Phishing Emails Used to Deploy KONNI Malware

2020-08-14 USCISA

https://us-cert.cisa.gov/ncas/alerts/aa20-227a


CISA observed phishing emails carrying Microsoft Word documents with malicious VBA macros that deploy KONNI, a RAT capable of file theft, keylogging, screenshots, and arbitrary code execution. The macro tries to trick users into enabling content by changing text color, checks whether Windows is 32-bit or 64-bit, and constructs command lines to download additional files. The infection chain uses CertUtil to retrieve and decode base64 content, silently copies certutil.exe into a temporary directory under a new name, writes a decoded batch file, deletes the intermediate text file, and executes the batch script. Documented KONNI behavior includes system and user discovery, HTTP C2, FTP exfiltration, file deletion, PowerShell use, browser credential theft, registry and shortcut persistence, COM hijacking, UAC bypass, clipboard theft, and screenshot capture. CISA also provides Snort detections for KONNI traffic patterns such as /weget/ PHP paths and suspicious HTTP headers.
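The certutil stages of the chain described above (copying certutil.exe to a temp directory under a new name, decoding base64 with it, then running the resulting batch file) are visible in process-creation telemetry. The following is an added example, not code from the CISA alert: it runs a handful of simple rules over constructed process-creation records modelled on Sysmon Event ID 1 fields (the `OriginalFileName` field is the PE version-info name, which survives renaming on disk and is what catches the renamed copy). The sample events, paths and rule names are all assumptions made for the illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    pid: int
    parent_image: str
    image: str
    original_file_name: str  # PE OriginalFilename: unchanged when the file is renamed on disk
    command_line: str


# Constructed sample telemetry (not from the alert): an Office-spawned shell
# copies certutil.exe to %TEMP% as sys.exe, the copy decodes a text file into
# a batch script, cmd.exe runs the script; the last event is benign admin use.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"cmd /c copy /y C:\Windows\System32\certutil.exe %TEMP%\sys.exe"),
    ProcEvent(1002, r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Local\Temp\sys.exe", "CertUtil.exe",
              r"C:\Users\alice\AppData\Local\Temp\sys.exe -decode "
              r"C:\Users\alice\AppData\Local\Temp\in.txt C:\Users\alice\AppData\Local\Temp\run.bat"),
    ProcEvent(1003, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"cmd /c C:\Users\alice\AppData\Local\Temp\run.bat"),
    ProcEvent(2001, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil -verify -urlfetch C:\certs\server.cer"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DECODE_RE = re.compile(r"(?:^|\s)[-/]decode\b", re.IGNORECASE)
COPY_CERTUTIL_RE = re.compile(r"\bcopy\b.*certutil\.exe", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\temp\\[^\s\"]+\.bat\b", re.IGNORECASE)


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()


def rules_for(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    is_certutil = ev.original_file_name.lower() == "certutil.exe"
    if _base(ev.parent_image) in OFFICE and _base(ev.image) in SHELLS:
        hits.append("office_spawns_shell")
    if _base(ev.image) == "cmd.exe" and COPY_CERTUTIL_RE.search(ev.command_line):
        hits.append("certutil_copied")
    # Renamed binary: PE name says certutil, on-disk name does not
    if is_certutil and _base(ev.image) != "certutil.exe":
        hits.append("renamed_certutil")
    # -decode (or /decode) is the base64-to-file use described in the alert
    if is_certutil and DECODE_RE.search(ev.command_line):
        hits.append("certutil_decode")
    if _base(ev.image) == "cmd.exe" and TEMP_BAT_RE.search(ev.command_line):
        hits.append("batch_from_temp")
    return hits


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each event's pid to the rules it triggered."""
    return {ev.pid: rules_for(ev) for ev in events}


def chain_detected(events: List[ProcEvent]) -> bool:
    """True when the copy -> renamed decode -> batch execution stages all appear."""
    seen = set()
    for ev in events:
        seen.update(rules_for(ev))
    return {"certutil_copied", "renamed_certutil", "certutil_decode", "batch_from_temp"} <= seen


if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
    print("full chain:", chain_detected(SAMPLE_EVENTS))
```

The benign `certutil -verify` event triggers nothing, while the three malicious events each hit at least one rule and together satisfy the chain check. Individual rules such as `certutil_decode` fire on legitimate administration too, so `chain_detected` is the higher-confidence signal; the per-event hits are what an analyst pivots from.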

Related Actors

Related Reports

2020-08-26 • 50% Match
#BeagleBoyz #FASTCash2 #T1082 #T1119 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1020 #T1560 #T1115 #T1083 #T1036 #T1027 #T1071 #T1548.003 #T1204 #T1057 #T1059.005 #T1518.001 #T1566.001 #T1547.001 #T1059.001 #T1053 #T1132.001 #T1102 #T1059 #T1199 #T1105 #T1219 #T1055 #T1553.002 #T1552.004 #T1562.001 #T1486 #T1129 #T1489 #T1078 #T1133 #T1053.003 #T1190 #T1203 #T1189 #T1049 #T1098 #T1087 #T1016 #T1070.006 #T1021.001 #T1574.001 #T1217 #T1106 #T1573 #T1095 #T1056 #T1010 #T1021.002 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1110 #T1561.002 #T1202 #T1070.003 #T1565.001 #T1021 #T1505.003 #T1027.005 #T1056.004 #T1218.001 #T1562.003 #T1014 #T1053.004 #T1101 #T1565.002 #T1565.003 #T1562.006
Shares tags: T1082, T1140, T1070.004 • Same author: USCISA • Published within a month