In a deep-dive analysis released by Genians Security Center, researchers have exposed “Operation Poseidon,” a sophisticated campaign attributed to the notorious Konni APT group. This operation reveals a disturbing evolution in tradecraft: spies are now piggybacking on the massive, trusted infrastructure of Google and Naver advertising ecosystems to slip malware past enterprise defenses.
For years, defenders have trained users to inspect URLs before clicking. But what happens when the malicious link looks like a trusted Google ad? According to the report, Konni operators found a way to weaponize legitimate ad-click redirection mechanisms.
Instead of sending victims directly to a malicious site, the attackers used valid redirection URLs from platforms like ad.doubleclick[.]net and mkt.naver[.]com.
“It was confirmed that the attacker utilized the redirection URL structure of a domain used for legitimate ad click tracking (ad.doubleclick[.]net) to incrementally direct users to external infrastructure where actual malicious files were hosted,” the analysis states.
By exploiting these open redirects, the initial click appears benign to security filters and reputation scanners. Only after the user clicks are they bounced through the legitimate ad server and land on a compromised WordPress site serving the payload.
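The defensive takeaway from this redirect abuse is that reputation checks have to be applied to the final destination, not to the first-hop ad-tracking host. The following is an added example of static redirect-chain resolution for URL triage at a mail gateway or sandbox; it is not code from the Genians report or from any vendor product. The redirect parameter names, the second URL form handled, and the sample URL are assumptions constructed for illustration, not values taken from the report; only the two redirector hosts come from the article.

```python
"""Statically resolve the destination behind ad-click-tracking redirect URLs.

Added example, not code from the Genians report. Parameter names and the
sample URL are assumed/constructed; only the redirector hosts appear in the
article. No network requests are made: the chain is unwrapped from the URL
structure alone, which is what a gateway can do before any click happens.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hosts the report names as legitimate click-tracking redirectors.
REDIRECTOR_HOSTS = {"ad.doubleclick.net", "mkt.naver.com"}
# Query parameters commonly used to carry a redirect target (assumption).
REDIRECT_PARAMS = ("url", "u", "dest", "redirect", "target", "r")
# The report describes ZIP lures; the other extensions are common dropper types.
DOWNLOAD_EXTENSIONS = (".zip", ".rar", ".7z", ".lnk", ".exe", ".scr")


def next_hop(url: str) -> Optional[str]:
    """Return the URL a known redirector would forward the client to, or None."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() not in REDIRECTOR_HOSTS:
        return None
    # Form 1: ...?dest=https%3A%2F%2F...  (parse_qs percent-decodes once)
    params = parse_qs(parsed.query)
    for name in REDIRECT_PARAMS:
        value = params.get(name, [""])[0]
        if value.lower().startswith(("http://", "https://")):
            return value
    # Form 2 (assumed): ...?https://...  (target is the whole query string)
    if parsed.query.lower().startswith(("http://", "https://")):
        return parsed.query
    return None


def resolve_chain(url: str, max_hops: int = 5) -> list:
    """Follow embedded redirect targets until a non-redirector host or a loop."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage(url: str) -> dict:
    """Summarise where a link really leads so the final host can be scored."""
    chain = resolve_chain(url)
    final = urlparse(chain[-1])
    final_host = (final.hostname or "").lower()
    return {
        "first_hop_host": (urlparse(url).hostname or "").lower(),
        "final_host": final_host,
        "hops": len(chain) - 1,
        # True when a trusted redirector hands off to an arbitrary outside host.
        "leaves_trusted_redirector": len(chain) > 1 and final_host not in REDIRECTOR_HOSTS,
        "final_is_download": final.path.lower().endswith(DOWNLOAD_EXTENSIONS),
    }


# Constructed sample: two legitimate redirectors chained in front of a ZIP on a
# hypothetical compromised site (".example" is a reserved, non-routable TLD).
SAMPLE_URL = (
    "https://ad.doubleclick.net/click?url=https%3A%2F%2Fmkt.naver.com%2Fr%3F"
    "dest%3Dhttps%253A%252F%252Fcompromised-blog.example%252Fwp-content%252Fnotice.zip"
)

if __name__ == "__main__":
    for hop in resolve_chain(SAMPLE_URL):
        print("->", hop)
    print(triage(SAMPLE_URL))
```

A gateway would pass `final_host` to its reputation service rather than the first-hop host, and the `leaves_trusted_redirector` plus `final_is_download` flags give a cheap reason to hold the message for sandboxing even when the final host has no history yet.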
The campaign’s social engineering is as precise as its delivery method. The attackers crafted targeted lures designed to exploit trust within South Korean sectors, specifically focusing on financial data and human rights issues.
“The threat actor was identified as repeatedly employing social engineering tactics by impersonating North Korean human rights organizations and financial institutions in South Korea, while continuously conducting highly sophisticated and targeted attacks against specific targets.”
Victims received emails disguised as official notices, such as “Request for Submission of Explanation Materials” or “Wire Transfer and Transaction History Confirmation,” duping them into downloading malicious ZIP archives.
Perhaps most devious is the technique used to blind AI-based security scanners. The phishing emails contained large blocks of invisible text—meaningless English sentences hidden with HTML attributes like display:none. To the human eye, the email looks normal; to a security scanner, it looks like a garbled mess of benign text, confusing the logic used to detect phishing patterns.
“This method was confirmed to be a sophisticated content padding technique used to bypass traditional signature-based detection.”
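Hidden-text padding is detectable precisely because the padding must be invisible to the recipient: a mail filter that measures how much of a message's text a human would never see can flag it. Below is an added example of such a meter, written for this article and not taken from the Genians report. It generalizes beyond the `display:none` attribute the article mentions to a few other common CSS hiding techniques (the `hidden` attribute, `visibility:hidden`, zero opacity, zero font size), which is an assumption about related tradecraft rather than something the report states; the sample email bodies and the alerting thresholds are constructed for illustration.

```python
"""Measure the share of an HTML email's text that is hidden from the reader.

Added example, not code from the Genians report. The set of hiding styles,
the sample messages and the thresholds are assumptions/constructed values.
"""
import re
from html.parser import HTMLParser

# Inline styles that make text invisible (whitespace removed, lower-cased).
HIDING_STYLE_PATTERNS = [
    re.compile(r"display:none"),
    re.compile(r"visibility:hidden"),
    re.compile(r"opacity:0(\.0+)?(;|$)"),
    re.compile(r"font-size:0(px|pt|em|%)?(;|$)"),
]
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}   # never closed
NON_TEXT_TAGS = {"script", "style", "head", "title"}       # text not rendered


def _style_hides(style: str) -> bool:
    """True if an inline style string contains a known hiding declaration."""
    compact = re.sub(r"\s+", "", style).lower()
    return any(p.search(compact) for p in HIDING_STYLE_PATTERNS)


class HiddenTextMeter(HTMLParser):
    """Count words in visible versus hidden elements; hiding is inherited."""

    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, hidden?) for each open element
        self.visible_words = 0
        self.hidden_words = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = "hidden" in a or _style_hides(a.get("style") or "")
        inherited = self._stack[-1][1] if self._stack else False
        self._stack.append((tag, hidden or inherited))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        words = data.split()
        if not words or (self._stack and self._stack[-1][0] in NON_TEXT_TAGS):
            return
        if self._stack and self._stack[-1][1]:
            self.hidden_words += len(words)
        else:
            self.visible_words += len(words)


def analyze_padding(html: str, min_hidden_words: int = 20, min_ratio: float = 0.5) -> dict:
    """Return word counts and a verdict; thresholds are illustrative assumptions."""
    meter = HiddenTextMeter()
    meter.feed(html)
    meter.close()
    total = meter.visible_words + meter.hidden_words
    ratio = meter.hidden_words / total if total else 0.0
    return {
        "visible_words": meter.visible_words,
        "hidden_words": meter.hidden_words,
        "hidden_ratio": round(ratio, 3),
        "padding_suspected": meter.hidden_words >= min_hidden_words and ratio >= min_ratio,
    }


# Constructed sample: a short lure with filler sentences the recipient cannot see.
SAMPLE_EMAIL = """<html><body>
<p>Please review the attached wire transfer confirmation.</p>
<div style="display:none">The quick brown fox sits by the river. Blue pianos rarely sing in autumn.</div>
<p style="font-size:0;color:#fff">Warm clouds count the tables every Tuesday.</p>
<p>Regards, <br>Compliance Team</p>
</body></html>"""

CLEAN_EMAIL = "<html><body><p>Hello team, see attached.</p></body></html>"

if __name__ == "__main__":
    print(analyze_padding(SAMPLE_EMAIL))
    print(analyze_padding(CLEAN_EMAIL))
```

Word counts rather than raw character counts keep the ratio stable across HTML entity encoding, and reporting both the absolute hidden word count and the ratio avoids flagging ordinary marketing mail that hides a single preheader line.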
The campaign gets its name from a slip-up in the attacker’s operational security (OPSEC). Deep within the malicious EndRAT malware loaded by the attack, researchers found a build path left behind by the developer: D:\3_Attack Weapon\Autoit\Build_Poseidon – Attack\client3.3.14.a3x.
“This serves as a key naming artifact, suggesting that the attacker internally dubbed the campaign ‘Poseidon’ and manages it as a distinct operational unit.”
This artifact, combined with the reuse of known command-and-control (C2) infrastructure, allowed Genians researchers to firmly attribute the activity to the Konni group.
The report concludes that this is not a threat that can be blocked by a simple firewall rule.
“Operation Poseidon is classified as a sophisticated APT campaign that is difficult to counter through any single security solution.”