Unit 42 identified NOKKI, a malware family closely related to KONNI through code and infrastructure overlap, in attacks observed from early 2018 through at least July 2018. The activity likely targeted politically motivated victims in Eurasia and possibly Southeast Asia, using Cambodian and Russian political decoys delivered as executable files, screen-saver files, and later macro-enabled Word documents. NOKKI collected victim host data, wrote artifacts such as uplog.tmp, installed payloads under local Microsoft-themed paths, and used Run-key persistence before communicating with C2 over FTP in earlier variants and HTTP in later variants. The operators relied heavily on compromised legitimate South Korean infrastructure for delivery and C2, with additional infrastructure including 101.129.1[.]104 and files.000webhost[.]com, the latter previously seen in KONNI activity. The report matters for tracking KONNI/NOKKI tradecraft because it shows a transition in delivery and C2 protocols while preserving shared development artifacts such as the zeus document author and repeated PDB paths.