On January 24, the security agency Check Point released an alert stating that the North Korean hacker group Konni (also known as Opal Sleet or TA406), which has been active for many years, is using AI-assisted malicious software to launch targeted attacks against blockchain developers and engineers in the Asia-Pacific region.

Deep Impersonation: AI-Generated Backdoor Scripts

Check Point researchers found that the PowerShell backdoors used in this attack chain show clear signs of having been generated by a Large Language Model (LLM). Unlike hand-written scripts, which are usually untidy, this malicious code is extremely concise and modular and carries well-structured documentation comments.

The most conclusive evidence lies in comments like "# <– Your permanent project UUID" appearing in the script. Researchers point out that this wording is typical of AI tutorials or code generation prompts, designed to guide human users on how to customize placeholders. Hackers use AI to significantly increase the complexity of malicious scripts and improve development efficiency.

Attack Path: Targeting Cryptocurrency Assets

The attack begins with phishing links hosted on Discord. Once the victim clicks and runs the malicious shortcut file (LNK), a series of infection actions is triggered:

  1. Persistence and Stealth: Creates a scheduled task that runs every hour, disguised as a OneDrive startup item.

  2. Environment Detection: The malware checks hardware and user activity to ensure it does not run in a security analysis environment.

  3. Asset Theft: Its ultimate goal is to gain infrastructure access, API credentials, and wallet private keys, thereby stealing cryptocurrency assets.
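The persistence step above (an hourly scheduled task posing as a OneDrive startup item) leaves an artifact a defender can hunt for. The following PowerShell is an added example written for this article; it is not code from the Check Point report, from BleepingComputer, or from the attackers. It lists scheduled tasks whose name mentions OneDrive and flags any that repeat hourly or faster, launch a script host such as PowerShell, or point at something other than the OneDrive binaries. The path pattern for the legitimate OneDrive executables is an assumption and will need adjusting for non-standard installs.

```powershell
# Added hunting example (hypothetical; not from the report or the attackers).
# Heuristics only: a hit is a lead for triage, not a verdict.

# Assumed install locations of the genuine OneDrive binaries (adjust for your estate).
$legitOneDrivePattern = '\\OneDrive(StandaloneUpdater)?\.exe"?$'
$hourly = [System.TimeSpan]::FromHours(1)

function Get-SuspiciousOneDriveTask {
    $findings = @()
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskName -match 'OneDrive' })) {
        $reasons = @()

        # Trigger check: the report describes a task that fires every hour.
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval   # ISO 8601 duration, e.g. "PT1H"
            if ($interval) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if ($span -le $hourly) { $reasons += "repeats every $span" }
            }
        }

        # Action check: a real OneDrive task launches OneDrive, not a script host.
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            if ($exe -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta') {
                $reasons += "action runs a script host: $exe $($action.Arguments)"
            } elseif ($exe -and $exe -notmatch $legitOneDrivePattern) {
                $reasons += "action is not the OneDrive binary: $exe"
            }
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Reasons  = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SuspiciousOneDriveTask | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so that tasks registered under other users are visible. A hit should be followed by the usual checks: when the task was registered, whether that time coincides with an LNK execution from a Discord download, and what the action's arguments actually decode to.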

According to a BleepingComputer report, such attack samples have been intercepted in Japan, Australia, and India. This marks a new phase in cybercrime in which AI serves as an aid. Developers should be wary of unknown links and documents sent through social platforms.