KONNI

Malware Profile Updated 4 days ago
Konni is malware linked with North Korea and known for its sophisticated tactics and advanced capabilities. Like other malware, it can reach systems through suspicious downloads, emails, or websites, and once inside it can steal personal information, disrupt operations, or hold data hostage for ransom.

The Konni APT (Advanced Persistent Threat), believed to be associated with North Korea, has been reported to use Russian-language weaponized documents as a means of infection. These documents are disguised as harmless files but contain hidden scripts that install the Konni malware when opened. The choice of Russian suggests a specific targeting strategy, possibly aimed at Russian-speaking users or organizations.

Further reports have highlighted the advanced nature of the Konni campaign: it has been found to deploy an advanced RAT (Remote Access Trojan) with UAC (User Account Control) bypass capabilities, which lets the malware obtain high-level permissions on the infected system without triggering security alerts and makes it harder to detect and remove. This level of sophistication points to a well-resourced and potentially state-backed operation behind the Konni malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Kimsuky | 3 | Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a threat actor linked to North Korea and has been active since it was first identified by a Kaspersky researcher in 2013. The group is known for its cyberespionage activities and has been involved
TA406 | 2 | TA406, also known as the Konni Group or Kimsuky, is a state-sponsored cybercrime organization based in North Korea. This threat actor has been implicated in numerous cyber espionage activities, targeting entities such as news media organizations, academic institutions, and think tanks. The group gai
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Apt
Phishing
Malware
Fortiguard
Russia
Decoy
Korean
Trojan
Cybercrime
Vulnerability
Exploit
Payload
Associated Malware
ID | Type | Votes | Profile Description
Amadey | Unspecified | 2 | Amadey is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems via suspicious downloads, emails, or websites without user knowledge, then proceeds to steal personal information, disrupt operations, or even hold data for ransom. Our investigation has
Associated Threat Actors
ID | Type | Votes | Profile Description
APT37 | Unspecified | 4 | APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Sandworm | Unspecified | 3 | Sandworm is a threat actor, often linked to Russia, known for its high-profile cyber attacks. The group gained notoriety for compromising 11 Ukrainian telecommunications providers and infiltrating Ukraine's telecom giant Kyivstar for months. In addition, Sandworm was responsible for disrupting power
Konni Group | Unspecified | 2 | The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to
APT29 | Unspecified | 2 | APT29, also known as "The Dukes" or "Cozy Bear," is a sophisticated and well-resourced threat actor believed to be associated with the Russian government. This group has been active for several years and is notorious for its advanced persistent threats (APTs) against various entities worldwide. Nota
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-38831 | Unspecified | 3 | CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about the KONNI malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | New KONNI Malware attacking Eurasia and Southeast Asia
MITRE | a year ago | The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks
MITRE | a year ago | New variant of Konni malware used in campaign targetting Russia
MITRE | a year ago | KONNI: A Malware Under The Radar For Years
CERT-EU | 6 months ago | Konni Malware Alert: Uncovering The Russian-Language Threat
MITRE | a year ago | The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia
BankInfoSecurity | 3 months ago | North Korean Group Seen Snooping on Russian Foreign Ministry
MITRE | a year ago | NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Securityaffairs | 6 months ago | North Korea-linked Konni APT uses Russian-language documents
CERT-EU | 7 months ago | The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
MITRE | a year ago | ScarCruft continues to evolve, introduces Bluetooth harvester
DARKReading | 3 months ago | Lovers' Spat? North Korea Backdoors Russian Foreign Affairs Ministry
Checkpoint | a year ago | Chain Reaction: ROKRAT’s Missing Link - Check Point Research
Securityaffairs | a year ago | North Korea-linked ScarCruft APT uses large LNK files in infection chains
CERT-EU | 6 months ago | North Korea-linked Konni APT uses Russian-language weaponized documents
InfoSecurity-magazine | 6 months ago | Konni Campaign Deploys Advanced RAT With UAC Bypass Capabilities
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of European Union (EU) member states
CERT-EU | 3 months ago | Russian Ministry Software Backdoored with North Korean KONNI Malware
CERT-EU | 3 months ago | Konni RAT deployed via backdoored Russian government tool installer