49/69 Tuesday, January 27, 2026

Check Point Research has reported the discovery of a new wave of cyberattacks by the Konni hacking group (also known as Earth Imp / Opal Sleet), which has expanded its targeting beyond its traditional focus on South Korea and Russia to software developers and engineering teams in the blockchain sector across Japan, Australia, and India. A particularly concerning aspect of this campaign is evidence suggesting that the PowerShell backdoor malware used in the attacks was written with the assistance of AI, enabling faster development and more structured, easily customizable code.
The attack kill chain begins with phishing emails that lure victims into downloading a ZIP file hosted on Discord's CDN. The archive contains fake project-related documents along with a malicious Windows shortcut (.LNK) file. When the shortcut is opened, it executes a PowerShell loader that extracts a CAB archive and installs the backdoor on the victim's system. The malware demonstrates strong evasion capabilities and escalates privileges with the FodHelper User Account Control (UAC) bypass: fodhelper.exe is a Microsoft-signed, auto-elevating binary that resolves its ms-settings protocol handler from the current user's registry hive, so a low-privilege process can register an arbitrary command there and have it launched with high integrity without a UAC prompt. Once elevated, the malware installs a Remote Monitoring and Management (RMM) tool called SimpleHelp, which serves as the primary channel for persistent remote access and ongoing data exfiltration.
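The chain above maps onto endpoint telemetry in a way a detection engineer can check stage by stage. The following is an added example, not code from Check Point Research, The Hacker News, or the Konni toolset: it runs simple correlation rules over constructed, Sysmon-style process-creation and registry events and reports which stages of the chain (explorer-launched PowerShell with evasion flags, CAB extraction, the FodHelper registry hijack and its child process, SimpleHelp installation) were seen on each host and in what order. The event records, hostnames, paths and SIDs are all invented for the example; the "JWrapper-Remote Access" install folder used as a SimpleHelp marker is an assumption about the vendor's packaging, not something the report states.

```python
"""Stage-by-stage detection of the LNK -> PowerShell -> CAB -> FodHelper -> RMM chain.
All events below are constructed for this example; none are real campaign telemetry."""
import ntpath
import re
from collections import defaultdict

STAGES = ("lnk_powershell", "cab_extract", "fodhelper_uac_bypass", "rmm_install")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Common PowerShell evasion switches: hidden window, encoded command, execution-policy bypass.
PS_EVASION = re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-e(nc|ncodedcommand)\b|-e(p|xecutionpolicy)\s+bypass", re.I)
# Key fodhelper.exe consults for the ms-settings: handler; writing it under a user hive is the bypass.
FODHELPER_KEY = re.compile(r"\\Software\\Classes\\ms-settings\\shell\\open\\command", re.I)
# SimpleHelp markers. "JWrapper-Remote Access" as the agent's install folder is an assumption.
RMM_MARKER = re.compile(r"simplehelp|jwrapper-remote access", re.I)


def _base(path):
    return ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS


def rule_lnk_powershell(ev):
    """Stage 1: PowerShell spawned by explorer.exe (LNK double-click) with evasion flags."""
    return (ev["type"] == "process" and _base(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and _base(ev["parent_image"]) == "explorer.exe"
            and PS_EVASION.search(ev["cmdline"]) is not None)


def rule_cab_extract(ev):
    """Stage 2: a script host references a .cab, or expand/extrac32 is spawned by one."""
    if ev["type"] != "process" or ".cab" not in ev["cmdline"].lower():
        return False
    img, parent = _base(ev["image"]), _base(ev["parent_image"])
    return img in SCRIPT_HOSTS or (img in {"expand.exe", "extrac32.exe"} and parent in SCRIPT_HOSTS)


def rule_fodhelper_uac_bypass(ev):
    """Stage 3: the hijack key is written, fodhelper.exe is launched by a script host,
    or anything at all is spawned by the auto-elevated fodhelper.exe."""
    if ev["type"] == "registry":
        return FODHELPER_KEY.search(ev["target"]) is not None
    img, parent = _base(ev["image"]), _base(ev["parent_image"])
    return (img == "fodhelper.exe" and parent in SCRIPT_HOSTS) or parent == "fodhelper.exe"


def rule_rmm_install(ev):
    """Stage 4: a SimpleHelp agent binary appears in image path or command line."""
    return ev["type"] == "process" and RMM_MARKER.search(ev["image"] + " " + ev["cmdline"]) is not None


RULES = dict(zip(STAGES, (rule_lnk_powershell, rule_cab_extract, rule_fodhelper_uac_bypass, rule_rmm_install)))


def analyze(events):
    """Return {host: {"verdict", "stages", "findings"}}; full_chain needs all four stages in order."""
    per_host = defaultdict(lambda: {"findings": [], "first_seen": {}})
    for ev in sorted(events, key=lambda e: e["ts"]):
        h = per_host[ev["host"]]
        for stage, rule in RULES.items():
            if rule(ev):
                h["findings"].append((ev["ts"], stage, ev.get("cmdline") or ev.get("target")))
                h["first_seen"].setdefault(stage, ev["ts"])
    out = {}
    for host, h in per_host.items():
        seen = [s for s in STAGES if s in h["first_seen"]]
        ordered = [h["first_seen"][s] for s in seen] == sorted(h["first_seen"][s] for s in seen)
        if len(seen) == len(STAGES) and ordered:
            verdict = "full_chain"
        elif len(seen) >= 2:
            verdict = "partial_chain"
        else:
            verdict = "single_indicator" if seen else "none"
        out[host] = {"verdict": verdict, "stages": seen, "findings": h["findings"]}
    return out


# Constructed sample telemetry (invented hosts, PIDs, SIDs and paths).
EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FOD = r"C:\Windows\System32\fodhelper.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"


def proc(ts, host, pid, ppid, image, parent_image, cmdline):
    return {"ts": ts, "host": host, "type": "process", "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image, "cmdline": cmdline}


def reg(ts, host, pid, image, target, details):
    return {"ts": ts, "host": host, "type": "registry", "pid": pid, "image": image,
            "target": target, "details": details}


SAMPLE_EVENTS = [
    proc(1, "dev-ws-01", 100, 1, EXPLORER, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    proc(2, "dev-ws-01", 200, 100, PS, EXPLORER,
         r'powershell.exe -w hidden -ep bypass -c "expand $env:TEMP\docs.cab -F:* $env:APPDATA"'),
    proc(3, "dev-ws-01", 300, 200, r"C:\Windows\System32\expand.exe", PS,
         r"expand C:\Users\dev\AppData\Local\Temp\docs.cab -F:* C:\Users\dev\AppData\Roaming"),
    reg(4, "dev-ws-01", 200, PS,
        r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
        r"powershell.exe -w hidden -f C:\Users\dev\AppData\Roaming\svc.ps1"),
    proc(5, "dev-ws-01", 400, 200, FOD, PS, "fodhelper.exe"),
    proc(6, "dev-ws-01", 500, 400, PS, FOD, r"powershell.exe -w hidden -f C:\Users\dev\AppData\Roaming\svc.ps1"),
    proc(7, "dev-ws-01", 600, 500, r"C:\ProgramData\JWrapper-Remote Access\Remote Access-windows64-offline.exe",
         PS, '"Remote Access-windows64-offline.exe" -service'),
    # Benign noise on a second host: a scheduled build script and a normal fodhelper launch.
    proc(8, "build-02", 700, 100, PS, EXPLORER, r"powershell.exe -File C:\scripts\build.ps1"),
    proc(9, "build-02", 800, 1, FOD, SVCHOST, "fodhelper.exe"),
]

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["stages"])
        for ts, stage, detail in result["findings"]:
            print(f"  t={ts} {stage}: {detail}")
```

Each rule is deliberately narrow so that a single hit is only an indicator; the verdict comes from seeing several stages on one host in the order the chain runs, which is what separates this activity from a developer who legitimately runs a hidden PowerShell window or a normal fodhelper.exe launch from the shell.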
Researchers assess that the strategic objective of this campaign extends beyond compromising individual users: the attackers aim to establish persistence within development environments, which positions them for supply chain attacks against connected projects and services. The use of AI to generate malware code, complete with clear structure and readable comments, marks an evolution in threat actor tradecraft, cutting development time while increasing attack efficiency. As a result, organizations in the technology sector are urged to strengthen file inspection, developer workstation security, and DevSecOps controls to counter this growing and increasingly sophisticated threat.
Source https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html
