DPRK's Konni Targets Blockchain Developers With AI-Generated Backdoor
The North Korean threat group is using a new PowerShell backdoor to compromise development environments and target cryptocurrency holdings, according to researchers.
PowerShell is Microsoft's task-automation shell and scripting platform, whose capabilities affect endpoint administration, abuse, and security controls.
Search across headline titles and summaries.
Background for this topic.
PowerShell is a command-line shell and scripting language for automating administration and configuration. It began as a Windows technology and is also available on Linux and macOS; its security-relevant features include access to operating-system APIs, scripting, and remote management. Administrators and defenders use it for tasks such as configuration enforcement, log analysis, and investigation.
Because PowerShell can download, decode, and execute scripts and use trusted administrative interfaces, attackers may abuse it for execution, persistence, credential access, or lateral movement, especially after obtaining valid permissions. PowerShell itself is not inherently malicious or a universal antivirus bypass. Useful controls include applying updates to the relevant PowerShell edition and its runtime, limiting script and remoting privileges, and enabling detailed logging such as script-block and transcription logs. Security teams can correlate those records with process, authentication, and network telemetry; controls such as application allowlisting and constrained language mode can further reduce abuse, while preserving required administrative workflows.
Weekly headline count for the current query.
The North Korean threat group is using a new PowerShell backdoor to compromise development environments and target cryptocurrency holdings, according to researchers.
Researchers discovered an attack chain that uses several layers of obfuscated batch files and PowerShell scripts to deliver an advanced and persistent rootkit.
The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.
"ClearFake" and "ClickFix" attackers are tricking people into cutting and pasting malicious PowerShell scripts to infect their own machines with RATs and infostealers.
The attack, associated with Shuckworm, employs TTPs observed in prior campaigns against the Ukrainian military, predominantly using PowerShell.
Seedworm, aka MuddyWater, drops PowerShell-based malware on victims using living-off-the-land techniques.
Custom PowerShell scripts are being deployed against geofenced targets in Australia, Belgium, and Poland to exfiltrate data.
Microsoft is aware of the issue, but so far its attempts to address it don't appear to have worked, the vendor says.
Disguised as harmless PDF documents, LNK files trigger a PowerShell script, initiating a Rust-based injector called Freeze[.]rs and a host of malware infections.
Hackers used a little to do a lot, cracking a high-value target with hardly more than the living-off-the-land tools (PowerShell especially) found on any standard Windows computer.
Aiming to give threat hunters a list of popular attack tactics, a cybersecurity team analyzed collections of real-world threat data to find attackers' most popular techniques.
Branded as a components library for two popular open source resources, Material Tailwind instead loads a Windows .exe that can run PowerShell scripts.
The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.
Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.