Konni APT exploits WinRAR vulnerability (CVE-2023-38831) to attack the digital currency industry for the first time

2023-09-14 Knownsec Konni APT exploits WinRAR vulnerability (CVE-2023-38831) to attack the digital currency industry for the first time

https://paper.seebug.org/3032/


Knownsec 404 reported that Konni used the WinRAR CVE-2023-38831 vulnerability in a lure archive aimed at the digital currency industry, a target set the source describes as unusual for Konni when compared with Lazarus. The captured archive referenced Qbao Network and abused WinRAR's handling of a file and a directory that share the same name, so that opening the decoy HTML file executed a hidden EXE payload instead. The payload contacted e9f0dkd.c1.biz, staged BAT and VBS scripts, downloaded ZIP and CAB components, and used UAC bypass methods including wusa.exe token impersonation and AppInfo RPC with PPID spoofing. The final Konni RAT installed a "Remote Database Service Update" service, collected systeminfo and tasklist output, encrypted and uploaded host data, and supported remote command, file upload, and file execution functions.
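The archive trick described above (a decoy file next to a directory of the same name) is something a mail gateway or sandbox can check for before WinRAR ever opens the file. The script below is an added example written for this page, not code from the Knownsec report or from any scanning product: it derives every directory implied by the member paths of a ZIP, normalises names by stripping trailing whitespace (the published CVE-2023-38831 variant pads the names with a trailing space) and folding case, and reports any file entry whose normalised name matches a directory, together with executable-looking members inside that directory. The two archives it scans are constructed in memory for the demonstration; the file names, the `EXEC_EXTS` list and the result format are this example's own choices, not values from the report.

```python
import io
import zipfile

# Extensions the report says the chain staged (EXE, BAT, VBS) plus a few other
# Windows-executable types; this list is the example's own choice, extend as needed.
EXEC_EXTS = (".exe", ".bat", ".cmd", ".vbs", ".scr", ".com", ".js", ".wsf")


def build_archive(entries):
    """Build an in-memory ZIP from (name, data) pairs. zipfile stores names
    verbatim, trailing spaces included, which is exactly the shape to detect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def _norm(component):
    """Normalise one path component: drop trailing whitespace and fold case."""
    return component.rstrip().lower()


def find_same_name_collisions(zip_bytes):
    """Return one record per file entry whose normalised path matches a directory
    present in the same archive, listing executable-looking members under it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Directories are often not stored as their own entries, so derive them
    # from every path prefix of every member (explicit "dir/" entries included).
    implied_dirs = {}
    for n in names:
        is_dir = n.endswith("/")
        parts = n.rstrip("/").split("/")
        for i in range(1, len(parts) + (1 if is_dir else 0)):
            key = "/".join(_norm(p) for p in parts[:i])
            implied_dirs.setdefault(key, "/".join(parts[:i]))

    hits = []
    for f in names:
        if f.endswith("/"):
            continue  # directory entry, not a decoy candidate
        key = "/".join(_norm(p) for p in f.split("/"))
        if key not in implied_dirs:
            continue
        d = implied_dirs[key]
        payloads = sorted(
            m for m in names
            if m.startswith(d + "/") and not m.endswith("/")
            and _norm(m).endswith(EXEC_EXTS)
        )
        hits.append({"decoy": f, "directory": d, "payload_candidates": payloads})
    return hits


# Constructed samples, not the real Konni archive: a decoy HTML beside a
# same-named directory (trailing space) that holds an executable, and a
# benign archive where a file and a directory merely share a prefix.
LURE_ZIP = build_archive([
    ("lure.html ", b"<html><body>decoy</body></html>"),
    ("lure.html /lure.html .exe", b"MZ-placeholder"),
])
BENIGN_ZIP = build_archive([
    ("readme.html", b"<html></html>"),
    ("docs/readme.html", b"<html></html>"),
])


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, find_same_name_collisions(blob))
```

Running the script flags the constructed lure archive once, with `lure.html /lure.html .exe` as the payload candidate, and reports nothing for the benign archive. Only the ZIP container is handled here; RAR archives need a parser such as a RAR library, but the same name-collision logic applies to their member listings.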

Indicators of Compromise

Type     Value                              First Seen   Last Seen
HASH     1536e9bf086982c072c2cba7d42b0a62   2023-09-14   2023-09-18
DOMAIN   ske9dhn.c1.biz                     2023-09-14   2023-09-18
DOMAIN   e9f0dkd.c1.biz                     2023-09-14   2023-09-18
