
Konni blockchain developer targeting campaign with AI-generated PowerShell malware

Type: Campaign
Happening score: 40
Sources: 1 unique source, 1 article

Summary


Konni (also tracked as Opal Sleet and TA406) is running an active campaign that uses AI-generated PowerShell malware against developers and engineers in the blockchain sector, with an apparent Asia-Pacific focus. The campaign matters because the lure is built to compromise development environments, from which the actor can reach infrastructure, API credentials, wallet access, and cryptocurrency holdings. The intrusion chain runs from a Discord-hosted link to a ZIP archive, a malicious LNK shortcut, and a PowerShell backdoor that establishes access and persistence.

Related Happenings

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

Hugging Face shared-loader supply chain campaign

Campaign
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....

PCPJack worm-like credential theft framework

Malware Activity
First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Timeline

  1. 24.01.2026 17:23 · 2 articles

    Konni targets blockchain developers with AI-generated PowerShell malware

    Initial Disclosure

    A Konni (Opal Sleet, TA406) campaign targets blockchain-sector developers and engineers in the Asia-Pacific region with AI-generated PowerShell malware. Delivery starts from a Discord-hosted link that serves a ZIP archive containing a PDF lure and a malicious LNK shortcut. Opening the shortcut runs an obfuscated PowerShell backdoor that performs environment checks, generates a unique host ID, establishes persistence through an hourly scheduled task masquerading as a OneDrive startup task, and polls a C2 server on that cadence, submitting host metadata and fetching additional PowerShell code to execute. The lure is framed to gain access to infrastructure, API credentials, wallet access, and cryptocurrency holdings.

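The persistence step in the timeline entry above, an hourly scheduled task that borrows OneDrive's name, is the most durable host artifact in that chain and the easiest one to hunt for. What follows is an added example written for this page, not code from the original reporting or from the actor's tooling. It parses Task Scheduler task XML (the format that `schtasks /query /xml` exports, that Windows stores under C:\Windows\System32\Tasks, and that Security event 4698 embeds in its TaskContent field) and flags a task whose OneDrive-style name is paired with a PowerShell action, a hidden window, an execution-policy bypass, an encoded command, or a repetition interval of an hour or less, decoding the encoded command along the way. Both task definitions are constructed for illustration; the task names, paths and encoded payload are assumptions, not indicators taken from the report.

```python
"""Hunt for scheduled-task persistence shaped like the chain described above.

Added example for this page; not code from the original reporting or from the
actor's tooling. Input is Task Scheduler XML, as exported by
`schtasks /query /xml` or embedded in the TaskContent field of Security
event 4698. Both sample tasks below are constructed for illustration.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Default namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample 1: the shape of a genuine OneDrive updater task (daily,
# runs the OneDrive binary). SID suffix and path are illustrative.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1001</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed sample 2: a OneDrive-themed name, hourly repetition and a
# PowerShell action with hidden window, policy bypass and encoded command.
# Task name and payload are invented (the payload is a harmless fragment).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Startup Task</URI></RegistrationInfo>
  <Triggers><LogonTrigger>
    <Repetition><Interval>PT1H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
  </LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
  </Exec></Actions>
</Task>"""

# PowerShell accepts any unambiguous prefix of a parameter name; these cover the
# spellings seen most often (-w/-win/-WindowStyle, -e/-ec/-enc/-EncodedCommand,
# -ep/-ex/-ExecutionPolicy).
PS_BINARY = re.compile(r"(?i)(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$")
HIDDEN_WINDOW = re.compile(r"(?i)-w[a-z]*\s+hidden")
POLICY_BYPASS = re.compile(r"(?i)-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)")
ENCODED_ARG = re.compile(r"(?i)-e(?:[cn][a-z]*)?\s+([A-Za-z0-9+/=]{16,})")


def parse_task(xml_text):
    """Extract the fields this hunt needs from one task definition."""
    root = ET.fromstring(xml_text)
    get = lambda path: (root.findtext(path, default="", namespaces=NS) or "").strip()
    return {
        "name": get("t:RegistrationInfo/t:URI"),
        "command": get("t:Actions/t:Exec/t:Command").strip('"'),
        "arguments": get("t:Actions/t:Exec/t:Arguments"),
        "interval": get(".//t:Repetition/t:Interval"),
    }


def interval_minutes(iso_duration):
    """ISO 8601 duration as used by <Interval> (PT1H, PT30M) -> minutes, or None."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration or "")
    if not m or (m.group(1) is None and m.group(2) is None):
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def decode_encoded_command(arguments):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    m = ENCODED_ARG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def assess(xml_text):
    """Return the task name, its findings (empty means clean) and any decoded payload."""
    task = parse_task(xml_text)
    findings = []
    runs_powershell = bool(PS_BINARY.search(task["command"]))
    # The masquerade itself: a OneDrive-named task whose action is PowerShell.
    if "onedrive" in task["name"].lower() and runs_powershell:
        findings.append("onedrive_masquerade")
    if runs_powershell and HIDDEN_WINDOW.search(task["arguments"]):
        findings.append("hidden_window")
    if runs_powershell and POLICY_BYPASS.search(task["arguments"]):
        findings.append("policy_bypass")
    decoded = decode_encoded_command(task["arguments"]) if runs_powershell else None
    if decoded is not None:
        findings.append("encoded_command")
    minutes = interval_minutes(task["interval"])
    # Hourly (or tighter) repetition of a PowerShell action reads as a beacon cadence.
    if runs_powershell and minutes is not None and minutes <= 60:
        findings.append("hourly_beacon")
    return {"name": task["name"], "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for sample in (BENIGN_TASK, SUSPICIOUS_TASK):
        result = assess(sample)
        print(f"{result['name']}: {', '.join(result['findings']) or 'clean'}")
        if result["decoded"]:
            print(f"  decoded payload: {result['decoded']!r}")
```

To use it on real data, feed each task's XML to `assess()`, whether read from the files under C:\Windows\System32\Tasks or pulled from the TaskContent field of event 4698. The benign sample produces no findings, because every check is gated on the action being PowerShell rather than on the OneDrive name alone; a genuine OneDrive task is named OneDrive and runs an OneDrive binary. Extend the parameter regexes if telemetry shows other prefix spellings.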