The Genians Security Center (GSC) has uncovered a new phase in the KONNI APT campaign, revealing a state-sponsored cyberespionage operation that leverages Google’s Find Hub feature to remotely wipe and track Android devices belonging to South Korean victims. The campaign is attributed to actors associated with North Korea’s Kimsuky and APT37 groups, both linked to the regime’s 63 Research Center.
“The recently identified KONNI campaign is particularly notable for cases in which Google Android–based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices,” GSC stated. “This is the first confirmed case in which a state-sponsored threat actor obtained remote control by compromising Google accounts, then used the service to perform location tracking and remote wipe.”
The attack began with spear-phishing and social engineering campaigns targeting psychological counselors and North Korean human rights activists, posing as trusted acquaintances or government officials. The attackers distributed malware disguised as a “stress-relief program” via KakaoTalk Messenger, a widely used communication app in South Korea.

“Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs,” the GSC report noted. “Malicious files were delivered through the KakaoTalk messenger, leveraging impersonation of acquaintances to conduct trust-based attacks.”
One of the victims, a psychological counselor assisting North Korean defectors, received a file titled “Stress Clear.msi”. Once executed, the installer appeared to display a language error but silently deployed malicious scripts designed to maintain persistence, exfiltrate data, and monitor user activity.
The attackers’ tactics reflected a high level of psychological and social engineering sophistication. After compromising a victim’s PC, they used the victim’s KakaoTalk account to propagate the same malware to contacts, amplifying the infection chain.
“This campaign is assessed as a typical social-engineering attack that leveraged trust-based communications to precisely exploit the target’s psychological and social context,” GSC said. “The compromise of messenger accounts and their use as a secondary attack vector increased the attack’s level of customization while expanding its attack surface.”
Notably, the attackers timed their remote actions to coincide with the victims’ absence, using Google’s Find Hub to confirm when a victim was physically away before triggering a remote factory reset of Android devices — effectively cutting off communications and delaying incident response.
“Immediately after confirming through Find Hub’s location query that the victim was outside, the threat actor executed a remote reset command on the victim’s Android devices,” GSC detailed. “This combination of device neutralization and account-based propagation is unprecedented among previously known state-sponsored APT scenarios.”
The KONNI operators gained access to victims’ Google accounts and exploited Find Hub, a legitimate Android management service used to locate lost devices, to perform malicious remote resets and data destruction.
“Using the stolen credentials, the attacker took control of the accounts and misused Find Hub’s management features to execute destructive actions, such as remotely wiping mobile devices,” the report explained. “Even after the device reset was completed, the threat actor repeatedly sent the same remote reset command more than three times, disrupting and delaying the normal recovery and use of the targeted smart devices for an extended period, which rendered the affected devices unavailable for normal use.”
By deleting the Gmail security alerts that a new sign-in and a remote wipe generate, and clearing account activity logs, the attackers kept the victims from noticing the account takeover until the devices were already reset. The wipe required nothing on the phone itself, only the Google account credentials, so the defensive levers sit on the account side: phishing-resistant 2-Step Verification, and periodic review of the account's signed-in devices and security alerts. Turning a built-in account-recovery feature into a destructive capability is a notable addition to APT tradecraft, weaponizing a trusted cloud service against its own users.
The core payload distributed via KakaoTalk was a malicious MSI installer — Stress Clear.msi — digitally signed under a Chinese entity (Chengdu Hechenyingjia Mining Partnership Enterprise) to bypass trust checks. The installer deployed an AutoIt-based script designed for persistence, surveillance, and remote access.
“The MSI contains a valid digital signature issued to ‘Chengdu Hechenyingjia Mining Partnership Enterprise’ in China. This represents an abuse of code signing: the attacker used a legitimate-looking signature to disguise the file’s origin and integrity, making it appear like a legitimate application,” GSC wrote.
The AutoIt script (IoKlTr.au3) deployed on the victim’s system masqueraded as a legitimate Windows scheduled task, registered a job that executed every minute, and connected to C2 infrastructure hosted on a WordPress site in Germany, bp-analytics[.]de, to fetch additional payloads.
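The persistence described above leaves a reliable footprint: Windows Security event 4698 (scheduled task created) carries the full task XML, including the repetition interval and the command the task runs. The following detection logic, added here as an illustration and not part of GSC's report or tooling, parses that XML and flags tasks that both repeat at a short interval and launch a script interpreter such as AutoIt3.exe, or anything under a user-writable path. The sample events, task names, SIDs and file paths are constructed for the example; the interpreter list and the 300-second threshold are assumptions to tune for your environment.

```python
"""Hunt for KONNI-style scheduled-task persistence in Windows 4698 events.

Added example; the events below are constructed, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML as embedded in event 4698 and task files
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics for this example
SUSPICIOUS_EXE = re.compile(
    r"(^|\\)(autoit3(_x64)?|wscript|cscript|mshta|powershell)(\.exe)?$", re.I)
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop)|\\programdata|\\temp)\\", re.I)
SHORT_INTERVAL_SECONDS = 300
DUR_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration such as PT1M or P1DT2H to seconds."""
    m = DUR_RE.match(value.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task_xml(task_name, xml_text):
    """Return a finding dict for a suspicious task, or None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None  # malformed content: not silently "clean", just unparseable
    intervals = [iso_duration_seconds(el.text or "")
                 for el in root.findall("t:Triggers/*/t:Repetition/t:Interval", TASK_NS)]
    min_interval = min((i for i in intervals if i is not None), default=None)
    short = min_interval is not None and min_interval <= SHORT_INTERVAL_SECONDS
    reasons = [f"repeats every {min_interval}s"] if short else []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if SUSPICIOUS_EXE.search(cmd):
            reasons.append(f"interpreter launch: {cmd}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("command or script under a user-writable path")
    # Alert only on short repetition combined with a command-level indicator
    if short and len(reasons) > 1:
        return {"task": task_name, "reasons": reasons}
    return None


def detect(events):
    """Run the check over 4698-style event dicts; return the findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        finding = analyze_task_xml(ev["TaskName"], ev["TaskContent"])
        if finding:
            findings.append(finding)
    return findings


XMLNS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'

# Constructed samples: one task mimicking an OS task name and running an AutoIt
# script from %TEMP% every minute, plus two benign-looking tasks.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "TaskName": r"\Microsoft\Windows\SystemHealth\Update Check",
     "TaskContent": rf"""<Task version="1.2" {XMLNS}>
  <Triggers><LogonTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition><Enabled>true</Enabled>
  </LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Local\Temp\AutoIt3.exe</Command>
    <Arguments>C:\Users\victim\AppData\Local\Temp\IoKlTr.au3</Arguments>
  </Exec></Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserSid": "S-1-5-18",
     "TaskName": r"\GoogleUpdateTaskMachineUA",
     "TaskContent": rf"""<Task version="1.2" {XMLNS}>
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
  <Arguments>/ua /installsource scheduler</Arguments></Exec></Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserSid": "S-1-5-18",
     "TaskName": r"\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance",
     "TaskContent": rf"""<Task version="1.2" {XMLNS}>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command>
  <Arguments>-IdleTask -TaskName WdCacheMaintenance</Arguments></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["task"], "->", "; ".join(f["reasons"]))
```

Requiring the short interval together with a command-level indicator keeps hourly updaters and idle-time maintenance tasks out of the alert queue, while a legitimate-sounding task name on its own buys the attacker nothing, since the name is never part of the decision.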
ENKI identified multiple RATs embedded in the infection chain, including RemcosRAT, QuasarRAT, and RftRAT, which provided remote control, keylogging, webcam activation, and command execution capabilities. Each RAT was encrypted using AES and embedded within obfuscated AutoIt scripts to evade detection.
“Analysis shows that these files contain malicious AutoIt scripts and modules that enable remote access and keylogging,” the report confirmed. “The threat actor concealed various malware components by encoding or encrypting them within AutoIt scripts. This technique is assessed as a strategy to evade security product detection and delay analysis of malicious activity.”