
Konni RAT Malware Attack: Russian Govt. Software Backdoor

Wajahat Raja

February 6, 2024 - TuxCare expert team

In a recent revelation, German cybersecurity firm DCSO has uncovered the Konni RAT malware attack, which involves the deployment of a Remote Access Trojan. The attackers exploited an installer for a tool associated with the Russian Consular Department of the Ministry of Foreign Affairs (MID). This tool, named ‘Statistika KZU,’ was found to have been backdoored, leading to the delivery of the Konni RAT.

In this blog, we’ll delve into the intricate details of the Konni RAT malware attack, shedding light on its origins, modus operandi, and implications for cybersecurity.


Origin and Attribution Of The Konni RAT Malware Attack


The origin of this cyber activity has been traced to actors associated with the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea. Remarkably, these DPRK-nexus actors were found targeting Russia, specifically the Russian Consular Department. The Konni activity cluster, also tracked as Opal Sleet, Osmium, or TA406, has a documented history of deploying the Konni RAT against Russian entities.

The threat actor has been linked to attacks on the MID since at least October 2021. This revelation follows Fortinet FortiGuard Labs’ previous discovery in November 2023, wherein Russian-language Microsoft Word documents were utilized to distribute malware capable of harvesting sensitive information from compromised Windows hosts.


Konni RAT Malware Deployed via Russian Govt. Software Backdoor


DCSO highlighted the attackers’ technique of packaging the Konni RAT within software installers. Notably, this technique was previously observed in October 2023, when a backdoored Russian tax filing software named Spravki BK was used for the same purpose. 

In this instance, the compromised installer was associated with the Statistika KZU tool intended for internal use within the Russian MID. Specifically, the tool facilitated the relay of annual report files from overseas consular posts to the Consular Department of the MID through a secure channel.


Infection Sequence


The trojanized installer, identified as an MSI file, triggers an infection sequence upon launch. This sequence establishes contact with a command-and-control (C2) server and awaits further instructions from the attackers. The Konni RAT, whose capabilities include command execution, file transfer, and espionage, has been operational since at least 2014. It is also known to be used by other North Korean threat actors, including Kimsuky and ScarCruft (APT37).
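The infection chain above starts with a trojanized installer, so the defensive control that matters most is checking an installer against a known-good reference before it is ever executed. The following is an added example, written for this post and not code from DCSO, TuxCare, or the Konni investigation: it hashes an installer, compares the hash with an out-of-band manifest of approved builds, and sanity-checks that a file with an `.msi` extension really carries the OLE compound-file header that MSI packages use. The manifest entries, file names, and installer bytes are constructed for the demonstration.

```python
"""Pre-execution integrity check for software installers (added example).

Mitigation for backdoored-installer supply-chain attacks: refuse to run an
installer whose SHA-256 does not match a known-good manifest obtained through
a separate trusted channel. All sample data below is constructed.
"""
import hashlib

# Every .msi is an OLE2 compound file; this 8-byte header is its magic.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def check_installer(name: str, data: bytes, manifest: dict[str, str]) -> list[str]:
    """Return a list of findings for an installer; an empty list means it passes.

    name     -- file name as distributed (used for the manifest lookup)
    data     -- raw installer bytes
    manifest -- mapping of approved file name -> expected SHA-256 hex digest
    """
    findings: list[str] = []

    # Structural sanity check: an .msi that is not an OLE file was swapped or wrapped.
    if name.lower().endswith(".msi") and not data.startswith(OLE_MAGIC):
        findings.append("extension is .msi but file lacks the OLE compound-file header")

    expected = manifest.get(name)
    if expected is None:
        # Unknown builds are rejected by default rather than trusted on sight.
        findings.append("no known-good hash recorded for this installer")
    else:
        actual = sha256_hex(data)
        if actual != expected.lower():
            findings.append(f"hash mismatch: expected {expected}, got {actual}")

    return findings


# --- constructed sample data (hypothetical file name and contents) ---------
GOOD_INSTALLER = OLE_MAGIC + b"constructed legitimate installer body"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"constructed appended payload"
NON_MSI_BYTES = b"MZ" + b"constructed executable masquerading as an .msi"

# Known-good manifest: in practice distributed out of band and signed.
MANIFEST = {"example-tool-setup.msi": sha256_hex(GOOD_INSTALLER)}


def demo() -> dict[str, list[str]]:
    """Run the check over the constructed samples and return findings per sample."""
    return {
        "good": check_installer("example-tool-setup.msi", GOOD_INSTALLER, MANIFEST),
        "tampered": check_installer("example-tool-setup.msi", TAMPERED_INSTALLER, MANIFEST),
        "not_msi": check_installer("example-tool-setup.msi", NON_MSI_BYTES, MANIFEST),
        "unknown": check_installer("other-setup.msi", GOOD_INSTALLER, MANIFEST),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        status = "PASS" if not findings else "REJECT"
        print(f"{label:9s} {status}")
        for finding in findings:
            print(f"           - {finding}")
```

A hash manifest only helps when it is obtained through a channel the attacker cannot also tamper with, so it belongs beside, not instead of, Authenticode signature validation and allowlisting of who may run `msiexec` on hosts that handle sensitive data.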


Source, Motivation, And Geopolitical Implications


The source of the backdoored Russian government software installer remains unclear, as it is not publicly available. However, suspicions arise that the extensive history of espionage operations targeting Russia may have enabled the threat actors to identify potential tools for subsequent attacks.

While North Korea’s targeting of Russia is not a new phenomenon, the timing of this cyber threat is noteworthy. It occurs amid increasing geopolitical proximity between the two countries. Recent reports from North Korean state media reveal that Russian President Vladimir Putin gifted leader Kim Jong Un a luxury Russian-made car. 

DCSO CyTec research suggests that despite growing strategic ties, North Korea maintains a keen interest in assessing and verifying Russian foreign policy planning and objectives. The discovery of the Konni RAT delivered through a backdoored Russian government tool highlights the sophisticated tactics employed by cyber threat actors in compromising sensitive systems.


Conclusion


North Korean cyberattacks continue to pose significant threats to global cybersecurity infrastructure. The discovery of the Konni RAT deployed through a backdoored Russian Consular Department tool underscores the evolving landscape of cyber threats and geopolitical intricacies. 

The deployment of the Konni RAT through backdoored Russian government software showcases the increasing sophistication of cyber threats targeting governmental systems. As cyber threats continue to transcend borders, organizations must remain vigilant and adopt robust cybersecurity measures to safeguard sensitive information and ensure business continuity.

The sources for this piece include articles in The Hacker News and Cyber Security News.
