io and broker.hivemq.com, and the malware was described as using hardcoded NKN addresses. The malware also reportedly leveraged anonymous blogging platforms such as Telegraph for malware updates.
The backdoor provides extensive remote control and post-compromise functionality. Reported capabilities include information gathering, remote control, code injection, DDoS, and file operations. It was also reported to inject into common Windows processes including Microsoft Edge, Notepad, Calculator, and Paint. In the broader campaign, associated PowerShell components disabled security features, bypassed AMSI, disabled Windows Defender and ETW, and established persistence via WMI filters and scheduled tasks.
The campaign targeted users of the affected South Korean VPN service and was assessed as enabling theft of sensitive information and long-term persistent access on compromised systems. High-confidence infrastructure and indicators mentioned in the reporting include the FQDNs kttelecom.duckdns.org and spiffy-crepe-c667e8.netlify.app, along with multiple MD5 hashes, URLs, and FQDNs associated with the campaign.
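As an added example (not code from the ASEC report or from this page), the hunt below applies the network indicators named above to DNS and connection telemetry: the two high-confidence FQDNs, the public MQTT brokers, and a lower-confidence heuristic for sessions on the standard MQTT ports (1883 and 8883) to destinations the host never resolved by name. The key=value log format, the host names and the IP addresses are constructed for the example; treating subdomains of an indicator as matches is an assumption of the example, not something the reporting states.

```python
"""Hunt for NKNShell-style C2 in DNS and connection telemetry.

Added example, not code from the ASEC report or the Mallory page.
Indicators come from the reporting; the key=value log format, host names
and IP addresses below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# High-confidence FQDNs named in the reporting.
HIGH_CONFIDENCE_FQDNS = {
    "kttelecom.duckdns.org",
    "spiffy-crepe-c667e8.netlify.app",
}
# Public MQTT brokers the malware reportedly used. They also serve legitimate
# clients, so a session to one is a lead to triage, not proof of compromise.
PUBLIC_MQTT_BROKERS = {"broker.emqx.io", "broker.hivemq.com"}
# Standard MQTT (1883) and MQTT-over-TLS (8883) ports.
MQTT_PORTS = {1883, 8883}

# Constructed telemetry: one DNS answer or one TCP connection per line.
SAMPLE_LOGS = [
    "ts=1 type=dns host=WS-014 query=broker.emqx.io answer=203.0.113.10",
    "ts=2 type=conn host=WS-014 dst=203.0.113.10 dport=1883",
    "ts=3 type=dns host=WS-014 query=kttelecom.duckdns.org answer=198.51.100.7",
    "ts=4 type=conn host=WS-014 dst=198.51.100.7 dport=443",
    "ts=5 type=dns host=WS-022 query=www.example.com answer=192.0.2.5",
    "ts=6 type=conn host=WS-022 dst=192.0.2.5 dport=443",
    "ts=7 type=conn host=WS-031 dst=192.0.2.99 dport=8883",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict of string values."""
    return dict(KV_RE.findall(line))


def matches_domain(name, domains):
    """True if name equals, or is a subdomain of, any entry in domains (assumption)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt(lines):
    """Return findings (severity, host, ts, indicator, reason) in log order.

    DNS answers are remembered per host so that a later connection to the
    resolved IP can be attributed to the name the host asked for.
    """
    resolved = defaultdict(set)  # (host, ip) -> {names resolved to that ip}
    findings = []
    for line in lines:
        rec = parse_line(line)
        host = rec.get("host", "?")
        if rec.get("type") == "dns":
            name = rec["query"].lower()
            resolved[(host, rec["answer"])].add(name)
            if matches_domain(name, HIGH_CONFIDENCE_FQDNS):
                findings.append(dict(severity="high", host=host, ts=rec["ts"],
                                     indicator=name,
                                     reason="DNS query for reported C2 FQDN"))
        elif rec.get("type") == "conn":
            names = resolved.get((host, rec["dst"]), set())
            port = int(rec.get("dport", 0))
            hit_fqdn = [n for n in names if matches_domain(n, HIGH_CONFIDENCE_FQDNS)]
            hit_broker = [n for n in names if matches_domain(n, PUBLIC_MQTT_BROKERS)]
            if hit_fqdn:
                findings.append(dict(severity="high", host=host, ts=rec["ts"],
                                     indicator=hit_fqdn[0],
                                     reason="connection to reported C2 FQDN"))
            elif hit_broker:
                findings.append(dict(severity="medium", host=host, ts=rec["ts"],
                                     indicator=hit_broker[0],
                                     reason="session to public MQTT broker named in reporting"))
            elif port in MQTT_PORTS:
                # Legitimate IoT and telemetry clients use MQTT too, so this is
                # only a low-confidence lead for a destination with no DNS context.
                findings.append(dict(severity="low", host=host, ts=rec["ts"],
                                     indicator=f"{rec['dst']}:{port}",
                                     reason="MQTT port to destination with no DNS context"))
    return findings


def severity_counts(findings):
    """Counter of findings by severity, for a quick triage summary."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for f in results:
        print(f"[{f['severity']:6}] ts={f['ts']} {f['host']}: {f['reason']} ({f['indicator']})")
    print(dict(severity_counts(results)))
```

On the constructed sample the hunt yields two high-severity findings for WS-014 (the DNS query and the follow-on connection to kttelecom.duckdns.org), one medium finding for its session to broker.emqx.io on 1883, and one low finding for WS-031 talking to an unresolved address on 8883. The per-host DNS cache is what lets a plain HTTPS connection be tied back to a reported FQDN; in a real deployment the same join is done against the DNS and connection logs of whatever sensor you have.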
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor deployed via a trojanized VPN installer that uses P2P blockchain and MQTT protocols for covert command-and-control.
NKNShell is a Go-based backdoor that uses the NKN (blockchain-based P2P) and MQTT protocols for C2 communication. It supports a wide range of backdoor commands, including information gathering, remote control, code injection, DDoS, file operations, and persistence. It appears to have been developed using generative AI tools and is deployed via trojanized VPN installers targeting South Korean users.