Menu
Browse

Cyber Threat Actor: KONNI

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Spy
Russia
3 incidents
Profile

The threat actor known as the Konni Group, also tracked under the aliases KONNI and UNKN, is associated with Russian origins based on available reporting. Observed activity focuses on targeting United States government entities and foreign nationals who have professional ties to North Korean affairs. The actor’s operations are characterized by the deployment of remote access tools that enable persistent command‑and‑control communication, indicating an espionage‑oriented objective centered on gathering information rather than financial gain or destructive disruption.

Typical tactics involve phishing emails that carry malicious Microsoft Word documents as lures, often framed around North Korean geopolitical topics and sent from Russian email addresses. These documents employ macro code that checks the victim’s system architecture, executes hidden commands, and in later waves delivers embedded Windows binaries encoded as hex strings separated by the “|” character. The macro drops either the CARROTBAT dropper, first seen in a December 2017 incident against a British government agency, or the newer CARROTBALL payload, which functions as a second‑stage installer. Both droppers ultimately install the SYSCON remote access trojan, which communicates with operator‑controlled servers via the File Transfer Protocol for data exfiltration and sustained access.

Attribution to the Konni Group is made with moderate confidence by researchers at Palo Alto Networks’ Unit 42, who link the observed malware families and TTPs to a threat actor aligned with North Korean interests. The most publicly cited operation is the “Fractured Statue” campaign that ran from July to October 2019, consisting of three waves of phishing lures sent from four distinct Russian email addresses. In the final wave, the CARROTBALL payload was used alongside a lure titled “The investment climate of North Korea,” demonstrating the actor’s evolution in delivery mechanics while maintaining consistent targeting of government and North Korea‑related targets. No additional campaigns or broader affiliations are detailed in the supplied sources.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
1 source