Researchers Link New NOKKI Malware to North Korean Actor

A recently observed variant of the KONNI malware appears tied to a remote access Trojan (RAT) previously attributed to a North Korean actor, Palo Alto Networks security researchers say.

Dubbed NOKKI, the new malware family shows close resemblance and code overlaps with KONNI, a piece of malware long used in attacks targeting the Korean peninsula, and is likely the work of the same developer. The threat has been in use since at least January 2018 and shows ties to the threat group known as Reaper, Palo Alto Networks reveals in a recent post.

NOKKI, the security researchers discovered, was designed to collect a broad range of information from the infected machine (including IP address, hostname, username, drive information, operating system information, and details on the installed programs), can drop additional malware onto the system, and can also execute decoy documents.

Starting in January, the researchers observed several attacks involving NOKKI, targeting entities in Cambodia and Russia with documents featuring content related to local political matters.

In a report published this week, Palo Alto Networks reveals that NOKKI is related to the DOGCALL malware family, a backdoor previously attributed to the Reaper group and likely in use by this group only. The actor is known for targeting the military and defense industry within South Korea, as well as a Middle Eastern organization doing business with North Korea.

By analyzing malicious macros within Microsoft Word documents designed to drop NOKKI, the researchers discovered that the employed deobfuscation technique was also used in documents targeting individuals interested in the World Cup hosted in Russia in 2018 with the DOGCALL malware.

Whereas the NOKKI dropper samples would fetch both a payload and a decoy document, the World Cup malware sample would download and execute a remote VBScript file wrapped in HTML, while also appending text to the original Word document to provide the lure for the victim.

The VBScript file leverages the same unique deobfuscation routine, and fetches and executes a dropper called Final1stspy, which in turn downloads a payload belonging to the DOGCALL malware family.

When installed on a compromised machine, the threat can take screenshots, log keys, capture microphone data, collect victim information, collect files of interest, and download and execute additional payloads.

Communication with the command and control (C&C) is performed via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI led us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group. Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy,” Palo Alto Networks concludes.

Related: North Korean Hacking Group APT37 Expands Targets

Related: New Malware Used in Attacks Aimed at Inter-Korean Affairs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
