Check Point Research revealed that the North Korean advanced persistent threat (APT) group, KONNI, has been targeting blockchain developers in Japan, Australia, and India. The hackers are using AI-generated PowerShell backdoors.
According to reports released on January 21, 2026, the attack starts when KONNI uses Discord to offer a link that prompts developers to download a ZIP file. This archive contains elements that start a multi-stage infection process on the victim’s computer.
The ZIP file includes a Windows shortcut (LNK) and a PDF file that appears legitimate. Opening the shortcut triggers scripts that run a PowerShell script in memory, create scheduled tasks, and unpack additional files. That script then connects to servers under the attackers’ control, establishing a persistent backdoor on the compromised system.
Check Point Research notes that the PowerShell backdoor shows characteristics typical of code produced by a large language model (LLM): a modular design, well-written English comments, and tutorial-style placeholders.
It also contains a comment marking where a unique project identifier (UUID) should be inserted. Every 13 minutes, while waiting for further instructions from the attackers, the backdoor sends system information to a remote server, using this UUID to identify the implant instance on each compromised device.
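The fixed 13-minute check-in described above is the kind of regularity a defender can hunt for in proxy or firewall logs. The following is an added example, not code from the report or from Check Point; it runs over a few constructed log lines (hostnames and the 203.0.113.10 destination are made-up placeholders) and flags host/destination pairs whose connection intervals cluster tightly around the expected beacon period, while rejecting irregular browsing that happens to have a similar average gap.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <host> <destination>".
# DEV-WS01 beacons to 203.0.113.10 roughly every 13 minutes;
# DEV-WS03 has the same average gap but heavy jitter (normal browsing).
SAMPLE_LOG = """\
2026-01-21T09:00:02 DEV-WS01 203.0.113.10
2026-01-21T09:04:10 DEV-WS01 updates.example.net
2026-01-21T09:13:05 DEV-WS01 203.0.113.10
2026-01-21T09:26:01 DEV-WS01 203.0.113.10
2026-01-21T09:39:04 DEV-WS01 203.0.113.10
2026-01-21T09:52:03 DEV-WS01 203.0.113.10
2026-01-21T09:01:00 DEV-WS02 updates.example.net
2026-01-21T09:30:00 DEV-WS02 updates.example.net
2026-01-21T10:45:00 DEV-WS02 updates.example.net
2026-01-21T09:00:00 DEV-WS03 news.example.org
2026-01-21T09:05:00 DEV-WS03 news.example.org
2026-01-21T09:30:00 DEV-WS03 news.example.org
2026-01-21T09:39:00 DEV-WS03 news.example.org
2026-01-21T09:52:00 DEV-WS03 news.example.org
"""


def parse_log(text):
    """Group connection timestamps by (host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst = line.split()
        conns[(host, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, expected_minutes=13.0, tolerance_minutes=1.0, min_hits=4):
    """Return (host, destination, mean_gap_minutes) for pairs whose inter-connection
    gaps average close to expected_minutes AND have low jitter (pstdev)."""
    hits = []
    for (host, dst), times in parse_log(text).items():
        if len(times) < min_hits:          # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A regular beacon has both the right mean and a small spread;
        # human browsing may match the mean but fails the jitter check.
        if abs(avg - expected_minutes) <= tolerance_minutes and pstdev(gaps) <= tolerance_minutes:
            hits.append((host, dst, round(avg, 2)))
    return hits
```

Real implants often add random sleep jitter, so widen `tolerance_minutes` or compare against a range of candidate periods when applying this to production logs.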
KONNI has been active since at least 2014. Earlier campaigns targeted South Korean government and diplomatic institutions, as well as organizations connected to the Korean Peninsula.
The group’s focus has recently shifted to the cryptocurrency industry, specifically blockchain developers who maintain the code and infrastructure behind digital-currency projects.
