Overview
- Researchers say North Korea-linked Konni actors stole Google credentials, queried device GPS locations through Find Hub, and triggered remote factory resets that erased data and cut off the victims' alerts.
- Initial access relied on spear-phishing via KakaoTalk and on emails impersonating South Korean agencies, delivering digitally signed MSI or ZIP payloads posing as stress-relief apps.
- With the victims' phones wiped, the attackers leveraged their still logged-in KakaoTalk desktop sessions on compromised PCs to rapidly send malware to contacts, including incidents on September 5 and 15.
- The toolchain used AutoIt loaders to deploy RATs such as RemcosRAT, QuasarRAT, RftRAT, and an EndRAT/Lilith-like variant, with C2 infrastructure observed across multiple countries.
- Genians attributes the campaign to the KONNI cluster, which overlaps with Kimsuky/APT37, and calls it the first publicly documented state-linked abuse of Find Hub, urging MFA, EDR, and verification of files received via messengers.