Konni Hackers Weaponize Google's Find Hub to Remotely Wipe and Track Devices
- Nov 11, 2025
- 3 min read
Key Findings:
The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control.
Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.
The attackers abused Google's device-locating service Find Hub (formerly Find My Device) to remotely reset victims' devices, resulting in the unauthorized deletion of personal data.
The activity was detected in early September 2025, marking the first time the hacking group has weaponized legitimate management functions to remotely reset mobile devices.
The attack chain involves spear-phishing emails, leverage of victims' logged-in KakaoTalk chat app sessions, and the deployment of remote access trojans like Lilith RAT and EndRAT.
The deployed malware allows the threat actors to carry out internal reconnaissance, monitoring, and exfiltration of victims' Google and Naver account credentials.
The stolen Google credentials are then used to log in to Google's Find Hub and initiate a remote wipe of the victims' devices; the attackers also access the victims' recovery email accounts to cover up traces of the activity.
Background
The Genians Security Center (GSC) has uncovered a new phase in the KONNI APT campaign, revealing a state-sponsored cyberespionage operation that leverages Google's Find Hub feature to remotely wipe and track Android devices belonging to South Korean victims. The campaign is attributed to actors associated with North Korea's Kimsuky and APT37 groups, both linked to the regime's 63 Research Center.
Targeted Devices and Impact
The recently identified KONNI campaign is particularly notable for cases in which Google Android-based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices. This is the first confirmed case in which a state-sponsored threat actor obtained remote control by compromising Google accounts and then used Find Hub to perform location tracking and a remote wipe.
Delivery and Propagation Tactics
The attack began with spear-phishing and social engineering campaigns targeting psychological counselors and North Korean human rights activists, posing as trusted acquaintances or government officials. The attackers distributed malware disguised as a "stress-relief program" via KakaoTalk Messenger, a widely used communication app in South Korea.
Abuse of Google's Find Hub
The attackers gained access to victims' Google accounts and exploited Find Hub, a legitimate Android management service used to locate lost devices, to perform malicious remote resets and data destruction. Even after the device reset was completed, the threat actor repeatedly sent the same remote reset command more than three times, disrupting and delaying the normal recovery and use of the targeted smart devices for an extended period.
Malware Deployment and Capabilities
The core payload distributed via KakaoTalk was a malicious MSI installer — Stress Clear.msi — digitally signed under a Chinese entity to bypass trust checks. The installer deployed an AutoIt-based script designed for persistence, surveillance, and remote access, including the ability to start a remote shell, list drives, download/upload files, and execute commands on the host.
Evasion and Persistence
By deleting Gmail security alerts and clearing account activity logs, the attackers ensured stealth and persistence. This abuse of a built-in Google feature represents an alarming new technique in APT toolkits, weaponizing trusted cloud services against users themselves.
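The Find Hub abuse and the alert-deletion cover-up described above form a sequence an account-security team can look for: a sign-in from an unrecognised device, a Find Hub wipe shortly afterwards, the wipe command re-sent repeatedly, and security alerts deleted around the same time. The following is an added detection example, not code from the article, Genians, or Google; the event records and their field names are constructed for illustration and do not reflect Google's real audit-log schema, so a deployment would map its own identity-provider and mobile-management logs onto this shape first.

```python
"""Flag the Find Hub abuse sequence over constructed account-activity events.

Event schema is CONSTRUCTED for this example (not Google's audit-log format):
  ts       ISO-8601 timestamp
  account  account the event belongs to
  type     one of: login, findhub_wipe, alert_deleted
  detail   free text (for logins: "new_device" or "known_device")
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)     # how close two events must be to be linked
WIPE_REPEAT_THRESHOLD = 3        # article: reset command re-sent more than three times

# Constructed sample data: one compromised account, one legitimate lost-phone case.
SAMPLE_EVENTS = [
    {"ts": "2025-09-03T01:10:00", "account": "counselor@example.com", "type": "login",         "detail": "new_device"},
    {"ts": "2025-09-03T01:12:00", "account": "counselor@example.com", "type": "alert_deleted", "detail": "new_sign_in_alert"},
    {"ts": "2025-09-03T02:30:00", "account": "counselor@example.com", "type": "findhub_wipe",  "detail": "device-A"},
    {"ts": "2025-09-03T02:45:00", "account": "counselor@example.com", "type": "findhub_wipe",  "detail": "device-A"},
    {"ts": "2025-09-03T03:00:00", "account": "counselor@example.com", "type": "findhub_wipe",  "detail": "device-A"},
    {"ts": "2025-09-03T03:20:00", "account": "counselor@example.com", "type": "findhub_wipe",  "detail": "device-A"},
    {"ts": "2025-09-05T09:00:00", "account": "owner@example.com",     "type": "login",         "detail": "known_device"},
    {"ts": "2025-09-05T09:05:00", "account": "owner@example.com",     "type": "findhub_wipe",  "detail": "device-B"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _follows(later, earlier):
    """True if `later` happens at or after `earlier` and within WINDOW."""
    return timedelta(0) <= (later - earlier) <= WINDOW


def analyze(events):
    """Return {account: [reason, ...]} for accounts matching the abuse pattern."""
    by_account = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_account[event["account"]].append(event)

    findings = {}
    for account, evs in by_account.items():
        new_logins = [_ts(e) for e in evs if e["type"] == "login" and e["detail"] == "new_device"]
        wipes = [_ts(e) for e in evs if e["type"] == "findhub_wipe"]
        alert_deletes = [_ts(e) for e in evs if e["type"] == "alert_deleted"]
        reasons = []

        # 1. A remote wipe issued soon after a sign-in from an unrecognised device.
        if any(_follows(w, l) for l in new_logins for w in wipes):
            reasons.append("wipe_after_new_device_login")

        # 2. The same wipe command re-sent repeatedly (prolongs the outage).
        if len(wipes) > WIPE_REPEAT_THRESHOLD:
            reasons.append(f"repeated_wipe_commands({len(wipes)})")

        # 3. Security alerts deleted shortly after the unrecognised sign-in (cover-up).
        if any(_follows(d, l) for l in new_logins for d in alert_deletes):
            reasons.append("security_alert_deleted_after_new_device_login")

        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in analyze(SAMPLE_EVENTS).items():
        print(f"{account}: {', '.join(reasons)}")
```

The legitimate lost-phone case (known device, a single wipe, no alert deletion) produces no finding, while the compromised account trips all three checks; tuning `WINDOW` and `WIPE_REPEAT_THRESHOLD` to local baselines is the main operational decision.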
Sources
https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html
https://securityonline.info/north-koreas-konni-apt-hijacks-google-find-hub-to-remotely-wipe-and-track-south-korean-android-devices/
https://www.reddit.com/r/SecOpsDaily/comments/1otrgar/konni_hackers_turn_googles_find_hub_into_a_remote/
https://boltwork.ai/2025/11/how-konni-hackers-are-weaponizing-googles-find-huband-what-every-smb-needs-to-know