KONNI: A Malware Under The Radar For Years

2017-05-03 Cisco Talos

https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html


KONNI campaigns observed from 2014 to 2017 used spear-phishing attachments and social engineering to make victims open .scr droppers that displayed decoy documents before executing malware. The malware evolved from a one-time information stealer into a multi-component RAT with keylogging, clipboard theft, file upload and download, command execution, screenshot capture, and improved instruction handling. Several campaigns used decoys tied to North Korea themes or public organizations linked to North Korea, including UN, UNICEF, embassy, and agency contact lists. Infrastructure was hosted on free web-hosting domains such as 000webhost, with C2 paths including login.php, upload.php, download.php, and uploadtm.php. The reuse of files, code, and checks for artifacts from earlier versions suggests repeat targeting and a long-running, technically improving operation.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    3de491de3f39c599954bdbf08bba3ba…   2017-05-03   2017-05-03
HASH    94113c9968db13e3412c1b9c1c88259…   2017-05-03   2017-05-03
HASH    44150350727e2a42f66d50015e98de4…   2017-05-03   2017-05-03
HASH    553a475f72819b295927e469c7bf9ae…   2017-05-03   2017-05-03
HASH    dd730cc8fcbb979eb366915397b8535…   2017-05-03   2017-05-03
HASH    640477943ad77fb2a74752f4650707e…   2017-05-03   2017-05-03
HASH    413772d81e4532fec5119e9dce5e2bf…   2017-05-03   2017-05-03
HASH    92600679bb183c1897e7e1e64460821…   2017-05-03   2017-05-03
HASH    39bc918f0080603ac80fe1ec2edfd30…   2017-05-03   2017-05-03
HASH    56f159cde3a55ae6e9270d95791ef2f…   2017-05-03   2017-05-03
HASH    4585584fe7e14838858b24c18a792b1…   2017-05-03   2017-05-03
HASH    69a9d7aa0cb964c091ca128735b6e60…   2017-05-03   2017-05-03
HASH    eb90e40fc4d91dec68e8509056c52e9…   2017-05-03   2017-05-03
DOMAIN  dowhelsitjs.netau.net              2017-05-03   2017-05-03
DOMAIN  phpschboy.prohosts.org             2017-05-03   2017-05-03
DOMAIN  pactchfilepacks.net23.net          2017-05-03   2017-05-03
