North Korean KONNI Group Deploys AI-Generated Malware Against Blockchain Developers
North Korean APT group KONNI deployed AI-generated PowerShell backdoors targeting blockchain and cryptocurrency developers in Japan, Australia, and India. Check Point Research published findings on 21 January 2026, documenting the campaign's use of Discord-hosted malicious archives.

Konni targets blockchain developers with AI
North Korean advanced persistent threat (APT) group KONNI targeted blockchain and cryptocurrency developers with AI-generated malware. The campaign focused on developers in Japan, Australia, and India and used Discord as the initial delivery channel.
Discord lures and staged infection chain
Attackers sent a Discord link that delivered a ZIP archive to targeted developers. The ZIP contained a legitimate-looking PDF lure, a Windows shortcut file, and additional components that executed a multi-stage infection chain on the victim machine.
The Windows shortcut file triggered scripts that unpacked more files, created a scheduled task, and ran a PowerShell script in memory. This script contacted attacker-controlled servers and prepared a persistent backdoor on the infected system.
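The staged chain described above (shortcut launches a script host, which registers a scheduled task and starts hidden PowerShell) can be correlated in process-creation telemetry. The following is an added detection example, not code from Check Point Research or from the campaign; the Sysmon-style records, hostnames, PIDs and paths are constructed, and the field names and indicator patterns are assumptions.

```python
"""Correlate an Explorer-launched script host with scheduled-task creation and
hidden/encoded PowerShell in its process subtree. Added example; telemetry
below is constructed and all field names and patterns are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime      # process creation time
    host: str
    pid: int
    ppid: int
    image: str        # full image path
    cmdline: str


# Script hosts a .lnk typically launches; explorer.exe is the parent in that case.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Markers of hidden or in-memory PowerShell execution.
PS_INDICATORS = re.compile(
    r"(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|invoke-expression|\biex\b"
    r"|downloadstring|frombase64string)", re.I)
# Scheduled-task creation via the CLI tool or the PowerShell cmdlet.
TASK_INDICATORS = re.compile(r"(schtasks(\.exe)?\s+/create|register-scheduledtask)", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (hypothetical hosts, PIDs and paths).
EVENTS = [
    ProcEvent(t("2026-01-21 09:00:00"), "WS01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(t("2026-01-21 09:01:10"), "WS01", 200, 100, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /q /c "%TEMP%\\unpack.bat"'),
    ProcEvent(t("2026-01-21 09:01:12"), "WS01", 201, 200, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /sc minute /mo 13 /tn "SystemCheck" /tr "powershell.exe -w hidden -File %TEMP%\\s.ps1"'),
    ProcEvent(t("2026-01-21 09:01:13"), "WS01", 202, 200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64-PLACEHOLDER>"),
    # Benign activity: a developer runs a build script from Explorer, no task, no hiding.
    ProcEvent(t("2026-01-21 09:05:00"), "WS02", 300, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(t("2026-01-21 09:05:30"), "WS02", 301, 300,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File build.ps1"),
]


def find_lnk_chains(events, window=timedelta(minutes=15)):
    """Return one finding per Explorer-spawned script host whose subtree (within
    `window`) contains both scheduled-task creation and suspicious PowerShell."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    for host, evs in by_host.items():
        by_pid = {e.pid: e for e in evs}
        children = defaultdict(list)
        for e in evs:
            children[e.ppid].append(e)
        for root in evs:
            parent = by_pid.get(root.ppid)
            if parent is None or basename(parent.image) != "explorer.exe":
                continue
            if basename(root.image) not in SCRIPT_HOSTS:
                continue
            # Breadth-first walk of the subtree rooted at this script host.
            subtree, queue = [], [root]
            while queue:
                cur = queue.pop()
                subtree.append(cur)
                queue.extend(c for c in children[cur.pid] if c.ts - root.ts <= window)
            task_pids = [e.pid for e in subtree if TASK_INDICATORS.search(e.cmdline)]
            ps_pids = [e.pid for e in subtree
                       if basename(e.image) == "powershell.exe" and PS_INDICATORS.search(e.cmdline)]
            if task_pids and ps_pids:
                findings.append({"host": host, "root_pid": root.pid,
                                 "task_pids": task_pids, "powershell_pids": ps_pids})
    return findings


if __name__ == "__main__":
    for f in find_lnk_chains(EVENTS):
        print(f)
```

The rule fires only when both behaviours appear under the same Explorer-launched script host; a developer running a build script, or an administrator creating a task from a management console, does not satisfy it. The indicator lists are starting points and should be tuned to the telemetry in use.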
AI-generated PowerShell backdoor characteristics
Check Point Research identified specific markers that linked the PowerShell backdoor to large language model (LLM) code generation. The script included clear English documentation, modular structure, and instructional placeholders such as the comment “# <– your permanent project UUID”.
The backdoor used a fixed universally unique identifier (UUID) string to identify the project instance on each infected device. It sent system information to a remote server every 13 minutes and waited for further attacker commands.
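A fixed 13-minute check-in interval is the kind of low-jitter pattern that stands out in connection logs. The following periodicity check is an added example, not code from the report; the CSV layout, hostnames, TEST-NET addresses and thresholds are constructed assumptions. It generalises beyond the 13-minute case: any source/destination pair whose inter-connection intervals are nearly constant is reported, whatever the period.

```python
"""Flag source/destination pairs whose connection intervals are nearly constant.
Added example; the log below is constructed and the CSV layout, thresholds and
names are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: timestamp,src_host,dst_ip,dst_port,bytes (RFC 5737 TEST-NET addresses).
# WS01 checks in roughly every 13 minutes; WS02 is ordinary, irregular browsing.
SAMPLE_LOG = """timestamp,src,dst_ip,dst_port,bytes
2026-01-21T09:00:00Z,WS01,203.0.113.10,443,1340
2026-01-21T09:00:00Z,WS02,198.51.100.7,443,52110
2026-01-21T09:00:40Z,WS02,198.51.100.7,443,8830
2026-01-21T09:13:00Z,WS01,203.0.113.10,443,1352
2026-01-21T09:07:15Z,WS02,198.51.100.7,443,19211
2026-01-21T09:26:02Z,WS01,203.0.113.10,443,1349
2026-01-21T09:38:59Z,WS01,203.0.113.10,443,1338
2026-01-21T09:30:02Z,WS02,198.51.100.7,443,2020
2026-01-21T09:52:00Z,WS01,203.0.113.10,443,1344
2026-01-21T09:31:11Z,WS02,198.51.100.7,443,77104
2026-01-21T10:05:00Z,WS01,203.0.113.10,443,1350
2026-01-21T10:17:59Z,WS01,203.0.113.10,443,1347
2026-01-21T10:45:00Z,WS02,198.51.100.7,443,4411
2026-01-21T10:31:02Z,WS01,203.0.113.10,443,1341
"""


def parse(lines):
    """Yield (timestamp, src, 'ip:port') tuples, skipping the header and blanks."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("timestamp"):
            continue
        ts, src, dst_ip, dst_port, _bytes = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, f"{dst_ip}:{dst_port}"))
    return rows


def find_beacons(lines, min_connections=5, max_jitter=0.1):
    """Return pairs with at least `min_connections` connections whose gaps deviate
    from the median gap by at most `max_jitter` (as a fraction of the median)."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse(lines):
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()  # log order is not guaranteed to be chronological
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "period_minutes": round(period / 60, 2),
                             "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f)
```

Legitimate software also polls on fixed schedules, so hits need a second signal, such as an unfamiliar destination or the process-chain finding from the previous section, before they are treated as a backdoor check-in.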
Historical Konni activity and crypto focus
KONNI has operated since at least 2014 according to earlier threat research from Cisco Talos. Previous campaigns targeted organisations linked to the Korean Peninsula, including diplomatic and government entities connected to South Korea.
Recent operations expanded this focus to the cryptocurrency sector. By aiming at blockchain and crypto developers, KONNI targeted teams that handle code and infrastructure for digital currency projects.
Security implications for blockchain industry
Attackers in this campaign used an AI-generated backdoor as part of their toolset against blockchain-related developers. The case documents that AI-generated code already appears in real-world offensive operations linked to North Korea.