APT Group - Konni Launches New Attacks on South Korea
2024-10-30 • Threat Book
https://threatbook.io/blog/APT-Group---Konni-Launches-New-Attacks-on-South-Korea
ThreatBook reports that Konni targeted South Korean RTP engineering staff and people working on tax and North Korean market analysis from mid-April to early July 2024. The campaign used Korean-themed LNK lures such as meeting materials, tax evasion, and market-price documents; the samples appear to have been mass-generated from templates and were delivered at different times. The LNK execution chain downloaded payloads from compromised websites, used AutoIt3 scripts for evasion, and maintained persistence so the actor could reuse short-lived core payload infrastructure. ThreatBook extracted related sample, IP, and domain indicators for detection, including the Meeting Materials sample tied to RTP employees.