North Korea’s KONNI APT Hijacks Google Find Hub to Remotely Wipe and Track South Korean Android Devices

Do Son November 11, 2025 5 minutes read

The Genians Security Center (GSC) has uncovered a new phase in the KONNI APT campaign, revealing a state-sponsored cyberespionage operation that leverages Google’s Find Hub feature to remotely wipe and track Android devices belonging to South Korean victims. The campaign is attributed to actors associated with North Korea’s Kimsuky and APT37 groups, both linked to the regime’s 63 Research Center.

“The recently identified KONNI campaign is particularly notable for cases in which Google Android–based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices,” GSC stated. “This is the first confirmed case in which a state-sponsored threat actor obtained remote control by compromising Google accounts, then used the service to perform location tracking and remote wipe.”

The attack began with spear-phishing and social engineering campaigns targeting psychological counselors and North Korean human rights activists, posing as trusted acquaintances or government officials. The attackers distributed malware disguised as a “stress-relief program” via KakaoTalk Messenger, a widely used communication app in South Korea.

[Figure: Attack flowchart | Image: The Genians Security Center]

“Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs,” the GSC report noted. “Malicious files were delivered through the KakaoTalk messenger, leveraging impersonation of acquaintances to conduct trust-based attacks.”

One of the victims, a psychological counselor assisting North Korean defectors, received a file titled “Stress Clear.msi”. Once executed, the installer appeared to display a language error but silently deployed malicious scripts designed to maintain persistence, exfiltrate data, and monitor user activity.

The attackers’ tactics reflected a high level of psychological and social engineering sophistication. After compromising a victim’s PC, they used the victim’s KakaoTalk account to propagate the same malware to contacts, amplifying the infection chain.

“This campaign is assessed as a typical social-engineering attack that leveraged trust-based communications to precisely exploit the target’s psychological and social context,” GSC said. “The compromise of messenger accounts and their use as a secondary attack vector increased the attack’s level of customization while expanding its attack surface.”

Notably, the attackers timed their remote actions to coincide with the victims’ absence, using Google’s Find Hub to confirm when a victim was physically away before triggering a remote factory reset of Android devices — effectively cutting off communications and delaying incident response.

“Immediately after confirming through Find Hub’s location query that the victim was outside, the threat actor executed a remote reset command on the victim’s Android devices,” GSC detailed. “This combination of device neutralization and account-based propagation is unprecedented among previously known state-sponsored APT scenarios.”

The KONNI operators gained access to victims’ Google accounts and exploited Find Hub, a legitimate Android management service used to locate lost devices, to perform malicious remote resets and data destruction.

“Using the stolen credentials, the attacker took control of the accounts and misused Find Hub’s management features to execute destructive actions, such as remotely wiping mobile devices,” the report explained. “Even after the device reset was completed, the threat actor repeatedly sent the same remote reset command more than three times, disrupting and delaying the normal recovery and use of the targeted smart devices for an extended period, which rendered the affected devices unavailable for normal use.”

By deleting Gmail security alerts and clearing account activity logs, the attackers ensured stealth and persistence. The technique exploits no flaw in Find Hub: the service did exactly what it is designed to do for whoever holds the account credentials, and the attackers held them because they had already compromised the victim's PC. The practical signal is therefore on the account side, in new sign-ins and in security-alert mail that is missing or deleted, not on the device, which has already been reset by the time the wipe is noticed. This abuse of a built-in Google feature represents a new technique in APT toolkits, weaponizing a trusted cloud service against its own users.

The core payload distributed via KakaoTalk was a malicious MSI installer — Stress Clear.msi — digitally signed under a Chinese entity (Chengdu Hechenyingjia Mining Partnership Enterprise) to bypass trust checks. The installer deployed an AutoIt-based script designed for persistence, surveillance, and remote access.

“The MSI contains a valid digital signature issued to ‘Chengdu Hechenyingjia Mining Partnership Enterprise’ in China. This represents an abuse of code signing: the attacker used a legitimate-looking signature to disguise the file’s origin and integrity, making it appear like a legitimate application,” GSC wrote.

The AutoIt script (IoKlTr.au3) deployed on the victim’s system mimicked legitimate Windows tasks, registered a scheduled task that ran every minute, and connected to WordPress-based C2 infrastructure hosted in Germany, bp-analytics[.]de, to fetch further payloads.
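The every-minute scheduled task is the most hunt-friendly artifact in that chain. Below is an added example in Python (not code from the article or from Genians) that parses exported Task Scheduler XML and flags the combination of a repetition trigger of one minute or faster with an action that launches AutoIt or a binary from a user-writable path. The two task definitions embedded in it are constructed for the example; the task, user and file names in them are hypothetical, not indicators from the report.

```python
"""Hunt exported Windows Task Scheduler XML for the persistence pattern in the
article: a task that fires every minute and launches an AutoIt interpreter or
.au3 script. The two task definitions below are constructed for this example;
their task, user and file names are hypothetical, not indicators from the report."""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
AUTOIT_MARKERS = ("autoit3", ".au3")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
MAX_INTERVAL_SECONDS = 60  # "execute every minute" or faster
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

SAMPLE_TASKS = {
    # Hypothetical name chosen to blend in with genuine Microsoft tasks.
    r"\Microsoft\Windows\Update Health Check": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-10-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Local\Temp\AutoIt3.exe</Command>
      <Arguments>C:\Users\victim\AppData\Local\Temp\update.au3</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # Benign weekly task for comparison.
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-10-01T01:00:00</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Wednesday /></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def iso_duration_seconds(value):
    """Parse the ISO 8601 duration form Task Scheduler uses (PT1M, PT30S, P1DT2H)."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(name, xml_data):
    """Return a finding dict for one task definition (str or bytes)."""
    root = ET.fromstring(xml_data)
    intervals = [iso_duration_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    fastest = min(intervals) if intervals else None
    reasons, commands = [], []
    if fastest is not None and fastest <= MAX_INTERVAL_SECONDS:
        reasons.append(f"repeats every {fastest}s")
    for exe in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        commands.append(f"{cmd} {args}".strip())
        if any(marker in f"{cmd} {args}".lower() for marker in AUTOIT_MARKERS):
            reasons.append("launches AutoIt interpreter or .au3 script")
        if any(p in cmd.lower() for p in USER_WRITABLE):
            reasons.append("binary lives in a user-writable directory")
    # A single reason (e.g. a genuine every-minute probe) is noise; the
    # combination of a high-frequency trigger with an AutoIt or user-writable
    # action is what the persistence described in the article looks like.
    reasons = list(dict.fromkeys(reasons))
    return {"task": name, "interval": fastest, "commands": commands,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_samples():
    return [analyze_task(name, xml) for name, xml in SAMPLE_TASKS.items()]


def scan_task_dir(root_dir):
    """Scan a tree of task XML files, e.g. a copy of C:\\Windows\\System32\\Tasks."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:  # on-disk task files are UTF-16 with a BOM
                try:
                    findings.append(analyze_task(path, fh.read()))
                except ET.ParseError:
                    continue
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['task']}  interval={f['interval']}  {'; '.join(f['reasons'])}")
```

Point `scan_task_dir` at a copy of the `C:\Windows\System32\Tasks` tree from a disk image, or at the output of `schtasks /query /xml` saved to files. A hit with only one reason is reported but not flagged, so review the `reasons` field rather than relying on the boolean alone.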

ENKI identified multiple RATs embedded in the infection chain, including RemcosRAT, QuasarRAT, and RftRAT, which provided remote control, keylogging, webcam activation, and command execution capabilities. Each RAT was encrypted using AES and embedded within obfuscated AutoIt scripts to evade detection.

“Analysis shows that these files contain malicious AutoIt scripts and modules that enable remote access and keylogging,” the report confirmed. “The threat actor concealed various malware components by encoding or encrypting them within AutoIt scripts. This technique is assessed as a strategy to evade security product detection and delay analysis of malicious activity.”
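To illustrate the encoding-within-AutoIt technique the report describes, here is an added Python triage script. It is not the page's or Genians' code, and it is not a decryptor for the actual KONNI payloads, whose key handling the article does not describe. It pulls long string literals out of an .au3 file, tries hex and base64 decoding, measures their entropy, checks for an MZ header, and lists the calls that usually surround a decrypt-and-run routine. The AutoIt script it analyses is constructed inline, with a pseudo-random blob standing in for an encrypted RAT.

```python
"""Triage an AutoIt (.au3) script for embedded payloads: long string literals
are decoded (hex or base64), measured for entropy and checked for a PE header,
and calls that typically surround a decrypt-and-run routine are listed.
The sample script below is constructed for this example; it is not the
KONNI script and does not reproduce the attacker's real layout or key scheme."""
import base64
import binascii
import hashlib
import math
import re

MIN_LITERAL_LEN = 64
STRING_RE = re.compile(r'"([^"\n]*)"' + r"|'([^'\n]*)'")
HEX_RE = re.compile(r"^(?:0x)?(?:[0-9A-Fa-f]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SUSPICIOUS_CALLS = ("_Crypt_DecryptData", "BinaryToString", "DllCall",
                    "DllStructCreate", "Execute", "ShellExecute", "Run(")

# Constructed sample payloads: a pseudo-random 1 KiB blob (stands in for an
# AES-encrypted RAT; it is not one) and a stub PE header, so the triage has
# something to find. Both are generated here, not taken from real malware.
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
_PE_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            b"This program cannot be run in DOS mode.\r\n")
SAMPLE_SCRIPT = f'''#include <Crypt.au3>
; constructed AutoIt script mimicking a decrypt-and-run loader (hypothetical)
Global $sKey = "hypothetical-key"
Global $sPayload = "{base64.b64encode(_RANDOMISH).decode()}"
Global $bStub = "0x{_PE_STUB.hex()}"
Global $sBanner = "This text is long enough to be inspected but it is just a plain, readable message."
Local $bPlain = _Crypt_DecryptData(Binary($sPayload), $sKey, $CALG_AES_256)
Local $sCode = BinaryToString($bPlain)
Execute($sCode)
'''


def shannon_entropy(data):
    """Bits per byte; ~8.0 for ciphertext or random data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_literal(s):
    """Try hex, then base64; fall back to the raw text. Returns (encoding, bytes)."""
    if HEX_RE.match(s):
        return "hex", bytes.fromhex(s[2:] if s.lower().startswith("0x") else s)
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    return "none", s.encode("utf-8", "replace")


def triage_script(text):
    """Report every long string literal with its decoding, entropy and PE check,
    plus which decrypt/execute-style calls appear anywhere in the script."""
    blobs = []
    for m in STRING_RE.finditer(text):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) < MIN_LITERAL_LEN:
            continue
        encoding, raw = decode_literal(literal)
        blobs.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "encoding": encoding,
            "decoded_len": len(raw),
            "entropy": round(shannon_entropy(raw), 2),
            "looks_like_pe": raw.startswith(b"MZ"),
        })
    api_hits = sorted(c for c in SUSPICIOUS_CALLS if c in text)
    return {"blobs": blobs, "api_hits": api_hits}


if __name__ == "__main__":
    report = triage_script(SAMPLE_SCRIPT)
    for b in report["blobs"]:
        print(f"line {b['line']:3}: {b['encoding']:6} {b['decoded_len']:5} bytes "
              f"entropy={b['entropy']:.2f} pe={b['looks_like_pe']}")
    print("calls:", ", ".join(report["api_hits"]))
```

A high-entropy blob next to `_Crypt_DecryptData` and `Execute` is the shape to look for; the blob itself stays opaque until the key material is recovered from the script's own decryption call, which is the next manual step and depends on the specific sample.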

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Find Hub Abuse Google Account KakaoTalk KONNI APT North Korea Remote Wipe social engineering south korea