KONNI Malware Expands to South East Asia and Eurasia

Written by Nitish Singh
Last updated June 23, 2021

Over the last three years, a large number of malware attacks took place all over North Korea, and the malware was termed KONNI by security researchers globally. A new wave of attacks that are similar in nature was spotted recently. However, despite the similarities, security researchers at Palo Alto Networks have spotted a number of differences leading them to believe that they have not been developed by the same cyber attackers.

Palo Alto Networks has renamed the malware from KONNI to NOKKI internally to reflect the similarities while classifying them as unique to each other. There is a sizeable overlap between the code in both malware. However, security researchers have identified a tenuous relationship between a known hacker group that goes by the name of ‘Reaper.’

NOKKI Payload HTTP Request

Image Courtesy of Palo Alto Security

The latest security vendor to analyze the malware is Cylance, who believe that hacktivism could be the motivation behind these recent attacks. Security experts at Cylance revealed that the KONNI attacks could be linked to the DarkHotel APT campaign which was first uncovered by Kaspersky Lab. The DarkHotel APT campaign was responsible for stealing customer data from luxury hotels.

Cylance Threat Guidance Manager Kevin Finnigin revealed “[Konni] essentially is a still evolving, full-featured RAT,". The company's analysis suggests that additional capabilities are probably under development.”

The new KONNI payload is used to target victims in Eurasia and Southeast Asia. The targets are politically motivated, and the attacks by the payload are designed to compromise infrastructure of 'deliver and command' controls.

Security researchers have been unable to trace the source of the campaigns despite the unknown threat being prevalent for three years now. The new iteration of KONNI’s latest attack took place right after the North Korean government tested an Intercontinental Ballistic Missile (IBM) capable of reaching the United States.

What do you think about the new KONNI malware? Let us know in the comments below. Also, don’t forget to follow us on Facebook and Twitter. Thanks!

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: