KONNI Adopts AI to Generate PowerShell Backdoors
2026-01-22 • Checkpoint •
https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/
Check Point Research attributes an ongoing phishing campaign to KONNI, a North Korean-linked actor that has historically focused on South Korea but is now observed targeting software developers and engineering teams with blockchain- and crypto-themed lures. The infection chain begins with a Discord-hosted ZIP containing a PDF lure and an LNK file; the LNK launches an embedded PowerShell loader, which extracts a DOCX lure and a CAB archive, stages files under C:\ProgramData, and creates an hourly scheduled task disguised as a OneDrive startup task. The PowerShell backdoor is heavily obfuscated, performs anti-analysis and user-interaction checks, fingerprints the host, enforces a mutex, communicates with a PHP-based C2, and contains comments and structure that CPR says strongly indicate AI-assisted generation. The campaign matters for DPRK tracking because it shows KONNI expanding toward developer- and blockchain-related access paths that could expose infrastructure, API credentials, wallet access, and cryptocurrency holdings.
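As an added defensive example (not code from the Check Point report), the following Python triage check scores scheduled-task records against the persistence traits summarised above: a OneDrive-looking task name that actually launches a script host, content staged under C:\ProgramData, hidden-window or policy-bypass flags, and an hourly trigger. The sample records and their field names are constructed for the example and do not come from the report.

```python
import re

# Constructed sample records shaped like the fields a defender would pull from
# task-creation telemetry (e.g. Windows Security event 4698 or Get-ScheduledTask).
# These are invented examples, not indicators from the report.
SAMPLE_TASKS = [
    {"name": "OneDrive Startup Task",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": r"-w hidden -ep bypass -f C:\ProgramData\svc\update.ps1",
     "interval": "PT1H"},
    {"name": "OneDrive Standalone Update Task",
     "command": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "arguments": "", "interval": "P1D"},
    {"name": "Nightly Backup",
     "command": r"C:\Program Files\Backup\backup.exe",
     "arguments": "--full", "interval": "P1D"},
]

# Script hosts a benign OneDrive maintenance task has no reason to launch.
SCRIPT_HOSTS = re.compile(r"(?:^|\\)(powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)
# Staging directory named in the summary.
STAGING_DIR = re.compile(r"C:\\ProgramData\\", re.I)
# Flags that hide the console, bypass execution policy, or pass an encoded command.
EVASION_FLAGS = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-enc", re.I)

def score_task(task):
    """Return the list of reasons a task record looks like the described persistence."""
    reasons = []
    name, cmd, args = task["name"], task["command"], task["arguments"]
    if "onedrive" in name.lower() and SCRIPT_HOSTS.search(cmd):
        reasons.append("OneDrive-named task launches a script host")
    if STAGING_DIR.search(cmd) or STAGING_DIR.search(args):
        reasons.append("runs content staged under C:\\ProgramData")
    if EVASION_FLAGS.search(args):
        reasons.append("hidden-window / bypass / encoded flags")
    # Hourly repetition only counts when another trait is already present.
    if task["interval"] == "PT1H" and reasons:
        reasons.append("hourly repetition")
    return reasons

def find_suspicious(tasks):
    """Map task name -> reasons for every record that scores at least one reason."""
    hits = {}
    for task in tasks:
        reasons = score_task(task)
        if reasons:
            hits[task["name"]] = reasons
    return hits

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```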