North Korean hackers exploit Google’s Find Hub to track and wipe Android devices

North Korean hackers are abusing Google’s Find Hub tool (formerly known as “Find My Device”) to track the GPS locations of South Korean targets and remotely reset their smartphones to factory settings.

According to a new report from South Korean cybersecurity firm Genians, the attacks are linked to the KONNI activity cluster, which overlaps with Kimsuky (Emerald Sleet) and APT37 (ScarCruft), two groups long associated with North Korean cyber espionage operations.

The campaign begins with social engineering on KakaoTalk, South Korea’s most popular messaging app. Attackers pose as officials from the National Tax Service, police, or other agencies, sending malicious MSI or ZIP attachments disguised as legitimate documents. When executed, the files install a remote access trojan (RAT) capable of stealing credentials, recording keystrokes, and delivering additional payloads such as RemcosRAT, QuasarRAT, and RftRAT.

Using stolen Google credentials, the hackers log into victims’ accounts to access Find Hub, where they can query GPS data and issue remote wipe commands. Genians’ analysis confirmed multiple cases where attackers used the feature to reset Android devices, including one incident targeting a counselor working with North Korean defectors.

By wiping mobile devices, the hackers not only hide their tracks but also cut off victims from their accounts, which allows them to use compromised KakaoTalk sessions to spread malware to new targets.

According to Google, no vulnerability in Android or Find Hub was exploited; instead, the threat actors leveraged stolen credentials obtained via infected PCs.

Users are advised to enable multi-factor authentication (MFA) or passkeys on their Google accounts and to always verify the sender of unexpected files, especially over messenger apps.
