Elizabeth Montalbano, Contributing Writer
January 26, 2026

North Korean threat actors are once again targeting developers with an ongoing phishing campaign, this time with a specific focus that goes outside the usual geographic scope and demonstrates the use of artificial intelligence (AI) to develop a novel backdoor.

The advanced persistent threat (APT) group Konni has been targeting developers with expertise in and access to blockchain-related resources and infrastructure across the Asia-Pacific (APAC) region, including Japan, Australia, and India, Check Point Research revealed in a recent blog post. In previous threat campaigns, Konni primarily focused on government and politically and academically affiliated targets in South Korea, which means the targeting extends "beyond the group's usual focus areas," according to the post.

The activity — which uses phishing lures that appear to be legitimate project documentation — also shows the group deviating from its usual tactics and targets, signaling a potential redirection of activity, Check Point said.

"The targeting reflects a notable shift in behavior," according to the post. "Instead of focusing on individual end users, the campaign goal seems to be to establish a foothold in development environments, where compromise can provide broader downstream access across multiple projects and services."

Indeed, threat actors tied to the Democratic People's Republic of Korea (DPRK) are notorious for targeting software developers, in particular through sweeping job-recruitment campaigns known as Contagious Interview and Wagemole. As mentioned, however, those campaigns were more individual-focused, while this one seems more aimed at long-term persistence.

Using AI to Generate Malware

Another notable aspect of the campaign is that it uses an AI-written PowerShell backdoor, reflecting the increasing adoption of AI tools by threat actors.
Indeed, 2026 is already poised to be the year that AI-generated malware appears in earnest. For example, Check Point recently documented how a complex Linux malware framework, dubbed VoidLink, was built almost entirely with the AI-coding assistant TRAE SOLO.

The Konni backdoor used in this latest campaign has "an unusually polished structure," with upfront documentation that Check Point researchers said is unusual for commodity or APT-authored PowerShell implants. That documentation describes the script's functionality — to ensure that only one instance of this UUID-based project runs at a time and to send system info via HTTP GET every 13 minutes — in clear and readable terms. It's also further divided into well-defined, logical sections that each handle a specific task, which reflects "modern software engineering conventions rather than ad-hoc malware development," according to the blog post.

"Konni's introduction of AI-assisted tooling suggests an effort to accelerate development and standardize code while continuing to rely on proven delivery methods and social engineering," Check Point said.

Targeting Blockchain Developers

The lure documents used in the campaign demonstrate its focus on blockchain developers and also are a departure for Konni, which typically uses weaponized documents with geopolitical themes focused on the Korean Peninsula. In this case, the lures appear to be legitimate development-project materials and include technical details such as architecture, technology stacks, development timelines, and, in some cases, even budgets and delivery milestones, according to Check Point.

"This pattern suggests an intent to compromise development environments, thereby obtaining access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings," read the post.
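The fixed 13-minute HTTP GET check-in described above is the kind of timing pattern a defender can hunt for in proxy logs. The following is an added example, not code from the article or from Check Point's report: it parses a constructed log (the hosts, destinations and line format are invented for illustration) and flags client/destination pairs whose request gaps cluster tightly around a given period.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the Check Point report). "dev-ws-07"
# issues a GET to one destination every 13 minutes with seconds of jitter, as the
# backdoor described above does; "dev-ws-02" shows ordinary irregular browsing.
SAMPLE_LOG = """\
2026-01-20T09:00:00 dev-ws-07 GET c2.example.invalid
2026-01-20T09:13:02 dev-ws-07 GET c2.example.invalid
2026-01-20T09:25:59 dev-ws-07 GET c2.example.invalid
2026-01-20T09:39:01 dev-ws-07 GET c2.example.invalid
2026-01-20T09:52:00 dev-ws-07 GET c2.example.invalid
2026-01-20T09:01:10 dev-ws-02 GET docs.example.invalid
2026-01-20T09:04:45 dev-ws-02 GET docs.example.invalid
2026-01-20T09:31:12 dev-ws-02 GET docs.example.invalid
2026-01-20T10:02:03 dev-ws-02 GET docs.example.invalid
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def parse_log(text):
    """Group request timestamps by (client, destination), GET requests only."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        ts, client, method, dest = m.groups()
        if method == "GET":
            series[(client, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, period_s=13 * 60, tolerance_s=60, min_requests=4):
    """Return (client, dest, mean_gap_s) for series whose gaps cluster around
    period_s; a low std-dev of the gaps means machine-like, not human, timing."""
    hits = []
    for (client, dest), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if abs(avg - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((client, dest, round(avg)))
    return hits

if __name__ == "__main__":
    for client, dest, avg in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {client} -> {dest} every ~{avg}s")
```

Real implants often randomize the interval, so in practice the tolerance and minimum request count are tuning knobs rather than fixed values.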
While this blockchain and cryptocurrency focus is more commonly associated with other DPRK-linked actors, there are indications that Konni — a subset of the more formidable APT Kimsuky — also engaged in similar financially motivated targeting in the past, according to Check Point.

APT Evolution Keeps Defenders Guessing

With APTs using new tools like AI and shifting tactics in campaigns that are evolving quickly, defenders also must be on high alert to the changing nature of these activities, according to Check Point.

"Combined with indicators suggesting activity beyond Konni's historically South Korean–centric footprint, this operation illustrates how a mature threat actor can maintain stable intrusion workflows while adapting both its targeting and tooling," read the post.

As always, anyone receiving unsolicited emails asking them to click on attached or embedded documents, no matter how legitimate those documents seem, should approach them suspiciously. To help organizations recognize specific signs of Konni's latest attacks on blockchain developers, Check Point included in its blog post a list of indicators of compromise (IoCs), including artifacts related to hashes, scripts, executables, and domains and IPs.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.