Saved February 14, 2026
Do you care about this?
The Konni hacker group is targeting blockchain developers with AI-generated PowerShell malware. Their attacks involve sending malicious links via Discord that deliver a backdoor capable of compromising sensitive assets like API credentials and cryptocurrency. Researchers have identified the malware as being developed with AI assistance, indicating a shift in their tactics.
If you do, here's more
The North Korean hacker group Konni is targeting blockchain developers with sophisticated AI-generated PowerShell malware. Active since at least 2014, Konni has been linked to APT37 and Kimsuky and has previously attacked organizations in South Korea, Russia, Ukraine, and Europe. The latest campaign is particularly focused on the Asia-Pacific region, with malware submissions traced back to Japan, Australia, and India.
The attack begins when victims receive a link hosted on Discord, leading to a ZIP file that includes a PDF lure and a malicious LNK file. Once the LNK file is activated, it executes a PowerShell loader that extracts a DOCX document and a CAB archive containing a backdoor, batch files, and a UAC bypass executable. The DOCX document is designed to entice victims into compromising their development environments, granting the hackers access to sensitive data such as API credentials and cryptocurrency wallets.
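As an added defender-side example, not code from the article or from Check Point, the following Python triage function flags the delivery shape described above: a ZIP archive carrying an LNK file next to a document lure. The sample archive is constructed inline; the only external facts it relies on are the documented Windows Shell Link header values (HeaderSize 0x4C and LinkCLSID 00021401-0000-0000-C000-000000000046).

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
SHELL_LINK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
LURE_EXTENSIONS = {".pdf", ".docx", ".doc", ".txt"}


def is_shell_link(head: bytes) -> bool:
    """True if the leading bytes match the Windows Shell Link (LNK) header."""
    return head[:len(SHELL_LINK_MAGIC)] == SHELL_LINK_MAGIC


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP archive for LNK members packaged beside decoy documents.

    LNK detection is content-based (header check) as well as name-based, so a
    member renamed in transit is still reported.
    """
    lnk_members, lure_members = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(len(SHELL_LINK_MAGIC))  # header bytes only
            if is_shell_link(head) or name.endswith(".lnk"):
                lnk_members.append(info.filename)
            elif any(name.endswith(ext) for ext in LURE_EXTENSIONS):
                lure_members.append(info.filename)
    return {
        "lnk": lnk_members,
        "lures": lure_members,
        "suspicious": bool(lnk_members),
        # a shortcut shipped next to a document is the pattern worth quarantining
        "lure_plus_lnk": bool(lnk_members and lure_members),
    }


def build_constructed_sample(with_lnk: bool = True) -> bytes:
    """Constructed test archive (not a real campaign artifact): a minimal
    PDF-looking decoy and, optionally, a fake LNK using a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n% decoy content\n")
        if with_lnk:
            zf.writestr("Invoice.pdf.lnk", SHELL_LINK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_constructed_sample()))
```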
The PowerShell backdoor is notably complex, using obfuscation techniques that suggest an AI-assisted design rather than traditional malware authoring. Researchers from Check Point highlight that the script features structured documentation and modular code, which are common in AI-generated scripts. The malware conducts checks to avoid detection in analysis environments and communicates with a command-and-control server to execute additional commands based on the compromised host's privileges. Check Point has identified specific indicators of compromise related to this campaign to aid in defense strategies.