Overall Attack Flow | Image: Genians Security Center
The Konni APT group has launched a sophisticated multi-stage campaign that turns victims into unwilling accomplices. According to a deep-dive analysis by the Genians Security Center, the threat actor is moving beyond traditional email-based attacks, now hijacking KakaoTalk PC sessions to spread malware through trusted contact lists.
The attack begins with a precisely targeted spear-phishing email. Attackers pose as official entities, sending a “notice appointing the recipient as a North Korean human rights lecturer”. This document is actually a malicious LNK shortcut file.
Once the victim double-clicks the file, a complex background process begins:
- Decoy Deployment: The LNK file executes a PowerShell script that decodes a hidden PDF header from within itself, opening a fake document to lower the user’s guard.
- Stealthy Execution: While the victim reads the decoy, the script downloads AutoIt3.exe and a malicious script (disguised as another PDF) from a C2 server.
- Persistence: The malware schedules a task to run every minute for a full year, ensuring it survives system reboots.
What sets this campaign apart is the “account-based redistribution” phase. After establishing a foothold, the attackers gain unauthorized access to the victim’s KakaoTalk PC application.
As the Genians report explains:
“The threat actor selectively chose contacts from the friend list for secondary distribution of the malicious file… effectively turning existing victims into new distribution channels”.
By sending malicious files from a “trusted” friend’s account, the attackers successfully bypass standard security skepticism. These follow-up messages often use lures related to “North Korea-related video proposals” to maintain thematic consistency.
The investigation revealed that Konni is not relying on a single piece of software. Instead, they are deploying a “modular attack approach” using at least three distinct Remote Access Trojans (RATs):
| Malware Family | Purpose | C2 Location |
| --- | --- | --- |
| EndRAT | File management and remote shell access. | Finland |
| RftRAT | Stealthy communication via obfuscated C2 strings. | Japan |
| RemcosRAT | Keylogging and encrypted configuration storage. | Netherlands |
The use of a Japan-based C2 server provided a “key correlation point,” linking this activity to earlier Konni operations like Operation Poseidon.
Genians Security Center emphasizes that traditional file-blocking is no longer enough to stop such an adaptive adversary.
“This incident highlighted the need for an EDR-centered response framework to support behavior-based threat detection… effectively detecting account-based secondary propagation”.
Organizations are urged to monitor for anomalous messenger behavior and suspicious scheduled tasks (like those running in 1-minute intervals) to catch the “concealed and persistent” threat before it spreads to the entire network.
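One concrete way to act on the scheduled-task advice above, and on the persistence step described earlier (a task repeating every minute for a year that launches AutoIt3.exe), is to inspect the Task Scheduler XML that Windows records in Security event 4698 ("A scheduled task was created") or exports via `schtasks /query /xml`. The following is an added example, not tooling from Genians or from the report; it parses that XML and flags the pattern. The thresholds (repeat interval of 60 seconds or less, repetition window of a year or more), the binary watch-list, and the two sample task definitions with their file paths are all constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace of the Windows Task Scheduler task-definition XML (the same document
# that appears in the TaskContent field of Security event 4698).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed thresholds: a trigger that repeats at most once a minute for a year
# or longer matches the persistence pattern described in the report.
MAX_INTERVAL_SECONDS = 60
MIN_DURATION_SECONDS = 365 * 24 * 3600
# Constructed watch-list of interpreters the report associates with this campaign.
SUSPICIOUS_BINARIES = ("autoit3.exe",)

# ISO 8601 duration as used by Task Scheduler, e.g. PT1M, PT1H, P365D, P1Y.
_DUR = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration to seconds (month = 30 days, year = 365 days); None if unparseable."""
    m = _DUR.match((text or "").strip())
    if not m:
        return None
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    return (g["y"] * 365 * 86400 + g["mo"] * 30 * 86400 + g["d"] * 86400
            + g["h"] * 3600 + g["mi"] * 60 + g["s"])


@dataclass
class Finding:
    task_name: str
    reasons: list = field(default_factory=list)  # empty list means the task looked clean


def analyze_task(task_name, task_xml):
    """Inspect one task definition and record every reason it resembles the reported persistence."""
    root = ET.fromstring(task_xml)
    finding = Finding(task_name)
    # Any trigger type (CalendarTrigger, TimeTrigger, LogonTrigger, ...) may carry a Repetition block.
    for rep in root.iter(TASK_NS + "Repetition"):
        interval = iso_duration_seconds(rep.findtext(TASK_NS + "Interval"))
        duration = iso_duration_seconds(rep.findtext(TASK_NS + "Duration"))
        if interval is not None and interval <= MAX_INTERVAL_SECONDS:
            finding.reasons.append(f"repeats every {interval}s")
        if duration is not None and duration >= MIN_DURATION_SECONDS:
            finding.reasons.append(f"repetition window {duration // 86400} days")
    # Exec actions: compare only the executable's base name, case-insensitively.
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = (ex.findtext(TASK_NS + "Command") or "").strip()
        args = (ex.findtext(TASK_NS + "Arguments") or "").strip()
        base = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SUSPICIOUS_BINARIES:
            finding.reasons.append(f"runs {base} {args}".strip())
    return finding


def scan_tasks(tasks):
    """Return the Finding objects for every task (name -> XML) that produced at least one reason."""
    return [f for f in (analyze_task(n, x) for n, x in tasks.items()) if f.reasons]


# Constructed sample task definitions (paths and names are made up for the demo).
SAMPLE_TASKS = {
    "SuspiciousSample": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT1M</Interval><Duration>P365D</Duration></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Users\Public\AutoIt3.exe</Command>
    <Arguments>C:\Users\Public\doc.pdf</Arguments>
  </Exec></Actions>
</Task>""",
    "BenignSample": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval><Duration>P1D</Duration></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c echo ok</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for hit in scan_tasks(SAMPLE_TASKS):
        print(hit.task_name, "->", "; ".join(hit.reasons))
```

Run against real data, the XML would come from the TaskContent field of 4698 events or from `schtasks /query /xml`; the three checks are deliberately independent so that a task matching only one of them (a one-minute repeat with a benign binary, or AutoIt3 launched on a normal schedule) still surfaces for review rather than being hidden by the others.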