Konni is a remote access trojan that has been active since at least 2014 but was not identified until more than three years later. Researchers suspect the campaigns deploying Konni have limited targets, allowing it to stay under the radar. The trojan is typically spread via malicious email attachments. Threat actors use social engineering tactics to convince the target to open a .scr file that displays a document to distract the user while the malware executes on the victim's machine. Konni began as information-stealing malware and incorporated additional capabilities as it evolved. The version analyzed by Talos researchers in 2017 allows threat actors to steal files, log keystrokes, take screenshots, and execute arbitrary code on the victim's machine. Additionally, different versions of the trojan contain code copied from previous versions, and the new versions search for files from previous versions, indicating the malware has been used multiple times against the same target. Of the four campaigns identified by Talos over the last three years, three targeted entities linked to North Korea.


  • July 2017: A new distribution campaign was observed on July 4 with the following changes: a new decoy document of an article published on July 3 regarding the North Korean missile test, a 64-bit dropper version of Konni, and new C2 infrastructure including a climbing club website. (Cisco Talos)

Technical Details

  • Talos provides technical details on the Konni RAT, available here.