Spear-Phishing Campaign Leverages Google Ads to Distribute EndRAT Malware

Genians Security Center has published an in-depth analysis of Operation Poseidon, a sophisticated APT campaign attributed to the Konni threat group that exploits legitimate advertising infrastructure to distribute EndRAT malware.

This advanced spear-phishing operation demonstrates how threat actors leverage trusted platforms to circumvent traditional security defenses while targeting South Korean financial institutions and human rights organizations.

The attack chain begins with weaponized emails containing URLs disguised as legitimate advertising traffic.

Rather than directing users to malicious sites directly, attackers exploit the redirection mechanisms of Google Ads’ DoubleClick infrastructure (ad.doubleclick[.]net) and Naver’s marketing platform (mkt.naver[.]com).

By embedding the attacker-controlled destination inside the redirector's URL parameters, the campaign hides the final landing page from the recipient and from email security filters that evaluate only the visible host.

The technique raises the odds of bypassing both URL reputation systems and user suspicion, because the link the recipient sees, and the first hop a scanner resolves, belong to a trusted advertising platform.
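The redirect abuse described above can be checked mechanically: take a link whose host is a known ad or marketing redirector, pull every absolute URL embedded in its query string or path, and flag it when the embedded destination does not belong to the platform itself. The following is an added example written for this page, not code from Genians or the report; the parameter name `ds_dest_url`, the `/ddm/clk/...;<destination>` path form, and all sample URLs are constructed assumptions about how such redirectors carry a destination, not indicators from the campaign.

```python
"""Surface the real destination hidden inside an ad-platform redirect link.

Added example (not from the Genians report). The parameter names, path shape
and sample URLs below are assumptions/constructed data, not campaign IoCs.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

# Platforms the article names as abused redirectors.
REDIRECTOR_HOSTS = {"ad.doubleclick.net", "mkt.naver.com"}
# Destinations we accept as the platforms' own; anything else is off-platform.
PLATFORM_SUFFIXES = (".google.com", ".doubleclick.net", ".naver.com")


def _looks_like_url(value: str) -> bool:
    v = unquote(value).strip().lower()
    return v.startswith("http://") or v.startswith("https://")


def _is_platform_host(host: str) -> bool:
    return any(host == s.lstrip(".") or host.endswith(s) for s in PLATFORM_SUFFIXES)


def embedded_destinations(url: str) -> list[str]:
    """Return every absolute URL carried inside `url`, following nested
    redirect-in-redirect encodings, without making any network request."""
    parts = urlsplit(url)
    found: list[str] = []
    # 1. Query parameters whose value is itself an absolute URL
    #    (assumed form, e.g. ?ds_dest_url=https%3A%2F%2F...).
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if _looks_like_url(value):
            found.append(unquote(value))
    # 2. Destination appended after ';' in the path (assumed form,
    #    e.g. /ddm/clk/123456;https%3A%2F%2F...).
    if ";" in parts.path:
        tail = parts.path.split(";", 1)[1]
        if _looks_like_url(tail):
            found.append(unquote(tail))
    # 3. One hop may wrap another redirector; report the final hop as well.
    for dest in list(found):
        found.extend(embedded_destinations(dest))
    return found


def is_suspicious_redirect(url: str) -> bool:
    """True when a trusted-redirector link ultimately points off-platform."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in REDIRECTOR_HOSTS:
        return False
    return any(
        not _is_platform_host((urlsplit(d).hostname or "").lower())
        for d in embedded_destinations(url)
    )


if __name__ == "__main__":
    # Constructed sample: a DoubleClick-style click URL wrapping a Naver-style
    # redirect that lands on a made-up host.
    sample = ("https://ad.doubleclick.net/ddm/clk/1;https%3A%2F%2Fmkt.naver.com"
              "%2Fclick%3Fds_dest_url%3Dhttps%253A%252F%252Fbad.invalid%2F")
    for hop in embedded_destinations(sample):
        print("hop:", hop)
    print("suspicious:", is_suspicious_redirect(sample))
```

Because the function never fetches anything, it is safe to run inside a mail gateway rule; a sandbox should still follow the link, since a server-side redirector can ignore the embedded value and choose its own target.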

Once a victim clicks through, the redirect lands on compromised WordPress websites that serve both as malware distribution points and as command-and-control infrastructure.

These poorly secured WordPress installations provide threat actors with rapid infrastructure turnover capabilities that undermine domain and URL-based blocking policies.

EndRAT Payload Delivery

The download is a compressed archive containing a malicious Windows shortcut (LNK) file, given a legitimate-looking document icon and a filename impersonating a South Korean financial institution or NGO.

Beyond simple obfuscation, Genians assesses this as a deliberate evasion technique intended to confuse the logic of AI-based phishing detection systems.

Figure: URL links inserted in the email body (source: Genians Security).

Execution of the LNK file triggers a multi-stage payload. The shortcut runs an AutoIt script (AutoIt is a legitimate Windows scripting language) that is itself disguised as a PDF document.

The script downloads the AutoIt3.exe interpreter together with a malicious AutoIt-based remote access trojan (EndRAT) and loads the RAT directly into memory, with no further user interaction required.

Analysis of the AutoIt script source code revealed critical metadata including the internal build path: “D:\3_Attack Weapon\Autoit\Build__Poseidon – Attack\client3.3.14.a3x”.

This development artifact indicates the threat actor internally designated the campaign “Poseidon” and manages it as a distinct operational unit, suggesting mature infrastructure and sustained development practices.
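Build paths like the one above are recovered by reading the compiler directives that AutoIt3Wrapper and `#pragma compile` leave in script source. The following triage helper is an added example for this page, not Genians' tooling: it pulls those directives, Windows paths and URLs out of a script and breaks the paths into components so that project or campaign names stand out. The sample source is constructed; only the output path string is taken from the article, and the icon path and URL in it are made up.

```python
"""Pull build metadata out of AutoIt script source for attribution triage.

Added example, not from the Genians report. SAMPLE_AU3 is constructed: the
Outfile path is the one quoted in the article, everything else is made up.
"""
import re

SAMPLE_AU3 = r"""
#AutoIt3Wrapper_Icon=C:\Users\dev\icons\pdf.ico
#AutoIt3Wrapper_Outfile=D:\3_Attack Weapon\Autoit\Build__Poseidon – Attack\client3.3.14.a3x
#AutoIt3Wrapper_Compression=4
#pragma compile(Out, client.exe)
Global $sUrl = "https://example-c2.invalid/wp-content/uploads/a.bin"
"""

# #AutoIt3Wrapper_<Name>=<value> directives (real AutoIt3Wrapper syntax).
DIRECTIVE_RE = re.compile(r"^#AutoIt3Wrapper_(\w+)=(.*)$", re.MULTILINE)
# #pragma compile(<Name>, <value>) directives (real AutoIt syntax).
PRAGMA_RE = re.compile(r"^#pragma\s+compile\((\w+)\s*,\s*(.*?)\)\s*$", re.MULTILINE)
# Drive-letter Windows paths, stopping at quotes or end of line.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'\r\n]+")
URL_RE = re.compile(r"https?://[^\s\"']+")


def extract_build_metadata(source: str) -> dict:
    """Return directives, paths, URLs and the individual path components
    (folder and file names) found in an AutoIt source text."""
    directives = {k: v.strip() for k, v in DIRECTIVE_RE.findall(source)}
    directives.update({f"pragma:{k}": v.strip() for k, v in PRAGMA_RE.findall(source)})
    paths = sorted(set(p.strip() for p in WIN_PATH_RE.findall(source)))
    urls = sorted(set(URL_RE.findall(source)))
    # Components after the drive letter: project folders, campaign names,
    # versioned output file names are the attribution-relevant pieces.
    components = sorted({seg for p in paths for seg in p.split("\\")[1:] if seg})
    return {
        "directives": directives,
        "paths": paths,
        "urls": urls,
        "path_components": components,
    }


if __name__ == "__main__":
    meta = extract_build_metadata(SAMPLE_AU3)
    for key, value in meta.items():
        print(f"{key}: {value}")
```

On a compiled sample the same directives are not present in the .a3x bytecode; they survive only where the actor shipped source or where a decompiler recovers the wrapper header, which is why a build path in the output is a notable find.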

Figure: compiler directives of the AutoIt script (source: Genians Security).

Threat attribution to Konni APT is supported by multiple technical correlations with previously reported campaigns.

The reuse of C2 infrastructure (jlrandsons.co[.]uk), consistent LNK file structures, and targeting patterns exploiting North Korean human rights themes align with documented Konni operations.

The group's preference for AutoIt-based malware execution and its use of legitimate service domains to obscure infrastructure are established TTPs within its operational playbook.

Mitigations

Organizations must implement endpoint detection and response (EDR) solutions capable of behavioral threat analysis rather than relying solely on signature-based detection.

EDR systems should monitor for suspicious AutoIt script execution, in-memory malware injection patterns, and anomalous process chains initiated by shortcut files.
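The execution chain described earlier (shortcut, then a shell, then a freshly downloaded AutoIt3.exe running a compiled script) and the EDR guidance above reduce to a process-ancestry rule. The following detector is an added example for this page, not a vendor rule or Genians' code. It runs over constructed Sysmon-style process-creation events; the paths, PIDs and command lines are invented. Note that the in-memory loading of the RAT itself is not visible in process-creation telemetry, so this rule keys on the interpreter and its launch chain rather than on the payload.

```python
"""Flag AutoIt interpreters launched through an LNK-style chain or from a
user-writable path. Added example over constructed events, not real telemetry."""
import ntpath
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
SCRIPT_EXT = (".a3x", ".au3")


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (hypothetical paths and PIDs).
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK target: explorer spawns cmd, which launches a dropped interpreter.
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\AutoIt3.exe" '
              r'"C:\Users\u\AppData\Local\Temp\report.a3x"'),
    ProcEvent(300, 200, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
              r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\report.a3x"),
    # Benign: an admin runs an installed AutoIt directly from explorer.
    ProcEvent(400, 100, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r"AutoIt3.exe C:\scripts\backup.au3"),
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE"),
]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Image basenames from the process up to the root, child first."""
    chain, cur, seen = [], ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(_base(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect_autoit_chain(events: list) -> list:
    """Return (pid, 'root > ... > leaf', [reasons]) for each suspicious process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        tokens = [t.strip('"').lower() for t in e.cmdline.split()]
        is_autoit = _base(e.image) == "autoit3.exe" or any(t.endswith(SCRIPT_EXT) for t in tokens)
        if not is_autoit:
            continue
        chain = ancestry(e, by_pid)
        reasons = []
        # Shortcut execution shows up as explorer.exe -> shell -> interpreter.
        if "explorer.exe" in chain and any(p in SHELLS for p in chain[1:]):
            reasons.append("launched via shell under explorer.exe (LNK-style chain)")
        # A downloaded interpreter lives where the user can write, not Program Files.
        if any(m in e.image.lower() for m in USER_WRITABLE):
            reasons.append("AutoIt interpreter running from user-writable path")
        if reasons:
            findings.append((e.pid, " > ".join(reversed(chain)), reasons))
    return findings


if __name__ == "__main__":
    for pid, chain, reasons in detect_autoit_chain(EVENTS):
        print(pid, chain, reasons)
```

The benign event is deliberately included: an installed AutoIt3.exe started straight from explorer.exe produces no finding, while the dropped copy under %TEMP% trips both conditions. A real rule would add the file-creation event for AutoIt3.exe and the network connection it makes, which are also in Sysmon but omitted here.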

Email security controls must incorporate advanced content analysis to detect padding-based evasion, and URL sandboxing should follow suspected advertising-platform redirects to their final destination and detonate whatever is served there.

Given Operation Poseidon’s sophisticated multi-layered approach, defense strategies require threat-actor-focused correlation analysis and sustained threat hunting capabilities to effectively counter these nation-state operations.

IoC (Indicators of Compromise)

No.  MD5 hash
1    f5842320e04c2c97d1f69cebfd47df3d
2    6a4c3256ff063f67d3251d6dd8229931
3    8b8fa6c4298d83d78e11b52f22a79100
4    303c5e4842613f7b9ee408e5c6721c00
5    639b5489d2fb79bcb715905a046d4a54
6    908d074f69c0bf203ed225557b7827ec
7    0171338d904381bbf3d1a909a48f4e92
8    0777781dedd57f8016b7c627411bdf2c
9    94935397dce29684f384e57f85beeb0a
10   a9a52e2f2afe28778a8537f955ee1310
11   a58ef1e53920a6e528dc31001f302c7b
12   ad6273981cb53917cb8bda8e2f2e31a8
13   d4b06cb4ed834c295d0848b90a109f09
14   d6aa7e9ff0528425146e64d9472ffdbd
