
North Korean Hacking Group Konni Targets Android and Windows Devices in Dual-Platform Cyber Campaign

A new cyber campaign attributed to the North Korea–linked Konni group has been discovered targeting both Android and Windows devices


A new cyber campaign attributed to the North Korea–linked Konni group (also known as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been discovered targeting both Android and Windows devices. The attacks, detailed by the Genians Security Center (GSC), showcase a sophisticated blend of social engineering, credential theft, and abuse of legitimate services — marking the first known case of a threat actor weaponizing Google’s Find Hub (formerly Find My Device) service to remotely wipe victim smartphones.

Attack Vector and Delivery Method

The campaign began in September 2025, when attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs. The operation relied heavily on spear-phishing emails that mimicked official entities such as South Korea’s National Tax Service to trick victims into opening malicious attachments.

Upon infection, the Windows component — primarily Lilith RAT or a new variant dubbed EndRAT — granted attackers full remote control. Using this access, they infiltrated victims’ KakaoTalk messaging sessions and spread the malware-laden ZIP files to their contacts, creating a self-propagating infection chain.

Exploiting Legitimate Services

Once the malware compromised the system, the attackers exfiltrated Google and Naver account credentials, enabling unauthorized access to users’ Google accounts. Using these stolen credentials, the attackers logged into Google Find Hub and remotely reset devices, erasing all personal data — a destructive capability never before associated with the Konni group.

In several cases, the hackers deleted Google security alert emails from Naver-linked recovery accounts and emptied the trash folders to cover their tracks.

Google later confirmed that this attack did not exploit any Android or Find Hub vulnerabilities; instead, it abused legitimate account permissions following credential theft.

Technical Details: EndRAT and Additional Payloads

The malicious ZIP files contained a fake MSI installer named “Stress Clear.msi”, signed with a valid certificate from a Chinese company to appear legitimate. When executed, it displayed a decoy error message while launching a Visual Basic Script and an AutoIt-based RAT.

The malware communicated with a command-and-control (C2) server (116.202.99[.]218) and supported commands such as:

  • shellStart / shellStop – initiate or terminate remote shell sessions

  • download / upload – exfiltrate or receive files

  • refresh – gather system details

  • run / delete – execute or remove files remotely

Additional tools observed included Remcos RAT v7.0.4, Quasar RAT, and RftRAT, all commonly used by North Korean APTs for espionage and surveillance.
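As an added example (not code from the article or from Genians), the following script shows how a defender might turn the two indicators this article does give, the defanged C2 address and the installer name, into a check over endpoint and proxy logs, together with a behavioural check for the MSI-launches-VBScript chain the article describes. The log format, the field names and the assumption that the script host appears as a child of msiexec.exe are mine, not the article's.

```python
import re
from ipaddress import ip_address

# Indicators taken from the article, in the defanged form the article prints them.
DEFANGED_C2 = "116.202.99[.]218"
INSTALLER_NAME = "Stress Clear.msi"

def refang(ioc: str) -> str:
    """Convert a defanged indicator (116.202.99[.]218, hxxp://) to its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

C2_IP = str(ip_address(refang(DEFANGED_C2)))  # ip_address() rejects malformed input

# Constructed sample log lines (not from the article), in a simplified key=value style
# with the fields a typical EDR/proxy export would carry. The msiexec->wscript parent
# relationship is an assumption about how the described chain would appear in telemetry.
SAMPLE_LOGS = [
    'ts=2025-09-14T09:11:58Z type=proc host=WS-017 image=msiexec.exe parent=explorer.exe cmd="msiexec /i C:\\Users\\u\\Downloads\\Stress Clear.msi"',
    'ts=2025-09-14T09:12:03Z type=proc host=WS-017 image=wscript.exe parent=msiexec.exe cmd="wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\s.vbs"',
    'ts=2025-09-14T09:12:09Z type=netconn host=WS-017 dst=116.202.99.218 dport=443 proto=tcp',
    'ts=2025-09-14T09:15:00Z type=netconn host=WS-002 dst=203.0.113.7 dport=443 proto=tcp',
    'ts=2025-09-14T09:16:00Z type=proc host=WS-002 image=wscript.exe parent=explorer.exe cmd="wscript.exe C:\\Scripts\\inventory.vbs"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> dict:
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def scan_logs(lines):
    """Return (host, reason) tuples for lines matching the article's IoCs or the MSI->VBScript chain."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("type") == "netconn" and ev.get("dst") == C2_IP:
            hits.append((ev["host"], "connection to known Konni C2"))
        elif ev.get("type") == "proc":
            cmd = ev.get("cmd", "")
            if INSTALLER_NAME.lower() in cmd.lower():
                hits.append((ev["host"], "known malicious installer name"))
            elif ev.get("image", "").lower() in ("wscript.exe", "cscript.exe") \
                    and ev.get("parent", "").lower() == "msiexec.exe":
                hits.append((ev["host"], "script host spawned by MSI installer"))
    return hits

if __name__ == "__main__":
    for host, reason in scan_logs(SAMPLE_LOGS):
        print(f"{host}: {reason}")
```

Only the first two checks are tied to this campaign; the parent-process check is a generic behavioural rule that will also fire on legitimate installers that run scripts, so it should be triaged rather than blocked on.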

Attribution and Broader Implications

The campaign reflects Konni’s growing technical sophistication and sustained focus on Korean targets, particularly those involved in civil and governmental sectors. The use of legitimate system functions for destructive purposes highlights a dangerous evolution in nation-state cyber operations — blurring the line between espionage and sabotage.

Defensive Recommendations

  • Enable Two-Factor Authentication (2FA) or Passkeys for all Google and Naver accounts.

  • Enroll high-risk users in Google’s Advanced Protection Program (APP).

  • Avoid opening attachments or clicking links from unverified senders, even if they appear familiar.

  • Monitor device and account activity for unusual sign-ins or remote management actions.

Conclusion

The Konni group’s Landfall and EndRAT operations represent a new frontier in cyber-espionage — one that leverages social engineering, credential theft, and legitimate platform functionality to execute targeted, stealthy, and destructive attacks. Strengthening identity protection and multi-factor authentication remains the best defense against this escalating threat.