KONNI evolves into stealthier RAT

2022-01-26 Malwarebytes

https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/

Malwarebytes reported that KONNI RAT, used by a North Korean threat actor under the Kimsuky umbrella, was still being actively developed for attacks against political institutions in Russia and South Korea. Newer samples removed the rundll32 execution branch and instead favored Windows service execution, causing sandbox runs that invoke rundll32 to fail early. The malware also moved from simpler string obfuscation to AES-protected strings and support files, deriving keys from the service or file names and encrypting data sent to command-and-control servers. These changes make samples harder to analyze without the correct service context and show continued investment in stealth and anti-analysis for KONNI operations.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  a3cd08afd7317d1619fba83c109f268…  2022-01-26  2022-01-26
HASH  f702dfddbc5b4f1d5a5a9db0a2c0139…  2021-08-20  2022-01-26
