01 Apr

Cyfirma's recent analysis sheds light on Konni RAT, a Remote Access Trojan (RAT) targeting Windows systems. The malware runs a multi-stage attack chain that strings together batch files, PowerShell scripts, and VBScript to infiltrate a host, exfiltrate data, and maintain persistence.
"Konni RAT employs a multi-stage attack process involving a combination of batch files, PowerShell scripts, and VBScript to exfiltrate sensitive data, maintain persistence, and execute additional payloads," the report states.
The infection chain begins with a ZIP archive containing decoy PDF files and a malicious .lnk file disguised as a .docx document. The LNK file abuses two Windows Explorer behaviours: Explorer always hides the .lnk extension, so a name like document.docx.lnk displays as a Word file, and the shortcut Properties dialog only shows the first 260 characters (MAX_PATH) of the target, so a command padded with whitespace looks harmless while the real arguments sit beyond the visible part. The buried command launches cmd.exe and triggers a cascade of hidden execution steps.
That command starts a PowerShell script that locates the .lnk file, decodes its encrypted segments, and writes out the next stage: a malicious CAB archive (disappear.cab) and a decoy document that is opened to distract the user.
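The two Explorer tricks above are easy to check for on disk. The following is an added example, written for this page and not code from Cyfirma's report or from the malware: it parses the StringData section of a Shell Link file as laid out in MS-SHLLINK (header, optional IDList and LinkInfo, then the counted strings), builds a constructed sample shortcut that uses the whitespace-padding trick, and flags the double extension, the oversized command, the padding, and the cmd.exe launcher. The sample file names, the relative path to cmd.exe, the padded command and the finding labels are all assumptions made for the example.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
MAX_PATH = 260  # the shortcut Properties dialog shows at most this many characters of the target

# LinkFlags bits from MS-SHLLINK 2.1.1 (only the ones this parser needs)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_DATA_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION))

DOCUMENT_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, arguments, ...) of a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the PIDL: IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for name, bit in STRING_DATA_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def triage_lnk(data: bytes, filename: str = "") -> list:
    """Flag the disguise tricks described above; returns a list of finding labels (assumed names)."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    target = fields.get("relative_path", "") or fields.get("name", "")
    findings = []
    stem = filename.lower().removesuffix(".lnk")   # Explorer hides .lnk, so the user sees the stem
    if stem.endswith(DOCUMENT_EXTENSIONS):
        findings.append("double_extension")
    if len(target) + len(args) > MAX_PATH:         # tail of the command is invisible in Properties
        findings.append("command_exceeds_max_path")
    if len(args) - len(args.lstrip()) >= 16:        # leading whitespace pushes the payload out of view
        findings.append("whitespace_padded_arguments")
    if any(tool in (target + " " + args).lower() for tool in ("cmd.exe", "powershell")):
        findings.append("launches_command_interpreter")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only RelativePath and Arguments (enough for the parser)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, times, size, icon, hotkey, reserved: zero

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples for the example (not files from a real Konni archive). The malicious one
# pads its arguments with 300 spaces so the visible Target field shows nothing beyond cmd.exe.
PADDED_COMMAND = " " * 300 + "/c echo stage-1 && exit"
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", PADDED_COMMAND)
BENIGN_LNK = build_lnk(r"..\Documents\report.docx", "")

if __name__ == "__main__":
    print("Agreement.docx.lnk:", triage_lnk(MALICIOUS_LNK, "Agreement.docx.lnk"))
    print("report.lnk:", triage_lnk(BENIGN_LNK, "report.lnk"))
```

Run it over a directory of extracted attachments with `triage_lnk(open(p, "rb").read(), p.name)`; a shortcut whose target plus arguments exceeds 260 characters or whose arguments begin with a run of spaces is worth pulling for analysis regardless of what its icon and name suggest.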
Konni RAT's architecture reflects a layered and modular design:
- PowerShell executes functions with names such as friend, wickedness, and pregnant, chosen to obscure what they do.
- A VBScript (start.vbs) is launched to keep the chain stealthy, using Windows Shell COM objects for indirect command execution.
- That script triggers a batch file (9315288.bat) that loops through other scripts, gathers system data, and also handles exfiltration.
The script collects:
- directory listings from Downloads, Documents, and Desktop
- system details via systeminfo
- all of it saved into files such as d1.txt, d2.txt, and d4.txt
These files are then uploaded to a C2 server (roofcolor[.]com) via encoded HTTP POST requests. Custom PowerShell functions encrypt the data, attach system identifiers such as %COMPUTERNAME%, and erase all traces once the upload is done.
Konni RAT ensures long-term access by:
- adding the VBScript to a Windows Registry Run key
- deleting all temporary files, including the .lnk, the .cab, and the intermediary .bat scripts
- redirecting command output to nul (> nul) so nothing is echoed to the console

Even failed payloads are accounted for: if a stage does not download correctly, the malware skips that step, deletes the evidence, and continues with minimal impact.
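The stages above (a shortcut launching cmd.exe, a hidden PowerShell, wscript.exe handing off to a batch file that runs recon into d*.txt, adds a Run key, and deletes its own artefacts behind `> nul`) leave a recognisable process-creation trail. The following is an added example for this page, not Cyfirma's tooling or a published detection rule: it scores constructed process-creation events, modelled on the chain the report describes, against a handful of behavioural rules and reconstructs the parent chain of any hit. The event layout, the C:\Users\Public paths, the command-line flags and the rule names are assumptions; the script names and d*.txt file names are the ones named in the report. For simplicity each batch line is modelled as its own `cmd /c` child rather than as an internal command of the batch interpreter, which is stated in the code.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon event ID 1 or EDR feed would carry)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


# Behavioural rules: (name, regex on image basename, regex on command line). Assumed names.
RULES = [
    ("hidden_powershell", r"powershell\.exe$", r"(?i)-w(indowstyle)?\s+hidden"),
    ("recon_to_file", r"cmd\.exe$", r"(?i)\b(systeminfo|dir)\b.*>\s*d\d+\.txt"),
    ("run_key_persistence", r"reg\.exe$", r"(?i)\badd\b.*\\CurrentVersion\\Run\b.*\.vbs"),
    ("cleanup_artifacts", r"cmd\.exe$", r"(?i)\bdel\b.*\.(lnk|cab|bat)\b"),
    ("silent_redirect", r".", r"(?i)>\s*nul\b"),
]


def match_rules(events) -> dict:
    """Map each rule name to the PIDs that triggered it (parent/child rules are checked inline)."""
    by_pid = {e.pid: e for e in events}
    hits = {}

    def hit(name, pid):
        hits.setdefault(name, []).append(pid)

    for e in events:
        img = basename(e.image)
        for name, img_re, cmd_re in RULES:
            if re.search(img_re, img) and re.search(cmd_re, e.cmdline):
                hit(name, e.pid)
        parent = by_pid.get(e.ppid)
        if parent is not None and img == "cmd.exe":
            pimg = basename(parent.image)
            if pimg in ("wscript.exe", "cscript.exe"):   # VBScript handing off to a batch file
                hit("script_host_spawns_cmd", e.pid)
            if pimg == "explorer.exe":                     # a double-clicked shortcut
                hit("explorer_spawns_cmd", e.pid)
    return hits


def ancestry(events, pid: int) -> list:
    """Image basenames from the root of the chain down to pid (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def assess(events, threshold: int = 4) -> dict:
    """Score = number of distinct rules hit; any one alone is noisy, the combination is not."""
    hits = match_rules(events)
    score = len(hits)
    return {"score": score, "hits": hits, "verdict": "suspicious" if score >= threshold else "low"}


# Constructed telemetry modelled on the described chain (not real logs). Each batch line is shown
# as its own `cmd /c` child for readability; a real feed shows the batch interpreter's children.
PUB = r"C:\Users\Public"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c powershell -w hidden -c "<stage-1 loader>"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "<stage-1 loader>"'),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe", rf"wscript.exe //B {PUB}\start.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", rf"cmd.exe /c {PUB}\9315288.bat > nul"),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c dir "%USERPROFILE%\Downloads" "%USERPROFILE%\Documents" "%USERPROFILE%\Desktop" > d1.txt'),
    ProcEvent(700, 500, r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo > d2.txt"),
    ProcEvent(800, 500, r"C:\Windows\System32\reg.exe",
              rf'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d "wscript.exe //B {PUB}\start.vbs" /f'),
    ProcEvent(900, 500, r"C:\Windows\System32\cmd.exe",
              rf"cmd.exe /c del /q {PUB}\*.lnk {PUB}\disappear.cab {PUB}\9315288.bat > nul"),
]
BENIGN_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(210, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo build > nul"),
]

if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    print(result["verdict"], result["score"], result["hits"])
    print(" -> ".join(ancestry(SAMPLE_EVENTS, 900)))
```

The individual rules are deliberately loose; `explorer.exe` spawning `cmd.exe` or a `> nul` redirect is everyday noise, which is why the benign sample scores only two. What separates the chain in the report is the combination: a script host in the ancestry of the batch file, recon output written to numbered text files, a Run key pointing at a .vbs, and deletion of .lnk/.cab/.bat artefacts from the same directory within one process tree.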
Cyfirma confirms the tool’s ties to APT37, a North Korean state-sponsored group linked to espionage campaigns across Russia, East Asia, Europe, and the Middle East.
The malware has been spotted in attacks against the Russian Ministry of Foreign Affairs, embedded within backdoored software and malicious macro-laced documents.
Konni RAT is built to exfiltrate sensitive data, including system information and user files, to a remote server with little footprint. Its modular, script-driven design and its evasion measures (hidden execution, silent output, self-deletion of every intermediate file) make it harder to detect and slow down analysis.
