Konni’s New Arsenal: Unmasking GSRAT in North Korea-linked APT Operation

2026-01-22 LAC

https://www.youtube.com/watch?v=sDqtyx9na2M

LAC analyzed a Konni campaign linked to North Korean activity in which Japanese financial institutions were targeted through spear-phishing and malicious archive delivery. The intrusion chain used email links to WordPress-hosted ZIP files, malicious LNK execution, PowerShell, curl, CAB extraction, VBScript, and AutoIt components to install GSRAT. GSRAT is described as an AutoIt-based RAT used since February 2025, with TCP socket-based C2, host identification built from PC, CPU, and disk data, and remote command execution capability. The presentation also notes Konni’s overlap or relationship with other DPRK-linked clusters such as Kimsuky and ScarCruft, making the campaign useful for tracking DPRK payload evolution and delivery tradecraft.