Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks



A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43).

“This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices,” Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published this week.

The cyber espionage group is notable for its targeting of Russia, with the modus operandi involving the use of spear-phishing emails and malicious documents as entry points for their attacks.


Recent attacks documented by Knowsec and ThreatMon have leveraged the WinRAR vulnerability (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of collecting data from the infected machines.

“Konni’s primary objectives include data exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution.”

The latest attack sequence observed by Fortinet involves a macro-laced Word document that, when enabled, displays an article in Russian that’s purportedly about “Western Assessments of the Progress of the Special Military Operation.”

The Visual Basic for Applications (VBA) macro then launches an interim Batch script that performs system checks and a User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that incorporates information gathering and exfiltration capabilities.

“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands,” Lin said.
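The chain above (Word document, macro, interim Batch script, DLL payload) is the kind of parent-child process pattern a defender can hunt for in process-creation telemetry. The following is an added example, not Fortinet's code or anything from the campaign: it walks a constructed set of Sysmon-style events, flags a Batch script spawned under an Office application, and flags a DLL loader (rundll32/regsvr32 are assumed loader images, not named in the article) launched from that script. All paths and file names are made up.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style).
# Paths, pids and file names are invented for illustration only.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": r'WINWORD.EXE /n "C:\Users\u\Downloads\report.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\check.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\core.dll,Run"},
    # Benign: a batch job started directly from explorer, not from Office.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Scripts\backup.bat"},
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SHELL = re.compile(r"\\cmd\.exe$", re.I)
DLL_LOADER = re.compile(r"\\(rundll32|regsvr32)\.exe$", re.I)  # assumed loader images


def ancestors(pid, by_pid):
    """Yield the parent chain of a process, nearest parent first.
    Stops at unknown pids and guards against ppid cycles in bad telemetry."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]


def is_batch_shell(e):
    return bool(SHELL.search(e["image"])) and ".bat" in e["cmd"].lower()


def detect_office_batch_chain(events):
    """Return (pid, reason) for a Batch script spawned under an Office app and for
    any DLL loader whose ancestry passes through such a script."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for e in events:
        chain = list(ancestors(e["pid"], by_pid))
        if not any(OFFICE.search(a["image"]) for a in chain):
            continue  # ignore anything not descended from an Office process
        if is_batch_shell(e):
            flagged.append((e["pid"], "batch script launched from Office"))
        elif DLL_LOADER.search(e["image"]) and any(is_batch_shell(a) for a in chain):
            flagged.append((e["pid"], "DLL loaded from Office-spawned batch script"))
    return flagged


if __name__ == "__main__":
    for pid, reason in detect_office_batch_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

The ancestry walk rather than a direct parent check matters here because the DLL stage is two hops below the Office process.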

Konni is far from the only North Korean threat actor to single out Russia. Evidence gathered by Kaspersky, Microsoft, and SentinelOne shows that the adversarial collective referred to as ScarCruft (aka APT37) has also targeted trading companies and missile engineering firms located in the country.

The disclosure also arrives less than two weeks after Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, revealed that threat actors from Asia – primarily those from China and North Korea – accounted for a majority of attacks against the country’s infrastructure.

“The North Korean Lazarus group is also very active on the territory of the Russian Federation,” the company said. “As of early November, Lazarus hackers still have access to a number of Russian systems.”
