A state-sponsored hacking group known as KONNI, suspected of links to the North Korean regime and to related groups such as Kimsuky and APT37, has been caught using a two-stage attack to spy on users and then erase the data on their Android devices.
This concerning finding comes from an investigation by the Genians Security Center (GSC), which first identified the attack chain.
Phishing, Spying, and Gaining Trust
The attack begins with spear phishing: the attackers send a convincing message to trick the target into opening a malicious file. In this campaign they impersonated trusted roles, such as a professional psychological counsellor supporting North Korean defector youths or staff from the National Tax Service.
Once a victim opened the malicious file (disguised as a document or application form), the attackers gained hidden access to the victim's computer. The research shows the KONNI actors stayed hidden for over a year, secretly monitoring the victim, at times through the webcam.
Weaponising Trust and Erasing Data
The research firm found that, once inside, the KONNI operators focused on South Korea and leveraged the widely used local messaging platform KakaoTalk. They abused the victim's logged-in KakaoTalk account to push their malware, disguised as a stress-relief program named Stress Clear.zip, to the victim's contacts.
Because the messages arrived from a known contact, this trust-based attack was highly effective. According to GSC's report, logs show that one victim's account was compromised on September 5, 2025, followed by a larger wave of compromises on September 15, 2025.
The attack then turned destructive. After stealing the victim's Google account passwords, the attackers abused the legitimate Google Find Hub service, a feature intended to help users locate a lost phone.
Having confirmed that the victim was away from their devices, the KONNI operators used Find Hub to trigger a remote factory reset of the victim's Android smartphone and tablet. This wiped all personal data and cut the victim off from security alerts, removing their ability to detect and respond to the attack still in progress.

Recommended Defences
This case shows how stolen personal data and credentials can be used to turn a victim into a launch point for further attacks. To protect against it, never open or run files from unexpected sources, even if they appear to come from someone you know; in this campaign the sender's own account had been compromised.
Additionally, enabling two-factor authentication (2FA) on your Google account is strongly recommended, since here a stolen password was enough to reach Find Hub and wipe the victim's devices.
