Malware made by the North Korean hacking group Konni: ECRM.M.hwp.lnk (<- tentative name, 2025.3.24)
2025-04-10 • Sakai • Malware Made by North Korean Hacking Group Konni: ECRM.M.hwp.lnk
A Konni-linked Windows shortcut sample named ECRM.M.M.hwp.lnk uses mshta.exe to build and run an obfuscated PowerShell command. The script searches for an LNK file of exactly 0x17cb bytes, falling back to the user's TEMP subdirectories if the first lookup fails, skips the first 0x8e4 bytes of that file, writes the remaining embedded payload to e.ps1, and runs it through PowerShell with execution-policy bypass. The analysis identifies the sample hashes and a reversed or encoded IP artifact that resolves to 46.20.95.148, giving defenders concrete hunting material for related Konni LNK activity.
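The size-and-offset trick described above is itself a usable hunting signature: any shortcut on disk that is exactly 0x17cb bytes long and carries a normal Shell Link header can be checked, and the bytes from offset 0x8e4 onward are what the loader would have dropped as e.ps1. The script below is an added example written for this page, not code from Sakai's post or from the sample; it assumes the sample keeps a standard MS-SHLLINK header (HeaderSize 0x4C plus the LinkCLSID), and the `build_constructed_sample` helper fabricates a synthetic file of the right shape purely so the sweep can be exercised offline. The carved bytes are returned for analyst triage, not executed.

```python
import os
import struct
import tempfile
from typing import List, Optional, Tuple

# Sizes taken from the analysis above: the loader looks for an LNK of exactly
# 0x17cb bytes and writes everything after the first 0x8e4 bytes to e.ps1.
EXPECTED_LNK_SIZE = 0x17CB
PAYLOAD_OFFSET = 0x8E4
PAYLOAD_LENGTH = EXPECTED_LNK_SIZE - PAYLOAD_OFFSET  # 3815 bytes

# Shell Link (MS-SHLLINK) header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 serialised in little-endian field order.
# Assumption: the real sample carries this standard header.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shell_link(data: bytes) -> bool:
    """True if the buffer starts with a well-formed Shell Link header."""
    if len(data) < 20:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def carve_payload(data: bytes) -> Optional[bytes]:
    """Return the bytes the loader would write to e.ps1, or None if the file
    does not match the size-and-header pattern described in the report."""
    if len(data) != EXPECTED_LNK_SIZE or not is_shell_link(data):
        return None
    return data[PAYLOAD_OFFSET:]


def hunt(root: str) -> List[Tuple[str, bytes]]:
    """Walk a directory tree and return (path, carved payload) for every .lnk that
    matches. The size test runs before the file is opened so large trees stay cheap."""
    hits: List[Tuple[str, bytes]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) != EXPECTED_LNK_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            payload = carve_payload(data)
            if payload is not None:
                hits.append((path, payload))
    return hits


def build_constructed_sample(script: bytes) -> bytes:
    """Constructed stand-in for testing only (NOT the real sample): a minimal Shell Link
    header, zero padding up to 0x8e4, then `script` padded to the exact expected size."""
    if len(script) > PAYLOAD_LENGTH:
        raise ValueError("script does not fit in the payload region")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    body = header.ljust(PAYLOAD_OFFSET, b"\x00")
    return body + script.ljust(PAYLOAD_LENGTH, b"\x00")


def demo() -> int:
    """Write one matching and two non-matching .lnk files to a temp dir, sweep it,
    and return the number of hits (expected: 1)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_constructed_sample(b"Write-Output 'constructed sample'")
        with open(os.path.join(tmp, "ECRM.M.hwp.lnk"), "wb") as fh:
            fh.write(good)
        # Right size but not a Shell Link header: must be ignored.
        with open(os.path.join(tmp, "decoy1.lnk"), "wb") as fh:
            fh.write(b"\xff" * EXPECTED_LNK_SIZE)
        # Valid header but one byte short: must be ignored.
        with open(os.path.join(tmp, "decoy2.lnk"), "wb") as fh:
            fh.write(good[:-1])
        hits = hunt(tmp)
        for path, payload in hits:
            print(f"{path}: {len(payload)} bytes carved, starts {payload[:16]!r}")
        return len(hits)


if __name__ == "__main__":
    demo()
```

Point `hunt()` at a user profile or the TEMP tree the loader itself falls back to, and send any carved payload to a sandbox or a static review rather than running it; a matching size alone is a weak signal, so the header check and the carved content are what turn a hit into something worth escalating.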
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 6da06e1e7b9e8e5eb9f199b0fbcf811a | 2025-04-10 | 2025-04-10 |
| HASH | 6ae124c02d58737ba8b74e1f2da6b45… | 2025-04-10 | 2025-04-10 |
| IPv4 | 46.20.95.148 | 2025-04-10 | 2025-04-10 |
| DOMAIN | caller.3utilities.com | 2025-03-28 | 2025-04-10 |
| DOMAIN | blessdayservices.org | 2025-03-28 | 2025-04-10 |
| HASH | 6fb3dfe451b37b0304a42e62759bf36… | 2025-03-27 | 2025-04-10 |