North Korea's KONNI APT Abuses Google Find Hub to Spy and Erase Data

  • Nov 12, 2025
  • 2 min read

Key Findings


  • North Korea-linked Konni APT group posed as psychological counselors and North Korean human rights activists to distribute malware disguised as stress-relief programs via KakaoTalk messenger

  • Attackers compromised victims' Google accounts and abused Google's "Find Hub" service to remotely reset Android devices in South Korea, erasing users' personal data

  • This is the first known case of a state-sponsored APT group abusing Find Hub to perform destructive remote wipes and track victims' locations; the access came through the victims' compromised Google accounts rather than through any flaw in the Find Hub service itself

  • Attackers leveraged compromised KakaoTalk accounts to propagate malware to victims' contacts, expanding the infection chain

  • Malware payloads included remote access trojans such as Lilith RAT, enabling data theft, surveillance, and long-term persistence on infected systems


Background


  • The Konni APT group has been active since 2014 and has conducted highly targeted attacks, often against North Korean defectors and human rights activists; the cited reporting groups it with the Kimsuky cluster and its aliases (Earth Imp, TA406, Thallium, Vedalia, and Velvet Chollima), although some vendors track Konni and Kimsuky as separate clusters with overlapping tooling and targeting

  • The group has been attributed to North Korea-linked threat actors and has employed the KONNI remote access trojan (RAT) in its operations

  • The KONNI RAT is a versatile malware that can execute arbitrary code and steal data from compromised systems


Social Engineering and Delivery


  • Attackers impersonated psychological counselors and North Korean human rights activists to build trust with targets

  • Malicious files were delivered through the KakaoTalk messenger; because the messages came from hijacked accounts of people the targets already knew, the attack traded on existing trust rather than on an unsolicited contact

  • The payload was a malicious Microsoft Installer (MSI) package, a Windows installer format, disguised as a "Stress Clear" program


Exploitation and Remote Access


  • After compromising victims' Windows machines, the attackers used the KakaoTalk accounts logged in on those machines as relays, sending the same malware to the victims' contacts

  • The attackers also took over the victims' Google accounts and, through the Find Hub service, tracked the victims' locations and triggered remote factory resets of their Android devices; the phones were reached through the account, not through malware running on the phones themselves

  • The remote reset commands were sent repeatedly, so that each time a victim restored a device it was wiped again, disrupting and delaying normal recovery and use of the targeted devices. Because the wipes were issued through legitimate account functionality, the effective control is account hygiene: strong 2-Step Verification (a security key or passkey rather than an SMS code) and periodic review of the devices and sessions signed in to the account


Data Theft and Espionage


  • The malware payloads included remote access trojans such as Lilith RAT, Quasar RAT, and RftRAT, enabling data theft, system control, and long-term surveillance

  • On endpoints without behavior-based detection such as EDR, the attackers were able to persist, stealing data and spying on victims for extended periods


Indicators of Compromise (IoCs)


The underlying report (see Sources) provides a comprehensive list of IoCs, including:


  • Malware hashes

  • C2 server addresses

  • Compromised WordPress sites used as staging infrastructure

  • Indicators related to the KONNI RAT and associated malware families
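A practitioner who has pulled the report's indicators will want to sweep endpoints and proxy logs against them. The script below is an added example, not code from the page or the underlying report: every hash, hostname and log line in it is a constructed placeholder (the MSI bytes are a stand-in, the `.invalid` hostnames are reserved names), and the proxy log format is an assumed `timestamp client method url status` layout. It hashes files under a directory against a hash list and matches proxied requests against C2 and staging hostnames, so that the real indicators from the report can be dropped into the three dictionaries.

```python
"""IoC sweep: file hashes plus proxy-log hostnames (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# --- Constructed placeholders, NOT the report's real indicators ---
# A stand-in for the disguised "Stress Clear" MSI; its hash is derived here so the
# demo is self-contained. Replace with the SHA-256 values from the report.
SAMPLE_MSI_BYTES = b"constructed stand-in for a malicious 'Stress Clear' MSI"
IOC_SHA256 = {
    hashlib.sha256(SAMPLE_MSI_BYTES).hexdigest(): "Stress Clear MSI dropper (placeholder)",
}
# Hypothetical hostnames (.invalid is a reserved TLD, so these never resolve).
IOC_C2_HOSTS = {"c2.example.invalid": "RAT command-and-control (placeholder)"}
IOC_STAGING_HOSTS = {
    "compromised-blog.example.invalid": "compromised WordPress staging site (placeholder)",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root: Path) -> list[dict]:
    """Return every file under root whose SHA-256 is in the IoC hash list."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            digest = sha256_file(path)
            if digest in IOC_SHA256:
                hits.append({"path": str(path), "sha256": digest, "label": IOC_SHA256[digest]})
    return hits


def parse_proxy_line(line: str):
    """Parse the assumed format '<timestamp> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed or truncated line: skip rather than crash the sweep
    ts, client, method, url, status = parts
    host = urlparse(url).hostname  # already lower-cased by urlparse
    if not host:
        return None
    return {"ts": ts, "client": client, "method": method, "url": url, "host": host, "status": status}


def sweep_proxy_log(lines) -> list[dict]:
    """Tag requests whose destination host is a known C2 or staging indicator."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if rec["host"] in IOC_C2_HOSTS:
            rec.update(category="c2", label=IOC_C2_HOSTS[rec["host"]])
        elif rec["host"] in IOC_STAGING_HOSTS:
            rec.update(category="staging", label=IOC_STAGING_HOSTS[rec["host"]])
        else:
            continue
        hits.append(rec)
    return hits


# Constructed proxy log: one staging download, one benign request, one C2 beacon.
SAMPLE_PROXY_LOG = [
    "2025-11-10T09:12:03Z 10.0.0.5 GET http://compromised-blog.example.invalid/wp-content/uploads/StressClear.msi 200",
    "2025-11-10T09:12:40Z 10.0.0.5 GET https://www.example.com/ 200",
    "2025-11-10T09:15:11Z 10.0.0.5 POST http://C2.example.invalid/api/beacon 200",
]


def demo():
    """Build a throwaway directory with one matching file and run both sweeps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "StressClear.msi").write_bytes(SAMPLE_MSI_BYTES)
        (root / "notes.txt").write_bytes(b"benign content")
        file_hits = sweep_directory(root)
    proxy_hits = sweep_proxy_log(SAMPLE_PROXY_LOG)
    return file_hits, proxy_hits


if __name__ == "__main__":
    files, requests = demo()
    for hit in files:
        print(f"FILE    {hit['sha256'][:16]}...  {hit['path']}  [{hit['label']}]")
    for hit in requests:
        print(f"PROXY   {hit['ts']}  {hit['client']} -> {hit['host']}  [{hit['category']}: {hit['label']}]")
```

Hostnames are compared case-insensitively because `urlparse` lowercases them, which matters for log sources that preserve the case a client typed. Hash matching alone misses recompiled variants, so the hostname sweep should run even when no file matches.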


Sources


  • https://securityaffairs.com/184474/intelligence/north-korea-konni-apt-used-google-find-hub-to-erase-data-and-spy-on-defectors.html

  • https://securityonline.info/north-koreas-konni-apt-hijacks-google-find-hub-to-remotely-wipe-and-track-south-korean-android-devices/

© 2025 by Explain IT Again. Powered and secured by Wix