Overview
- South Korean firm Genians reports the campaign targets South Koreans, beginning with spear-phishing that spoofed agencies such as the National Tax Service to plant remote access tools.
- Stolen Google credentials let attackers open Find Hub, track GPS locations, and issue factory resets—sometimes multiple times—to erase data and suppress security alerts.
- With phones unusable, hijacked KakaoTalk PC clients were used to send malware to contacts, including a file posing as a stress-relief program sent from a counselor's account on Sept. 5.
- Genians links the activity to a KONNI cluster with overlaps to Kimsuky and APT37, leaving attribution to specific North Korean units unresolved.
- The report notes possible use of PC webcams to verify a victim’s absence and recommends multifactor authentication for Google accounts and careful verification of files received over messenger apps.