KONNI
KONNI is a DPRK-linked remote access trojan active since at least 2014 and commonly associated with the Kimsuky/TA406 cluster; some reporting also links it to APT37. It has been used in cyberespionage campaigns, including targeting the Russian Ministry of Foreign Affairs and Russian diplomatic entities, EU-based organizations, software developers and engineering teams, and other government-related targets. Delivery has relied heavily on spearphishing and user execution, including malicious Word documents with macros, Russian-language lure documents, backdoored MSI installers, malicious JavaScript, PowerShell download-and-execute chains, and email attachments requiring victims to enable content.
Observed KONNI capabilities include command execution, file upload and download, configurable sleep/check-in intervals, collection of the victim username, clipboard theft, and theft of browser profiles or credentials from Firefox, Chrome, and Opera. In FortiGuard-observed activity, the malware gathered host and process information via systeminfo and tasklist, compressed collected data with makecab, encrypted it, and uploaded it over HTTP. KONNI has also been reported to send data and files to command-and-control servers and to encode stolen data with a custom Base64 key before exfiltration.
Persistence commonly involves Windows service abuse. Reported variants registered themselves as services, including masquerading as legitimate services such as a Windows Image Acquisition-like service or a service named "netpp" displayed as "Internet Print Provider Service." Configuration data has been observed encrypted with AES-CTR using the service name as the key; in one campaign, netpp.ini stored an AES-CTR-encrypted C2 configuration, and another 2024 sample stored AES-CTR-encrypted configuration keyed by the service name. KONNI communications have been observed over HTTP, with tasking that included command execution and file transfer. Reported C2-related artifacts include dn.php and up.php endpoints and the domain victory-2024.mywebcommunity[.]org, which aligns with previously observed KONNI naming patterns.
Additional reported tradecraft includes execution of malicious JavaScript, PowerShell-based staging, UAC bypass via a malicious DLL in one 2023 campaign, and geofencing added to Konni RAT by the intrusion set. High-confidence indicators and artifacts directly mentioned in the content include the service name "netpp," files netpp.dll, netpp.dat, netpp.ini, the registry path HKLM\SYSTEM\CurrentControlSet\Services\netpp\Parameters, and the C2 domain victory-2024.mywebcommunity[.]org.
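A defender-side triage of the artifacts listed above, written as an added example (not code from the page or from any vendor report): it matches constructed service-installation, registry and DNS records against the netpp service name and display name, the netpp.* file names, the Parameters key and the reported C2 domain. The record field names and the assumption that the legitimate Windows Image Acquisition service is registered as "stisvc" are mine, not from the page.

```python
# Artifacts this page attributes to the KONNI "netpp" service variant.
KONNI_SERVICE_NAMES = {"netpp"}
KONNI_DISPLAY_NAMES = {"internet print provider service"}
KONNI_FILES = ("netpp.dll", "netpp.dat", "netpp.ini")
KONNI_REG_PREFIX = r"hklm\system\currentcontrolset\services\netpp\parameters"
KONNI_C2 = "victory-2024.mywebcommunity.org"  # written defanged ([.]) on the page
# Assumption: the real WIA service is "stisvc"; a WIA-style display name elsewhere is a lookalike.
LEGIT_WIA_SERVICE = "stisvc"
def check_service(rec):  # fields as in a System log event 7045 (service installed)
    name, disp = rec.get("ServiceName", "").lower(), rec.get("DisplayName", "").lower()
    path, hits = rec.get("ImagePath", "").lower(), []
    if name in KONNI_SERVICE_NAMES or disp in KONNI_DISPLAY_NAMES:
        hits.append("known KONNI service/display name")
    if "windows image acquisition" in disp and name != LEGIT_WIA_SERVICE:
        hits.append("WIA lookalike display name on non-stisvc service")
    if any(f in path for f in KONNI_FILES):
        hits.append("KONNI file name in ImagePath")
    return hits

def check_registry(rec):  # fields as in a registry value-set telemetry record
    key, data = rec.get("Key", "").lower(), rec.get("Data", "").lower()
    hits = ["write under the netpp Parameters key"] if key.startswith(KONNI_REG_PREFIX) else []
    if any(f in data for f in KONNI_FILES):
        hits.append("KONNI file name in registry data")
    return hits

def check_dns(rec):
    return ["query for reported KONNI C2 domain"] if rec.get("Query", "").lower().rstrip(".") == KONNI_C2 else []
CHECKS = {"service": check_service, "registry": check_registry, "dns": check_dns}

def triage(records):  # returns (index, reasons) for every record that matches a check
    alerts = []
    for i, rec in enumerate(records):
        reasons = CHECKS.get(rec.get("type"), lambda r: [])(rec)
        if reasons:
            alerts.append((i, reasons))
    return alerts

# Constructed sample telemetry (not captured logs): benign WIA, netpp, a WIA lookalike,
# a write under netpp\Parameters and a lookup of the reported C2 domain.
def svc(name, disp, path):
    return {"type": "service", "ServiceName": name, "DisplayName": disp, "ImagePath": path}
SAMPLE_RECORDS = [
    svc("stisvc", "Windows Image Acquisition (WIA)", r"C:\Windows\System32\svchost.exe -k imgsvc"),
    svc("netpp", "Internet Print Provider Service", r"C:\Windows\System32\svchost.exe -k netpp"),
    svc("wiasvc", "Windows image Acquisition Service", r"C:\ProgramData\wia\wia.exe"),
    {"type": "registry", "Key": r"HKLM\SYSTEM\CurrentControlSet\Services\netpp\Parameters",
     "Value": "ServiceDll", "Data": r"C:\ProgramData\netpp\netpp.dll"},
    {"type": "dns", "Query": "victory-2024.mywebcommunity.org."},
]
```

Running `triage(SAMPLE_RECORDS)` flags records 1 through 4 and leaves the genuine stisvc entry alone; in practice the record dicts would be fed from your EDR or SIEM export.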
Groups observed using it
6 distinct threat actors attributed by public researchers.
The malware itself appears to be KONNI, a North Korea (DPRK) nexus tool believed to have been used since as early as 2014. Current samples, such as the one observed in this instance, only come with a minimal set of capabilities for file transfers, command execution and configuration of check-in intervals.
For example, the threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT (remote access trojan) called 'Konni,' and targeted U.S. journalists with a highly-customizable malware named 'Goldbackdoor.'
“The KONNI RAT was first spotted by Cisco Talos researchers in 2017… it can execute arbitrary code on target systems and steal data.”
“...connection... between DarkHotel and the Konni/Nokki set of activity described by other vendors.”
Tools BabyShark, KONNI, FastFire, FireViewer, FastSpy, ReconShark, KimJongRAT, Kimsuky ... Malware families such as Kimsuky RAT, KimJongRAT, KONNI, and BabyShark have been linked to NICKEL KIMBALL activity.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
The KONNI sample we discovered appears to have been distributed via a backdoored installer for a Russian-language tool named “Statistika KZU”... Both installers came in the form of an MSI file with the malware integrated into the benign installation process.
Microsoft disclosed a March 2023 case in which an account linked to Konni Group targeted Russian “diplomatic government entities” with phishing e-mails... The late 2021 campaign... leveraged tools such as spoofed MID login portals for credential harvesting, a fake malicious installer... and trojanized screensaver attachments to target MID personnel.
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
6 techniques
KONNI’s recent command set has remained largely unchanged and only permits operators to execute commands and receive their output...
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
In both cases, another batch file is eventually executed, which is responsible for copying the files and setting up the Windows service for persistence and execution simultaneously, as well as copying the included configuration alongside the payload file.
When a user runs the backdoored installer, a CustomAction triggers execution of the first stage... we have observed a VBScript and a small executable performing the same tasks.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
another batch file is eventually executed, which is responsible for copying the files and setting up the Windows service for persistence and execution simultaneously... The service name is chosen to be inconspicuous, with “Windows image Acquisition Service” being very similar to an existing, legitimate Windows service.
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
2 techniques
another batch file is eventually executed, which is responsible for copying the files and setting up the Windows service for persistence and execution simultaneously... The service name is chosen to be inconspicuous, with “Windows image Acquisition Service” being very similar to an existing, legitimate Windows service.
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
7 techniques
The configuration file copied during the malware installation process contains the C2 servers and is encrypted using AES-CTR, with the service name used as key.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The service name is chosen to be inconspicuous, with “Windows image Acquisition Service” being very similar to an existing, legitimate Windows service.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Defense Impairment
1 technique
Credential Access
2 techniques
Discovery
6 techniques
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
For a check-in, KONNI runs the following commands and sends the output to the C2: systeminfo, tasklist
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection
4 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The campaign occurred in multiple stages, leveraging tools such as spoofed MID login portals for credential harvesting...
IOCs tracked for this family
68 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
95 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A PowerShell backdoor associated with Konni activity, described here as AI-assisted in its code generation while retaining established delivery and execution tradecraft.
Konni is referenced in the context of a multi-stage attack involving malicious LNK files used to implant a Python-based backdoor.
KONNI malware/tooling is described as being enhanced with AI-generated components (e.g., PowerShell backdoors) to improve stealth.
Referenced in the context of AI-assisted generation of PowerShell backdoors and an internally named operation unit attributed to the Konni APT.