Konni blockchain developer targeting campaign with AI-generated PowerShell malware
Campaign
Summary
Hide ▲
Show ▼
Konni (Opal Sleet, TA406) is running an active campaign that uses AI-generated PowerShell malware to target developers and engineers in the blockchain sector, with an apparent Asia-Pacific focus. The operation matters because the lure is designed to compromise development environments and reach infrastructure, API credentials, wallet access, and cryptocurrency holdings. The intrusion chain uses a Discord-hosted link, a ZIP archive, a malicious LNK, and a PowerShell backdoor to establish access and persistence.
Related Happenings
Cavern Manticore campaign targeting Israeli government and IT organizations
Campaign
H score30
First: 06.07.2026 19:00
Last: 06.07.2026 19:00
Sources 1
About this happening:
The **Cavern Manticore** campaign is **targeting Israeli government and IT organizations** since **early 2026**, increasing the risk of **unauthorized access** and **data theft**...
Cavern Manticore campaign targeting Israeli government and IT organizations
CampaignAbout this happening: The **Cavern Manticore** campaign is **targeting Israeli government and IT organizations** since **early 2026**, increasing the risk of **unauthorized access** and **data theft**...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
H score28
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityAbout this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Hugging Face shared-loader supply chain campaign
Campaign
H score79
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
Hugging Face shared-loader supply chain campaign
CampaignAbout this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
PCPJack worm-like credential theft framework
Malware Activity
H score27
First: 07.05.2026 20:45
Last: 07.05.2026 20:45
Sources 1
About this happening:
The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
PCPJack worm-like credential theft framework
Malware ActivityAbout this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
Timeline
-
24.01.2026 17:23 2 articles · 5mo ago
Konni targets blockchain developers with AI-generated PowerShell malware
Initial DisclosureA Konni (Opal Sleet, TA406) campaign targets blockchain-sector developers and engineers in the Asia-Pacific region with AI-generated PowerShell malware delivered through a Discord-hosted link that drops a ZIP archive containing a PDF lure and a malicious LNK shortcut. The execution chain deploys an obfuscated PowerShell backdoor that performs environment checks, generates a unique host ID, creates persistence through an hourly scheduled task masquerading as a OneDrive startup task, and polls a C2 server for host metadata and additional PowerShell code. The lure is framed to gain access to infrastructure, API credentials, wallet access, and cryptocurrency holdings.
Show sources
- Konni hackers target blockchain engineers with AI-built malware — www.bleepingcomputer.com — 24.01.2026 17:23
- Konni hackers target blockchain engineers with AI-built malware — www.bleepingcomputer.com — 24.01.2026 17:23