
AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling

Malware Activity
Happening score: 28
2 unique sources, 2 articles

Summary


This AI-generated PowerShell malware targets blockchain developers and engineers in the Asia-Pacific region, raising the risk of credential and wallet theft on infected hosts. A Discord-hosted link delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut that starts the loader chain. The loader unpacks a DOCX document, a CAB archive, and a PowerShell backdoor that establishes persistence and polls a command-and-control server. At runtime the backdoor checks for analysis environments and can execute PowerShell code returned by the server asynchronously.

Related Happenings

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

DEEP#DOOR Python backdoor framework

Malware Activity
First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

GoGra Linux backdoor uses Microsoft Graph API and Outlook for covert command delivery

Malware Activity
First: 22.04.2026 13:00 Last: 22.04.2026 13:00 Sources 1

About this happening: The **GoGra** malware family now includes a **Linux backdoor variant** that uses **Microsoft Graph API** and an **Outlook inbox** for covert command delivery, making operator comm...

Timeline

  1. 24.01.2026 17:23 2 articles

    Konni targets blockchain developers with AI-generated PowerShell malware

    Technical Analysis Update

    Konni (Opal Sleet, TA406) is targeting blockchain developers and engineers with AI-generated PowerShell malware in a campaign focused on Asia-Pacific targets. The delivery chain starts with a Discord-hosted link that drops a ZIP archive containing a PDF lure and a malicious LNK shortcut, which then unpacks a DOCX document and a CAB archive holding a PowerShell backdoor, batch files, and a UAC bypass executable. The backdoor uses anti-analysis checks, a scheduled task masquerading as OneDrive, XOR-encrypted scripting, and C2 polling to execute PowerShell code returned by the server.
