S0356: KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[1][2][3][4][5]
Analyst context for executives and security teams
KONNI is a Windows remote access tool associated in ATT&CK reporting with long-running suspected North Korean activity and politically focused targeting. Its practical significance is not just the malware name: the mapped behaviors show a toolset that can discover the host and network, collect local/user data, capture keystrokes/screens/clipboard contents, transfer tools, modify the Registry, disguise artifacts, and exfiltrate data over web or other protocols. For leaders, this makes KONNI a useful test case for whether endpoint, identity, network, and IR processes can recognize a Windows compromise that blends discovery, collection, stealth, and exfiltration rather than relying on a single malware signature.
Executive priority
Prioritize KONNI coverage where Windows endpoints handle sensitive political, executive, legal, operational, or regulated data, because the ATT&CK relationships include credential-adjacent collection, local data collection, and exfiltration behaviors. The key business question is whether the organization can prove it collects enough endpoint and network evidence to reconstruct discovery, persistence/Registry changes, command execution, data collection, and outbound transfer activity. Because MITRE provides no official detection text for this software object, leadership should treat coverage as a validation exercise across controls, logging, and incident response playbooks rather than assuming named-malware detection is sufficient.
Technical view
SOC and detection teams should validate behavior-based coverage on Windows for the related techniques: PowerShell, Windows Command Shell, JavaScript execution, Native API use, Registry modification, masqueraded tasks/services or legitimate-looking resource names, file deletion, packed or encoded files, discovery of users/processes/network configuration/connections/system information/files, local data collection, keylogging, screen capture, clipboard access, ingress tool transfer, web-protocol C2, and exfiltration over C2 or unencrypted non-C2 protocols. Since ATT&CK does not provide a KONNI-specific detection section here, detections should be built around correlated sequences: script or shell execution followed by discovery commands, suspicious file creation or transfer, Registry/task/service changes, collection artifacts, and unusual outbound web or unencrypted protocol traffic from the same host.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell, cmd, script interpreters, and discovery utilities
- Windows Registry change telemetry, especially changes that support persistence or execution
- Scheduled task and service creation/modification logs, including names or paths that resemble legitimate resources
- File creation, deletion, rename, and write events for suspicious executables, scripts, encoded files, packed files, and staging locations
- Endpoint security alerts or file metadata indicating packing, encoding, or masquerading
Detection direction
- Do not rely only on KONNI signatures; validate behavior chains across execution, discovery, collection, stealth, and exfiltration techniques mapped to this object.
- Tune for suspicious use of PowerShell, cmd, and JavaScript in combination with rapid system, user, process, file, and network discovery.
- Review Registry, task, and service changes for legitimate-looking names or locations that do not match normal software management activity.
- Correlate file deletion with prior tool transfer, execution, or collection activity to identify cleanup behavior.
- Inspect outbound web-protocol traffic and unencrypted non-C2 protocols for unusual destinations, volumes, timing, or host/process ownership, while accounting for normal business web traffic false positives.
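One way to turn the correlated sequence described above (script or shell execution followed by rapid discovery on the same host) into hunting logic, as an added example that is not part of the MITRE object or Glexia's page. The record layout, the utility-to-category mapping, the window and the threshold are assumptions to tune against local baselines; the log lines are constructed.

```python
"""Correlate interpreter execution with rapid multi-category discovery per host.

Added example, not MITRE or Glexia code. Input records are constructed
process-creation events: "timestamp,host,parent_image,image".
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Discovery categories named in the analyst text, mapped to common utilities
# (assumed mapping; extend with what your EDR actually records).
DISCOVERY = {
    "whoami.exe": "user", "net.exe": "user", "tasklist.exe": "process",
    "ipconfig.exe": "network-config", "netstat.exe": "connections",
    "systeminfo.exe": "system", "where.exe": "file", "tree.com": "file",
}
WINDOW = timedelta(seconds=120)   # assumption: tune to the local baseline
MIN_CATEGORIES = 3                # assumption: distinct categories needed to alert

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "2024-05-01T09:00:00,WS01,explorer.exe,cmd.exe",
    "2024-05-01T09:00:03,WS01,cmd.exe,whoami.exe",
    "2024-05-01T09:00:05,WS01,cmd.exe,tasklist.exe",
    "2024-05-01T09:00:09,WS01,cmd.exe,ipconfig.exe",
    "2024-05-01T09:00:12,WS01,cmd.exe,netstat.exe",
    "2024-05-01T09:00:15,WS01,cmd.exe,systeminfo.exe",
    "2024-05-01T10:30:00,WS02,explorer.exe,powershell.exe",
    "2024-05-01T10:30:20,WS02,powershell.exe,ipconfig.exe",  # one-off admin use
]

def parse(line):
    """Split one constructed CSV record into typed fields."""
    ts, host, parent, image = line.strip().split(",")
    return datetime.fromisoformat(ts), host, parent.lower(), image.lower()

def find_discovery_chains(lines):
    """Return one alert per (host, interpreter start) whose WINDOW contains
    children of that interpreter covering MIN_CATEGORIES distinct categories."""
    by_host = defaultdict(list)
    for ts, host, parent, image in map(parse, lines):
        by_host[host].append((ts, parent, image))
    alerts = []
    for host, events in by_host.items():
        events.sort()
        for ts, _parent, image in events:
            if image not in INTERPRETERS:
                continue
            cats = {DISCOVERY[i] for t, p, i in events
                    if ts <= t <= ts + WINDOW and p == image and i in DISCOVERY}
            if len(cats) >= MIN_CATEGORIES:
                alerts.append({"host": host, "interpreter": image,
                               "start": ts.isoformat(), "categories": sorted(cats)})
    return alerts
```

Discovery performed with PowerShell cmdlets rather than child processes never appears in process-creation data, so script block logging is needed to cover that path.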
Mitigation priorities
- First, confirm Windows endpoint visibility and retention are sufficient for process, command line, Registry, service/task, file, and network correlation.
- Harden and monitor script execution paths, including PowerShell, Windows Command Shell, and JavaScript interpreters, using least privilege and approved administration patterns.
- Reduce persistence and masquerading opportunities by controlling who can modify Registry locations, services, scheduled tasks, and trusted directories.
- Limit and monitor outbound traffic paths, especially web-protocol egress and unencrypted protocols that could carry exfiltrated data.
- Apply data handling controls around sensitive local files and user workstations, since the mapped behaviors include local data collection, screenshots, clipboard data, and keylogging.
Analyst notes and limits
The supplied ATT&CK object identifies KONNI as a Windows malware/remote access tool and notes researcher assessments of use by North Korean cyber actors, links to suspected campaigns, code overlap with NOKKI, and potential linkage to APT37. This take uses those statements conservatively and focuses on defensive decision value from the provided technique relationships. The relationship set is broad and should be translated into local detection content based on actual endpoint, proxy, DNS, EDR, and logging architecture.
MITRE provides no official detection text for this KONNI object, no aliases, and no object-level tactics. Technique relationships indicate behaviors associated with the malware, but they do not prove any specific local exposure, active exploitation, or guaranteed detection. Related technique platform lists include non-Windows platforms, but the KONNI object itself is supplied as Windows, so local validation should center on Windows unless other evidence exists.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | c1074f33827e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Konni May 2017. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- [2] Unit 42 NOKKI Sept 2018. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- [3] Unit 42 Nokki Oct 2018. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- [4] Medium KONNI Jan 2020. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
- [5] Malwarebytes Konni Aug 2021. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- [6] KONNI (software name record; cites Talos Konni May 2017 and Malwarebytes Konni Aug 2021).
- [7] mitre-attack S0356 (MITRE ATT&CK external ID).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.