Expanded Analysis Report on the Konni Threat Universe
2024-09-05 • Genians • Expanded analysis of the Konni threat campaign
https://www.genians.co.kr/blog/threat_intelligence/konni_universe
Genians links increased Konni campaign activity with high confidence to the Kimsuky cluster and describes continued use of spear phishing against South Korean, Russian, diplomatic, security, finance, and cryptocurrency-related targets. The activity uses staged infection chains involving legitimate cloud services, FTP, LNK files, executable payloads, AutoIt-based defense-evasion tactics, and C2 infrastructure hosted through free web-hosting and domain services. The report correlates older Konni operations against Russian foreign-affairs themes with newer 2024 samples, including AsyncRAT variants tied to 159.100.13[.]216 and related domains such as duplikyservjc[.]cloud. Reused command patterns, victim-identification parameters based on hostnames, and shifting obfuscation techniques show a long-running campaign adapting its tooling while retaining recognizable infrastructure and tradecraft.
Indicators of Compromise