FortiGuard Labs has recently discovered a sophisticated malware campaign called ‘Konni’ that targets Windows systems [1]. This campaign utilizes Word documents with malicious macros to infect devices. The malware, known as the Konni RAT, can steal login credentials [1], execute remote commands [1] [2] [3] [4] [5], and download/upload files [1]. The malicious Word document is disguised as legitimate files to deceive users.


The Konni campaign involves a Russian-written Word document that triggers a Visual Basic for Applications (VBA) script when opened. This script displays Russian text related to a military operation and retrieves information [4] [5], performs system checks [4] [5], and bypasses User Account Control (UAC) to execute commands with elevated privileges [4].

The malware encrypts its command and control (C2) configuration and gathers system information, which is then uploaded to the C2 server. It also establishes encrypted communication with the C2 server and utilizes batch scripts and DLL files to execute privileged commands [1]. The malware creates a service that starts at system startup and adds registry entries for persistence [1].

Despite the Word document being created in September 2023 [2], ongoing activity on the campaign’s command and control server suggests that the Konni campaign is still active. This campaign has been linked to APT37 [3], a North Korean cyber espionage actor known for targeting political organizations in South Korea [3], as well as other countries in Asia and the Middle East [3].


To protect against the Konni campaign, users should exercise caution when dealing with suspicious documents. Organizations are recommended to undergo Fortinet’s free NSE training module on information security awareness for enhanced protection [4] [5]. For more detailed information on the techniques and strategies employed by the Konni campaign, refer to the Fortinet advisory [4] [5].