North Korea-linked Konni APT used Google Find Hub to erase data and spy on defectors


Pierluigi Paganini
November 11, 2025

North Korea-linked APT Konni posed as counselors to steal data and wipe Android phones via Google Find Hub in Sept 2025.

Genians Security Center researchers warn that the North Korea-linked Konni APT group (aka Kimsuky, Earth Imp, TA406, Thallium, Vedalia, and Velvet Chollima) posed as counselors to compromise Windows PCs and then used the victims' hijacked Google accounts to wipe their Android phones via Google Find Hub in September 2025.

The KONNI RAT was first documented by Cisco Talos researchers in 2017; at that point it had already been in use, undetected, since 2014 in highly targeted attacks. The RAT avoided detection through continuous evolution, and it can execute arbitrary code on target systems and steal data.

The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.

“Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.” reads the report published by Genians Security Center (GSC).

“Malicious files were delivered through the KakaoTalk messenger, leveraging impersonation of acquaintances to conduct trust-based attacks.”

The new KONNI campaign abused Google's "Find Hub" service to remotely factory-reset Android devices in South Korea, erasing users' personal data. Find Hub acts with the authority of the signed-in Google account, so no exploit against the phone itself was needed: the attackers compromised victims' Google accounts, then used the account to track device locations and trigger remote wipes. Securing the Google account (strong 2-step verification and a review of signed-in devices and sessions) is therefore the control that matters here.


The researchers pointed out that this is the first known use of this feature by a state-sponsored APT group. The attackers also exploited victims' active KakaoTalk PC sessions to spread malware to close contacts. The report documents this emerging tactic and provides guidance on detecting and mitigating similar threats.

The attack chain began with spear-phishing emails impersonating the National Tax Service to infect targeted individuals, including a counselor aiding North Korean defector youths. After compromising their PCs, the attackers used them as relays to spread malware through the victims' KakaoTalk accounts. Once Find Hub location data confirmed a victim was away from their devices, the attackers issued remote reset commands to the victim's Android phones and tablets, wiping the data and, as a result, suppressing the alerts the victim would otherwise have received.


They then exploited KakaoTalk’s active PC sessions to distribute malware, blending evasion and propagation.

“All samples of the ‘Stress Clear.zip’ files distributed via KakaoTalk messages were found to share the same structure. The archive contains a Microsoft Installer (MSI) package disguised as ‘Stress Clear.msi.’” continues the report. “The ‘Stress Clear.msi’ file runs only on Windows operating systems and is not executable on non-compatible platforms such as smartphones, so those devices are not infection targets. When executed in a compatible environment, the standard MSI installation GUI appears, while malicious actions embedded in the installation routine are performed without the user’s awareness.”

The attack involved data theft, account compromise, and mass data destruction.

The emails aim to trick recipients into opening malicious attachments that deliver remote access trojans, such as Lilith RAT, giving the attackers control of the victims' machines.

“If behavior-based anomaly detection such as EDR is absent, threat actors can remain resident on compromised endpoints for long periods, harvesting user data and conducting covert surveillance via webcams.” continues the report. “In this process, the access obtained during the initial intrusion enables system control and additional information collection, while evasion tactics allow long-term concealment.”

Without behavior-based detection like EDR, attackers can persist on infected systems, steal data, spy via webcams, and evade detection for extended periods.

The KONNI campaign used spear-phishing emails disguised as Korean government agencies to deliver malicious MSI installers built with EMCO MSI Package Builder. The installers ran an AutoIt script (IoKlTr.au3) that deployed multiple RATs (RemcosRAT, QuasarRAT, and RftRAT), which connected to C2 servers in Russia, Japan, and the Netherlands.

Both Quasar RAT and RftRAT malware were previously used by the Kimsuky APT group in 2023.

Artifacts revealed a folder named “Attack Weapon,” suggesting organized malware development. The group leveraged WordPress sites as staging infrastructure and used multi-layer relays for evasion. EDR logs enabled full reconstruction of the attack, showing the infection chain and aiding rapid containment.
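As an added illustration of the MSI-to-AutoIt-to-RAT chain described above and of the EDR-based reconstruction the report credits with containment (this is example code written for this page, not code from the article or from Genians' report), the Python below runs one behavioural rule over constructed, Sysmon-style process-creation and network-connection records: an installer (msiexec.exe) spawning a script host, a script file, or any child image from a user-writable path. For each hit it rebuilds the process subtree under that child and collects its outbound connections. The file names “Stress Clear.msi” and IoKlTr.au3 come from the article; the user name, PIDs, the dropped file name svchost.exe under AppData, and the address 203.0.113.45 are invented sample data, not indicators from the report.

```python
"""Behavioural detection sketch: installer-launched script host -> dropped RAT -> C2.

Added example for this page, not from the Genians report. All telemetry below
is constructed; only the names "Stress Clear.msi" and IoKlTr.au3 come from the
article. Records mimic Sysmon Event ID 1 (process create) and 3 (network connect).
"""
import re
from collections import defaultdict

# Script interpreters an MSI custom action has little legitimate reason to launch.
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Script file types on a child command line.
SCRIPT_EXT = re.compile(r"\.(?:au3|a3x|vbs|js|ps1|hta)\b", re.I)
# Locations a non-admin user can write to; payload staging typically lands here.
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\(?:appdata|downloads)|windows\\temp|programdata)\\", re.I)

# Constructed sample telemetry: one malicious install and one benign install.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\Downloads\Stress Clear.msi"'},
    {"id": 1, "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "cmd": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\IoKlTr.au3"},
    {"id": 1, "pid": 4210, "ppid": 4188,
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "cmd": "svchost.exe"},
    {"id": 3, "pid": 4210, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dst": "203.0.113.45", "dport": 443},
    # Benign: a vendor installer launching its own program from Program Files.
    {"id": 1, "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"'},
    {"id": 1, "pid": 5012, "ppid": 5000, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmd": "7zFM.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _rule_hits(proc: dict) -> list:
    """Reasons a process spawned by msiexec.exe looks like a malicious custom action."""
    hits = []
    if _basename(proc["image"]) in SCRIPT_HOSTS:
        hits.append("script host launched by installer")
    if USER_WRITABLE.match(proc["image"]):
        hits.append("child image in user-writable path")
    if SCRIPT_EXT.search(proc["cmd"]):
        hits.append("script file on command line")
    return hits


def find_suspicious_chains(events: list) -> list:
    """Return one record per flagged installer child: the trigger, the reasons,
    the reconstructed process subtree, and every outbound connection under it."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(f'{e["dst"]}:{e["dport"]}')

    chains = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is None or _basename(parent["image"]) != "msiexec.exe":
            continue
        hits = _rule_hits(p)
        if not hits:
            continue
        # Walk the subtree under the flagged child, as an EDR timeline would.
        tree, stack = [], [p["pid"]]
        while stack:
            pid = stack.pop()
            tree.append(pid)
            stack.extend(children[pid])
        chains.append({
            "installer": parent["cmd"],
            "trigger": p["cmd"],
            "reasons": hits,
            "process_tree": [procs[pid]["image"] for pid in tree],
            "network": [c for pid in tree for c in conns[pid]],
        })
    return chains


if __name__ == "__main__":
    for chain in find_suspicious_chains(EVENTS):
        print(chain)
```

The benign 7-Zip install is not flagged because its child runs from Program Files and is neither a script host nor a script; the Stress Clear install is flagged on all three reasons and the reconstruction shows the dropped svchost.exe under AppData and its 443 connection. Real installers do sometimes spawn helper processes, so in production the rule should be scoped to script hosts and user-writable paths exactly as here and tuned against an allowlist of known vendor installers rather than widened.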

The report provides Indicators of Compromise (IoCs) for the recent Konni campaign.
