A Quick Look at a New KONNI RAT Variant

2017-08-15 Fortinet

https://www.fortinet.com/blog/threat-research/a-quick-look-at-a-new-konni-rat-variant.html


FortiGuard Labs analyzed a new KONNI RAT variant delivered by a malicious Word document that uses a decoy article about North Korea, while noting that the victims' actual relationship to North Korea was unclear. The document's VB macro drops an ASPack-packed installer as stify.exe, which writes a 32-bit or 64-bit KONNI DLL under %LocalAppData%\MFAData\event and establishes persistence through rundll32.exe autorun registry entries. The RAT retains the capabilities seen in earlier KONNI activity, including file upload, system discovery, screenshot capture, file search, keylogging, and clipboard grabbing. Network handling differs from prior reporting: exfiltrated data is zipped, RC4-encrypted with a hardcoded key, Base64-encoded, and sent to the C2 in a query-string format. Indicators include donkeydancehome[.]freeiz.com and a DOC download URL hosted on uphero[.]com.
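The exfiltration chain described above (zip, then RC4 with a hardcoded key, then Base64, then a query string) is the part an analyst most often has to reverse when a capture of the C2 traffic is available. The following is an added example, not code from the Fortinet write-up or from the malware itself: it implements RC4 from scratch, builds a query string in that format from constructed sample data so the decoder can be exercised offline, and then decodes it back to the archive members. The RC4 key, the query parameter name and the file names are assumptions (the page does not state the real key or parameter); a sanity check on the zip signature catches the wrong-key case instead of handing garbage to the zip parser.

```python
import base64
import io
import zipfile
from typing import Dict
from urllib.parse import parse_qs, urlencode

# Assumed values: the sample's real hardcoded RC4 key and query parameter
# name are not given on this page, so placeholders are used here.
RC4_KEY = b"placeholder-key"
PARAM = "data"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_query(files: Dict[str, bytes], key: bytes = RC4_KEY) -> str:
    """Produce a query string in the described format (zip -> RC4 -> Base64)
    from constructed sample files, so the decoder can be tested offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    blob = base64.b64encode(rc4(key, buf.getvalue())).decode("ascii")
    return urlencode({PARAM: blob})           # percent-encodes '+', '/', '='


def decode_query(query: str, key: bytes = RC4_KEY) -> Dict[str, bytes]:
    """Analyst-side decoder: reverse the chain on a captured query string
    and return the archive members as {name: content}."""
    params = parse_qs(query)
    if PARAM not in params:
        raise ValueError(f"query string has no '{PARAM}' parameter")
    raw = rc4(key, base64.b64decode(params[PARAM][0]))
    # A correctly decrypted payload is a zip archive, which starts with "PK".
    if raw[:2] != b"PK":
        raise ValueError("decrypted payload is not a zip archive: wrong key or parameter?")
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    # Constructed sample content standing in for clipboard and keylog data.
    sample = {"clip.txt": b"copied text", "keys.log": b"typed keys"}
    q = build_query(sample)
    print(q[:60] + "...")
    for name, content in decode_query(q).items():
        print(name, content)
```

To use this against real captures, replace the placeholder key and parameter name with the values recovered from the sample; the "PK" check will immediately tell you whether the key is right.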

Indicators of Compromise

Type     Value                               First Seen   Last Seen
HASH     834d3b0ce76b3f62ff87b7d6f2f9cc9b    2017-08-15   2017-08-15
HASH     0914ef43125114162082a11722c4cfc3    2017-08-15   2017-08-15
HASH     38ead1e8ffd5b357e879d7cb8f467508    2017-08-15   2017-08-15
DOMAIN   donkeydancehome.freeiz.com          2017-08-15   2017-08-15
DOMAIN   seesionerrorwebmailattach.upher…    2017-08-15   2017-08-15
