Overview
- The campaign began with targeted spear‑phishing and KakaoTalk lures that delivered a code‑signed installer named Stress Clear.msi, AutoIt loaders, and RATs including RemcosRAT, QuasarRAT, RftRAT, and Lilith/EndRAT.
- With stolen Google account credentials, the attackers signed in to Find Hub (Google's device‑locating service), queried the victims' device locations, and triggered remote factory resets that wiped the phones and cut the victims off from mobile alerts.
- After the wipes, attackers leveraged victims’ active KakaoTalk desktop sessions to distribute malware to contacts, reaching sensitive defector networks.
- Researchers link the activity to the KONNI cluster with overlaps to Kimsuky and APT37, noting incidents in early September and a confirmed case involving a counselor for North Korean defector students.
- Google states that no Android or Find Hub vulnerability was exploited and urges users to enable two‑step verification or passkeys; because the wipes relied on valid stolen credentials, account‑takeover controls rather than patching are the relevant defense. Genians has published indicators of compromise and mitigation guidance.