North Korean Konni Group's DevSupply Campaign


Tags: Konni, DPRK, AI Generated Malware, Supply Chain Risk, Blockchain Security
The DevSupply campaign is an advanced cyber espionage campaign attributed to the North Korea-linked Konni group, targeting blockchain and cryptocurrency developers. The campaign spreads through phishing content disguised as developer projects or collaboration offers. Victims are lured into executing an AI-generated PowerShell backdoor that evades analysis, establishes persistence via scheduled tasks, disables security controls, and connects to attacker infrastructure. The objective is to gain access to developer environments, source code, API keys, and sensitive digital asset data.

Indicators of Compromise

No domains found for this campaign

APT Groups (2)

Kimsuky (KR)

Summary of Actor: Kimsuky, also known as Velvet Chollima, is a North Korean threat actor group primarily engaged in cyber espionage. They are known for targeting South Korea, Japan, and the United States, with a focus on government, think tanks, and human rights organizations.
General Features: Kimsuky employs phishing and social engineering techniques to gain initial access, often using spear-phishing emails with malicious attachments or links. They leverage publicly available tools and custom malware to conduct their operations.
Related Other Groups: APT37, APT38
Indicators of Attack (IoA):
- Suspicious email attachments and links
- Use of PowerShell for command execution
- Domain generation algorithms (DGA)
Recent Activities and Trends:
Latest Campaigns: Kimsuky has been active in targeting COVID-19 vaccine developers, conducting phishing campaigns to steal sensitive information related to vaccine research.
Emerging Trends: Recent observations indicate a shift towards targeting cloud services and employing advanced obfuscation techniques to evade detection.

Aliases: APT43, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Sparkling Pisces, Springtail, THALLIUM, Thallium, Velvet Chollima

Opal Sleet (KP)

Summary of Actor: Opal Sleet is a sophisticated cyber threat actor known for its advanced persistent threats (APTs). This group is believed to operate with state sponsorship and has been active since at least 2015. They specialize in espionage and data exfiltration.
General Features: Opal Sleet utilizes a combination of zero-day vulnerabilities, sophisticated malware, and social engineering techniques to infiltrate target networks. They often employ custom tools and maintain a low profile to avoid detection.
Related Other Groups: Silver Rain, Golden Hawk
Indicators of Attack (IoA):
- Suspicious logins from unusual locations
- Abnormal data transfer activities
- Presence of specific malware signatures linked to the group
Recent Activities and Trends:
Latest Campaigns: Opal Sleet has recently been linked to a campaign targeting defense contractors in North America using spear-phishing emails containing malicious attachments.
Emerging Trends: The group has been observed shifting towards using more fileless malware techniques, which are harder to detect, and increasing their focus on cryptocurrency exchanges.

Aliases: Konni, OSMIUM, Vedalia

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


Spearphishing Link (T1566.002)

ID: DET0107
Name: Detection Strategy for Spearphishing Links
Analytics:
AN0298: Correlation of inbound emails with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains. Detection chain includes malicious URL in email → user click recorded in Office logs → browser process spawning unusual child processes (e.g., PowerShell, cmd) or download activity.
AN0299: Detection of spearphishing links through mail logs and browser activity. Behavior includes email with suspicious URLs → user click recorded in mail/web proxy logs → shell or interpreter launched from browser process.
AN0300: Correlation of Mail.app logs with Safari/Chrome activity. Suspicious behavior includes email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly.
AN0301: Detection of OAuth consent phishing or malicious login attempts initiated through spearphishing links. Behavior chain includes inbound email with OAuth URL → consent page visited → unusual token grants logged in IdP logs.



SyncAppvPublishingServer (T1216.002)

ID: DET0440
Name: Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse
Analytics:
AN1220: Execution of SyncAppvPublishingServer.vbs through wscript.exe with a command line containing embedded PowerShell, proxying malicious PowerShell execution through a Microsoft-signed VBScript interpreter to evade detection and restrictions.



Scheduled Task/Job: Scheduled Task (T1053.005)

ID: DET0441
Name: Detection of Suspicious Scheduled Task Creation and Execution on Windows
Analytics:
AN1221: Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods followed by execution from svchost.exe or taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or suspicious user contexts.



Impair Defenses: Disable or Modify Tools (T1562.001)

ID: DET0497
Name: Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms
Analytics:
AN1369: Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.
AN1370: Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations.
AN1371: Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents.
AN1372: Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination.
AN1373: Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars.
AN1374: Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features.
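The analytics listed above describe behaviour chains in prose. The following is an added example, not code from the page or from any vendor, that turns three of them into runnable detection logic over process-creation telemetry: AN0298/AN0299 (browser process spawning a shell or interpreter), AN1220 (wscript.exe running SyncAppvPublishingServer.vbs with PowerShell in its command line) and AN1221 (scheduled-task creation, with SYSTEM run-as context called out). The field names (parent_image, image, command_line, user) are assumed to mirror Sysmon Event ID 1 style records and are not a real product schema; the sample events are constructed, including a benign App-V invocation of the same script so the AN1220 rule shows why the PowerShell hint is needed to avoid false positives.

```python
"""Added example: toy detection rules for AN0298/AN0299, AN1220 and AN1221 over
constructed process-creation events. Field names are an assumed Sysmon-like schema."""
import json
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Events 1, 4 and 7 are benign controls.
SAMPLE_EVENTS = r"""
{"id": 1, "user": "DEV\\alice", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "command_line": "chrome.exe --profile-directory=Default"}
{"id": 2, "user": "DEV\\alice", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -nop -File C:\\Users\\alice\\Downloads\\project-setup.ps1"}
{"id": 3, "user": "DEV\\alice", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;powershell -NoProfile -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1\""}
{"id": 4, "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs 0"}
{"id": 5, "user": "DEV\\alice", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks.exe /create /sc minute /mo 10 /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1 /ru SYSTEM /f"}
{"id": 6, "user": "DEV\\alice", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Register-ScheduledTask -TaskName Sync -Action $a -Trigger $t"}
{"id": 7, "user": "DEV\\bob", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks.exe /query /tn Backup"}
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Signs that a command line carries embedded PowerShell rather than a plain script argument.
PS_HINT = re.compile(r"powershell|pwsh|\biex\b|invoke-expression|start-process", re.I)


@dataclass(frozen=True)
class Finding:
    analytic: str
    event_id: int
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(jsonl: str) -> list:
    """Parse newline-delimited JSON event records."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def an1220_syncappv_proxy(ev: dict):
    """AN1220: wscript/cscript running SyncAppvPublishingServer.vbs with PowerShell in the arguments."""
    cmd = ev["command_line"]
    if basename(ev["image"]) not in {"wscript.exe", "cscript.exe"}:
        return None
    if "syncappvpublishingserver.vbs" not in cmd.lower() or not PS_HINT.search(cmd):
        return None  # legitimate App-V sync calls pass a plain numeric/flag argument
    return Finding("AN1220", ev["id"], "SyncAppvPublishingServer.vbs invoked with embedded PowerShell")


def an0298_browser_spawns_interpreter(ev: dict):
    """AN0298/AN0299: a browser process is the parent of a shell or script interpreter."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in BROWSERS and child in INTERPRETERS:
        return Finding("AN0298", ev["id"], f"{parent} spawned {child}")
    return None


def an1221_scheduled_task_creation(ev: dict):
    """AN1221: scheduled task created via schtasks.exe or PowerShell; SYSTEM run-as raises severity."""
    image, cmd = basename(ev["image"]), ev["command_line"].lower()
    created = (image == "schtasks.exe" and "/create" in cmd) or (
        image in {"powershell.exe", "pwsh.exe"} and "register-scheduledtask" in cmd
    )
    if not created:
        return None
    reason = f"scheduled task created from {basename(ev['parent_image'])}"
    if "/ru system" in cmd or "nt authority\\system" in cmd:
        reason += " with SYSTEM run-as context"
    return Finding("AN1221", ev["id"], reason)


RULES = (an1220_syncappv_proxy, an0298_browser_spawns_interpreter, an1221_scheduled_task_creation)


def scan(events: list) -> list:
    """Apply every rule to every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for finding in scan(load_events(SAMPLE_EVENTS)):
        print(f"{finding.analytic} event={finding.event_id}: {finding.reason}")
```

Running the block flags events 2, 3, 5 and 6 and stays silent on the benign chrome launch, the App-V sync call with a numeric argument, and the schtasks query; in production the same rules would be fed from the EDR or Sysmon pipeline rather than an inline string, and the browser and interpreter sets extended to the environment's inventory.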

Reports & References (1)

Observed Countries (14)

AU (441)
CN (2)
HK (530)
ID (802)
IN (843)
JP (24)
KR (674)
MY (285)
NZ (521)
PH (117)
SG (767)
TH (822)
TW (999)
VN (267)