S0356: KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[1][2][3][4][5]
Analyst context for executives and security teams
KONNI is a Windows remote access tool associated in ATT&CK reporting with long-running suspected North Korean activity and politically focused targeting. Its practical significance is not just the malware name: the mapped behaviors show a toolset that can discover the host and network, collect local/user data, capture keystrokes/screens/clipboard contents, transfer tools, modify the Registry, disguise artifacts, and exfiltrate data over web or other protocols. For leaders, this makes KONNI a useful test case for whether endpoint, identity, network, and IR processes can recognize a Windows compromise that blends discovery, collection, stealth, and exfiltration rather than relying on a single malware signature.
Executive priority
Prioritize KONNI coverage where Windows endpoints handle sensitive political, executive, legal, operational, or regulated data, because the ATT&CK relationships include credential-adjacent collection, local data collection, and exfiltration behaviors. The key business question is whether the organization can prove it collects enough endpoint and network evidence to reconstruct discovery, persistence/Registry changes, command execution, data collection, and outbound transfer activity. Because MITRE provides no official detection text for this software object, leadership should treat coverage as a validation exercise across controls, logging, and incident response playbooks rather than assuming named-malware detection is sufficient.
Technical view
SOC and detection teams should validate behavior-based coverage on Windows for the related techniques: PowerShell, Windows Command Shell, JavaScript execution, Native API use, Registry modification, masqueraded tasks/services or legitimate-looking resource names, file deletion, packed or encoded files, discovery of users/processes/network configuration/connections/system information/files, local data collection, keylogging, screen capture, clipboard access, ingress tool transfer, web-protocol C2, and exfiltration over C2 or unencrypted non-C2 protocols. Since ATT&CK does not provide a KONNI-specific detection section here, detections should be built around correlated sequences: script or shell execution followed by discovery commands, suspicious file creation or transfer, Registry/task/service changes, collection artifacts, and unusual outbound web or unencrypted protocol traffic from the same host.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell, cmd, script interpreters, and discovery utilities
- Windows Registry change telemetry, especially changes that support persistence or execution
- Scheduled task and service creation/modification logs, including names or paths that resemble legitimate resources
- File creation, deletion, rename, and write events for suspicious executables, scripts, encoded files, packed files, and staging locations
- Endpoint security alerts or file metadata indicating packing, encoding, or masquerading
Detection direction
- Do not rely only on KONNI signatures; validate behavior chains across execution, discovery, collection, stealth, and exfiltration techniques mapped to this object.
- Tune for suspicious use of PowerShell, cmd, and JavaScript in combination with rapid system, user, process, file, and network discovery.
- Review Registry, task, and service changes for legitimate-looking names or locations that do not match normal software management activity.
- Correlate file deletion with prior tool transfer, execution, or collection activity to identify cleanup behavior.
- Inspect outbound web-protocol traffic and unencrypted non-C2 protocols for unusual destinations, volumes, timing, or host/process ownership, while accounting for normal business web traffic false positives.
Mitigation priorities
- First, confirm Windows endpoint visibility and retention are sufficient for process, command line, Registry, service/task, file, and network correlation.
- Harden and monitor script execution paths, including PowerShell, Windows Command Shell, and JavaScript interpreters, using least privilege and approved administration patterns.
- Reduce persistence and masquerading opportunities by controlling who can modify Registry locations, services, scheduled tasks, and trusted directories.
- Limit and monitor outbound traffic paths, especially web-protocol egress and unencrypted protocols that could carry exfiltrated data.
- Apply data handling controls around sensitive local files and user workstations, since the mapped behaviors include local data collection, screenshots, clipboard data, and keylogging.
Analyst notes and limits
The supplied ATT&CK object identifies KONNI as a Windows malware/remote access tool and notes researcher assessments of use by North Korean cyber actors, links to suspected campaigns, code overlap with NOKKI, and potential linkage to APT37. This take uses those statements conservatively and focuses on defensive decision value from the provided technique relationships. The relationship set is broad and should be translated into local detection content based on actual endpoint, proxy, DNS, EDR, and logging architecture.
MITRE provides no official detection text for this KONNI object, no aliases, and no object-level tactics. Technique relationships indicate behaviors associated with the malware, but they do not prove any specific local exposure, active exploitation, or guaranteed detection. Related technique platform lists include non-Windows platforms, but the KONNI object itself is supplied as Windows, so local validation should center on Windows unless other evidence exists.
KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[1][2][3][4][5]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1204.002 | Malicious File Sub-technique | KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1082 | System Information Discovery | KONNI can gather the OS version, architecture information, hostname, and RAM size information from the victim’s machine and has used |
| Enterprise | T1546.015 | Component Object Model Hijacking Sub-technique | KONNI has modified ComSysApp service to load the malicious DLL payload.CitationMedium KONNI Jan 2020 |
| Enterprise | T1016 | System Network Configuration Discovery | KONNI can collect the IP address from the victim’s machine.CitationTalos Konni May 2017 |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | KONNI has used FTP to exfiltrate reconnaissance data out.CitationMedium KONNI Jan 2020 |
| Enterprise | T1049 | System Network Connections Discovery | KONNI has used |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.CitationTalos Konni May 2017 |
| Enterprise | T1005 | Data from Local System | KONNI has stored collected information and discovered processes in a tmp file.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1134.004 | Parent PID Spoofing Sub-technique | KONNI has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1027.002 | Software Packing Sub-technique | KONNI has been packed for obfuscation.CitationMalwarebytes KONNI Evolves Jan 2022 |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify".CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1071.001 | Web Protocols Sub-technique | KONNI has used HTTP POST for C2.CitationTalos Konni May 2017CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1033 | System Owner/User Discovery | KONNI can collect the username from the victim’s machine.CitationTalos Konni May 2017 |
| Enterprise | T1070.004 | File Deletion Sub-technique | KONNI can delete files.CitationTalos Konni May 2017 |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.CitationTalos Konni May 2017 |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | KONNI is heavily obfuscated and includes encrypted configuration files.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1115 | Clipboard Data | KONNI had a feature to steal data from the clipboard.CitationTalos Konni May 2017 |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | KONNI has pretended to be the xmlProv Network Provisioning service.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1057 | Process Discovery | KONNI has used the command |
| Enterprise | T1059.001 | PowerShell Sub-technique | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.CitationTalos Konni May 2017CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1112 | Modify Registry | KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1680 | Local Storage Discovery | KONNI can gather information on connected drives and disk space from the victim’s machine.CitationTalos Konni May 2017CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1560 | Archive Collected Data | KONNI has encrypted data and files prior to exfiltration.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1105 | Ingress Tool Transfer | KONNI can download files and execute them on the victim’s machine.CitationTalos Konni May 2017CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1106 | Native API | KONNI has hardcoded API calls within its functions to use on the victim's machine.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1543.003 | Windows Service Sub-technique | KONNI has registered itself as a service using its export function.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | KONNI has used a custom base64 key to encode stolen data before exfiltration.CitationMedium KONNI Jan 2020 |
| Enterprise | T1113 | Screen Capture | KONNI can take screenshots of the victim’s machine.CitationTalos Konni May 2017 |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.CitationTalos Konni May 2017CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | KONNI has been delivered via spearphishing campaigns through a malicious Word document.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1218.011 | Rundll32 Sub-technique | KONNI has used Rundll32 to execute its loader for privilege escalation purposes.CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1134.002 | Create Process with Token Sub-technique | KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.CitationMedium KONNI Jan 2020CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1041 | Exfiltration Over C2 Channel | KONNI has sent data and files to its C2 server.CitationTalos Konni May 2017CitationMalwarebytes Konni Aug 2021CitationMalwarebytes KONNI Evolves Jan 2022 |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | KONNI has used AES to encrypt C2 traffic.CitationMalwarebytes KONNI Evolves Jan 2022 |
| Enterprise | T1083 | File and Directory Discovery | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.CitationTalos Konni May 2017 |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.CitationTalos Konni May 2017 |
| Enterprise | T1056.001 | Keylogging Sub-technique | KONNI has the capability to perform keylogging.CitationTalos Konni May 2017 |
| Enterprise | T1059.007 | JavaScript Sub-technique | KONNI has executed malicious JavaScript code.CitationMalwarebytes Konni Aug 2021 |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.CitationTalos Konni May 2017 |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.2 | Current bundle | c1074f33827e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Talos Konni May 2017
Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
Open source URL -
[2]
Unit 42 NOKKI Sept 2018
Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
Open source URL -
[3]
Unit 42 Nokki Oct 2018
Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
Open source URL -
[4]
Medium KONNI Jan 2020
Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
Open source URL -
[5]
Malwarebytes Konni Aug 2021
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
Open source URL -
[6]
KONNI
(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)
-
[7]
mitre-attack S0356Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.