Malware Impersonating the Cybercrime Reporting System, Created by the North Korean Hacking Group Konni - ECRM.hwp.lnk (2025.3.11)
2025-03-14 • Sakai • Malware Created by the North Korean Hacking Group Konni Impersonating the Cybercrime Reporting System - ECRM.hwp.lnk (2025.3.11)
The Konni activity described in the source uses an ECRM-themed HWP-disguised LNK lure that impersonates South Korea's cybercrime reporting system and launches mshta with obfuscated JavaScript and PowerShell commands. The chain relies on shortcut-file execution, encoded command content, and, most likely, a decoy document to gain initial execution while hiding the malicious behavior from the victim.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 64.20.59.148 | 2025-02-26 | 2025-05-13 |
| HASH | 811d221a1340e64aa1736d9d4e8f808… | 2025-03-12 | 2025-03-19 |
| HASH | 61bae4c2061e3672eb1d416a2e894f8… | 2025-03-14 | 2025-03-14 |
| HASH | 5bd8cad0e4f14e252056830d16abfbe5 | 2025-03-14 | 2025-03-14 |
| URL | http://snswf.dropwm.com/ | 2025-03-14 | 2025-03-14 |
| DOMAIN | snswf.dropwm.com | 2025-03-14 | 2025-03-14 |