North Korean cybercriminals are using an AI-generated PowerShell backdoor
North Korean cybercriminals are targeting developers with access to blockchains. A PowerShell backdoor appears to be programmed by AI.
(Image: Balefire / Shutterstock.com)
North Korean cybercriminals are targeting developers with blockchain access. They aim to trick them into executing malware through phishing attacks. It is believed that Artificial Intelligence was involved in programming the PowerShell backdoor.
This is reported by the IT security company Checkpoint in an analysis. The criminal organization "Konni" is said to originate from North Korea or to be affiliated with the country. The attackers have, however, expanded their targeting beyond their usual area of activity: they originally focused on South Korea but now target the entire Asia-Pacific region, including Australia, India, and Japan.
They are targeting developers and programming teams, especially those with access to blockchain-related resources and infrastructure. The bait documents look like legitimate project materials and include technical details such as architecture, tech stacks, and development timelines. From this, Checkpoint infers that the attackers aim to infiltrate development environments and thereby gain access to sensitive crypto assets, infrastructure, API credentials, wallet access, and ultimately crypto holdings.
AI used for programming
According to the analysis, there are strong indications that the criminals have been assisted by Artificial Intelligence. The PowerShell script with the backdoor reportedly has an unusually polished structure. It begins with human-readable documentation explaining the script's function: "This script ensures that only one instance of this UUID-based project runs at a time. It sends system info via HTTP GET every 13 minutes." This level of detail in the documentation is highly unusual for PowerShell malware from APTs. The code is also divided into clearly defined logical sections, each performing a specific task, which aligns more with modern software development conventions than spontaneous malware development.
These indications alone are not sufficient for a definitive AI attribution, but one comment in the program code is said to be telling: # <– your permanent project UUID. According to the researchers, this phrasing is highly characteristic of LLM-generated code, in which the model explicitly tells the human how to adjust a placeholder value.
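As an added illustration that is not part of the heise article or of Check Point's report, the following Python triage helper scores a PowerShell script against the traits described above (a prose header about a UUID-based single instance, an LLM-style "<-- your ..." placeholder comment, and a periodic HTTP GET beacon). The heuristic weights, the regular expressions and both sample scripts are constructed assumptions for this example, not indicators from the report.

```python
import re

# Heuristics modelled on the traits described in the article. The weights
# are an assumption for this example, not values from Check Point's analysis.
HEURISTICS = {
    "placeholder_guidance": (re.compile(r"#\s*<--?\s*your\b", re.I), 3),
    "uuid_single_instance": (re.compile(
        r"(mutex|single instance|one instance).{0,80}uuid"
        r"|uuid.{0,80}(mutex|single instance|one instance)", re.I | re.S), 2),
    "http_get_beacon": (re.compile(
        r"Invoke-(WebRequest|RestMethod)[^\n]*-Method\s+Get", re.I), 2),
    "sleep_loop": (re.compile(
        r"while\s*\(\s*\$true\s*\)[\s\S]{0,400}Start-Sleep", re.I), 1),
}

def beacon_interval_minutes(script):
    """Return the first Start-Sleep interval converted to minutes, or None."""
    m = re.search(r"Start-Sleep\s+-Seconds\s+(\d+)", script, re.I)
    return int(m.group(1)) / 60 if m else None

def score_script(script):
    """Score a PowerShell script; a higher score means more of the described traits."""
    hits = [name for name, (rx, _w) in HEURISTICS.items() if rx.search(script)]
    score = sum(HEURISTICS[name][1] for name in hits)
    return {"score": score, "hits": hits, "interval_min": beacon_interval_minutes(script)}

# Constructed sample that only mimics the documented *structure* (header text,
# placeholder comment, GET beacon with a 13-minute sleep); it is not real malware.
SUSPICIOUS = r'''
<#
This script ensures that only one instance of this UUID-based project runs at a time.
It sends system info via HTTP GET every 13 minutes.
#>
$ProjectId = "00000000-0000-0000-0000-000000000000"  # <-- your permanent project UUID
$mutex = New-Object System.Threading.Mutex($false, $ProjectId)
if (-not $mutex.WaitOne(0)) { exit }
while ($true) {
    Invoke-RestMethod -Uri "https://example.invalid/beacon" -Method Get
    Start-Sleep -Seconds 780
}
'''

# Constructed benign admin script for comparison.
BENIGN = r'''
# Rotate logs older than 7 days
Get-ChildItem C:\Logs -Filter *.log |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) } | Remove-Item
'''

if __name__ == "__main__":
    print(score_script(SUSPICIOUS))
    print(score_script(BENIGN))
```

The scorer is a triage aid for hunting through script collections, not a verdict; a hit on the placeholder comment alone says nothing about intent without the beaconing behaviour alongside it.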
In the article, the Checkpoint analysts explain the functions of the scripts and the infection chains in more detail. They also provide a list of Indicators of Compromise (IOCs).
(dmk)